Data Privacy Framework
This Data Privacy Framework Policy (“Policy”) applies to MedCompli Inc. when Personal Information is received from or about Individuals in the European Economic Area (EEA), United Kingdom (UK), or Switzerland in any format including electronic, paper or verbal. MedCompli respects the relationships we have with our customers and respects the privacy of all Individuals whose Personal Information (see Definitions) may be processed by MedCompli in the performance of our services and our business operations.
To demonstrate our commitment to the protection of Personal Information, including Personal Information transferred out of the EEA, UK, and Switzerland for the performance of our services and business operations in the United States, MedCompli complies with the EU-U.S. Data Privacy Framework (“DPF”), the UK extension to the DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss DPF”), respectively, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, UK, and Switzerland to the United States.
MedCompli has certified with the Department of Commerce that it adheres to the DPF Principles. If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/. We also use standard contractual clauses and other mechanisms approved by the European Union for certain transfers of Personal Information to the United States from the EEA, UK, and Switzerland.
This Policy supplements MedCompli’s General Privacy Policy which can be found by following this link (collectively, they comprise MedCompli’s “Privacy Policies”).
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, MedCompli commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
SCOPE: This Policy applies to all Personal Information of Individuals received by MedCompli in the U.S. from the EEA, UK, or Switzerland, including Personal Information of consumers, healthcare professionals, suppliers, vendors, job applicants, business contacts and partners. This Policy will help you understand how MedCompli collects, uses, shares and safeguards Individuals’ Personal Information, and how, in certain circumstances, you can elect whether or not to allow your Personal Information to be used or shared. MedCompli endeavors to collect, use and disclose Personal Information in a manner consistent with the laws of countries in which it does business, and also has a tradition of upholding the highest ethical standards in its business practices.
PURPOSE / DISCLOSURE: MedCompli may disclose personal information to the following types of organizations:
1. To our third-party service providers, such as website hosting providers, information technology providers, payment services providers, and/or communication providers.
2. To parties involved in litigation, judicial or administrative bodies in the US or a foreign jurisdiction, dispute resolution providers, and/or regulatory bodies in the US or a foreign jurisdiction.
3. To a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
4. To respond to lawful requests from public authorities, including public and government authorities outside your country of residence, to meet national security, public interest, or law enforcement requirements.
MedCompli will process & store personal data provided by clients to facilitate their compliance with regulations, law, and internal client policies & procedures. MedCompli is a platform utilized by clients to manage relationships with Healthcare Professionals and the data may include Name, Email Address, Address, medical license registration numbers and other basic demographic information. MedCompli would also include information on the client and information on client users of the platform such as their name, email address & manager.
MedCompli processes personal data for the purpose of providing client services. Personal Data relating to clients is collected from clients who provide it to us in connection with our provision of services to those clients. Client data is processed in the normal conduct of our business relationship with the client, to perform the services requested by and contracted with our clients.
Customers using MedCompli’s cloud solutions are responsible for managing the data that they store within MedCompli’s cloud solutions. Customers determine the categories of Personal Data and other information that are stored by MedCompli. Similarly, MedCompli’s customers and prospective customers who share data with MedCompli in connection with any of its Services determine which categories of Personal Data will be shared and for what purposes. Consequently, MedCompli does not generally know the categories of Personal Data to be processed or the purpose(s) of the processing unless and until MedCompli receives this information from its customers or prospective customers.
When MedCompli processes Personal Data, MedCompli does so only for the purpose of providing Services.
MedCompli does not share the personal data with any third parties.
The Customer’s and Prospective Customer’s Responsibilities with Respect to Personal Data
MedCompli customers and prospective customers may choose to include Personal Data among the data stored within the MedCompli cloud or otherwise shared with MedCompli in connection with its provision of Services.
MedCompli processes only the Personal Data that its customers or prospective customers have chosen to share with MedCompli. MedCompli has no direct or contractual relationship with the subject of such Personal Data (a "Data Subject"). As a result, when a customer or prospective customer shares Personal Data, the customer or prospective customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.
It is the customer's or prospective customer's responsibility to ensure that Personal Data it collects can be legally collected in the country of origin. The customer or prospective customer is also responsible for providing to the Data Subject any notices required by applicable law and for responding appropriately to the Data Subject's request to exercise his or her rights with respect to Personal Data. In addition, the customer or prospective customer is responsible for ensuring that its use of MedCompli’s cloud offerings or Services is consistent with any privacy policy the customer or prospective customer has established and any notices it has provided to Data Subjects.
LIMITATIONS ON SCOPE:
Adherence to the DPF Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of an Individual. Also, this Policy may not apply or may be limited when Personal Information is collected or processed by the following:
- MedCompli, under an agreement that contains the requisite standard contractual clauses approved by the European Commission with respect to the Personal Information;
- MedCompli, when necessary for the performance of a contract (e.g., an employment contract) between an Individual and MedCompli; or
- Any MedCompli affiliate, successor, subsidiary, business division, or group that makes a separate certification to DPF, whether or not such certification covers only part of or all types of Personal Information in scope of this Policy.
DEFINITIONS: For purposes of this Policy, the following definitions shall apply:
- “Agent” means any third party that uses Personal Information provided to it by MedCompli to perform tasks on behalf of and/or under the instructions of MedCompli or to which MedCompli discloses Personal Information for use on its behalf.
- “European Economic Area” means for the purposes of this Policy the following thirty (30) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Ireland, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden (i.e. countries within the European Union), and Iceland, Liechtenstein, and Norway.
- “Individual” means any natural person located in the EEA, UK, or Switzerland whose Personal Information is shared with MedCompli in the United States.
- “Personal Information” means any information or set of information about an identified or identifiable individual, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the individual; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to an individual that is combined with any of the above. The term “Personal Information” does not include non‐identifiable information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).
- “Personnel” includes, but is not limited to, any employee (permanent or temporary), director, officer, contractor, worker, temporary worker, job applicant, and any and all of their respective dependents.
- “DPF Principles” collectively mean the seven (7) privacy principles, as well as the supplemental privacy principles and the associated guidance, details of which can be found at https://www.dataprivacyframework.gov/s/article/Participation-Requirements-Data-Privacy-Framework-DPF-Principles-dpf.
- “Sensitive Personal Information” means Personal Information subject to specified extra protection under the EU Data Protection Directive of 95/46/EC, the European Union General Data Protection Regulation, the UK General Data Protection Regulation, or any superseding legislation, such as race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data where processed to uniquely identify a person, or that concerns medical or health conditions or sex life. In addition, MedCompli will treat as Sensitive Personal Information any information received from an employee or third party where that employee or third party treats and identifies the information as sensitive.
Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Policy.
NOTICE
Where MedCompli collects Personal Information directly from Individuals, it will explain the purposes for which it collects and uses Personal Information about the Individuals, the types of third parties to which MedCompli discloses that information, and the choices and means, if any, MedCompli offers Individuals for limiting the use and disclosure of Personal Information about them. Notice will be provided in clear and conspicuous language. This explanation will be provided as soon as practicable and, in any event, before MedCompli discloses the Personal Information or uses such information for a purpose materially different than that for which it was originally collected or processed.
In circumstances in which MedCompli obtains personal data as a service provider for its clients or affiliates, MedCompli’s clients or affiliates are responsible for providing appropriate notice to the Individuals whose personal data are transferred to the U.S. and obtaining any requisite consent (unless this function has been delegated to MedCompli).
- Business Contacts. For Individuals who are business contacts of MedCompli, MedCompli may collect personal information concerning contact information for such business contacts. This information may be used for purposes consistent with the provision of information by these contacts, which may include marketing activities focused on sales of new products and services, requests to participate in market research that enhance MedCompli’s product offerings and other business activities.
CHOICE
MedCompli will offer Individuals the opportunity, where practical and appropriate, to choose (opt‐out) whether their Personal Information is (a) to be disclosed to a non‐agent third party, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the Individual.
MedCompli will not process Sensitive Personal Information about Individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the Individual unless the Individual explicitly consents to the processing (“opt‐in”), or as required or permitted, or where not prohibited by law or regulation.
In some cases, even if an Individual opts‐out of disclosures of their Personal Information, MedCompli may still disclose such Personal Information (i) if we are required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce MedCompli policies or contracts; (v) to collect amounts owed to MedCompli; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) in the good faith belief that disclosure is otherwise necessary or advisable. MedCompli also may transfer Personal Information when a material event concerning its business operation(s), assets or shares, such as purchase, disposal, merger, joint venture or acquisition, is proposed or occurs. In such an event, MedCompli will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Policy. MedCompli will provide Individuals with reasonable mechanisms to exercise their choices to the extent required by applicable law.
ONWARD TRANSFER
In most situations, transfers to third parties are covered by the provisions in this Policy regarding notice and choice.
MedCompli does not sell or otherwise disclose Individuals’ Personal Information, except as described in our Privacy Policies or in a notice provided to Individuals at the time of collection, or as Individuals explicitly consent. MedCompli may share Individuals’ Personal Information with our service providers, consultants and affiliates for our and our affiliates’ internal business purposes or to provide Individuals with a requested service.
MedCompli will endeavor to only transfer Personal Information to a third party/Agent where such third party/Agent has given assurances that it provides at least the same level of privacy protection as required by the DPF Principles and this Policy and will notify MedCompli if it makes a determination it can no longer meet this obligation.
Where MedCompli knows that any third party to whom it has provided Personal Information is using or disclosing Personal Information in a manner contrary to this Policy and/or the DPF Principles, MedCompli will take reasonable steps to prevent or stop the use or disclosure. With respect to such onward transfers to Agents, and to the extent MedCompli is responsible for the event, MedCompli shall remain liable should its Agents process Personal Information in a manner inconsistent with the DPF Principles and this Policy.
In circumstances in which MedCompli obtains personal data as a service provider for its clients or affiliates, MedCompli’s clients or affiliates are responsible for protecting individual rights with respect to onward transfers. MedCompli has potential liability in cases of onward transfer to third parties of data of EU individuals received pursuant to the DPF Principles.
SECURITY
MedCompli will endeavor to take reasonable and appropriate technical, administrative and physical precautions designed to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information MedCompli is processing, and regardless of whether such Personal Information is in electronic or tangible, hard copy form.
DATA INTEGRITY AND PURPOSE LIMITATION
MedCompli endeavors to use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. MedCompli will take reasonable steps designed to ensure that only Personal Information that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained is used by MedCompli for as long as MedCompli retains possession of such information. MedCompli’s Personnel have a responsibility to assist MedCompli in maintaining accurate, complete and current Personal Information.
ACCESS
MedCompli will, on request, provide an Individual with confirmation regarding whether MedCompli is processing Personal Information about them. In addition, upon request of an Individual, MedCompli will take reasonable steps to correct, amend, or delete their Personal Information that is found to be inaccurate, incomplete or processed in a manner non‐compliant with this Policy or the DPF Principles, except where the burden or expense of providing access would be disproportionate to the risks to that Individual’s privacy, where the rights of persons other than the Individual would be violated or where doing so is otherwise consistent with DPF Principles. Unless prohibited by applicable law, MedCompli reserves the right to charge a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals.
In circumstances in which MedCompli maintains personal data as a service provider for its clients or affiliates, MedCompli’s clients or affiliates are responsible for providing Individuals with access to their personal data and the right to correct, amend or delete the data where it is inaccurate. In these circumstances, Individuals should direct their questions to the appropriate MedCompli client or affiliate. If they do not receive a response, MedCompli will provide reasonable assistance in forwarding the Individual’s request.
RECOURSE, ENFORCEMENT AND LIABILITY
MedCompli encourages Individuals covered by this Policy to raise questions about the processing of Personal Information about them by contacting MedCompli through the contact information provided below. Any Personnel that MedCompli determines is in violation of the DPF Principles and/or this Policy will be subject to disciplinary action up to and including termination of employment, where applicable, in accordance with MedCompli’s disciplinary procedures.
In accordance with the DPF Principles, MedCompli commits to resolve complaints about Individuals’ collection or use of your Personal Information. Any Individuals with inquiries or complaints regarding this Policy or the use or disclosure of Personal Information in accordance with the DPF Principles should first contact MedCompli using the contact information given below. MedCompli will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the DPF Principles outlined in this Policy. In addition, MedCompli has further committed to cooperate with the panel established by the EU data protection authorities (“DPAs”) and comply with the advice given by the panel with respect to unresolved DPF complaints related to Individuals’ personal data transferred from the EEA. MedCompli also commits to cooperate with the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the UK’s Information Commissioner’s Office (ICO) and to comply with the advice given by such authorities with regard to personal data transferred from Switzerland and the UK. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact your DPA for more information or to file a complaint. The services of DPAs (including the FDPIC and the ICO) are provided at no cost to Individuals. If any request remains unresolved, Individuals may, under certain circumstances, have a right to invoke binding arbitration under DPF; for additional information, see https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf.
The Federal Trade Commission has jurisdiction over MedCompli’s compliance with the DPF Principles.
Such independent dispute resolution mechanisms are available to Individuals free of charge. Under certain limited conditions, if your complaint is not resolved through these channels, it may be possible for Individuals to invoke binding arbitration before the EU-U.S. DPF Panel to be created by the U.S. Department of Commerce and the European Commission. For additional information, please visit https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
CONTACT INFORMATION: Questions, comments, concerns or complaints regarding this Policy or MedCompli's processing of Personal Information should be submitted to MedCompli by clicking here.
RESERVATION OF RIGHTS: MedCompli reserves the right to share an Individual’s Personal Information and contracts with Agents as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.
CHANGES TO THE POLICY: This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Information is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.
POLICY - EFFECTIVE DATE: February 20, 2024