EU-U.S. Privacy Shield Framework Compliance
Kipu publicly commits to comply with the EU-U.S. Privacy Shield Framework Principles through self-certification. Swiss-U.S. Privacy Shield
Kipu Health LLC and its subsidiaries and affiliates, listed below (“Kipu”), are committed to protecting the privacy and security of its clients, partners, and associates and, therefore, operate under a set of strict privacy principles. Kipu is required to comply with certain legal requirements in respect of any personal data it collects, holds and/or processes from the European Economic Area (“EEA”). These requirements are set out in the European Data Protection Directive, the European General Data Protection Regulation and the local laws of each country in the EEA.
To the extent that Kipu’s business operations require that personal data collected in the EEA be processed in the United States of America (“U.S.”), Kipu complies with the EU-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the transfer, collection, use, and retention of personal information transferred from EEA member countries to the U.S. Kipu has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies described in these Privacy Shield Privacy Guidelines (“Privacy Guidelines”) and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
These Privacy Guidelines set forth the privacy principles Kipu follows with respect to any transfer of personal data from the EEA to the U.S. These Privacy Guidelines apply to all personal data received from the EEA by Kipu regardless of the medium or format in which the information is stored. Kipu is subject to the investigatory and enforcement power of the U.S. Federal Trade Commission (“FTC”) relative to the Privacy Shield Principles.
The following Kipu Health LLC subsidiaries and affiliates receive personal data from the EEA and adhere to the Privacy Shield Principles: Kipu Systems LLC; pingmd, Inc.
Kipu’s Data Processing Roles, the Types of Personal Data Kipu Receives and the Purposes for which it Processes Personal Data from the EEA:
Kipu has two separate roles when processing personal data transferred from the EEA:
First, as a “data controller” Kipu determines the purposes for which and the manner in which it collects, stores and processes the relevant personal data.
Kipu, as a data controller, collects and processes personal data relating to its clients, vendors, partners and associates. Personal data collected from clients, vendors and partners and processed by Kipu is limited to what is necessary in the business relationship, e.g. name, contact details, payment records, contracts and business correspondence.
Second, as a “data processor” Kipu processes personal data for its clients who are data controllers. In this capacity, Kipu does not own or determine the purposes for which it processes the personal data. Kipu’s clients, as a data controllers, collect the data and determine the purpose for which it is processed. Kipu receives and processes personal data for and at the instruction of its client, and in such circumstances Kipu has no direct relationship with the individuals to whom such personal data relates. As a data processor acting on behalf of a Kipu client who is the data controller, Kipu is required to perform its services in accordance with the Privacy Shield Principles and its contract with the client together with any data privacy protections incorporated therein. Kipu, however, is otherwise dependent upon its client, the data controller, to comply with applicable EEA data protection laws at the time that the personal data is originally collected or received by the client.
As a manufacturer of clinical and management information systems, Kipu assists its clients worldwide in the implementation and support of Kipu solutions in their healthcare institution(s). Since Kipu provides implementation and support for different healthcare institutions, Kipu may receive, hold, and process personal data from clients within the EEA, including client employee name, work role, email, telephone number, work address, etc. and any patient data provided by clients for the purpose of troubleshooting specific computer system hardware and software problems and issues in accordance with business and/or service agreements. Kipu also provides managed services such as remote hosting, remote system monitoring, disaster recovery, data warehousing and application management services, in which it may act as the custodian of patient health information for certain clients. With these offerings, Kipu not only has access to provider-based personal health information, but also performs many of a provider’s custodial duties as well.
These Privacy Guidelines are to be read subject to this distinction.
When Kipu, as the data controller, transfers data to a third-party, or uses the data for a different purpose than originally authorized, Kipu will notify the individual data subject in accordance with the Notice and Choice Principles of the Privacy Shield Framework. Kipu informs individuals for whom it is a data controller that it participates in the Privacy Shield; the purpose and use of the personal information; about how individuals can contact Kipu with any inquiries or complaints; the types of third parties to which it discloses the information; the purpose for which it discloses; individuals right to access their personal data; the choices and means Kipu offers for limiting use and disclosure of the information; Kipu’s independent dispute resolution body; possibility for binding arbitration; Kipu may be required to disclose personal information in response to lawful request by public authorities, including to meet national security or law enforcement requirements; and Kipu’s potential liability in onward transfers to third parties.
In the event Kipu is processing personal data in the U.S. from individuals in the EEA for a client, Kipu processes the personal data in accordance with the client’s instructions and informs the client that it participates in the Privacy Shield. The client, as the “data controller,” is responsible for ensuring that the personal data is processed in accordance with the rights and requirements of the individuals concerned under European data protection law.
Kipu, as a data controller, will offer individuals the opportunity to choose (through an “opt out” choice and unless otherwise required by law) whether their personal data is (1) to be disclosed to a third party controller or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Individuals may opt-out by using the contact information listed below.
For sensitive personal data (that is personal data specifying medical or health conditions, racial or ethnic origin, political opinions, ideological views or activities, trade union membership or information specifying the sex life of the individual, information on social security measures, administrative or criminal proceedings and sanction which are treated outside pending proceedings, or other personal data that Kipu receives from a third party which the third party identifies as sensitive personal data), Kipu will obtain affirmative express consent (unless otherwise permitted or required by contract or law) from individuals (through an “opt-in” choice) if such information is to be (1) disclosed to a third party controller or (2) used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt-in choice.
Accountability for Onward Transfer
Kipu does not share personal data with third party data controllers without the individual’s consent, unless the requirement to disclose personal information is in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Subject to the above, Kipu will enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as Kipu and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to re-mediate.
Personal Data controlled by Kipu may be disclosed to service providers for processing personal data on behalf of Kipu and subject to Kipu’s instruction. Kipu limits the data transferred to a service provider to data that is necessary to carry out the function Kipu has contracted with the third party data transferee to perform. Kipu will first ascertain that the third party is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles. Kipu will enter into a written contract with the third party, which also puts in place adequate safeguards to ensure a sufficient level of data protection, e.g. by using only service providers acting as data processors that are based within the EEA, or are certified under the EU-U.S. Privacy Shield program. Kipu will take reasonable and appropriate steps to ensure that the third party effectively processes the personal information transferred in a manner consistent with Kipu’s obligations under the Principles. If Kipu learns that a third party is using or disclosing personal data in a manner contrary to these Privacy Guidelines, Kipu will take all reasonable and appropriate steps to prevent or stop the use or disclosure and remediate unauthorized processing. Third parties are also required to notify Kipu if they can no longer meet its obligation to provide the same level of protection as is required by the Privacy Principles. Kipu will provide a summary or a representative copy of the relevant privacy provisions of its contract with that third party to the Department upon request.
Kipu also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, Kipu is potentially liable.
Kipu takes all reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and/or destruction, taking into due account the risks involved in the processing and the nature of the personal data. Kipu accordingly has put in place appropriate physical, electronic and managerial security measures to safeguard and secure any personal data under Kipu’s control from loss, misuse and unauthorized access, disclosure, alteration and/or destruction.
Kipu processes personal data only in a way that is compatible with and relevant to the purpose for which it was collected or subsequently authorized by the client data controller or individual. To the extent necessary for those purposes, Kipu takes reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. Kipu will adhere to this Principle for as long as it retains such information.
Kipu acknowledges that, subject to certain legal limitations, individuals have the right to access the personal information/data that we maintain as a controller about them. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data held by Kipu as a data controller, should direct his query to the contact information listed below. Kipu will respond to such request within a reasonable timeframe. When acting as a data processor, Kipu supports any access request addressed to a Kipu client.
Recourse, Enforcement and Liability
Kipu uses a self-assessment approach to verify compliance with the Privacy Shield Principles and periodically conducts objective reviews that its published privacy policies regarding personal information received from the EEA are accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible, and in conformity with the Privacy Shield Principles. Kipu periodically trains employees on its privacy policies regarding personal information during implementation, and disciplines them for failure to follow the policy.
Kipu has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to JAMS, at no cost to the individual. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Kipu, please visit the JAMS web site at www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint.
Should your complaint remain fully or partially unresolved after a review by Kipu, JAMS and the relevant DPA, you may be able to, under certain conditions, seek arbitration before the Privacy Shield Panel. For more information, please visit www.privacyshield.gov.
An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with Kipu and afford Kipu an opportunity to resolve the issue within 45 days of receiving the complaint; (2) make use of the independent recourse mechanism, JAMS; and (3) raise the issue through their EU DPA to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve and respond to the DPA within 90 days.
Swiss-U.S. Privacy Shield
Kipu has further committed to refer unresolved privacy complaints under the Swiss-U.S. Privacy Shield to the independent dispute resolution mechanism operated by JAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint.
In the United States:
In the EU
Kipu has appointed DPR Group as its Data Protection Representative for the purposes of GDPR*.
Kipu, which processes the personal data of individuals in the European Union in either the role of “data controller” or “data processor,” has appointed DataRep as its Data Protection Representative for the purposes of GDPR.
If Kipu has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. For more details on the rights you have in respect of your personal data, please refer to the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en) or the national Data Protection Authority in your country.
Kipu takes its clients’ (and the customers of their clients) data protection seriously, and has appointed DataRep as their Data Protection Representative in the European Union so that you can contact them directly in your home country. Data Rep has locations in each of the 27 EU countries and the UK, so that Kipu’s customers can always raise the questions they want with them.
If you want to raise a question to Kipu or otherwise exercise your rights in respect of your personal data, you may do so by:
- sending an email to DataRep at firstname.lastname@example.org quoting <Kipu Health LLC> in the subject line,
- contacting us on our on line webform at www.datarep.com/data-request, or
- mailing your inquiry to Data Rep at the most convenient of the addresses here.
PLEASE NOTE: when mailing inquiries. it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Kipu,’ or your inquiry may not reach us. Please refer clearly to Kipu Health LLC in your correspondence. On receiving your correspondence, Kipu is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.
These Privacy Guidelines may be amended from time to time consistent with the requirements of the Privacy Shield. We will post any revised policy on this website.
Effective Date: April 25, 2017
Last Updated: December 30, 2020