Attachment A – EU Privacy Notice (Effective, 2018)
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This EU Privacy Notice applies to Personal Data collected by UPMC from individuals who are in the European Union (EU) at the time the Personal Data is provided.
UPMC understands that your Personal Data, particularly health and employment information, is sensitive and confidential. UPMC makes every reasonable effort to protect your Personal Data.
UPMC will not collect Personal Data from you if the collection of such Personal Data is in violation of your fundamental rights as an individual and/or minor.
UPMC may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at UPMC’s EU-based operations. UPMC may also receive and/or manage Personal Data for organizations within EU member countries that UPMC does business with. UPMC may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, UPMC adheres to the EU GDPR. All UPMC operations that have access to Personal Data from an EU member country shall follow this EU Privacy Notice and other privacy rules required under US law (as applicable), or EU individual provider-based data protection agreements.
UPMC is comprised of a network of hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other health care related services. Our workforce includes our staff, physicians, students, residents, trainees, volunteers and others providing services within or for these facilities, who may or may not be directly employed by UPMC.
UPMC may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Privacy Notice describes. UPMC takes reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.
UPMC shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. UPMC will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete and current.
For our Patients - UPMC may create and maintain records with Personal Data about your care. We may collect, process and store your Personal Data for purposes such as:
- Providing healthcare services to you;
- Designing, implementing and/or maintaining patient care and patient-related information systems;
- Maintaining medical records (including transcriptions, laboratory results, diagnostic images and other types of clinical information);
- Performing government reporting; and
- Conducting auditing, accounting, financial, quality assurance and economic and clinical analyses.
With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters etc.), UPMC will not share such information except as otherwise described in this Privacy Notice unless specifically authorized by you. UPMC may disclose sensitive Personal Data if required to comply with the legal process.
Upon request, UPMC will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data. In addition to the right to access your Personal Data, you also have the following rights:
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restriction of Processing
- Right to Portability
- Right to Object
- Right not to be subject to a decision based solely on automated processing
Questions or concerns regarding the use or disclosure of Personal Data should be directed to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data, or to the UPMC Corporate Ethics and Compliance Office, US Steel Tower, 600 Grant Street, 58th Floor, Pittsburgh, PA 15219; telephone: 412-647-6286, Fax: 412-623-6476; or by email at email@example.com or firstname.lastname@example.org.
For our Workforce - UPMC normally creates and maintains records with Personal Data about your employment or staff-related services. We may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:
- management and administration of employment-related matters;
- designing and administering compensation, benefits, and human resource programs;
- designing and implementing employment-related education and training programs;
- monitoring and evaluating employee conduct and performance;
- maintaining plant and employee security, health and safety;
- facilitating communications, negotiations, transactions, and conferences; and
- compliance with contractual and legal obligations.
All Personal Data received and stored by UPMC will be maintained for no less than the minimum number of years as required by applicable laws.
For Third Parties - UPMC may transfer Personal Data to a third party acting as its agent (e.g., health care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services and benefit administrators) without the necessity to provide additional notice to you, as long as UPMC has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Privacy Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider-based data protection agreements.
Dispute Resolution Process - If you have a dispute regarding UPMC's use of your Personal Data, you may make a complaint to UPMC or to the Data Privacy Supervisory Authority of your country. UPMC will investigate and try to resolve your complaint. If the dispute cannot be resolved, UPMC will participate in the dispute resolution process established by the EU Data Protection Authorities. Contact UPMC’s Office of Consumer and Patient Privacy, 600 Grant Street, 58th Floor, Pittsburgh, PA 15219; telephone: 412-647-6286, Fax: 412-623-6476; or by email at email@example.com.