The U.S. Department of Commerce and the European Commission have agreed on a set of data protection principles to enable U.S. companies to satisfy requirements under European Union law related to transfers of PII from the EEA to the U.S. (the “U.S. – EU Safe Harbor”). Likewise, the U.S. Department of Commerce and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland have agreed on a similar set of data protection principles to enable U.S. companies to satisfy requirements under Swiss data protection law related to transfers of PII from Switzerland to the U.S. (the “U.S. – Swiss Safe Harbor”). In keeping with its commitment to protect personal privacy, Dendreon complies with, and has certified its adherence to, the privacy principles (the “Principles”) of both the U.S. – EU Safe Harbor and the U.S. – Swiss Safe Harbor.
This Policy applies to all PII Dendreon receives in the U.S. from the EEA and Switzerland, in any format.
The following key terms are used throughout this Policy:
“European Union (EU)” refers to those states that are members of the EU and include Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
“European Economic Area (EEA)” refers to those states of the EU, in addition to Iceland, Liechtenstein and Norway.
“Personally Identifiable Information (PII)”, also known as “Personal Information (PI)”, is any type of data and information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, by reference to an identification number or factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Set forth below is a non-exclusive list of information that constitutes PII when such information relates to an identified or identifiable natural person, either on their own or when combined together: account number (e.g., bank account, personal/company credit card), address, biometric identifier (e.g., fingerprints or voice recordings), birth certificate or professional license number, date of birth, government identifiers (such as social security numbers or driver's license numbers), health information, name, personnel number, photograph or video identifiable to an individual. PII may also include other information related to an individual that may directly or indirectly identify the individual (e.g., in most cases salary, career history, etc.).
“Sensitive PII” is a category of PII that, according to local regulations or business decisions, requires an extra level of protection or a higher duty of care. Sensitive types of data are generally considered to be without limitation: PII specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sexual orientation of an individual.
NOTICE: Where Dendreon collects PII directly from individuals in the EEA and Switzerland, it will inform such individuals about the purposes for which it collects and uses information about them, how to contact Dendreon with any inquiries or complaints, the types of third parties to which Dendreon discloses the information, and the choices and means Dendreon offers individuals for limiting its use and disclosure. Notice is provided in clear and conspicuous language when individuals are first asked to provide PII to Dendreon or as soon thereafter as is practicable, but in any event before Dendreon uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. Dendreon explains the need for PII and in some cases Sensitive PII, relating to its innovative products, research and general business.
Where Dendreon receives PII from its subsidiaries, affiliates or other entities in the EEA and Switzerland, it uses and discloses such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such PII relates.
CHOICE: Without prejudice to any applicable law or regulation mandating PII processing or disclosure, Dendreon offers individuals the opportunity to choose (i.e., opt out) whether their PII is: (a) to be disclosed to a third party; or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual.
Dendreon provides notice where PII will be shared or collected by third parties. Dendreon is committed to honoring cases in which individuals express their objection (opt out) to having their data shared with, or collected by, other third parties. However, in cases where Dendreon has hired third party service providers to perform specific services (e.g., external medical research organizations for the conduct of clinical trials or payroll providers for payroll administration), and where the individual opts out as described above, Dendreon will not be able to provide that service.
Dendreon recognizes that EEA and Swiss citizens may request to opt out of sharing their PII with third parties in the future even after earlier agreeing to such sharing. Although Dendreon is committed to honoring such requests (for future PII sharing), there may be limited cases in which Dendreon is under a legal obligation or has a legitimate interest in continuing to share PII for a limited period of time. This is namely the case where patients’ PII has to continue to be processed in the framework of a clinical trial and not doing so might endanger the quality of the results or final outcome of the clinical trial. However, in these circumstances, Dendreon has taken measures to ensure that: (a) PII will only be used to the extent necessary for the quality of the clinical trial; and (b) the PII will not be used or shared for any other reason than for satisfying the scientific and medical needs of the clinical trials or applicable regulatory requirements.
DATA INTEGRITY: Dendreon does not process PII in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Dendreon will take reasonable steps to ensure that PII is reliable for its intended use, accurate, complete, and current.
TRANSFERS TO AGENTS: When disclosing PII from individuals in the EEA or Switzerland to a third party, Dendreon applies the Notice and Choice Principles. Where Dendreon wishes to transfer such PII to a third party that is acting as an agent, it will only do so if: (a) it first ascertains that the third party subscribes to the Principles; (b) is subject to EU Directive 95/46/EC, Swiss Federal Act on Data Protection and/or another adequacy finding; or (c) enters into a written agreement with the third party requiring that the third party provide at least the same level of privacy protection as is required by the Principles.
Where Dendreon has knowledge that an agent is using or disclosing PII in a manner contrary to this Policy, it will take reasonable steps to prevent or stop the use or disclosure.
SECURITY: Dendreon takes reasonable precautions to protect PII in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. Specifically, Dendreon established a data classification framework to help provide protection for all confidential PII and increased protection for Sensitive PII.
ACCESS AND CORRECTION: Upon request, Dendreon will grant individuals reasonable access to PII it holds about them. In addition, Dendreon will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
ENFORCEMENT: Dendreon monitors compliance with the Principles through periodic privacy compliance assessments and, as necessary, audits, and provides a readily available and affordable recourse mechanism for individuals providing PII, as described in the Dispute Resolution section below.
DISPUTE RESOLUTION: Any questions, concerns or complaints regarding this Policy should be directed to Dendreon’s Corporate Privacy and Compliance Office at the address given below. Dendreon will investigate and attempt to resolve complaints and disputes regarding this Policy. However, for complaints or disputes that cannot be resolved by Dendreon, it has agreed to participate in the following dispute resolution mechanisms:
Questions or comments regarding this Policy can be submitted to the Dendreon Privacy Office by mail to:
Dendreon Corporate Privacy and Compliance Office
1301 2nd Avenue
Seattle, WA 98101
Or by e-mail: Privacy@Dendreon.com
Or by telephone: 866-767-8839
This Policy may be amended from time to time, consistent with the requirements of the Principles. A notice will be posted on the privacy page of the Dendreon web site (www.dendreon.com) for at least 60 days whenever this Policy is changed in a material way.
EFFECTIVE DATE: June 30, 2011
For further information about the Safe Harbor Program, see the U.S. Department of Commerce website at http://www.export.gov/safeharbor/.