EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Notice
Effective Date: September 15, 2023
This Notice ("Notice") explains how IDEXX Laboratories, Inc. and its subsidiaries and affiliates in the United States ("IDEXX”) collect, use, and disclose certain personal information that we receive in the U.S. from the United Kingdom (and Gibraltar), Switzerland, the European Union and European Economic Area ("Personal Data").
This Notice supplements our IDEXX Laboratories Privacy Policy Statement (“Privacy Policy”) located at https://www.idexx.com/en/about-idexx/privacy-policy/, our Employee Personal Information Processing Notice (“Employee Privacy Notice”) and our Applicant Information Processing Notice (“Applicant Processing Notice”).
IDEXX recognizes that the UK, Switzerland and the EU have established strict protections regarding the handling of Personal Data, including requirements to provide adequate protection for Personal Data transferred outside of the UK (and Gibraltar), Switzerland and the EU (and the EEA). To provide adequate protection for certain Personal Data about our customers, customer’s customers, employees, job applicants and website visitors received in the U.S., we elected to self-certify to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPFand the Swiss-U.S. DPF administered by the U.S. Department of Commerce ("Data Privacy Framework") regarding the collection, use, and retention of personal information transferred from the UK (and Gibraltar), Switzerland, European Union (and the EEA) to the U.S.
IDEXX complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. IDEXX has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union (and the EEA) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. IDEXX has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Personal Data Collection and Use
Our Privacy Policy, Employee Privacy Notice and Applicant Processing Notice describe the categories of Personal Data that we may receive in the U.S. as well as the purposes for which we use that Personal Data. We will only process Personal Data in ways that are compatible with the purpose that we collected it for, or for purposes the individual later authorizes. Before we use your Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. IDEXX maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current.
Data Transfers to Third Parties
Third-Party Agents or Service Providers
We may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf as described in our Privacy Policy, Employee Privacy Notice and Applicant Processing Notice. Where required by the Data Privacy Framework, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Data Privacy Framework requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our Data Privacy Framework obligations and to stop and remediate any unauthorized processing.
Liability
If a third party agent or service provider providing services on IDEXX’s behalf processes Personal Data in a manner inconsistent with the Data Privacy Framework Principles, IDEXX will be liable unless we can prove that we are not responsible for the event giving rise to the damage.
Security
IDEXX maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration or destruction taking due account of the nature of the data and the risks involved in the processing.
Access Rights
You have the right to access Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate, or has been processed in violation of the Data Privacy Framework Principles, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.
If you would like to request access to, correction, amendment, or deletion of your Personal Data see the “Contact us” section later in this notice. We will respond to your access request within a reasonable time frame. We may request specific information from you to confirm your identity.
Questions or Complaints
If you are located in the EEA, UK, or Switzerland, you can direct any questions or complaints about the use or disclosure of your Personal Data to us at chiefprivacyofficer@idexx.com or see the “Contact us” section later in this notice. We will respond to you within 45 days of receiving your questions or complaints.
For any EEA and UK complaints that cannot be resolved with IDEXX directly, we have agreed to cooperate with the EU data protection authorities (“ EU DPAs”), UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA). The EU DPAs, UK ICO and GRA, will establish a panel to investigate and resolve complaints brought under the Data Privacy Framework and IDEXX will cooperate with this panel. Furthermore, IDEXX will comply with the advice given by the EU DPAs, UK ICO and GRA and take necessary steps to remediate any non-compliance with the Data Privacy Framework Principles.
For any Swiss complaints that cannot be resolved with IDEXX directly, we have agreed to cooperate with the Swiss Federal Data Protection and Information Commissioner FDPIC (“Commissioner”). IDEXX commits to cooperate with the Commissioner. Furthermore, IDEXX will comply with the advice given by the Commissioner and take necessary steps to remediate any non-compliance with the Data Privacy Framework Principles.
Investigatory and enforcement powers of the FTC
IDEXX is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).
Binding arbitration
If you are located in the EEA, UK or Switzerland and have exhausted all the means to resolve your concern regarding a potential violation of IDEXX’s obligations under the Data Privacy Framework Principles, you may seek resolution via binding arbitration.
For additional information about the arbitration process, please visit the Data Privacy Framework website: https://www.dataprivacyframework.gov/.
Disclosures for National Security or Law Enforcement
Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
Contact Us
If you have any questions about this Notice or would like to request access to your Personal Data, please contact us as follows:
- Email: chiefprivacyofficer@idexx.com
- Phone: 00-1-888-557-6518
- FAX: 00-1-888-557-6518 (Attention: Chief Privacy Officer)
- Mail: IDEXX Laboratories, Inc., Attention: Chief Privacy Officer, One IDEXX Drive, Westbrook, Maine 04092, U.S.A.
Changes To This Policy
We reserve the right to amend this Policy from time to time consistent with the Data Privacy Framework’s requirements.