Glooko’s Data Privacy Framework Notice
EU-U.S., Swiss-U.S., and UK Extension to Data Privacy Framework
Effective Date: March 26, 2021
Glooko, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Glooko has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Glooko has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Data Privacy Framework Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Glooko is responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf. Glooko complies with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over Glooko’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
Your Rights
Under the DPF, you have rights in relation to your Personal Data as described in our Privacy Policy. These include:
Information on the types of Personal Data collected.
Information on the purposes of collection and use.
Information on the type or identity of third parties to which your personal data is disclosed.
Choices for limiting use and disclosure of your Personal Data.
Access to your personal data.
Notification of the organization’s liability if it transfers your Personal Data.
Notification of the requirement to disclose your Personal Data in response to lawful requests by public authorities.
Reasonable and appropriate security for your Personal Data.
A response to your complaint within 45 days.
Cost-free independent dispute resolution to address your data protection concerns.
The ability to invoke binding arbitration to address any complaint that Glooko has violated its obligations under the DPF Principles to you and that has not been resolved by other means.
You can also verify our self-certification to the DPF and check the information we have provided by viewing our details on the DPF List.
Personal Data Collection and Use
We may collect data concerning your health (Sensitive Personal Data) to provide, assess, and/or enhance our current and future products and services. When we collect Sensitive Personal Data, we will obtain your opt-in consent where the DPF requires, including if we disclose your Sensitive Personal Data to third parties, or before we use your Sensitive Personal Data for a different purpose than we collected it for or than you later authorized.
Data Transfers to Third Parties
Third-Party Agents or Service Providers. We may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf. Where required by the DPF, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the DPF requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our DPF obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them.
Third-Party Data Controllers. In some cases, we may transfer Personal Data to unaffiliated third-party data controllers. These third parties do not act as agents or service providers and are not performing functions on our behalf. We may transfer your Personal Data to third-party data controllers for the purposes described in our Privacy Policy. We will only provide your Personal Data to third-party data controllers where you have not opted out of such disclosures, or in the case of Sensitive Personal Data, where you have opted in if the DPF requires consent. We enter into written contracts with any unaffiliated third-party data controllers requiring them to provide the same level of protection for Personal Data the DPF requires. We also limit their use of your Personal Data so that it is consistent with any consent you have provided and with the notices you have received. If we transfer your Personal Data to one of our affiliated entities within our corporate group, we will take steps to ensure that your Personal Data is protected with the same level of protection the DPF requires.
Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements. We will only do so in accordance with the DPF Principles.
Binding Arbitration
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Glooko commits to refer unresolved complaints concerning our handling of customer personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
For more information on binding arbitration, see the U.S. Department of Commerce’s DPF: Annex I (Binding Nature of Decisions).
Changes To This Policy
We reserve the right to amend this Policy from time to time consistent with the DPF’s requirements.
Contact Us
If you have any questions about this Policy or would like to request access to your Personal Data, please contact us at [email protected].
For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.