GDPR NOTICE
Data Protection Notice For EU/EEA Patients and Other Individuals
Effective: August 6, 2020
Last Reviewed: September, 2023
Biodesix, Inc. (“Biodesix”) is providing this notice for individuals residing in the European Union/European Economic Area from whom we acquire biological (i.e., blood or urine) specimens, as well as other individuals involved in the healthcare process. It explains how we collect and process your personal data in connection with our clinical laboratory services.
Who We Are
Biodesix is a clinical laboratory company headquartered and principally operating in the United States. We collect biological samples (blood or urine) from patients for the following purposes:
- Clinical laboratory services. If ordered through your health care provider, we provide certain testing services for particular types of cancer. We may also receive biological samples for testing through collaborative agreements with other healthcare organizations.
Data Collection
We only collect personal data in relation to the services we provide, and limit our data collection to data which is appropriate and proportionate to the reasons for our collection. Generally, we will collect the following information in connection with our provision of testing services:
- Patient Name
- Patient mailing address
- Patient gender and age
- Patient email
- Patient phone number
- Patient Account Numbers for purposes of payment/insurance
- Contact information for the Patient’s healthcare provider(s) associated with the purpose of our testing
- Tests ordered
- We also obtain, in the course of our testing, medical information about the patient which is derived from the tests themselves.
If you are a healthcare provider or other individual involved in the treatment, payment, or operation of health care, we may, in connection with our provision of testing services, collect the following information about you:
- Name
- Mailing address
- Phone Number(s)
Data Processing
We use the personal data of patients and other individuals only for the intended health care purposes associated with:
- obtaining biological samples
- performing required testing
- reporting results, and
- obtaining payment.
If the patient’s healthcare professional contacts us directly, we will, after appropriate authentication, discuss our testing and results with them.
We may also use the data we collect to fulfill our regulatory and legal obligations, such as in relation to audits and checking to ensure that our testing equipment is working properly, and to comply with oversight agency inspections. We may use information in de-identified or anonymized format for public health purposes, such as to report outbreaks or similar irregularities to health officials to help keep communities and the people who live in them safe and healthy. In accordance with applicable laws, various de-identified or anonymized data may also be used to aid in tracking health trends and needed areas of research.
Access Limitations and Sharing Your Data We strictly limit access to patient personal data to authorized members of Biodesix’s workforce and contractors who assist in the testing and test reporting process. We train these individuals in advance, with annual refresher training, on appropriate privacy and security requirements. Before allowing any contractor access to the data, we enter into appropriate contractual provisions requiring contractor compliance with privacy law and our instructions on data processing.
We may also share certain personal data received in relation to the services described in this notice with third parties working with Biodesix, such as third-party laboratories with whom we have collaborations for performing certain specialized laboratory testing, as well as those that assist us with public health and safety aspects of our business. We never sell or share personal data pertaining to patients or other individuals with third parties for their own separate use. Should we share your data with a third party, the third party must provide written assurances that they will only process the data on behalf of Biodesix and subject to Biodesix’s instructions and that they will also ensure appropriate security measures to keep the personal data strictly confidential, consistent with applicable laws and regulations.
To the extent that we are required to provide access to any personal data to third parties who are not our business partners, such as in connection with regulatory audits, to fulfill regulatory reporting obligations to health oversight agencies, or in the event of any legal situations, we take steps to limit the data to that which is required for the specific purpose and take steps to ensure that the data are adequately safeguarded. For legal situations, where feasible, we take steps to inform the individual before any data is provided to the third-party, and if not feasible, will take reasonable steps to inform him/her as soon as practical thereafter.
Types of Cookies Used
| Cookie | Description | Duration | Type |
|---|---|---|---|
| __cfduid | The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | 1 month | Necessary View Service Privacy Policy |
| __cfruid | null | Other | |
| __cfduid | The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | 1 month | Necessary View Service Privacy Policy |
| _gcl_au | This cookie is used by Google Analytics to understand user interaction with the website. | 2 months | Analytics Opt-Out |
| __cfduid | The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | 1 month | Necessary View Service Privacy Policy |
| __cfduid | The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | 1 month | Necessary View Service Privacy Policy |
| UserMatchHistory | Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences. | 1 month | Other View Service Privacy Policy |
| lidc | This cookie is set by LinkedIn and used for routing. | 1 day | Functional View Service Privacy Policy |
| uid_syncd | null | 3 days | Other |
| lang | This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website. | Functional | |
| bcookie | This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page. | 2 years | Functional View Service Privacy Policy |
| bscookie | This cookie is a browser ID cookie set by Linked share Buttons and ad tags. | 2 years | Advertisement View Service Privacy Policy |
| ab | null | 1 year | Other |
| _pk_id.1343.3d15 | null | 1 year | Piwik Analytics Platform View Service Privacy Policy |
| _pk_ses.1343.3d15 | null | 30 minutes | Other |
| IDE | Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile. | 1 year | Advertisement
Google Ads Settings IBA Opt-Out extension for Chrome and Firefox View Service Privacy Policy |
| NID | This cookie is used to a profile based on user's interest and display personalized ads to the users. | 6 months | Advertisement
Google Ads Settings IBA Opt-Out extension for Chrome and Firefox View Service Privacy Policy |
| IQver | This cookie is set IntentIQ. The purpose is not known as of yet. | 2 years | Other |
| test_cookie | A session cookie used to check if the user’s browser supports cookies. | 15 minutes | Other |
| personalization_id | Used on sites that share Twitter content and with Twitter share plugin. Persistent cookie that is set for 730 days | 1 year 11 months 29 days | Twitter View Service Privacy Policy |
Data Transfers
Because Biodesix is headquartered in the United States, the personal data that we collect in relation to the services described in this notice are always processed in the U.S. The data will be stored on secure servers located in the U.S. As such, your data is only accessible to authorized, limited persons who require access to perform their job responsibilities and those persons may be located in countries other than your country of residence. Although there are variations in the data protection laws and level of protection of personal data from country to country, we take steps to ensure that your data is appropriately safeguarded and transferred in a manner consistent with the applicable data protection laws of your country, irrespective of its location.
Data Security
Biodesix uses appropriate technical and organizational security measures to prevent unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration or damage to the personal data that it collects about individuals for the services described in this notice. Irrespective of whether the data are stored in paper or electronic form, these measures are intended to ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the data to be protected, and are also applied in a manner consistent with applicable laws and regulations.
Data Accuracy
Biodesix takes reasonable steps to keep its personal data accurate, complete, and up-to-date in accordance with the purposes for which it was collected. Biodesix also relies on the healthcare professionals, insurers and other individuals who entrust us with personal data for purposes of providing the services described in this notice, to provide accurate information to us, and to amend or update that information if they later determine that it is incomplete or inaccurate.
Individual Rights
Individuals whose personal data is collected and processed by Biodesix can contact Biodesix at the address below, in relation to any questions about their data or to exercise their individual rights of access, amendment, objection or erasure. To protect privacy, we require individuals to authenticate themselves and will provide them with a form to obtain a copy of their data. In accordance with applicable laws, these rights, and particularly the right to amendment, objection or erasure, are limited.
For additional information about Biodesix’s privacy and security practices or to exercise your rights of access or rectification, kindly contact our Data Privacy Officer at Privacy@Biodesix.com.
Right to Withdraw Consent (Opt-Out)
In accordance with applicable data protection laws and requirements, Biodesix provides individuals with the right to withdraw consent (opt-out) in relation to personal data entrusted to us. To do so, you may contact us regarding privacy at Privacy@Biodesix.com. The right to withdraw consent is not absolute in all contexts, and may be limited by legal and regulatory obligations.
Retention Period
Biodesix retains the personal data of individuals referenced in this notice consistent with legal and business requirements, including any US Federal or State law requirements regarding retention of health care data, and then securely disposes of the information.
Questions, Claims or Contacts
Should you have any questions or concerns about your personal data, or if you wish to contact us for any other reason relating to your data, you may email us at Privacy@Biodesix.com. Please put “Privacy Request” in the subject line of your email.
If you believe that your data has been improperly collected, mismanaged, or if you are not satisfied with the resolution of any claim by Biodesix, you also have the right to contact the privacy (data protection) regulatory authorities.
Effective: November 10, 2019