Noona Privacy Statement
Effective date: November 5, 2020
Varian Medical Systems, Inc. (including its affiliate entities, collectively, “Varian”, “we” and “us”) is committed to respecting your privacy and we understand that Health Data, as defined below, is private and confidential. As you visit our Noona website and mobile application, our intent is that your experience is informative, convenient and secure. Varian has adopted this Privacy Statement to explain our commitment to your privacy and how we responsibly manage personal data.
This Privacy Statement applies to our Noona Symptom Management subscription service, which records patient feedback through their treatment and recovery, and which can be used through a website or mobile application for our customers (the “Service”). This Privacy Statement describes how we process Personal Data or Health Data that we collect from you, that we may receive from third parties such as your Healthcare Provider, or that you provide to us in and through the Service.
In this Privacy Statement, the term “Personal Data” means any information that relates to an identified or identifiable natural person. “Data Concerning Health” or “Health Data” means Personal Data that relates to your health, including the provision of health care services, which reveal information about your health status.
Varian provides services to its customers, which are often hospitals, clinics or other healthcare providers that provide treatment to you (“Healthcare Provider”). The Healthcare Provider is often the data controller with respect to your Health Data. In these scenarios, Varian is a data processor. For information about how your Healthcare Provider uses your Personal Data please review the applicable Healthcare Provider’s privacy statement and contact the Healthcare Provider if you have any concerns in relation to their use of your information.
**The use of our Service is optional, and if you do not want your Personal Data or your Health Data to be processed by Varian and its third-party service providers for the purposes described in this Privacy Statement, please do not register to use the Services.**
Varian may process your Personal Data as a controller for the limited purposes described in this Privacy Notice and, subject to a lawful consent given by you, also process your Health Data as a controller.
COLLECTION OF PERSONAL DATA
When you install the Service, register as a user of the Service, and as you use the Service, we may collect information that you provide to us directly. If you provide your explicit consent to your Healthcare Provider, we may also receive information about you and copies of your electronic medical records from your Healthcare Provider. This information may include, without limitation, the following information that may, in certain circumstances, constitute Personal Data or Health Data:
– A unique identifier such as a patient ID;
– E-mail address and phone number;
– Diagnostic and treatment information relating to your cancer;
– Information about other illnesses you may have and other medications you are taking;
– Information regarding your response to treatment, your wellbeing and overall quality of life; and
– Any other information you choose to submit in and through the Service.
As is true of most websites and applications, we gather certain information automatically. This information may include:
– Device data and analytics data: We collect the Internet Protocol (IP) address from which you access the Service, information about the hardware model and operating system of your device, the name of your Internet Service Provider, and audit logs reflecting your logins, logouts and the activities taken within the Service.
– Data collected by third-party service providers whom we subcontract to analyze activity in the Service. For example, we use Google Analytics to aggregate and analyze data about your use of the Service. (For more information, see the Google Privacy and Terms. Should you wish to opt out, visit the Google Analytics Opt-out Browser Add-on page.)
We wish to remind you that this Privacy Statement does not cover or apply to the processing of Personal Data or Health Data that the Healthcare Provider undertakes independently of Varian or together with other third parties. Neither does it apply to any links to third parties’ websites and/or services, such as third-party applications or websites, which you may encounter when you use the Service. We encourage you to carefully familiarize yourself with privacy policies provided by the Healthcare Provider or applicable to any websites and/or services operated by third parties. Please be aware that we are not responsible for the privacy practices of any third parties, including the Healthcare Provider.
PURPOSES OF USING PERSONAL INFORMATION
We process your Personal Data and Health Data as a processor on behalf of your Healthcare Provider to set up and maintain your registration with the Service, to provide the Service, to communicate with you and your Healthcare Provider, and at all times in accordance with the instructions we receive from your Healthcare Provider for the primary purpose of providing the Service to you and the Healthcare Provider.
As a data controller, Varian uses and otherwise processes your Personal Data, including data collected automatically described above, for the following purposes:
– To prevent and investigate fraud and other misuses;
– To protect our rights and/or our property;
– To maintain, administer, audit, make changes, updates or improvements to or to optimize the performance of the Service or to otherwise inform future development;
– To troubleshoot and ensure the technical functionality and security of the Service; and
– To provide you with products, services, and information that you request.
The lawful basis for this processing (under European and other data privacy laws) is that such processing is necessary for the purposes of Varian’s or a relevant third party’s legitimate interests, including those described above.
We may also process your Personal Data in order to comply with our legal obligations, to perform a contract between us and you/our customer, or to establish and defend any legal claims.
If you provide your explicit consent, we may also process your Health Data as a controller to de-identify it and (i) combine it with other users’ de-identified data for the purpose of analyzing how the Service is used and to make changes, updates or improvements to or to optimize the performance of the Service or to otherwise inform future development; and (ii) share it with pharmaceutical companies and other third parties with whom Varian partners for the purpose of conducting scientific research.
Where our basis for processing is your consent you have the right to withdraw such consent at any time. If the means for doing so are not apparent from the context, please contact us at firstname.lastname@example.org. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
INFORMATION SHARED WITH OUTSIDE PARTIES
When we process your Personal Data or Health Data as a processor on behalf of your Healthcare Provider, we will share your Personal Data and Health Data with your Healthcare Provider. In regard to other sharing of your personal data, we will only disclose your Personal Data or Health Data as instructed by your Healthcare Provider or otherwise as permitted by applicable law or required by legal process.
Where we process your Personal Data or Health Data as a controller, we will disclose your Personal Data and Health Data to the following categories of recipients:
– Any competent law enforcement body, regulator, government agency, court or other third party where we believe disclosure is necessary under law, to exercise, establish or defend our legal rights, or to protect our rights or the rights of third parties;
– Our subsidiaries and affiliates; or to a subsequent or potential subsequent owner, co-owner or operator of the Service and their advisors in connection with a corporate merger, consolidation, restructuring, or the sale of substantially all of our stock and/or assets or other corporate reorganization;
– Our service providers, such as data storage service providers, which enable us to provide the Service to you, and may transfer your Personal Data and Health Data to such service providers for purposes of hosting the Service and analysis and storage; and
– Any other person with your consent.
Once we have de-identified your Personal Data and Health Data, we may also disclose information to our business partners for analysis and further processing including, for example, to analyze statistics related to the Service, user behavior relating to device and Service usage, and data and communication usage and time distribution of the Service usage activity.
If for any reason you wish to correct, update, or delete your Personal Data or profile, please log on to your account in order to make these changes or communicate with your Healthcare Provider.
When Varian processes Personal Data on behalf of your Healthcare Provider, you should consult with your Healthcare Provider if you wish to exercise any rights granted to you under applicable data protection laws.
Where Varian processes your Personal Data and Health Data as a controller, you may have the right pursuant to applicable data protection laws to: (i) request access to your data; (ii) request rectification of your personal data; (iii) request erasure of your data (“right to be forgotten”); (iv) obtain restriction of processing of your data; (v) request data portability; and (vi) object to the processing of your data. Please note that these aforementioned rights might be limited under the applicable data protection law.
In addition, you have the right to file a complaint with the competent supervisory authority regarding the processing of your Personal Data or Health Data by Varian or your Healthcare Provider.
We follow generally accepted industry standards to protect Personal Data that we process, including during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. We suggest that you change your passwords often, that your passwords include a combination of letters and numbers, and that you make certain that you are using a secure browser. Products and services are available which can help give you privacy protection while navigating the web. See http://www.privacyalliance.org/resources/rulesntools/ for an overview of many privacy-related tools. If you have any questions about security on our website, you can email us at email@example.com.
We safeguard the security of the data you send us with certain physical, electronic, and managerial procedures. We have taken reasonable precautions to protect against misuse, theft, loss, unauthorized access, disclosure, alteration or destruction of your Personal Data. For seminar registrations, our forms are sent through a server protected by a firewall. Additionally, we use industry-standard encryption to enhance the security of data transmissions. If there is ever a time when we will need to transfer or receive particularly sensitive information, we will notify you in an appropriate fashion.
When we process your Personal Data as a processor on behalf of your Healthcare Provider, we will retain your Personal Data in accordance with the instructions we receive from your Healthcare Provider. Please note that your Healthcare Provider may be required (by law or otherwise) to keep certain elements for a certain time period, and possibly permanently.
Where we process your Personal Data as a controller, we will retain your data for as long as your account is active, for as long as needed to fulfill our service obligations to you and for other purposes as set out in this Privacy Notice, in accordance with applicable laws. Also, we will retain and use your Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
TRANSFERS OF PERSONAL DATA TO OTHER COUNTRIES
Your Personal Data may be stored and/or accessed outside of the country in which you live. As of July 16, 2020, we rely on country-level adequacy decisions or utilize privacy frameworks to legitimize the transfer of the personal data or health data, such as the Standard Contractual Clauses or similar for EEA, Switzerland and UK transfers.
Prior to July 16, 2020, we relied on our EU-US Privacy Shield certification as one means of demonstrating adequacy and safeguarding transfers of data from the EEA. In addition to Privacy Shield, we also executed Standard Contractual Clauses with entities involved in such data transfers. For transfers occurring prior to July 16, 2020, we will continue to be responsible for the processing of EEA, Switzerland and UK Personal Information under the EU Privacy Shield Framework and will maintain full compliance with the requirements of that framework until further notice.
We do not structure the Services to be used by children. Accordingly, we do not knowingly collect Personal Data from anyone who is 13 years of age or younger (or a different age that constitutes a minor under relevant local law outside of the United States).
CHANGES TO THIS PRIVACY NOTICE
Varian may decide to change this Privacy Statement from time to time to reflect changes to our information practices. You can tell when changes have been made to the Privacy Statement by referring to the “Last Updated” legend on top of this page. If we make material changes to this statement, we will notify you here, by email (sent to the email address specified in your account), or by means of a notice on our home page. Your continued use of the Service following any changes to this Privacy Statement constitutes your acceptance of any such changes made. Please note that your Healthcare Provider may also change the way your data submitted to or collected through the Service is processed. We encourage you to periodically review this page for the latest information on our privacy practices.
COMMUNICATION, OVERSIGHT AND QUESTIONS
We may from time to time send you either email communications or push notifications to your mobile device with an installed copy of the Service. Such communications will occur in order to activate the installed Service or to communicate with you regarding your use of the Service or any part thereof, and may include questionnaires on your use of the Service or information on new or alternative features of the Services.
We welcome comments and questions on this Privacy Statement. As stated above, we are dedicated to protecting your privacy, and we will make every reasonable effort to keep your information secure. If you have any questions or comments about this statement you can contact us electronically at firstname.lastname@example.org.
Additionally, you may contact us by writing via postal mail at the following addresses:
Varian Medical Systems, Inc.
Attention: Data Privacy Office
3120 Hansen Way, M/S G100
Palo Alto, CA 94304.
Varian Medical Systems Finland Oy
Attention: Data Privacy Office