Last Revised: July, 2022
These disclosures (the “Disclosures”) supplement the Hologic Privacy Notice. All terms not defined in these Disclosures have the same meaning as in the Hologic Privacy Notice.
The Disclosures apply only to our processing of personal data within the scope of the General Data Protection Regulation (“GDPR”) and/or the GDPR as it is incorporated into the laws of England and Wales, Scotland and Northern Ireland (“UK GDPR”) as follows:
- Processing of personal data by a Hologic company located in one or more of the European Union Member States plus Iceland, Liechtenstein and Norway (together known as the “European Economic Area” or “EEA”) and/or the United Kingdom (“UK”) and
- Processing of personal data by a Hologic company located outside of the EEA and/or the UK, but that is offering goods or services into the EEA and/or the UK or monitoring the behavior of individuals in the EEA and/or the UK, in which case the following Disclosures apply only to the processing of personal data of individuals located in the EEA and/or the UK.
Hologic is comprised of Hologic, Inc. and its group of subsidiary companies, which are different legal entities. These Disclosures are issued on behalf of this group of entities, so when we mention “Hologic”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in the group responsible for processing your data. The controller for your personal data will be identified when you purchase a product or service or interact with us.
Data Retention
We retain personal data pursuant to our records retention program, for as long as is necessary for the purposes set out in the Hologic Privacy Notice, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR and the UK GDPR, as applicable.
When deciding how long to retain personal data we take into account our legal and regulatory obligations, the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means. The specific criteria used to determine the period for which personal data about you will be stored varies depending on the legal basis under which we process such personal data:
Legitimate Interests: For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.
Contractual Necessity: For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
Legal Obligation: For the duration of time we are legally obligated to keep the personal data.
Consent: For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain personal data about you erased (see Data Subject Rights below).
We may face a threat of legal claim, in which case we may need to apply a “legal hold” that retains personal data beyond our typical retention period. In that case, we will retain the personal data until the hold is removed, which typically means the claim or threat of claim has been resolved.
Transfers of personal data across borders
Any personal data that you provide to us is stored and processed in, and transferred between, any of the countries in which Hologic and its agents, contractors and affiliated organizations have offices, in order to enable Hologic to use that personal data as set out in these Disclosures and the Hologic Privacy Notice.
Not all of these countries have data protection laws equivalent to those in force in the EEA and/or the UK. In order to ensure the protection of your personal data outside of the EEA and/or the UK we rely on appropriate or suitable safeguards, including:
- Using standard contractual clauses approved by relevant authorities as ensuring adequate safeguards.
- Transferring personal data to countries that have been deemed to provide an adequate level of protection for personal data by relevant authorities.
- Obtaining your consent to transfer personal data after first informing you about the potential risks of the transfer.
- Transferring personal data when it is necessary for the performance of a contract between you and us, or if the transfer is necessary for the performance of a contract between us and a third party and the contract was entered into in your interest.
- Transferring personal data when it is necessary to establish, exercise or defend legal claims.
We seek to use reasonable organizational, technical and administrative measures to protect personal data within Hologic. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact Us” section below.
Individuals whose personal data we process subject to the GDPR and/or the UK GDPR have certain rights as required by law, including the right of access, erasure and data portability, as well as the right to rectification, to restrict processing, to withdraw consent, and to object to processing as follows.
Access: Individuals have the right to know if we are processing personal data about them and, if so, to access and obtain a copy of personal data about them, as well as information relating to the processing of that data.
Rectification: Individuals have the right to have us correct or update any personal data about them that is inaccurate or incomplete without undue delay.
Restriction: Individuals have the right to restrict or limit the ways in which we process personal data about them where the accuracy of the personal data is contested by them, where data has been obtained by us unlawfully, where the individual has objected to our processing of the data (see right of objection below) and we are considering whether to cease processing, or where we no longer need to process the personal data.
Objection: Individuals have the right to object to our processing of their personal data where we are relying on legitimate interests as our legal basis and their rights override our legitimate interests in processing their personal data. Individuals also have the right to object to our processing of their personal data for direct marketing purposes.
Withdrawal of Consent: Where we rely on consent as the basis for processing personal data, individuals have the right to withdraw their consent.
Erasure: Individuals have the right to request deletion or erasure of their personal data in a number of circumstances where required by law. These include where we no longer require the personal data for the purposes for which it was collected, the individual has withdrawn consent, or where we are relying on legitimate interests as a legal basis and the individual’s rights override our legitimate interests.
Portability: Individuals have the right to obtain a copy of the personal data we hold about them in a structured machine-readable format and to have it transmitted to another controller. This right only occurs where we are relying on their consent or performance of a contract as our legal basis and the processing is carried out automatically.
Make a Complaint: Individuals also have the right to make a complaint about our personal data handling practices to their local Supervisory Authority.
Data Subject Access Request
You may exercise your rights to review, know, correct, update, delete, restrict or object to the processing of your personal information at any time by completing a Data Subject Access Request here.
Complaints
You may exercise your rights to submit a complaint regarding the processing of your personal data at any time by completing a form here.
If you have any queries, questions or concerns about this Privacy Notice or our personal data handling practices, please email data.privacy@hologic.com or write to:
For UK:
Hologic Hub Ltd.
International Legal Department
Heron House, Oaks Business Park,
Crewe Road, Wythenshawe,
Manchester, M23 9HZ, UK
For EU:
Hologic BV
International Legal Department
The Corporate Village, Building Caprese 3th floor
Da Vincilaan 5
1930 Zaventem, Belgium