This Privacy Shield Policy applies to Imprivata and Ground Control, Inc. and was last updated on January 11, 2021.
1. What does this Policy cover?
Imprivata complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as outlined by U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) that is transferred from European Union member countries and Switzerland to the United States. If there is any conflict between the policies outlined in this Policy and the Privacy Shield Principles, the Privacy Shield Principles will govern. To learn more about the Privacy Shield Framework, and to view our certification page, please visit https://www.privacyshield.gov/.
As the Privacy Shield Framework only applies to Personal Data transferred from European Union member countries and Switzerland, this Policy only applies to Personal Data transferred from European Union member countries and Switzerland to our operations in the United States.
All employees of Imprivata that have access to Personal Data covered by this Policy are responsible for conducting themselves in accordance with this Policy. Personal Data covered by this Policy shall not be collected, used, or disclosed in a manner contrary to this Policy without proper written permission from Imprivata's legal department.
2. What terms do I need to know to understand this policy?
"Data subject" means an identifiable natural person who can be identified, directly or indirectly, by Personal Data supplied to Imprivata.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
"Sensitive Personal Data" mean Personal Data regarding a Data Subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
3. How does Imprivata comply with Privacy Shield?
Imprivata commits to subject all Personal Data covered by this Policy to the Privacy Shields' Principles in accordance with the respective Privacy Shield Framework. Information about each of the Privacy Shield's Principles, and how Imprivata complies with each, can be found below.
Imprivata notifies Data Subjects covered by this Policy about our data practices regarding Personal Data received in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework. The information we provide to Data Subjects includes the types of Personal Data we collect about them, the purposes for which we collect and use such Personal Data, the types of third parties to which we disclose such Personal Data and the purposes for which we do so, the rights of Data Subjects to access their Personal Data, the choices and means that we offer for limiting our use and disclosure of such Personal Data, how our obligations under the Privacy Shield are enforced, and how Data Subjects can contact us with any inquiries or complaints.
If Personal Data is (a) disclosed to a third party not identified at the time of data collection or (b) used for a purpose other than that which it was originally collected for, Imprivata will provide Data Subjects with an opportunity to choose whether to have their Personal Data so disclosed or used.
Imprivata's employees are responsible for providing proper notification to Data Subjects when they
have the right to opt out of such disclosures or uses.
• Accountability for Onward Transfer
In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as a
controller, we will do so only if the third party has provided us with contractual assurances that it will
(a) process the Personal Data for limited and specified purposes consistent with the consent provided
by the Data Subject; (b) provide the same level of protection as is required by the Privacy Shield
Principles; and (c) notify us if they can no longer meet this obligation.
In the conduct of Imprivata's business operations, we may share personal data with attorneys,
consultants, human resources providers, payroll providers, and other service providers contracted to
provide services for the activities, delivery, and management of Imprivata products and services.
Imprivata may disclose personal data to approved third party data processors retained or contracted by
Imprivata such as business partners and subcontractors, including, without limitation, affiliates,
vendors, service providers and suppliers. We may share certain personal information with third parties
who conduct marketing studies and data analytics, including those that provide tools or code which
facilitates our review and management of our web site and services, such as Google Analytics or
similar software products from other providers.
Except to the extent agreed by you, Imprivata may be required to share personal information as
required or permitted by law, regulation, legal process, court order, bankruptcy or other legal
requirement, or when we believe in our sole discretion that disclosure is necessary or appropriate, to
respond to an emergency or to protect our rights, protect your safety or the safety of others, investigate
fraud, comply with a judicial proceeding or subpoenas, court order, law-enforcement or government
request, including without limitation to meet national security or law enforcement requirements, or
aforementioned exceptions, the use and disclosure of all transferred personal information will be
subject to this Policy.
In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as an
agent, we will do so only if the third party has provided us with contractual assurances that it will (a)
transfer the Personal Data for limited and specified purposes; (b) provide the same level of protection
that is required by the Privacy Shield Principles; (c) take reasonable and appropriate steps to ensure
that the agent effectively processes the Personal Data transferred in a manner consistent with our
obligations under the Privacy Shield Principles; (d) and require the agent to notify us if it makes a
determination that it can no longer meet its obligations to provide the same level of protection as
required by the Privacy Shield Principles. If we receive such a notice, we will (a) take reasonable and
appropriate steps to stop and remediate any authorized processing and (b) provide a summary or copy
of the relevant privacy provisions of our contract with that agent to the U.S. Department of
Commerce, if requested.
Imprivata remains liable under the Privacy Shield Principles if an agent processes Personal Data
covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where we
are not responsible for the event giving rise to the damage. Additionally, we may be required to
disclose Personal Data in response to a lawful request by public authorities, including to meet national
security or law enforcement requirements.
Imprivata takes reasonable and appropriate measures to protect Personal Data covered by this Policy
from loss, misuse, unauthorized access, disclosure, alteration and destruction. While Imprivata cannot
guarantee the security of Personal Data, we are committed to safeguarding all Personal Data received
from the EU and Switzerland.
• Data Integrity and Purpose Limitations
Imprivata only collects Personal Data covered by this Policy that is relevant for the purposes of
processing. We do not process Personal Data that is incompatible with the purposes for which it was
collected or authorized by the Data Subject. Additionally, Imprivata takes reasonable steps to ensure
that any Personal Data that is collected is relevant to its intended use, accurate, complete and current.
Imprivata retains Personal Data in a form identifying or making identifiable a Data Subject only for as
long as it serves a purpose of processing, which includes the performance of Services, obligations to
comply with professional standards and legitimate business purposes. We will only request the
minimum amount of Personal Data required to carry out these purposes, and will adhere to the Privacy
Shield Principles for as long as we retain Personal Data.
All Data Subjects have the right to access the Personal Data covered by this policy that Imprivata
holds about them. Additionally, if Personal Data is inaccurate or has been processed in violation with
the Privacy Shield Framework, Data Subjects have the right to access their Personal Data to correct it,
amend it or delete it.
To request access to, or correction, amendment or deletion of, Personal Data, a Data Subject should
contact us at: firstname.lastname@example.org. Imprivata will cooperate with all reasonable
requests to assist Data Subjects to exercise their rights under the Privacy Shield, except when the
burden or expense of providing access, correction, amendment, or deletion would be disproportionate
to the risks to the Data Subject's privacy, or where the rights of persons other than the Data Subject
would be violated.
• Recourse, Enforcement and Liability
Imprivata's participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield
Framework is subject to investigation and enforcement by the Federal Trade Commission. In
compliance with the Privacy Shield Principles, Imprivata commits to resolve complaints about your
privacy and our collection or use of your personal information.
EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first
Imprivata has further committed to cooperate with the panel established by the European Union data
protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner
(FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the
EU and Switzerland. If you do not receive timely acknowledgment of a complaint, or if we do not
satisfactorily address your compliant, please visit the Privacy Shield website
(https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint) for more information about
how to contact your local DPA or the Swiss Commissioner.
In addition to the above dispute resolution mechanisms, Data Subjects may be able to invoke binding
arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the
European Commission, under certain conditions.
Imprivata agrees to periodically review and verify our compliance with the Privacy Shield Principles,
and to remedy any issues that arise out of failure to comply with the Privacy Shield Principles. We
acknowledge that failure to provide an annual self-certification to the U.S. Department of Commerce
will remove Imprivata from the Department's list of Privacy Shield participants.
4. What happens if Imprivata changes this Policy?
Imprivata may modify this Policy from time to time, consistent with changes to the requirements of the
Privacy Shield Principles or Framework, or changes within our organization. If Imprivata changes this Policy,
we will provide Data Subjects appropriate notice regarding such modifications by highlighting the change on
our Site, or by emailing Data Subjects' email addresses of record.
5. How can I contact Imprivata about this Policy?
Should you have any questions or concerns about this Policy or need to update certain personal information,
please contact Imprivata: