DataFirst Corporation Data Privacy Framework Notice
Effective Date: October 12, 2023
Last Updated: October 16, 2023
DataFirst Corporation (“DataFirst,” “we,” “us,” or “our”) has certified certain services, for which we act as a service provider for customers in the European Economic Area (“EEA”), the United Kingdom, and Switzerland, under the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (collectively, the “Data Privacy Frameworks”).
We provide this Notice to describe and explain the measures we take to protect the privacy of data subjects in the EEA, the United Kingdom, and Switzerland and to comply with applicable law and our obligations under the Data Privacy Frameworks.
This Notice does not apply to information that DataFirst collects from visitors to our website, or that we access or receive through other services or solutions that are not specifically identified below. For information about how we collect and use this information, please see DataFirst’s Privacy Policy.
DataFirst’s Participation in the Data Privacy Frameworks
DataFirst provides data migration services to customers (typically healthcare providers) in the EEA, the United Kingdom, and Switzerland that involve converting and migrating data between computer systems (such services, “Data Migration Services”). This Notice, and DataFirst’s Data Privacy Frameworks certifications, apply only to these Data Migration Services.
DataFirst complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the EEA, the United Kingdom, and Switzerland to the United States in connection with its performance of Data Migration Services. With respect to its provision of these Data Migration Services, DataFirst has certified to the Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.
DataFirst commits to subject to the EU-U.S. DPF Principles all personal data received from the EEA and the United Kingdom, and to the Swiss-U.S. DPF Principles all personal data received from Switzerland, in reliance on the relevant Data Privacy Frameworks.
If there is any conflict between the terms in this Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certifications, please visit https://www.dataprivacyframework.gov.
The Federal Trade Commission has jurisdiction over DataFirst’s compliance with the Data Privacy Frameworks.
Types of Data Processed and Purposes of Processing
When performing Data Migration Services, DataFirst may be given access to data, including personal data, which is stored on computer systems maintained and operated by customers (such data, “Migration Services Data”). While the customer decides what data will be processed, Migration Services Data typically include data about the customer’s patients, including medical images and related medical records that may include sensitive information about those patients’ health status, medical assessments, and test results.
During the performance of Data Migration Services, all Migration Services Data to which DataFirst may be given access remains on systems located at the customer’s facilities. DataFirst personnel in the United States may access Migration Services Data through a remote connection to the customer’s systems to (a) perform data conversion and migration services; (b) provide troubleshooting and support for issues arising during data conversion and migration; and (c) confirm successful conversion and data migration.
DataFirst may also receive basic business contact information pertaining to customer personnel in the EEA, the United Kingdom, or Switzerland with whom we work to perform Data Migration Services (such information, “Customer Contact Data”). Customer Contact Data may include name, business email address, mailing address, and business telephone number. DataFirst uses Customer Contact Data to coordinate the performance of data conversion and migration services and to manage and respond to related customer requests for service or support.
In performing Data Migration Services, DataFirst acts as a data processor for the customer (who acts as the data controller), or as a sub-processor for the customer’s other service providers. DataFirst processes Migration Services Data and Customer Contact Data pursuant to the customer’s instructions and in accordance with contractual agreements between DataFirst and the customer or the customer’s other service providers.
Disclosures of Migration Services Data and Customer Contact Data to Third Parties
DataFirst may disclose Migration Services Data and Customer Contact Data to a limited number of third-party service providers who act as our agents to assist in our performance of Data Migration Services. DataFirst maintains contracts with these service providers that restrict their access, use, and disclosure of personal data and that require them to provide at least the same level of protection as required by the DPF Principles. DataFirst is responsible for these service providers’ compliance with these obligations, and shall remain liable under the DPF Principles if they process such personal data in a manner inconsistent with the DPF Principles, unless DataFirst proves that it is not responsible for the event giving rise to the damage.
In addition, DataFirst may be required to disclose Migration Services Data and Customer Contact Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Access and Choice
Individuals in the EEA, the United Kingdom, and Switzerland have a right to access personal data about them, and to limit the use and disclosure of their personal data. As part of its certification to the Data Privacy Frameworks, DataFirst is committed to respecting those rights.
DataFirst acts as service provider to customers in the EEA, the United Kingdom, and Switzerland with respect to Migration Services Data and Customer Contact Data and is subject to strict contractual limitations on its ability to disclose that personal data to third parties or to use that personal data for purposes other than its performance of Data Migration Services. For these reasons, DataFirst assumes that the customers from whom it receives Data Migration Services or Customer Contact Data will provide these individuals a means to access any personal data about them, and to request that their personal data be corrected, amended, or deleted. DataFirst further assumes that customers obtain from these individuals appropriate consent to transfer their personal data to us and for us to process their personal data consistent with this Notice and our agreements with those customers or their service providers.
If you are an individual who believes your personal data is included in Migration Services Data or Customer Contact Data that we process on behalf of a customer in the EEA, the United Kingdom, or Switzerland and would like to exercise your rights of access or choice, please contact that customer directly. Alternatively, you may contact DataFirst in accordance with the “Inquiries and Complaints” section of this Notice, in which case you should provide the name of the customer in the EEA, the United Kingdom, or Switzerland who acts as the controller for your personal data. We will refer your request to that customer and will support them as needed in responding to your request.
Inquiries and Complaints
In compliance with the Data Privacy Frameworks, DataFirst commits to resolve DPF Principles-related complaints about our collection and use of personal data received in reliance on the Data Privacy Frameworks. Individuals with inquiries or complaints regarding our handling of personal data received in reliance on the Data Privacy Frameworks should first contact DataFirst by sending an email to privacy@datafirst.com or by regular mail to the attention of:
DataFirst Corporation
2700 Sumner Blvd.
Suite 130
Raleigh, NC 27616
Attn: Privacy
In compliance with the Data Privacy Frameworks, DataFirst has further committed to refer unresolved complaints concerning our handling of personal data received in reliance on the Data Privacy Frameworks to JAMS, an alternative dispute resolution provider located in the United States whom DataFirst has designated to provide appropriate recourse to individuals free of charge. If you do not receive timely acknowledgement of your DPF Principles-related complaint from us, or if we have not resolved your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Data Privacy Framework compliance that are not resolved by any of the other Data Privacy Framework mechanisms. For additional information about the arbitration process please see Annex I of the DPF Principles: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.