At UPMC, we are committed to protecting the privacy of your Personal Data, as European Union (“EU”) regulations require. When we say “Personal Data,” we mean any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, using identifiers that can include a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Attached is UPMC’s “Notice of EU Privacy Practices” (“EU Notice”). The EU Notice explains how we meet this commitment. The EU Notice also explains the Personal Data we collect and process and your rights under the European Union and its member states.
In this EU Notice, the words “we,” “us,” and “our” mean UPMC and all the people and places that follow this EU Notice. All people and places that make up UPMC who collect Personal Data from individuals who are in the EU at the time the Personal Data is collected must follow the EU Notice.
For our Patients – UPMC may collect your Personal Data to deliver healthcare services related to health promotion, disease prevention, diagnosis, treatment, and rehabilitation at your request. We may also collect your Personal Data for administrative and accounting activities closely related to the healthcare services you intend to receive. Types of Personal Data we may collect include:
For our Workforce – UPMC may collect your Personal Data for employment and staff-related purposes. Types of Personal Data we may collect include:
We will not collect Personal Data about you if the collection of such Personal Data is in violation of your fundamental rights as an individual and/or a minor.
UPMC may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Notice describes.
For our Patients – UPMC may create and maintain records with Personal Data about your care. We may collect, process, and store your Personal Data for purposes such as:
For our Workforce – UPMC normally creates and maintains records with Personal Data about your employment or staff-related services. We may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:
UPMC shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. UPMC will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete, and current.
Our workforce includes our staff, physicians, students, residents, trainees, volunteers, and others providing services within or for these facilities, who may or may not be directly employed by UPMC and may have access to your Personal Data.
UPMC may transfer Personal Data to a third party acting as its agent (e.g., health care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services, and benefit administrators) without the necessity to provide additional notice to you, as long as UPMC has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider-based data protection agreements. With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters, etc.), UPMC will not share such information except as otherwise described in this EU Notice unless specifically authorized by you. UPMC may disclose sensitive Personal Data if required to comply with the legal process.
UPMC may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at UPMC’s EU-based operations. UPMC may also receive and/or manage Personal Data for organizations within EU member countries that UPMC does business with. UPMC may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, UPMC adheres to the EU GDPR. All UPMC operations that have access to Personal Data from an EU member country shall follow this EU Notice and other Privacy rules required under US law (as applicable), or under EU data protection agreements.
All Personal Data processed and stored by UPMC will be maintained for no less than the minimum number of years as required by applicable laws and only for a period deemed strictly necessary to fulfill the purposes for which it serves.
The law gives you the following rights about your Personal Data:
Upon request, UPMC will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data.
UPMC understands that your Personal Data, particularly health and employment information, is sensitive and confidential. Therefore, we take reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.
If you believe your data protection rights have been violated by us, you may file a confidential complaint with us. You can do this by contacting UPMC’s Office of Consumer and Patient Privacy, 600 Grant Street, 58th Floor, Pittsburgh, PA 15219; telephone: 412-647-6286, Fax: 412-623-6476; or email at: firstname.lastname@example.org.
You also have the right to make a complaint with a competent supervisory authority if you believe that the processing of your Personal Data carried out by UPMC is unlawful. UPMC will participate in the dispute resolution process established by the EU Data Protection Authorities.
You will not be penalized for making a complaint.
Questions or concerns regarding the use or disclosure of Personal Data should be directed to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data, or to UPMC’s Office of Consumer and Patient Privacy, US Steel Tower, 600 Grant Street, 58th Floor, Pittsburgh, PA 15219; telephone: 412-647-6286, Fax: 412-623-6476; or email at: email@example.com.