Privacy Notice Addendum for Laboratory and Testing Services for Patients Outside of the United States
Effective Date: June 3, 2022
This Privacy Notice Addendum for Laboratory and Testing Services for Patients Outside of the United States (our “Privacy Notice”) sets out how Adaptive Biotechnologies Corporation and our subsidiaries and affiliates (“Adaptive,” “we” or “us”) collects, uses and discloses the personal data we collect in the context of laboratory and testing services performed for patients who are outside of the United States (“you”) and as otherwise described in this section.
Personal Data Collection and Processing
Adaptive collects and processes personal data about you. This information may come from you or from third parties with whom we contract. Personal data about you includes all information that identifies you or can be used to identify you. The specific types of personal data we collect depends on the type of services you will be receiving, but will usually be pseudonymized (that is, coded). The specific types of personal data we collect may include the following categories of information:
- Coded Identifiers: This includes patient IDs and barcodes, which are used to track and manage your biological sample as it is processed through our laboratory, but do not allow us to directly identify you.
- Limited Health Information: This includes information about your health status and biological sample, which allows us to process your test and generate results. This includes information such as the date on which your sample was collected.
Processing operations include the recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. The personal data we collect about you may be stored in accordance with applicable laws and regulations, as well as Adaptive’s record retention policies and procedures.
Purposes and Disclosures
Adaptive processes personal data about you for the following purposes:
- Performance of laboratory and testing services for you; and
- Compliance with Adaptive’s legal, regulatory, and quality obligations.
For most regions, we process your information based on your consent.
Under European data protection laws, Adaptive must have a legal basis to process your personal data. The legal basis that applies in a particular instance will depend on for which of the specific purposes described above Adaptive is processing your personal data:
- Adaptive processes your data for testing purposes based on your consent to collect and process your personal data (Articles 6(1)(a) and 9(2)(a) GDPR). Whenever you choose to provide your consent, you may later withdraw your consent by contacting us as described in the “How to Reach Us” section. Please note that the withdrawal of consent will not affect processing which has already occurred.
- Adaptive also processes your personal data when necessary in order to comply with an applicable law or regulation (Articles 6(1)(c) and 9(2)(i) GDPR). You may not be able to opt-out of this processing.
Adaptive contracts with third parties to perform activities or functions related to the purposes specified above on behalf of Adaptive that involve the use of personal data about you. In such cases, Adaptive requires these third parties to protect the confidentiality and security of the personal data that is shared with them. These third parties are required to agree that they will not use or disclose personal data about you except as necessary to provide services to us or perform services on our behalf, or as necessary to comply with applicable laws or regulations.
In the event Adaptive decides to reorganize or divest our business through sale, financing arrangement, merger, or acquisition, Adaptive may share personal data about you with actual or prospective purchasers. We will require any actual or prospective purchasers to treat this personal data in a manner consistent with this notice.
International Data Transfers
Adaptive transmits personal data about you to countries which may be deemed under certain laws (e.g., GDPR) to not ensure an adequate level of data protection. Specifically, your biological samples and personal data will be sent to Adaptive’s laboratories, which are based in the United States. Your data may be transferred to other countries to the extent that any third parties noted in the previous section (Purposes and Disclosures) are located in countries other than your own.
In certain cases and depending on where you are from, we may have received your consent to transfer your data as described. If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, transfers to third parties are managed through the use of EU standard contractual clauses (as approved by the European Commission based on Commission Implementing Decision (EU) 2021/914 of 4 June 2021), or other approved transfer mechanisms. The current form for the standard contractual clauses can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
To obtain more information about the safeguards Adaptive has in place for cross-border transfers of personal data, please contact us using the information provided in the “How to Reach Us” section.
In this section we describe the choices individuals have regarding our collection, use, and handling of their personal data. Your rights may vary depending on the place you are from and the laws applicable to you and your personal data. You may submit a request to us related to your personal data through our Data Subject Request form, which can be found here.
While the rights specific to you will vary depending on where you are from, they may include the following:
- Information: You may request from us confirmation as to whether or not personal data concerning you is being processed and, where that is the case, to request access to the personal data;
- Access: You may request access to the personal data that Adaptive has about you and to receive copies of your data under certain circumstances;
- Amendment: You may request that Adaptive corrects or rectifies the personal data that we have about you;
- Deletion: You may request that Adaptive deletes or destroys personal data that we hold about you if the data are no longer needed for the purposes for which you provided it and/or if continued processing is not required by law or other applicable exemption;
- Restriction: You may request that we restrict how we use and disclose your Personal Data, particularly if the accuracy of your data is in dispute or if we are unable to delete (for example, due to our legal obligations);
- Objection: You may object to our use and disclosure of your personal data, subject to applicable laws, exemptions, and/or, if you are subject to GDPR, unless we have demonstrated a compelling legitimate interest which overrides your rights and freedoms;
- Objection to Marketing: If you are subject to GDPR, you may request that we do not transfer your data to unaffiliated third parties for the purposes of direct marketing;
- Portability: Subject to certain exceptions, you may request that we provide you with a copy of your personal data in a structured, machine–readable and commonly used format so that you can transmit it to one or more third parties;
- Transfer Safeguards: Under certain laws, you may request to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of your country, in which case we may redact some of the materials to protect commercial terms;
- Withdrawal of Consent: You may withdraw your consent where the processing of your personal data is based on consent (see the Purposes and Disclosures section above), in which case Adaptive will stop processing your personal data unless we have another legal basis or legal obligation to continue doing so (note that the withdrawal of your consent does not impact any processing of your personal data that occurred prior to your exercising of this right); and
- File a Complaint: You may comply to your national data protection regulator if you feel that any of your personal data is not being processed in accordance with applicable law.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality that we owe to others, if we are legally entitled to deal with the request in a different way, or if relevant exemptions apply to some or all of the personal data subject to the request. If this is the case, we will inform you when responding to your request. If you are subject to GDPR, we may rely on applicable exemptions under EU, Member State, or UK law in order to deny part or all of your request. As noted previously, we will disclose any such exemptions in our response to you if this is the case.
Protecting Your Data
We have implemented security measures to protect the personal data we collect from unauthorized access or disclosure, including technical and organizational security measures to safeguard and secure the personal data we collect. Despite this, data security cannot always be guaranteed. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us at email@example.com. In addition, you or anyone on your behalf are specifically requested not to send to us any health information or other sensitive personal information via email when making such a request.
How to Reach Us
If you have any questions or concerns related to this Notice or our data practices, please email us at firstname.lastname@example.org. You may also contact us via postal mail at:
Adaptive Biotechnologies Corporation
Attn: Data Protection Officer
C/O: Adaptive Legal Department
1165 Eastlake Avenue East
Seattle, Washington 98102, USA
Additionally, Adaptive has representatives established in the EU and UK to comply with EU and UK law. You can contact our EU and UK representatives using the following information:
Cuserstraat 93, Floor 2 and 3
Amsterdam, 1081 CN, Netherlands
107-111 Fleet Street
London, EC4A 2AB, United Kingdom
This Notice may be updated from time to time. Please refer to this site for updates to this Notice.
The data protection regulator (e.g., Data Protection Authority, Supervisory Authority, or equivalent) in your country is responsible for making sure that the applicable privacy laws are followed in your country. For more information about your privacy rights, or if you are unable to resolve a problem directly with us and wish to make a complaint, please reach out to your authority.