NOTICE OF PRIVACY PRACTICES UNDER GDPR FOR EU AND SWISS RESIDENTS

Guardant Health, Inc. is committed to securely protecting any personal data we obtain or generate through our business. We are located in the United States, so your personal data will be transferred, used and maintained in the US.

With respect to EU and Swiss Residents, the US Department of Commerce has agreed upon requirements that permit US companies to satisfy the mandate under European and Swiss law that adequate protection is provided to personal data transferred from the European Union, European Economic Area or Switzerland to the US.  For EU citizens’ personal data, these requirements are set forth in the EU-US Privacy Shield Framework. For Swiss citizens’ personal data, these requirements are set forth in the Swiss-US Privacy Shield Framework.  Guardant Health has certified to compliance with these Privacy Shield Frameworks and is registered on the US Department of Commerce Privacy website.

Effective May 25, 2018, the EU’s General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, also protects the privacy and security of personal data transferred out of the EU. This Notice lets you know what personal data we collect, what we do with it, who can access it and what rights you have concerning your personal data.

This Notice provides important information about our use and control of personal data.  If you would like to review our full Privacy Policy, please visit our website at guardanthealth.com.

PERSONAL DATA WE COLLECT
How We Obtain Personal Data
Guardant Health, as a healthcare provider, only obtains and uses personal data that we actually need in order to perform and improve our healthcare services. We obtain your personal data in a number of ways:

Patients

  • You provide it to us when you register for an account to receive information about our testing
  • You provide it to us when you contact us via email, fax, or telephone
  • Your physicians provide your personal data to us in order for us to perform laboratory testing for you
  • When you visit our websites, we automatically log some basic information like how you got to the site, where you navigated within it, and what features and settings you use. We use this information to improve our websites and services.
  • We generate a test results report which we provide to your physicians and to you when you directly request this information

Physicians

  • You provide it to us when you register for an account to receive information about our testing
  • You provide it to us when you contact us via email, fax, or telephone
  • You provide it to us when we visit with you in person
  • When you visit our websites, we automatically log some basic information like how you got to the site, where you navigated within it, and what features and settings you use. We use this information to improve our websites and services.
  • We generate a test results report for your test orders and provide these reports to you for your patient treatment purposes

Employees

Collection of personal data for EU and Swiss employees is governed by Guardant Health’s EU Employee Privacy Notice which is provided to these employees at time of hire. If you are an EU or Swiss employee and have any questions, please contact HR or privacy@guardanthealth.com.

What Personal Data Is Collected

The personal data we collect includes contact information about you, such as your name, address, email address, telephone number and identification numbers used by your physicians.

If you are a patient, we also obtain information concerning your health, such as your current diagnosis, types of treatment for your cancer, what other tests have been performed and other pathology data needed to perform our testing services.

When we provide a test results report, it will include the patient’s personal data and will include genetic information regarding possible mutations in your cancer tumor.

If you visit our product website, limited cookies will be used to help us improve, promote and protect our services. These cookies track your IP address, your submissions to us and your interactions with our web content. The information is used by us to provide a better web experience for you and to keep information you have given to us as accurate as possible.

PROCESSING PERSONAL DATA

How We Process Personal Data

Personal data is processed in order to:

  • Maintain your account through our patient and physician portals
  • Maintain a patient’s medical record per applicable regulations
  • Contact physicians regarding patient test results and any information that may be missing from a test order
  • Obtain payment for our services
  • Contact physicians to provide educational information about our services
  • Perform testing services as requested by your physicians through our network systems
  • Respond to any direct inquiries from you
  • Keep a record of your payment if you paid Guardant Health directly. This record will only include your name and payment amount. Payments made by patients are made through a third party payment service; therefore, we do not obtain, maintain or store any credit card information on Guardant Health systems.
  • After pseudonymization or anonymization of personal data, conduct scientific research to improve testing services

Lawful Basis for Processing Personal Data

We process personal data as mentioned above in order to perform our laboratory testing services for patients.  We are using your personal data in ways that you would expect:

Patients for treatment purposes. In order to perform testing and bill for our services, we need accurate and current contact information and medical information.  Test results depend on certain personal data related to health and genetic data provided through the patient’s blood draw. Guardant Health has no direct contact with a patient whenever a test is ordered by a physician.  Therefore, the patient’s consent for testing is explained to the patient by, and given to, his/her physician.

If you have registered for an online account with us, we also need personal data from you to maintain your account up-to-date and to communicate with you.

We legitimately need all the personal data we obtain in order to perform our testing services, maintain accounts and records, and provide information to physicians for use in patient treatment.

Data for scientific research purposes.  Pseudonymized and anonymized data is used for scientific research related solely to improving our testing services and to providing medical education to physicians. For most studies, we do not have personally identifiable data related to the study subjects.  However, we may conduct research on data from which we have removed identifiable information.  In that case, we would not be able to link the data to any specific patient.  This type of research, even if the data fell into the hands of a wrong-doer, carries a very low risk of patient re-identification.

Physicians for contact purposes. Physician contact information is maintained in order to communicate directly with treating physicians about their patients.  We also use personal data to provide medical education information to physicians.  We might also contact physicians regarding contractual services such as advisory boards and presentations.

Sharing Personal Data with Third Parties

Under some circumstances we are required to provide your personal data to others. We will disclose personal information if it’s necessary to comply with a legal obligation, prevent fraud, enforce an agreement, or for public safety. We may be required by law to preserve or disclose your personal information and service data to comply with any applicable laws, regulations, legal process or governmental request, including to meet national security requirements.

Guardant Health does not share your personal data except as needed to provide its healthcare services.  Therefore, your data may be shared with your physicians, your authorized representatives, internally with Guardant Health’s medical team and with researchers after pseudonymization or anonymization.

We never sell your identifiable personal data or share it with marketers.  However, some of our service providers may have incidental contact with your personal data when they perform contracted services for us, such as our billing vendor.  These contractors will be obligated to maintain privacy and security of personal data they might view.  All vendors who may handle personal data have had a security assessment to ensure that they have the capability of maintaining appropriate security measures.

Storing Personal Data

We store your personal data using state-of-the-art technical tools, such as data encryption which encrypts data while at rest and in transit, access control to all systems, sharing only the minimum amount necessary with the minimum number of employees (and trained contractors) to perform our services, password protection, constant security monitoring and recovery mechanisms for data loss.

We store your personal data for as long as necessary to run your test, ensure that the results are complete and accurate and within clinical laboratory regulations which currently require medical record storage for seven years. Additionally, pseudonymized and anonymized data may be stored for additional years if necessary for research record keeping and regulatory submissions.

Physician contact information is kept until they are no longer customers. Physicians who stop ordering tests will have their personal data removed from our systems.

YOUR RIGHTS

If you are in the European Economic Area (EEA), you have the following rights with respect to information that Guardant Health holds about you.

      • Right to access. You have the right to access (and obtain a copy of, if required) the categories of personal information that we hold about you, including the information’s source, purpose and period of processing, and the persons with whom the information is shared.
      • Right to rectification. You have the right to update the information we hold about you or to rectify any inaccuracies. Based on the purpose for which we use your information, you can instruct us to add supplemental information about you in our database.
      • Right to erasure. You have the right to request that we delete your personal information in certain circumstances, such as when it is no longer necessary for the purpose for which it was originally collected.
      • Right to restriction of processing. You may also have the right to request us to restrict the use of your information in certain circumstances, such as when you have objected to our use of your data. However, we can verify whether we have overriding legitimate grounds to use it.
      • Right to data portability. You have the right to transfer your information to a third party in a structured, commonly used and machine-readable format, in circumstances where the information is processed with your consent or by automated means.
      • Right to object. You have the right to object to the use of your information in certain circumstances, such as the use of your personal information for direct marketing.
      • Right to complain. You have the right to complain to the appropriate supervisory authority if you have any grievance against the way we collect, use or share your information. This right may not be available to you if there is no supervisory authority dealing with data protection in your country.

CONTACT INFORMATION

Guardant Health has appointed a Data Protection Officer to oversee our management of your personal data in accordance with this Privacy Policy. If you have any questions or concerns about our privacy practices with respect to your personal information, you can reach out to our Data Protection Officer by sending an email to dpo@guardanthealth.com or by writing to Data Protection Officer, Guardant Health, 505 Penobscot Drive, Redwood City, CA, USA, 94063.

Effective Date: May 25, 2018

Guardant Health reserves the right to update this Notice as deemed necessary.  Updates will be posted online as soon as they are effective.