Data Safeguards, Privacy and Destruction
Data Safeguards Policy
RWS Life Sciences (“Organization”) has implemented the following safeguards to protect the Organization, client, and personal information it obtains, uses, accesses, or processes in connection with its performance of translation services.
Network and Computer Security The Organization uses up-to-date virus protection software on all computers used by the Organization.
The Organization uses a firewall product, such as a firewall built into its operating system, a network appliance, or a personal firewall software package
The Organization’s vendors keep all applications, including operating systems, patched with any software patch product, including automatic update services, that are recommended for any application or operating system used in performance of translation services.
The Organization does not run or send programs of unknown origin.
The Organization disables hidden filename extensions.
The Organization makes regular backups of critical data, keeps a copy of important files on removable media, and uses a software backup tool if available. The Organization stores its backup disks in a secure location.
The Organization keeps a recovery disk in case its computers are damaged or compromised.
The Organization encrypts its wireless connection.
The Organization requires any vendor with which it works to affirm in writing its compliance with the above network and computer safeguards.
Protected Information
Protected information includes confidential and non-public Organization, client, and supplier personal information gathered and/or utilized in the course of establishing and maintaining business relationships and/or in the performance of translation services. Access to protected information is limited. The Organization may disclose such information to clients and suppliers, for the purpose of performing translation services or fulfilling audit activities, or may disclose such information to regulatory agencies or ISO registrars for the purpose of fulfilling certifications.
Personal Information in Client Documents
The Organization utilizes a procedure by which it takes reasonable and appropriate steps to identify personal information in documents supplied by clients. This information may include individual or patient names, addresses, phone numbers, fax numbers, email addresses, birth dates, social security numbers, medical record numbers, health plan beneficiary number, account numbers, photographs or other images, and any other unique information by which an individual or patient may be identified. Access to the client documents that may contain such personal information is limited to the Organization’s production staff assigned to the client’s projects. When such information is discovered, processing will cease, the documents will be segregated immediately, and the client will be informed. Based on determination by the client, the Organization will either redact the PII and continue with processing or destroy the original source documents and provide the client with Certificate of Destruction, as described below.
Protection of Documents
Any documents that the Organization receives or obtains in connection with its performance of translation services, including paper copies, computer disks, removable media, or electronic submission, which contains protected information, are stored in a secure location, accessible only by those Organization employees with a need for such access. Physical documents containing protected information are retained by the Organization only until the assignment is complete, and are then returned to the client. Any copies or backup files (including electronic copies) are not maintained and will be destroyed.
Data Privacy Policy
The Organization respects individual privacy and values the confidence of its clients. The Organization does not collect, use or disclose personal information provided by clients. At the direction of the client, the Organization may use personal information for the purpose of processing translation requests only. The Organization does not store or disclose client provided personal information for any other reason than to ship and invoice requested translation services. However, in the event that the Organization did use any of this information, it would be conducted in a manner consistent with the laws of the countries in which it does business and with the Privacy Shield Principles set forth in the Privacy Shield. The Organization and its predecessor organizations have a tradition of upholding the highest ethical standards in its business practices. This Data Privacy Policy Statement sets forth the privacy principles the Organization follows with respect to transfers of personal information from the European Union and from Switzerland to the United States.
Privacy Shield
RWS Life Sciences complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. RWS Life Sciences has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.
Scope
This Privacy Shield Policy Statement applies to all personal information received by the Organization in the United States from the EU and from Switzerland, in any format, including electronic, paper, or verbal.
Privacy Principles
The privacy principles in this Policy have been developed based on the Privacy Shield Principles.
Notice: Where the Organization collects personal information directly from individuals in the EU and Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non–agent third parties to which the Organization discloses that information, the choices and means, if any, the Organization offers individuals for limiting the use and disclosure of personal information about them, and how to contact the Organization. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to the Organization, or as soon as practicable thereafter, and in any event before the Organization uses or discloses the information for a purpose other than that for which it was originally collected.
Where the Organization receives personal information from its parent, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
Choice: The Organization will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual or client.
For sensitive personal information, the Organization will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual or client.
The Organization will provide individuals with reasonable mechanisms to exercise their choices.
Accountability for Onward Transfer: The Organization will obtain assurances from its agents that they will safeguard personal information consistently with this Policy. Where the Organization has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, the Organization will take reasonable steps to remediate.
Security: The Organization will take reasonable and appropriate measures to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation: The Organization will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual or client. The Organization will not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual or client. The Organization will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Access: Upon request, the Organization will grant individuals reasonable access to personal information that it holds about them. In addition, the Organization will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
Recourse, Enforcement, and Liability: The Organization will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that the Organization determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Any questions or concerns regarding the use or disclosure of personal information should be directed to the RWS Life Sciences Headquarters at the address given below. The Organization will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved between the Organization and the complainant, the Organization has agreed to participate in dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Privacy Shield Principles. For disputes involving personal information received by the Organization from its clients, the Organization will employ a licensed moderator to mitigate and resolve.
In reference to Data Privacy, the Organization is subject to the investigatory and enforcement powers of the FTC and any other U.S. authorized statutory body.
The Organization commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
In the context of an onward transfer, the Organization has responsibility for the processing of personal information it receives and transfers on its behalf. The Organization shall remain liable under the Privacy Shield Principles if its agent processes such personal information in a manner inconsistent with the Privacy Shield Principles, unless the Organization proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, the Organization commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact RWS Life Sciences at:
Attn: Privacy Policy Committee
RWS Life Sciences
101 East River Drive, 2nd Floor
East Hartford, CT 06108
Email: data.governance@rws.com
Independent Dispute Resolution ICDR/AAA
The Organization has further committed to refer unresolved Privacy Shield complaints to International Centre for Dispute Resolution American Arbitration Association (ICDR/AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit ICDR/AAA at the location listed below for more information or to file a complaint. The services of International Centre for Dispute Resolution Case Filing Services are provided at no cost to you.
For claims and disputes arising under or relating to this Policy, individuals may invoke binding arbitration in a location mutually agreeable to the parties. An award of arbitration may be confirmed in a court of competent jurisdiction.
ICDR/AAA Contact
International Centre for Dispute Resolution American Arbitration Association1101 Laurel Oak Road, Suite 100
Voorhees, NJ, 08043
United States
Website: http://go.adr.org/privacyshield.html
Email: casefiling@adr.org
Phone: +1.856.435.6401
Fax: +1.212.484.4178
Limitation on Application of Privacy Shield Principles
Adherence by the Organization to these Privacy Shield Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.Internet Privacy
The Organization sees the Internet and the use of other technology as valuable tools to communicate and interact with consumers, employees, healthcare professionals, business partners, and others. The Organization recognizes the importance of maintaining the privacy of information collected online and has standard operating procedures to govern the information collected through the web sites it operates.Contact Information
Questions or comments regarding this Policy should be submitted to the Organization by mail to: Attn: Privacy Policy Committee RWS Life Sciences 101 East River Drive, 2nd Floor East Hartford, CT 06108Changes to this Policy
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles.Destruction Policy
Paper or Electronic Documents and Files
1. Client data will be destroyed upon request by authorized clients.
2. All paper and electronic documents that contain client data will be destroyed using an acceptable method of destruction.
3. Acceptable methods of destruction for paper documents include shredding, incineration, pulverization and use of a bonded recycling company.
4. Computers, laptops, servers and hard drives are used to store client data. Data may be stored in a number of areas on a computer hard drive. For example, data may be stored in “Folders” specifically designated for storage of this type of information, in temporary storage areas and in cache. Simply deleting the files or folders containing this information does not necessarily erase the data.
a. To ensure that any client data has been removed, a utility that overwrites the entire disk drive with “1”s and “0”s must be used.
b. If the computer is being disposed of due to damage and it is not possible to run the utility to overwrite the data, then the hard drive must be removed from the computer and physically destroyed. Alternatively, the drive can be erased by use of magnetic bulk eraser. This applies to PC workstations, laptops and servers.
5. Backup or Data Tapes: Tapes, USB drives or diskettes that are being decommissioned must be degaussed before disposal. This can be accomplished using a bulk tape eraser. Alternatively, the media may be pulverized or shredded.
6. Compact Disks (CDs) and Diskettes: CDs containing resident health information must be cut into pieces or pulverized before disposal.
7. If a service is used for disposal, the vendor should provide a certificate indicating the following:
a. Computers and media that were decommissioned have been disposed of in accordance with environmental regulations as computers and media may contain hazardous materials.
b. Data stored on the decommissioned computer and/or media was erased or destroyed per the previously stated method(s) prior to disposal.
Destruction Records
The Organization provides the client with a destruction certificate upon completion of the data destruction. These certificates are signed by the appropriate member of the management staff and stored indefinitely. A Destruction Log is maintained to identify the destroyed records. At a minimum, the Destruction Log must capture the information listed below.
a. Date of destruction (date/s records are destroyed),
b. Destroyed by (name/s of the individuals responsible for destroying the records),
c. Method of destruction (method used to destroy records), and
d. Description of destroyed item (file name, document title).
Effective Date: 14 August 2020