Effective Date: September 30th, 2016
GE Medical Systems, Ultrasound & Primary Care Diagnostics LLC and the following US entities of the GEHC group of companies (Datex-Ohmeda, Inc., GE Medical Systems Information Technologies, Inc., GE Medical Systems LLC, General Electric Company, OEC Medical Systems, Inc., collectively “GEHC”) adhere to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks with respect to personal data submitted by GEHC’s customers in reliance on the Privacy Shield frameworks as regards services provided by the following GEHC business units: Molecular Imaging & CT (MICT), Detection & Guidance Solutions (DGS), Life Care Solutions (LCS), Ultrasound (US), Magnetic Resonance (MR), Global Services and Surgery divisions.
This Policy outlines our general policy and practices for the Privacy Shield programs as described below.
For purposes of this Policy:
“Individual” means any natural person who is located in the EEA or Switzerland, but excludes anyone whose Personal Information is obtained by GEHC or any of its affiliates in the context of an employment or other working relationship with GEHC or any of its affiliates.
“Customer” means any entity that obtains products or services from GEHC related to the business processes for which GEHC has certified to the Privacy Shield programs.
“EEA” means the European Economic Area.
“Personal Information” means any information, including Sensitive Personal Information, that (i) is transferred to GEHC in the U.S. from the EEA or Switzerland pursuant to the Privacy Shield programs respectively, (ii) is recorded in any form, (iii) relates to an identified or identifiable Individual, and (iv) can be linked to that Individual.
“Sensitive Personal Information” means Personal Information about racial or ethnic origin, political opinions, religious or political beliefs, trade union membership, health or medical records, sex life or criminal records.
“Privacy Shield” means the US-EU Privacy Shield Framework and the US-Swiss Privacy Shield Framework
“Privacy Framework” or “Privacy Frameworks” refers collectively to the US-EU and the US-Swiss Privacy Shield frameworks.
Personal Information processed by GEHC
GE Healthcare processes data that our customers submit to our services or instruct us to process on their behalf. While GE Healthcare’s customers decide what data to submit, it typically includes information about their customers, employees and business partners.
Purposes of GEHC processing of Personal Information
In accordance with the privacy principles of the relevant Privacy Framework, GEHC personnel in the U.S. obtain or access Personal Information about Individuals located in the EEA or Switzerland on behalf of GEHC Customers for purposes of (1) managing and responding to Customer requests for service or support, (2) addressing Customer service events and issue escalations, (3) developing and implementing customized protocols for Customers, (4) providing remote services and troubleshooting certain devices and equipment, (5) providing technical support for relevant systems and databases, (6) managing off-site repair, refurbishment and disposal of malfunctioning components and devices, (7) providing various enhanced or add-on services to which a Customer has subscribed (for example, data analytics and trending) and (8) otherwise supporting GEHC Customers’ use of GEHC’s products and services. GEHC provides relevant hosting, infrastructure and other related technology services in the U.S. to support the activities described in (1) through (8) above. In connection with the activities described above, GEHC acts as a service provider to its Customers and pursuant to their instructions.
Because GEHC obtained or maintains Personal Information about Individuals with whom GEHC does not have a direct relationship as a service provider for its Customers, GEHC’s Customers are responsible for providing the relevant Individuals with certain choices with respect to the Customers’ use or disclosure of the Individuals’ Personal Information.
GEHC may disclose Personal Information (i) to service providers the company has retained to perform services on its behalf, (ii) to other GE group companies performing services on its behalf, (iii) if it is required to do so by law or legal process, (iv) to law enforcement or other government authorities in response to lawful requests by public authorities, including to meet national security or law enforcement requirements , or (v) when GEHC believes disclosure is necessary to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity. GEHC also reserves the right to transfer Personal Information in the event it sells or transfers all or a portion of its business or assets (including in the event of a reorganization, dissolution or liquidation).
Onward Transfer of Personal Information
GEHC uses a limited number of third-party service providers to assist in the provision of services to its customers. These third party providers offer technical support to our customers, and support GE Healthcare in delivering repairs and replacement parts for customer devices. These third parties may access, process, or store personal data in the course of providing their services. GEHC maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with its Privacy Shield obligations and these third parties contractually agree to provide at least the same level of protection for Personal Information as is required by the relevant Privacy Framework principles. GEHC is responsible for these service providers meeting these obligations, and for any failure by them to do the same.
Because GEHC obtained or maintains Personal Information about Individuals with whom GEHC does not have a direct relationship as a service provider for its Customers, GEHC’s Customers are responsible for providing Individuals with access to the Personal Information and the right to correct, amend or delete the information where it is inaccurate. Individuals should direct their questions to the appropriate Customer. When an Individual is unable to contact the appropriate Customer, or does not obtain a response from the Customer, GEHC will provide reasonable assistance in forwarding the Individual’s request to the Customer.
GEHC takes reasonable precautions to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
GEHC takes reasonable steps to ensure that the Personal Information the company processes are (i) relevant for the purposes for which they are to be used, (ii) reliable for their intended use, and (iii) accurate, complete and current. Because GEHC obtained or maintains Personal Information about Individuals with whom GEHC does not have a direct relationship as a service provider for its Customers, GEHC depends on its Customers to update and correct Personal Information to the extent necessary for the purposes for which the information was collected or subsequently authorized by the relevant Individuals. Customers may contact GEHC as indicated below to request that GEHC update or correct Personal Information GEHC obtained or maintains on their behalf, as appropriate.
GEHC has established procedures for periodically verifying implementation of and compliance with the Privacy Frameworks’ principles. GEHC conducts an annual self-assessment of its Personal Information practices to verify that the attestations and assertions the company makes about its privacy practices are true and that the company’s privacy practices have been implemented as represented.
Because GEHC obtained or maintains Personal Information about Individuals with whom GEHC does not have a direct relationship as a service provider for its Customers, Individuals may submit complaints concerning the processing of their Personal Information to the relevant Customer, in accordance with the Customer’s dispute resolution process. GEHC will participate in this process at the request of the Customer or the Individual.
If GE Healthcare receives a complaint from an individual, a response will be provided within 45 days. If the complaint cannot be resolved through GEHC’s internal processes, GEHC will cooperate with JAMS pursuant to the JAMS International Mediation Rules, which are accessible on the JAMS website at www.jamsadr.com/international-mediation-rules. The mediator or the Individual also may refer the matter to the U.S. Federal Trade Commission, which has Privacy Shield enforcement jurisdiction over GEHC. If JAMS is unable to resolve the complaint satisfactorily, under certain conditions as described on the Privacy Shield website, there may be the option for pursuing the complaint through independent binding arbitration via the Privacy Shield panel.
GEHC will take steps to remedy any issues arising out of a failure to comply with the relevant Privacy Frameworks’ framework principles. Please contact GEHC as specified below to address any complaints regarding the company’s Personal Information practices.
How to Contact GEHC
Attention: Chief Privacy Counsel
9900 Innovation Drive
Wauwatosa, WI 53226
Last Revised: March 1, 2018