EU-U.S. and Swiss-U.S. Privacy Shield Notice

Effective Date: November 19, 2020

This Privacy Shield Notice ("Notice") explains how IDEXX Laboratories, Inc., IDEXX Distribution, Inc., IDEXX Operations, Inc. and OPTI Medical Systems, Inc. (“IDEXX”) collect, use, and disclose certain personal information that we receive in the U.S. from the United Kingdom, Switzerland, the European Union and European Economic Area ("Personal Data").

This Notice supplements our IDEXX Laboratories Privacy Policy Statement (“Privacy Policy”) located at https://www.idexx.com/en/about-idexx/privacy-policy/, our Employee Personal Information Processing Notice (“Employee Privacy Notice”) and our Applicant Information Processing Notice (“Applicant Processing Notice”).

Please note that the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks have been invalidated as appropriate mechanisms to transfer Personal Data from the countries in the European Union, European Economic Area (EEA), the UK and Switzerland to third countries. The invalidation of these frameworks does not relieve IDEXX from its obligations under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as these frameworks continue to apply. IDEXX will continue to comply with the requirements of these Privacy Shield Frameworks, in line with the statements below. In addition to the Privacy Shield Frameworks, we are taking additional privacy protection safeguards. For more information on the international transfer of personal information by IDEXX and the additional measures it is taking, please see the Privacy Policy, Employee Privacy Notice and Applicant Processing Notice as referred to above.

IDEXX recognizes that the UK, Switzerland and the EU have established strict protections regarding the handling of Personal Data, including requirements to provide adequate protection for Personal Data transferred outside of the UK, Switzerland and the EU (and the EEA). To provide adequate protection for certain Personal Data about our customers, customer’s customers, employees, job applicants and website visitors received in the U.S., we elected to self-certify to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks administered by the U.S. Department of Commerce ("Privacy Shield") regarding the collection, use, and retention of personal information transferred from the UK, Switzerland, European Union (and the EEA) to the U.S. in reliance on Privacy Shield. IDEXX adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.

 

Personal Data Collection and Use

Our Privacy Policy, Employee Privacy Notice and Applicant Processing Notice describe the categories of Personal Data that we may receive in the U.S. as well as the purposes for which we use that Personal Data. We will only process Personal Data in ways that are compatible with the purpose that we collected it for, or for purposes the individual later authorizes. Before we use your Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. IDEXX maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current.

 

Data Transfers to Third Parties

Third-Party Agents or Service Providers

We may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf as described in our Privacy Policy, Employee Privacy Notice and Applicant Processing Notice. Where required by the Privacy Shield, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing.

Liability

If a third party agent or service provider providing services on IDEXX’s behalf processes personal data in a manner inconsistent with the Privacy Shield Principles, IDEXX will be liable unless we can prove that we are not responsible for the event giving rise to the damage.

 

Security

IDEXX maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration or destruction taking due account of the nature of the data and the risks involved in the processing.

 

Access Rights

You have the right to access Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate, or has been processed in violation of the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated. If you would like to request access to, correction, amendment, or deletion of your Personal Data see the “Contact us” section later in this notice. We will respond to your access request within a reasonable time frame. We may request specific information from you to confirm your identity.

 

Questions or Complaints

If you are located in the EEA, UK, or Switzerland, you can direct any questions or complaints about the use or disclosure of your Personal Data to us at chiefprivacyofficer@idexx.com or see the “Contact us” section later in this notice. We will respond to you within 45 days of receiving your questions or complaints.

For any EEA and UK complaints that cannot be resolved with IDEXX directly, we have agreed to cooperate with the EU data protection authorities (“DPAs”). The DPAs will establish a panel to investigate and resolve complaints brought under the Privacy Shield and IDEXX will cooperate with this panel. Furthermore, IDEXX will comply with the advice given by the DPAs and take necessary steps to remediate any non-compliance with the Privacy Shield Principles.

For any Swiss complaints that cannot be resolved with IDEXX directly, we have agreed to cooperate with the Swiss Federal Data Protection and Information Commissioner (“Commissioner”). IDEXX commits to cooperate with the Commissioner. Furthermore, IDEXX will comply with the advice given by the Commissioner and take necessary steps to remediate any non-compliance with the Privacy Shield Principles.

 

Investigatory and enforcement powers of the FTC

IDEXX is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).

 

Binding arbitration

If you are located in the EEA, UK, or Switzerland and have exhausted all the means to resolve your concern regarding a potential violation of IDEXX’s obligations under the Privacy 3 Shield Principles, you may seek resolution via binding arbitration. For additional information about the arbitration process, please visit the Privacy Shield website: https://www.privacyshield.gov.

 

Disclosures for National Security or Law Enforcement

Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

 

Contact Us

If you have any questions about this Notice or would like to request access to your Personal Data, please contact us as follows:

  • Email: chiefprivacyofficer@idexx.com
  • Phone: 00-1-888-557-6518
  • FAX: 00-1-888-557-6518 (Attention: Chief Privacy Officer)
  • Mail: IDEXX Laboratories, Inc., Attention: Chief Privacy Officer, One IDEXX Drive, Westbrook, Maine 04092, U.S.A.

 

Changes To This Policy

We reserve the right to amend this Policy from time to time consistent with the Privacy Shield's requirements.