NOTICE TO INDIVIDUALS LOCATED IN THE EUROPEAN ECONOMIC AREA, UNITED KINGDOM, OR SWITZERLAND
THIS SECTION ONLY APPLIES TO USERS OF OUR SERVICES THAT ARE LOCATED IN THE EUROPEAN ECONOMIC AREA, UNITED KINGDOM, OR SWITZERLAND (COLLECTIVELY, THE “DESIGNATED COUNTRIES”) AT THE TIME OF DATA COLLECTION. WE MAY ASK YOU TO IDENTIFY WHICH COUNTRY YOU ARE LOCATED IN WHEN YOU USE SOME OF OUR SERVICES, OR WE MAY RELY ON YOUR IP ADDRESS TO IDENTIFY WHICH COUNTRY YOU ARE LOCATED IN.
- Fulgent’s relationship to you. A “controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. Fulgent is a “controller” with respect to your personal information under certain circumstances. In relation to our Provider Portal and Patient Portal, Fulgent is a controller in relation to the information that a provider enters directly into the Websites about him or herself or about his or her patients. To the extent a user or patient directly enters personal information on our Websites to pay for, use or obtain further information about our Services, Fulgent is a controller. A “processor” is an entity that processes personal information on behalf of a controller. For example, any third parties that act as our service providers are “processors” that handle your personal information in accordance with our instructions. To the extent that Fulgent receives personal information as part of any Informed Consent or Test Requisition Form, and to the extent that Fulgent receives identifiable samples and/or identifiable genetic information necessary to perform the Services, Fulgent is a processor and your provider is the controller.
- Lawful basis for processing your personal information. We process personal information on the following legal bases: (1) with your consent per an informed consent form from your provider; (2) as necessary to fulfill our contractual obligations to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedoms related to data privacy. To the extent that any de-identified data is anonymized, it is not considered personal data and falls outside applicable privacy laws.
- Marketing activities. Direct marketing includes any communications we send to you that are only based on advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only contact patients or providers by electronic means (including email or SMS) based on our legitimate interest or their consent. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at firstname.lastname@example.org.
- Individual data subject rights. We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on other's privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, if you would like to exercise your rights under the applicable law please contact us at email@example.com.
- Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
- Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.
- Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing.
- Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.
- Right to restriction. You have the right to restrict our processing your personal information where one of the following applies:
- You contest the accuracy of your personal information that we processed. We will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
- The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
- We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise or defense of legal claims.
- You have objected to processing, pending the verification whether the legitimate grounds of our processing override your rights. We will only process your restricted personal information with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.
- Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.
- Notification to third-parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure or restriction of your personal information, unless this proves impossible or involves disproportionate effort.
The rights described above may be limited by local laws. Further, your right of access and deletion is not absolute and may not be available if fulfillment of such right would, among other things:
- cause interference with execution and enforcement of the law and legal private rights (such as in the case of the investigation or detection of legal claims or the right to a fair trial);
- breach or prejudice the rights of confidentiality and security of others;
- prejudice security or grievance investigations, corporate re-organizations, future and ongoing negotiations with third parties, the compliance with regulatory requirements relating to economic and financial management; or
- otherwise violate the interests of others or where the burden or cost of providing access would be disproportionate.
If you believe we have infringed or violated your privacy rights, please contact us at firstname.lastname@example.org so that we can work to resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement. A listing of data protection authorities can be found at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
You may also contact our EU Representative, DataRep, at https://www.datarep.com.