LAST REVISION UPDATE:
February 4, 2020
EU – U.S. PRIVACY SHIELD AND SWISS – U.S. PRIVACY SHIELD COMPLIANT
To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov
AFFILIATE, PARTNER AND THIRD-PARTY WEB SITES
PURPOSE OF COLLECTION OF PERSONAL INFORMATION
“Personal Data” is any information that relates to you and that identifies you either directly from that information or indirectly, by reference to other information that We have access to. Grail Insights collects Personal Information in order to provide you with enhanced features such as customized content, access to special sections on Our website, or e-mail delivery of blog posts. Further, this Personal Information will enable Us to respond to your requests, to communicate with you, to support or enhance your relationship with Us, and improve Our services. Where you have consented to a particular processing, you have a right to withdraw the consent at any time.
WHAT PERSONAL INFORMATION GRAIL INSIGHTS ACTIVELY COLLECTS
- When you choose to register with Our Site for newsletters or white papers or when you choose to participate in an online forum, contest, sweepstakes, survey or voting procedure, We may collect Personal Information that includes, but is not limited to, your name, position or role, company name, physical mailing address, your email address, and phone number(s). We may also ask you to provide Us with demographic information or information regarding your interests, hobbies or similar information.
- When you attend trade shows, conferences or other events, We may collect Personal Information that includes, but is not limited to, your name, position or role, company, address, email address, work address, and phone numbers.
- We may provide you the opportunity to e-mail a friend an invitation to join the Site. The e-mail addresses you supply Us for such activity will be used to send the requested e-mail and will not be used to send you or your friend any other e-mail communications.
- When you visit the careers section of the website or register your interest in working for Us, you may be asked to provide your email address, residence, education, work experience and other similar information.
- If you access one or more of Grail Insights’ web-based technology platforms, you may be asked to provide certain Personal Information in order to access those web–based services.
WHAT PERSONAL INFORMATION GRAIL INSIGHTS PASSIVELY COLLECTS: COOKIES AND OTHER TECHNOLOGIES
This Site, Grail Insights’ online services, applications, platforms, email messages, and advertisements, if any, may use "cookies" and other technologies to collect information about you. A cookie is a small data file stored by the web browser on your computer’s hard drive. A cookie associates the identification numbers built into the cookie with information about you that you have provided to Us. This association allows Us to recognize you when you arrive at Our website. Other technologies tell Us which pages on Our website you have visited, count how many users visited certain web pages within Our website, and measure the effectiveness of advertisements, if any, and web searches.
LIMITATIONS ON USE AND DISCLOSURE OF PERSONAL INFORMATION
Grail Insights may share any or all of your Personal Information with and among Our affiliated or related entities, including Grail Insights affiliates located in the EU and elsewhere. These affiliated companies will use your Personal Information only to accomplish the purposes for which the Personal Information was collected. Any onward transfer of your Personal Information may also be done to allow these entities to offer you information about their businesses, products or services that may be of interest to you, or for other lawful business purposes.
Accountability for Onward Transfer (Transfers to Third Parties):
If Grail Insights transfers information to a third party that is acting as its agent, Grail Insights will require the third party to have adequate privacy protection as is required by the relevant Privacy Shield Principles or under other data protection laws. With respect to onward transfers, Grail Insights remains liable under the Principles if Our agent processes personal information in a manner inconsistent with the Principles, unless Grail Insights proves that it is not responsible for the event giving rise to the damage.
Grail Insights may, if required by law, legal process, litigation and/or requests from public or governmental authorities, disclose your Personal Information. We may also disclose Personal Information about you if We determine, in good faith and in Our sole discretion, that such disclosure is necessary for purposes of national security, law enforcement, the prevention of a crime, or other issues of public importance. We may also disclose Personal Information about you if We determine, in Our sole discretion, that it is reasonably necessary to enforce the T&Cs, or to protect Our operations or users. Additionally, in the event of a corporate reorganization, merger or acquisition, or sale, We may transfer any and all Personal Information we collect to a relevant third party.
OPTING OUT: HOW YOU CONTROL THE USE OF YOUR PERSONAL INFORMATION
In the event you decide that you want to opt out from Grail Insights’ use of your Personal Information that you previously provided to Grail Insights, you may opt out of Our use of your Personal Information by using the "Contact Us" option at https://www.grailinsights.com/contact-us/
Additionally, you can contact Us regarding exercising the following rights:
- Change or Correct Data
- Delete Data
- Object to or restrict the use of certain personal data
- Request access to your data
INTEGRITY, PROTECTION AND RETENTION OF YOUR PERSONAL INFORMATION
This website is not intended for use by children. Grail Insights does not knowingly solicit or collect Personal Information from children under the age of 13. If you are under the age of 18, you must obtain the consent of your parent or guardian to use this website. Grail Insights encourages parents and guardians to take an active role in their children’s online activities and interests.
FEDERAL TRADE COMMISSION ENFORCEMENT POWERS
As a Privacy Shield participating organization, Grail Insights is subject to the jurisdiction of the Federal Trade Commission. Under the Federal Trade Commission Act, an organization’s failure to abide by commitments to implement the Privacy Shield Principles may be challenged as deceptive by the FTC. The FTC has the power to prohibit such misrepresentations through administrative orders or by seeking court orders.
INQUIRIES AND COMPLAINTS
Grail Insights has further committed to refer unresolved privacy complaints to the EU Data Protection Authorities (EU DPAs). To find your country’s Data Protection Authority, please visit https://edpb.europa.eu/about-edpb/board/members_en.
Grail Insights commits to cooperate with EU DPAs and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. You may have the ability, under certain conditions, to invoke binding arbitration with a Privacy Shield Panel for complaints regarding Grail Insights’ Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information regarding this arbitration, please visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
General Data Protection Regulation (GDPR) Compliance
Grail Insights is a business process outsourcing company and may process European Economic Area (“EEA”) residents’ personal data. When it does, it does so in compliance with the General Data Protection Regulation (“GDPR”).
Under the GDPR, there are 6 legal bases for processing personal data of EEA residents:
- The data subject has given consent to the processing.
- Processing is necessary for performance of a contract between two parties.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the data subject’s vital interests.
- Processing is necessary in order to protect a public interest or exercise official authority.
- Processing is necessary for the purpose of legitimate interests, so long as fundamental rights and freedoms are not infringed.
Under the GDPR, EEA residents have the following rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights related to automated decision making and profiling.
Grail Insights will continue to (and ensure that any subprocessor acting under its authority will):
- Process personal data only as needed to provide services in accordance with the specific documented instructions the data controller provides to Grail Insights, including with regard to any transfer, as set forth in the governing contracts, unless required to otherwise comply with any EEA or Member state law;
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Take all security measures required by GDPR.
- Comply with the obligations regarding personal data breaches (GDPR Articles 33 and 34 and item 5 below), data protection impact assessments (GDPR Article 35), and prior consultation (GDPR Article 36), in all cases, taking into account the nature of processing and the information available to Grail Insights;
- At the data controller’s discretion, delete or return all the personal data to the data controller after the end of the provision of services relating to processing, and delete existing copies unless applicable EEA or Member State law requires Grail Insights to store the personal data;
- Provide the data controller with all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller; and
- Immediately inform the data controller if, in its opinion, an instruction infringes the GDPR or other EEA or Member State data protection provisions.
- Grail Insights shall not share any personal data with or engage any subprocessor without the written authorization of the data controller. Grail Insights will impose data protection obligations on any subprocessor that are at least as strong as those Grail Insights commits to with its data controller.
- Grail Insights will not transfer any personal data outside the EEA (and shall not permit its approved subprocessors to transfer any personal data outside the EEA) without the prior consent of its data controller. Grail Insights understands that adequate protection for the personal data must exist after the transfer.
- Grail Insights shall promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the personal data. Grail Insights will notify the data controller without undue delay in the event of any personal data breach.
- Grail Insights maintains a team of individuals across all of its regions dedicated to data protection issues. These liaisons are the point of contact both internally and externally for questions or concerns regarding Grail Insights’ data protection efforts. They can be contacted at email@example.com.
Employee education is an important component of Grail Insights’ security and privacy regime. Regular awareness and education about the importance of information security are provided to all Grail Insights employees through newsletters, awareness posters, trainings, and infomercials.
California Consumer Privacy Act of 2018 (CCPA) Compliance
California residents have been afforded new rights under the CCPA. Specifically, a California resident has the right to:
- Request disclosure of Grail Insights’ business data collection and sales practices, including the categories of personal information that Grail Insights has collected, the source of the information, Grail Insights’ use of the information, and if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold.
- Request a copy of the specific personal information collected about them during the 12 months before their request (such request can only be made twice in a 12-month period).
- Have such information deleted (with exceptions).
- Request that personal information not be sold to third parties, if applicable.
- Not be discriminated against because they exercised any of their rights.
Personal information or erasure requests may be submitted on Grail Insights’ website’s contact page found here: https://www.grailinsights.com/contact-us/. Alternatively, such a request can be made by calling the following toll-free number: +1 (800) 895-9186 or by sending an email to firstname.lastname@example.org
In the past twelve months since the policy effective date, Grail Insights has collected the following categories of personal data: contact information, government IDs, cookies, social security number, health information, information on race, gender, and ethnicity, and professional, educational, and employment information. The source of each of these categories of personal information is one of the following: law firm or corporate clients on whose behalf Grail Insights processes data (almost always electronically); Grail Insights’ human resources department, via the receipt of resumes and job applications on the Grail Insights website; or Grail Insights’ marketing department, via cookies on the Grail Insights website as well as a “Contact Us” submission page. All categories of data are used either in support of the data processing services Grail Insights provides to its clients as a business process outsourcing company, for its own internal market research and human resources functions, or for legal and compliance purposes. Grail Insights only discloses personal information for its business process outsourcing operations in accordance with instructions it receives from its clients, the data controllers.