GE HealthCare’s Commitment to the Protection of Personal Information
GE HealthCare respects the privacy rights of individuals and is committed to handling Personal Information responsibly, in accordance with applicable law, applicable contractual obligations, and GE HealthCare’s Commitment to the Protection of Personal Information (the Commitment), described below. The Commitment sets out GE HealthCare’s principles for the processing of Personal Information by and on behalf of GE HealthCare.
The Commitment establishes a legal basis for cross-border transfers of Personal Information within the GE HealthCare Group (all wholly or majority-owned divisions of GE HealthCare Company). Additionally, GE HealthCare may carry out cross-border transfers of Personal Information to third parties outside the GE HealthCare Group in accordance with applicable law. GE HealthCare will handle Personal Information in accordance with the Commitment where applicable, unless in conflict with stricter requirements of local law, in which case local law will prevail.
The Commitment is designed to ensure that Personal Information will be protected regardless of geography or technology, when used within the GE HealthCare Group, and applies to GE HealthCare’s processing of GE HealthCare Personal Information and GE HealthCare Customer Personal Information.
Processing Personal Information
GE HealthCare only processes GE HealthCare Customer Personal Information on behalf of the Customer and in accordance with the Customer’s instructions.
GE HealthCare observes the following principles when processing Personal Information and provides reasonable cooperation and assistance to Customer to facilitate its observance of the same principles. Where required by applicable law, this includes assisting Customer with privacy impact assessments, necessary consultations with relevant data protection authorities and with implementing compliance measures such as privacy by design and by default:
Fairness: GE HealthCare will process Personal Information fairly and lawfully.
Purpose: GE HealthCare will limit the processing of Personal Information to the fulfilment of GE HealthCare’s specific, legitimate purposes. GE HealthCare will only carry out processing that is compatible with such purposes unless GE HealthCare has the unambiguous consent of the individual or confirmation from the relevant Customer that such consent has been obtained where required.
In general, GE HealthCare will process Personal Information:
- where GE HealthCare has a legitimate interest that, on balance, justifies the processing;
- where necessary for the maintenance or the performance of a legal relationship between GE HealthCare and the individual;
- where necessary for complying with an obligation imposed on GE HealthCare by applicable law, regulation, or governmental authority;
- where there are exceptional situations that threaten the life, health or security of the individual or of another person;
- after obtaining the individual’s freely given, explicit and informed consent where required by applicable law; or
- where the processing is in connection with a Customer service agreement.
Where consent has been obtained directly by GE HealthCare, GE HealthCare will provide a process to allow individuals to withdraw their consent to the extent required under applicable law, at any time and without charge.
Proportionality: GE HealthCare will limit the processing of Personal Information to that which is adequate, relevant and not excessive in relation to the purposes for which GE HealthCare collects and uses it.
Information Quality: GE HealthCare will take reasonable steps to provide Customer with a means to ensure that Personal Information is accurate and kept up to date, to keep Personal Information only for as long as necessary for the purposes for which it is collected and used, and to delete or to render it anonymous after such retention requirements have been met.
Following a valid Customer request and where reasonably practicable to do so, GE HealthCare will:
- perform or provide Customer with the means to rectify, update, anonymise or delete (as applicable) GE HealthCare Customer Personal Information; and
- notify this fact to each GE Entity or third party to whom the GE HealthCare Customer Personal Information has been disclosed.
Transparency: Where required by applicable law, GE HealthCare will make available to individuals at the point of collection, or within a reasonable period of collection, information about GE HealthCare’s identity; the purposes and legal basis of processing their Personal Information; intended recipients and cross-border data transfers; source(s) of Personal Information; how individuals may exercise their rights regarding Personal Information; contact details for the Data Protection Officer where applicable; and additional explanations as needed to ensure fair processing. Where GE HealthCare collects Personal Information through the Internet or other electronic means, GE HealthCare will post an easily accessible privacy notice that meets these transparency requirements.
Confidentiality: GE HealthCare will maintain the confidentiality of Personal Information it processes, except where disclosure is required by an applicable operational or legal requirement. This obligation will continue even after the relationship with the Customer has ended. GE HealthCare requires that all members of the GE HealthCare Group that process GE HealthCare Customer Personal Information and their employees comply with the Customer’s instructions regarding processing of the GE HealthCare Customer Personal Information.
Security: GE HealthCare strives to protect Personal Information with appropriate technical and organizational measures to ensure its integrity, confidentiality, security and availability and requires that all members of the GE HealthCare Group that process GE HealthCare Customer Personal Information and their employees comply with the security and confidentiality measures set out in the service agreement with Customer. GE HealthCare will provide reasonable assistance to GE HealthCare Customer to ensure the security of their processing and will inform GE HealthCare Customer of a security breach of GE HealthCare Customer Personal Information as required under such laws.
Effect of Term: On termination of the service agreement with Customer, unless otherwise agreed with the Customer or prevented from doing so by applicable law, GE HealthCare will return or destroy (and in the case of destruction, certify to the Customer that it has done so) all of the GE HealthCare Customer Personal Information and all copies it holds thereof.
Sharing and/or Transferring Personal Information
GE HealthCare may share or transfer Personal Information in the following circumstances:
- Personal Information may be shared within the GE HealthCare Group for the purposes specified above, provided the GE HealthCare Group entity processing Personal Information adheres to this Commitment.
- GE HealthCare may provide Personal Information to selected suppliers or service providers hired to perform certain processing or other services on its behalf. GE HealthCare will strive to ensure that new supplier engagements provide for processing of Personal Information in a manner consistent with this Commitment and applicable law by means of a legal relationship established through a contract or other legally permissible means which shall impose equivalent obligations on the supplier to those that apply to GE HealthCare under the service agreement with Customer. Under such contracts, suppliers must implement adequate security measures and may only process Personal Information in accordance with GE HealthCare’s instructions.
- GE HealthCare may disclose certain Personal Information to other third parties, including law enforcement authorities, where required by law, to protect GE HealthCare’s legal rights, or in connection with any GE HealthCare merger or acquisition activity or the insolvency or re-organization of any part of GE HealthCare. GE HealthCare may carry out cross-border transfers of Personal Information within the GE HealthCare Group, based upon recipient Group members’ adherence to the relevant parts of this Commitment. GE HealthCare may also carry out cross-border transfers outside the GE HealthCare Group when the recipient will afford the minimum level of protection provided for in this Commitment, relies on an appropriate justification under applicable law, or the country to which such information is transmitted affords the level of protection provided by adequacy decisions of the EU Commission. As part of GE HealthCare’s commitment to accountability, GE HealthCare will be ready to demonstrate that a cross-border transfer complies with the protections provided for in this Commitment, in particular where so required by a competent supervisory authority.
- When performing cross-border transfers, the GE HealthCare Companies and the GE HealthCare Entities have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the Personal Information by the data importer prevent the data importer from fulfilling its obligations under this Commitment, and they take due account of the specific circumstances of the cross-border transfer, the laws and practices of the third country of destination, and any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under this Commitment.
Processing of Sensitive Personal Information
Where GE HealthCare processes and/or transfers Sensitive Personal Information, it will do so under the Customer’s instructions and apply the appropriate safeguards as required by applicable law. Appropriate security measures will be provided depending upon the nature of this information and the risks associated with its intended uses.
GE HealthCare is accountable for fulfilling the requirements set out in the Commitment and under applicable law. In particular, GE HealthCare will:
- take the necessary measures to observe the requirements of the Commitment and applicable law; and
- have the necessary internal mechanisms in place to demonstrate such observance, including maintaining a record of its processing activities in accordance with applicable law.
GE HealthCare employs privacy practices designed to support its compliance with the Commitment and applicable law, including the appointment of a network of privacy leaders, education and awareness programs, incident response protocols, privacy impact assessments, audit routines, and a Privacy by Design and Privacy by Default approach to process and system development.
In accordance with applicable law, an individual who has satisfactorily established his or her identity to GE HealthCare or to Customer may exercise the following rights in relation to Personal Information GE has collected directly from him or her; GE HealthCare will assist the Customer in meeting its privacy obligations toward individuals:
Access: Where required by applicable law, following a request by an individual and upon Customer’s instructions, GE HealthCare will provide Personal Information about him or her that GE HealthCare holds, including information concerning the source of the Personal Information, the purposes of any processing by GE HealthCare and the recipients, or categories of recipients, to whom such Personal Information is disclosed.
Correction and Deletion: Upon Customer’s instructions, valid requests for correction or deletion of Personal Information which is not incomplete, inaccurate or excessive will be respected, and confirmed as such, except that deletion will not be performed where retention is required by the contractual relationship between GE HealthCare and Customer, in the context of a legal dispute or other legal retention requirement, or as otherwise required by applicable law.
Objection: Upon Customer’s instructions, GE HealthCare will cease processing Personal Information where an individual’s objection is justified under applicable law, for example where the individual’s life or health is at risk due to the processing. An individual also has the right to object to decisions based solely on automated processing of Personal Information that produce legal effects which significantly affect the individual involved, except where the individual requested the processing, or when necessary for the contractual relationship between GE and Customer. In the latter case, the individual may give his or her views on the automated decision. An individual has the right to object to processing of Personal Information by GE HealthCare for marketing purposes where allowed by applicable law. The exercise of this right to object may be superseded where GE HealthCare and/or Customer can demonstrate that their compelling legitimate interest in continuing the processing overrides the interests or fundamental rights and freedoms of the individual.
Restriction: An individual also has the right to request the restriction of any processing of his or her GE HealthCare Personal Information by GE HealthCare, to the extent such right is provided for under applicable law, for example where the accuracy of the GE Personal Information is contested. Upon Customer’s instructions, GE HealthCare will cease processing such information where the restriction is justified, with the exception of storage and other permitted continued processing under applicable law.
Complaints: Any individual who claims to have suffered damage as a result of non-compliance by a GE HealthCare Group entity with the Commitment may file a complaint with the applicable GE HealthCare Group Privacy Leader or Compliance Officer, or with GE HealthCare’s Complaint Handling Processes available on GE HealthCare’s websites if other channels are unavailable or exhausted:
- Internal concern reporting: https://gehc-privacy-portal.cloud.health.ge.com/wordpress/
- External concern reporting: privacy.GEHC@ge.com.
GE HealthCare will only be required to handle the complaint if the Customer has become insolvent, factually disappeared or has ceased to exist at law and only where the legal obligations of the Customer have not been assumed by a successor entity.
If Customer considers the complaint to be justified, GE HealthCare will assist Customer and take reasonable steps to resolve the complaint to the reasonable satisfaction of the individual. GE HealthCare endeavors to assist Customer to respond to complaints within thirty days of receipt. An individual with an unresolved complaint regarding GE HealthCare’s compliance with the Commitment within countries governed by the APEC Cross Border Privacy Rules may contact GE HealthCare’s US-based third-party dispute resolution provider (free of charge).
Enforcement: An individual who has suffered damage as a result of a breach of the Commitment may be entitled to receive compensation for such damages in accordance with applicable law and as provided in the Commitment. An individual who is entitled to receive compensation may enforce his or her rights as provided in the Commitment by direct recourse to the courts or other judicial authority in accordance with applicable law.
Cooperation with Supervisory Authorities
GE HealthCare will cooperate with any competent national or regional supervisory authority responsible for supervising applicable privacy law that has good cause to question any processing of Personal Information by GE HealthCare, and will comply with such competent supervisory authority’s decisions on any issue related to the Commitment.
GE HealthCare will notify Customer of any legally binding request that it receives from a law enforcement authority for the disclosure of the GE HealthCare Customer Personal Information, unless otherwise prohibited by applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
Changes to the Commitment
GE HealthCare reserves the right to modify the Commitment. Any material changes will be submitted to GE HealthCare’s lead Data Protection Authority and/or its trustmark agent, where appropriate, and will be notified on GE HealthCare’s website.
Where any proposed change to the Commitment will have a materially detrimental effect upon the processing conditions for GE HealthCare Customer Personal Information, GE HealthCare notifies the Customer of such proposed change, and Customer can either object to the proposed change for the purposes of an existing service agreement or terminate the relevant service agreement.
Personal Information is any information relating to an identified or identifiable natural person.
GE HealthCare Personal Information is any Personal Information that is obtained in the context of an individual’s relationship with GE HealthCare and which GE HealthCare processes on behalf of the Customer. Such GE HealthCare Personal Information may include, for example, customer data obtained in the context of a customer relationship with GE HealthCare.
GE HealthCare Customer Personal Information is any Personal Information that is obtained in the context of the provision of services by GE HealthCare to a Customer under a service agreement and which GE HealthCare processes on behalf of the Customer.
Customer is a person or entity that enters into a service agreement with GE HealthCare.
Sensitive Personal Information, a special category of Personal Information, is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation.