Lifebit EU-US and Swiss-US Data Privacy Framework Policy

 

This EU-US and Swiss-US Data Privacy Framework Policy (“DPF Policy”) supplements the Lifebit Privacy Policy or other applicable privacy notice which we provide at the time of data collection. This DPF Policy applies to the transfers of personal data from the European Union, the United Kingdom (and Gibraltar), and Switzerland in order to comply with the transfer requirements under data protection laws, including the EU General Data Protection Regulation (“GDPR”).

Lifebit complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  

Lifebit has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Lifebit has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

 

Federal Trade Commission (FTC)

Lifebit has certified that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all personal data received from the EU, UK, or Switzerland in reliance on the DPF. Lifebit is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC), which has jurisdiction over Lifebit’s compliance with this Policy and the DPF.

 

Relevant EU Data protection authorities

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Lifebit commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

 

Our contact information

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Lifebit commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Lifebit at privacy@lifebit.ai.

 

Purpose of Data Processing

Lifebit processes personal data for the purpose of providing a platform for Data Consumers and Data Custodians (Clients) to access and analyse siloed biomedical data. Personal Data relating to individuals is collected from clients who provide it to us in connection with our provision of services to those clients. Client personal data is processed in the normal conduct of our business relationship with clients, to perform the services requested by and contracted with our clients.

Lifebit also processes personal data for the purposes of vendor management, recruitment, employment, and marketing, or for other purposes, which we disclose at the time of collection of the personal data.

 

Notice

As set out in Lifebit’s Privacy Policy on the Lifebit Website, at the time of, or before data collection, Lifebit notifies data subjects about its data practices regarding personal data, including the types of personal data it collects about them, the purposes for which it collects and uses such personal data, the types of third parties to which it discloses such personal data and the purposes for which it does so, the rights of data subjects to access their personal data, and the choices and means that Lifebit offers for limiting its use and disclosure of such personal data.

 

Choice

Lifebit provides individuals with notice and an opportunity to “opt-out” if such personal data is to be:

  1. disclosed to a third party (other than a third party acting on behalf of Lifebit) or
  2. used for a reason that is incompatible with the purposes for which it was originally collected.

 

Access

Individuals for whom Lifebit may process Personal Data are entitled to obtain confirmation of whether their Personal Data are being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws.

Individuals may request access as provided above via email to: privacy@lifebit.ai.

 

Accountability for Onward Transfer

We will not share, sell or distribute any of the information you provide to us without your consent, except as described in the relevant privacy notice provided at or near the time of collection, or when acting on behalf of our clients, at the direction of our clients (the data controllers) on whose behalf we are processing personal data.

The information provided to Lifebit will be available to Lifebit, as well as to affiliated companies within the Lifebit group who act for us for the purposes set out in this Policy and who are subject to this Policy.

 

Sharing your information with third parties

Lifebit may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of Lifebit (our agents). Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. Lifebit requires these third parties to undertake technical and security measures consistent with the protections specified in this Policy. Additional details regarding the types of third parties to which Lifebit discloses personal information and the purposes for which we do so are set out within our Lifebit Privacy Notice.

Lifebit will remain responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf if that agent processes personal information in a manner inconsistent with the DPF Principles, unless Lifebit proves that it is not responsible for the event giving rise to the damage.

In the event Lifebit transfers personal data covered by this DPF Policy to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only if the third party has given us contractual assurances that it will:

(i) process the personal data for limited and specified purposes consistent with any consent provided;

(ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and 

(iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. 

If Lifebit has knowledge that a third party acting as a controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, Lifebit will take reasonable steps to prevent or stop such processing.

Disclosure to Public Authorities

Lifebit may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

 

Security

Lifebit takes reasonable and appropriate technical, organizational and security measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We will permit only authorized staff who are trained in the proper handling of personal information to have access to that information. Staff who violate our security and privacy policies will be subject to our disciplinary process. We employ security measures to protect your information from access by unauthorized persons and against unlawful processing, accidental loss, destruction and damage.

 

Data Integrity and Purpose Limitation

Lifebit will retain Personal Data for a reasonable period of time, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period of time necessary to comply with state, local, and federal regulations, or country-specific regulations and requirements, and in accordance with Lifebit’s Document Retention Policy.

We will not use your information in a manner that is incompatible with the purpose for which it was originally collected without providing you with notice and an opportunity to opt-out.

 

Contact Information

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Lifebit commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Lifebit at privacy@lifebit.ai with attention to the DPO.

 

Enforcement and Dispute Resolution

Individuals are encouraged to raise any complaints regarding the processing of personal data to Lifebit.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Lifebit commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Data subjects may contact the relevant independent recourse mechanism listed below:

Lifebit will cooperate with the applicable data protection authority in the investigation and resolution of complaints brought under the DPF. Lifebit will comply with any advice given by the EU DPAs, the FDPIC, or the ICO where the applicable authority takes the view that the organization needs to take specific action to comply with the DPF Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the DPF Principles, and will provide the applicable authority with written confirmation that such action has been taken.

If a dispute or complaint cannot be resolved by Lifebit or by the EU Data Protection authorities, the Swiss FDPIC, or the UK ICO, a data subject has the right to require that Lifebit enter into binding arbitration pursuant to the DPF’s Recourse, Enforcement and Liability Principle and Annex I of the DPF (see link).

 


Last Updated: 13 June 2024