Privacy Notice EU & UK
EU AND UK PRIVACY NOTICE FOR MOLECULAR TESTING SERVICES
Effective date: May 2, 2024
Latest Revision: May 2, 2024
Caris may update this notice from time to time. You can find an up-to-date notice at https://www.carislifesciences.com/privacy-website-policies/.
ABOUT CARIS LIFE SCIENCES
U.S. Caris MPI, Inc. d/b/a Caris Life Sciences and its affiliates and subsidiaries (collectively, “Caris” or “we”) offers comprehensive molecular profiling that assesses the biomarkers found in your tumor or blood, revealing a molecular blueprint to help your health care provider or professional (“HCP”) make more informed and individualized treatment decisions specific to your cancer.
Please carefully read this privacy notice. This notice is to help you understand why we collect personal data about you, what we do with it and how exercise your rights in accordance with (i) the Regulation (EU) 2016/679 (“EU GDPR”) and (ii) the UK General Data Protection Regulation (as defined in s.3(10) and as supplemented by s.205(4) of the UK Data Protection Act of 2018 (“UK GDPR”) (EU GDPR and UK GDPR together “GDPR”).
If you have any questions in relation to our use of your personal data or this privacy notice, please contact our Data Protection Officer: Caris Life Sciences, Privacy Officer, 750 West John Carpenter Freeway, Suite 800, Irving, Texas 75039, USA.
HOW WE COLLECT AND USE YOUR PERSONAL DATA
We may collect your data indirectly from the following sources:
- In the EEA, a HCP who completes the requisition form ordering the test.
- In the UK, a HCP who completes the requisition form or a distributor who co-ordinates the ordering process and/or may provide services to you.
- The sample that is sent to us for testing.
| Purposes | Description | Legal bases |
|---|---|---|
| Conduct molecular profile testing and provide a report upon completion of testing | The report will be used by your HCP to make decisions about your health care.The report may be shared with other persons specified on your consent or requisition form. | Consent Provision of healthcare (including diagnostics) Public health |
| Further reuse for future research | To reuse your personal data collected for the test in order to conduct future research.To use the future research’s results. | Legitimate Interests Consent Scientific Research (where applicable) |
| Safety and Product Improvements to the tests | Safety reportingInternal analyses, including for regulatory purposesAnonymization and/or pseudonymization of data for the above purposes | Legitimate Interests Public health |
| Pre-litigation or litigation management | To take action against any identified breach.To manage any dispute or litigation. | Legitimate Interests Legal claims |
| Compliance with legal and regulatory obligations | To comply with legal and regulatory obligations, in particular regarding the reliability and safety of the test.To process your requests to exercise your rights. | Legal and regulatory obligations to which Caris is subject |
| Operational and administrative purposes | Managing your testsAdministration and billing | Legitimate Interests |
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason compatible with the original purpose.
WHAT PERSONAL DATA WE COLLECT
Personal identification information such as name, address, other contact details, patient number, date of birth, and gender.
Sensitive personal data: Name and address of physicians, hospitals, and other HCPs involved in the treatment of the patient’s tumor or cancer; data on relevant treatment history and pathology reports; DNA, RNA, protein, and other molecular data; and other data required for the treatment and analysis of tumors or cancer.
RECIPIENTS OF PERSONAL DATA
We may share your personal data with third parties, including:
- Caris and its distributor in your region.
- Companies that are part of Caris’s corporate group.
- Our services providers (such as hosting providers and IT service providers).
- Your healthcare insurance or healthcare plan, where applicable.
- Your HCPs.
- Regulatory authorities.
- Lawyers and all interested parties but exclusively in the case of the management of possible disputes and other legal matters where appropriate.
We may also share your personal data with academic researchers, universities, hospitals, laboratories, and life science, pharmaceutical, and other companies for the purposes of research, where you have provided us with consent to do so. A list of these companies is here. Before sharing any data with these organisations for the purpose of research, we take data minimisation steps, such as pseudonymisation or anonymisation (where possible) and take steps to ensure the research is undertaken in accordance with relevant laws, including ethical consents where required.
RETENTION AND SECURITY OF YOUR PERSONAL DATA
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements.
We follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised person accessing it.
YOUR RIGHTS
Subject to the exceptions under applicable laws, you may exercise the following rights:
- You can access, correct, update or request deletion of your personal information.
- In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
If you want to exercise any of these rights, please contact Privacy@CarisLS.com. Under certain circumstances, we may ask you for specific information in order to confirm your identity. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.
You also have a right to lodge a complaint with your national data protection authority.
For more information on your rights, please visit: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/
WHERE YOUR PERSONAL DATA WILL BE STORED
Your data will be stored in the United States.
TRANSFER OF YOUR PERSONAL DATA
We may transfer your personal data for the purposes described in this notice to countries which do not provide an adequate level of protection according to the GDPR. In the absence of an adequacy decision and after having carried out an assessment of the level of protection of your rights on the territory of the third country where the recipient is established, we will implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses).
If you want to be provided with a copy of these safeguards, please contact Privacy@CarisLS.com.