European Union (EU) Privacy Notice (Effective 2018)
Last update: December 10, 2021
This Privacy Notice may be updated at any time. Each Privacy Notice mentions the date of its last update.
This notice describes how UPMC collects and processes your Personal Data, including sensitive health data.
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This EU Privacy Notice applies to Personal Data collected by UPMC from individuals who are in the European Union (EU) at the time the Personal Data is provided.
UPMC understands that your Personal Data, particularly health and employment information, is sensitive and confidential. UPMC makes every reasonable effort to protect your Personal Data.
UPMC will not collect Personal Data from you if the collection of such Personal Data is in violation of your fundamental rights as an individual and/or minor.
UPMC may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at UPMC’s EU-based operations. UPMC may also receive and/or manage Personal Data for organizations within EU member countries that UPMC does business with. UPMC may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, UPMC adheres to the EU General Data Protection Regulation 2016/679 (GDPR). All UPMC operations that have access to Personal Data from an EU member country shall follow this EU Privacy Notice and other Privacy rules required under US law (as applicable), or EU individual provider-based data protection agreements.
UPMC is comprised of a network of hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other health care related services. Our workforce includes our staff, physicians, students, residents, trainees, volunteers, and others providing services within or for these facilities, who may or may not be directly employed by UPMC.
UPMC may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Privacy Notice describes. UPMC takes reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.
UPMC shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. UPMC will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete and current.
FOR OUR PATIENTS
UPMC may create and maintain records with Personal Data about your care. We may process your Personal Data for purposes such as:
- Providing healthcare services to you;
- Designing, implementing and/or maintaining patient care and patient-related information systems;
- Maintaining medical records (including transcriptions, laboratory results, diagnostic images and other types of clinical information);
- Performing government reporting; and
- Conducting auditing, accounting, financial, quality assurance and economic and clinical analyses.
With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters etc.), UPMC will not share such information except as otherwise described in this Privacy Notice unless specifically authorized by you. UPMC may disclose sensitive Personal Data if required to comply with the legal process.
In the course of your treatment or utilising any of the healthcare services of UPMC, your Personal Data (relating to you, your next of kin or legal representative for emergency contact) may be processed by the health and administrative staff of UPMC.
In addition, Data Processors and third parties who provide services to UPMC (such as, professionals, consultants, external laboratories, insurers, etc.), may also access your data.
Such processing of Personal Data may include its collection, recording, retrieval, use, retention, and disposal/destruction.
Personal Data may include (but is not limited to):
- Address (Phone, email, Contact information)
- Medical information (i.e., Diagnosis, Medication, Medical history)
- Health insurance and payment details
- Religious affiliation (where relevant)
This also includes any other information which is relevant for the purpose of your diagnosis, treatment, and/or availing of healthcare services in a UPMC facility.
Your electronic Personal/Sensitive data will be stored and processed securely on IT systems owned and managed by UPMC within our premises or in secure cloud-hosted data centres within the EU.
As Data Controller, UPMC may use third-party data processors to assist in processing the data. They are subject to the same professional codes of conduct, national laws, and EU data protection legislation as well as binding contracts.
UPMC will keep your data only as long as necessary or as prescribed by the applicable data protection or medical records laws.
FOR OUR WORKFORCE
UPMC creates and maintains records with Personal Data about your employment or staff-related services. UPMC may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:
- management and administration of employment-related matters;
- designing and administering compensation, benefits, and human resource programs;
- designing and implementing employment-related education and training programs;
- monitoring and evaluating employee conduct and performance;
- maintaining plant and employee security, health and safety;
- facilitating communications, negotiations, transactions, and conferences; and
- compliance with contractual and legal obligations.
All Personal Data received and stored by UPMC will be maintained for no less than the minimum number of years as required by applicable laws.
UPMC may transfer Personal Data to a third party acting as its agent/Data Processor (e.g., health care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services and benefit administrators) without the necessity to provide additional notice to you, as long as UPMC has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Privacy Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider-based data protection agreements.
YOUR RIGHTS AS A DATA SUBJECT
Upon request, UPMC will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data. Please see the Medical Healthcare Records section of the website for specific information related to your medical record. In addition to the right to access your Personal Data, you also have the following rights:
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restriction of Processing
- Right to Portability
- Right to Object
- Right not to be subject to a decision based solely on automated processing
Questions or concerns regarding the use or disclosure of Personal Data should be directed to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data.
DATA CONTROLLER CONTACT INFORMATION
Should you need to contact the Data Protection Officer (DPO) at any of our locations, please do so at the following addresses:
DPO, UPMC Aut Even Hospital Limited, Freshford Road, Co. Kilkenny R95D370. Email: email@example.com
DPO, UPMC Whitfield Hospital Limited, Cork Road, Butlerstown, Waterford, X91DH9W. Email: firstname.lastname@example.org
DPO, UPMC Kildare Hospital Limited, Prosperous Road, Clane, Co. Kildare, W91 W535. Email: email@example.com
DISPUTE RESOLUTION PROCESS
If you have a question regarding UPMC’s use of your Personal Data, you may contact UPMC or the Country’s Data Privacy Supervisory Authority. UPMC will investigate and try to resolve your issue. If it cannot be resolved, UPMC will participate in the dispute resolution process established by the EU Data Protection Authorities.
The Supervisory Authority in Ireland is the Data Protection Commission. You can contact the Office of the Data Protection Commissioner at:
Telephone: +353 (0)761 104 800 or Lo Call Number 1890 252 231
Postal Address: Data Protection Commissioner, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois
For further information please visit the Data Protection Commissioner website www.dataprotection.ie.
The Supervisory Authority in Italy is the Italian Data Protection Authority (Garante per la protezione dei dati personali)
Piazza Venezia 11 - 00187 Roma (Italy)
Phone: +39 06-696771
Email account: firstname.lastname@example.org