© 2018 Gilead Sciences, Inc. All rights reserved.
In the regular course of business, Gilead Sciences, Inc., including its wholly owned subsidiaries and successors (together referred to as “Gilead”) interacts and communicates directly with health care professionals, customers, clinical trial participants, consumers, business partners, regulatory authorities, and others. Through these interactions and communications, personal information may be provided to Gilead and processed electronically and/or manually. Gilead respects individual privacy and values the confidence of such individuals. This Privacy Statement sets forth Gilead's privacy principles with respect to Personal Information, including the privacy procedures and technical security measures Gilead follows in its normal course of business to keep Personal Information private and secure.
Gilead participates in both the EU – U.S. Privacy Shield and U.S. – Swiss Privacy Shield Frameworks. Gilead acknowledges its commitment to comply with the EU – U.S. Privacy Shield and U.S. – Swiss Privacy Shield Principles (“Principles”) for all Personal Information received from the EU or Switzerland which was provided in reliance on Privacy Shield. Gilead will collect, use and disclose Personal Information received from the EU or Switzerland only in accordance with the principles outlined in this Privacy Statement, the above-noted Privacy Shield Principles, and legal requirements. For purposes of Privacy Shield compliance enforcement, Gilead acknowledges that it is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).
This Privacy Statement applies to Personal Information received by Gilead (including Personal Information received by third-party organizations or individuals acting as Agents of Gilead) from health care professionals, customers, clinical trial participants, consumers, business partners, and other individuals, in any format, including electronic and paper, as part of Gilead's business operations. Types of third-party organizations include Gilead subsidiaries and business partners, a current list of which is available upon request.
For the purposes of this Privacy Statement, the following definitions shall apply:
“Affiliate” means any third party which is under common control with Gilead.
“Agents” means a third party who represents and acts for Gilead pursuant to a duly executed contract or is otherwise duly authorized by Gilead to perform such representation and acts.
“Service Provider”means any consultants and contractors (including temporary employees) about whom Gilead has Personal Information, who are providing or have provided consulting or contracting services to Gilead.
"Gilead" means Gilead Sciences, Inc., its successors and subsidiaries.
“Personal Information”means any information or set of information that relates to a Data Subject. Identification of an individual can be either direct or indirect and can be made by or on behalf of Gilead.
“Pseudonymization” means the processing of Personal Information in such a manner that such information can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the PI is not attributed to a Data Subject.
“Principles” means the EU – U.S. Privacy Shield and U.S. – Swiss Privacy Shield Principles.
“Sensitive Personal Information (SPI)” means a Gilead-defined subset of Personal Information “PI” (similar to the EU-defined Sensitive Personal Data, with additional attributes), SPI includes information revealing unique government identifiers, financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation, or any criminal offenses (alleged or otherwise).
Gilead Privacy Statement
The collection, processing, storage, use, and disclosure of Personal Information in the business context is essential to the conduct of many of Gilead’s business functions. Gilead may collect, process, store, use, and disclose Personal Information from individuals directly and/or from third parties, subject to applicable law.
PURPOSE FOR COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
Gilead processes Personal Information where you consent to us doing so. However, there are a number of instances where Gilead does not require your consent to engage in the processing or disclosure of Personal Information. Gilead may not solicit your consent for the processing or transfer of Personal Information for those purposes which have a statutory basis, such as:
- The transfer or processing is necessary for the performance of a contract between you and Gilead (or one of its affiliates);
- The transfer or processing is necessary for the performance of a contract, concluded in your interest, between Gilead (or one of its affiliates) and a third party;
- The transfer or processing is necessary, or legally required, on important public interest grounds, for the establishment, exercise, or defense of legal claims, or to protect your vital interests; or
- The transfer or processing is required by applicable law.
Gilead collects, uses and discloses your Personal Information in its normal course of business for the following purposes:
- Establishing and maintaining communications with you;
- Where you have requested participation in a clinical trial with Gilead or one of Gilead’s partners;
- Disease management, education, or decision support systems related to the use of Gilead products or services;
- Where you have requested a service from Gilead, assisting you in the completion of your application, the assessment of your eligibility for any such requested service, the processing and maintenance of the service, as well as any applicable renewal of such service;
- Responding to your inquiries about applications, trials and other services;
- Making proposals for future service needs;
- Allowing our affiliated companies to notify you of certain products or services offered by our affiliated companies;
- Processing transactions through service providers;
- Meeting legal, security, processing, and regulatory requirements;
- Protecting against fraud, suspicious or other illegal activities; and
- Compiling statistics for analysis of our sites and our business.
WHAT DATA WE COLLECT
When interacting with Gilead, you may choose to provide us with information to help us serve your needs. The Personal Information that we collect will depend on how you choose to interact with Gilead.
Where you participate in Clinical Trials
If you participate in a clinical trial with Gilead, or one of our partners, we will collect Personal Information about you as is necessary to fulfill the purpose of the clinical trial. This can include SPI such as biological and medical information about you. However, as required by the Principles, Personal Information will be Pseudonymized, as appropriate, to both protect your privacy as well as maintain the integrity of the clinical trial.
Where you request information about our services
If you request further information about our services, we require you to submit your name, e-mail address, the name of your organization, and the country in which you are based so we may send you the material you have requested, and to enable us to identify whether you have an existing relationship with Gilead.
Where you register with us and/or request services
If you register with us, or request a service available on the Site, we may ask you for your name, e-mail address, country, telephone number and the reason for your communication; as well as information about your position, organization, and such other information as is reasonably necessary so that we can provide you with the service. On the data submission form, we shall indicate by way of an asterisk, which information is optional and which information is mandatory. This information can include information you provide on applications or other forms, which may include your name, address, email address, and payment information.
Individuals should not provide Gilead with any Personal Information that is not specifically requested. Where Gilead receives Personal Information from its subsidiaries, affiliates, or other entities, it will use or disclose such Personal Information in accordance with the above procedures.
Gilead may consolidate or aggregate Personal Information in a non-identifiable form (anonymized/Pseudonymized data) to help Gilead improve product design and services, to enhance Gilead’s research activities, and to facilitate other business functions.
DISCLOSURE OF INFORMATION TO OTHERS
We do not disclose any Personal Information about you to any third parties except as stated in this Privacy Statement or as notified to you, or as otherwise permitted by law, or authorized by you.
Third parties to whom we disclose information are required by law and contractual undertakings to keep your Personal Information confidential and secure; and to use and disclose it for purposes that a reasonable person would consider appropriate in the circumstances, in compliance with all applicable legislation, which purposes are as follows:
- As is necessary to fulfill a clinical trial to which you are a participant;
- To provide the products and services you have requested from us;
- To notify you, or allow our affiliated companies to notify you of certain products or services offered by our affiliated companies;
- For legal, regulatory, and related purposes; and
- To process transactions through data processing service providers.
If these third parties wish to use your Personal Information for any other purpose, they will have a legal obligation to notify you of this and, where required, to obtain your consent. Contact us firstname.lastname@example.org for more information on these third parties.
In the normal course of performing services for our clients, Personal Information may be shared within Gilead and its affiliates for research and statistical purposes, drug safety and efficacy purposes, disease management, system administration and crime prevention or detection, or any purpose otherwise identified in this Privacy Statement.
Because a number of the service providers we use in pursuance of the purposes mentioned above are located in countries other than your own, your Personal Information will be processed and stored inside those other countries, and those countries’ governments, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of your Personal Information under local laws.
As we continue to develop our business, we might sell or buy assets. In such transactions, user information, including Personal Information, generally is one of the transferred business assets. Also, if either Gilead itself or substantially all of Gilead assets were acquired, your Personal Information may be one of the transferred assets. Therefore, we may disclose and/or transfer your Personal Information to a third-party in these circumstances.
Other Legally Required Disclosures
Gilead reserves the right to disclose without your prior permission any Personal Information about you or your use of this Site if Gilead has a good faith belief that such action is necessary to: (a) protect and defend the rights, property or safety of Gilead, employees, other users of this Site, or the public; (b) enforce the terms and conditions that apply to use of this Site; (c) as required by a legally valid request from a competent governmental authority and/or to comply with a judicial proceeding, court order, or legal process; or (d) respond to claims that any content violates the rights of third parties. We may also disclose Personal Information as we deem necessary to satisfy any applicable law, regulation, legal process, or governmental request.
Where Gilead relies on consent for the fair and lawful processing of Personal Information, the opportunity to consent will be provided prior to when the Personal Information in question is collected. Your consent may be given through your authorized representative such as a legal guardian, agent, or holder of a power of attorney. Where Gilead relies on consent, you will be entitled to withdraw that consent at any time.
For SPI, Gilead will provide individuals the opportunity to affirmatively and explicitly authorize or consent to the collection, processing, transfer, or disclosure of their SPI to a non-Agent third party or the use of their SPI for a purpose other than the one for which the individual originally consented.
Gilead will not disclose your Personal Information to third parties except as otherwise stated in this Privacy Statement or otherwise notified to you.
Gilead maintains servers and other storage facilities in the United States, EU, and Asia. Gilead may transfer Personal Information outside of its country of origin for the purposes, and in the manner, set out above; including for processing and storage by Service Providers and Affiliates in connection with such purposes. In all situations, Gilead takes reasonable steps to ensure that your privacy is protected. Such steps include, but are not limited to: implementing privacy, security, and contractual controls; as well as steps noted above, as required by applicable law. To the extent that any Personal Information is sent out of an individual’s country, it is subject to the laws of the country in which it is held, and may be subject to disclosure to the governments, courts, or law enforcement or regulatory agencies of such other country, pursuant to the laws of such country, consistent with the Principles.
Accountability for Onward Transfers: Gilead will obtain assurances from its Service Providers and Affiliates that they will safeguard Personal Information consistent with this Privacy Statement. An example of appropriate assurances that may be provided by Service Providers and Affiliates includes a contractual obligation that they provide at least the same level of protection as is required by Gilead’s privacy principles set out in this Privacy Statement. Where Gilead has knowledge that a Service Provider or Affiliate is using or disclosing Personal Information in a manner contrary to this Privacy Statement, Gilead will take appropriate steps to prevent or stop the use or disclosure. Gilead also complies with the Privacy Shield Principle regarding liability for onward transfers.
Gilead has implemented reasonable physical, technical and managerial controls and safeguards to keep your Personal Information protected from unauthorized access, disclosure, alteration, and destruction. Such measures may include, but are not limited to: the encryption of communications via SSL, encryption of information while it is in storage, firewalls, access controls, separation of duties, and similar security protocols.
Access to Personal Information is limited to a restricted number of Gilead employees whose duties reasonably require such information, Agents with whom Gilead contracts to carry out business activities for Gilead, and, with an individual’s consent, certain companies with which Gilead may conduct joint programs. Gilead trains its employees on the importance of privacy and how to handle and manage Personal Information appropriately and securely. Personal Information handled by Agents, or companies with which Gilead may conduct joint programs, is governed by this Privacy Statement and the Principles.
Data Integrity and Purpose Limitation
Gilead will use Personal Information only in ways that are compatible with the purposes for which it was collected, or consented to by the individual. Gilead will have appropriate steps in place to ensure that Personal Information is relevant to its intended use, accurate, complete, and current. Gilead will only store Personal Information for as long as it is needed to fulfill the purposes for which it was collected, subject to applicable data retention periods imposed upon Gilead by applicable law. This may mean that your Personal Information is stored by Gilead for a number of years, depending on the purpose and need for that data to be processed. For more information about Gilead’s retention periods for Personal Information, please refer to the contact information section below.
Where individuals have rights under laws applicable to them and upon written request, Gilead will grant individuals access to Personal Information that it holds about them, subject to any legal restrictions. In addition, Gilead will permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or to object to certain types of processing of such information or to data portability, in certain circumstances and subject to certain exceptions provided by law. Gilead may not be able to comply with a request where Personal Information has been destroyed, erased or made anonymous in accordance with Gilead’s record retention obligations and practices. In the event that Gilead cannot provide an individual with access to his/her Personal Information, Gilead will endeavor to provide the individual with an explanation, subject to any legal or regulatory restrictions.
Recourse Enforcement and Liability
Individuals may contact Gilead regarding any question or complaint regarding the collection, processing, and transfer of their Personal Information by completing the Gilead Privacy Inquiry Form and by emailing it to email@example.com. Gilead will promptly investigate and respond to complaints within 45 calendar days of their receipt. Gilead will attempt to resolve complaints, disputes and requests to revoke consent regarding collection, processing, transfer, and disclosure of Personal Information in accordance with the principles contained in this Privacy Statement, and the Principles.
Gilead will conduct periodic compliance audits of its relevant privacy practices to verify adherence to this Privacy Statement.
Independent Recourse Mechanism
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge), TRUSTe, athttps://feedback-form.truste.com/watchdog/request.
In the event that you cannot fully resolve your complaint through the above mechanisms, it is possible that you may use binding arbitration as a final resort. In order to invoke this arbitration option you must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with Gilead and afford us an opportunity to respond to the issue within 45 days; (2) make use of the independent recourse mechanism, in this case TRUSTe, which is at no cost to you; and (3) raise the issue through your Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue.
This arbitration option may not be invoked if your same claimed violation (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which you were a party; or (3) was previously settled by you and us. In addition, you may not invoke this option where the Data Protection Authority of the country of your residence already has jurisdiction to resolve your complaint.
You may initiate binding arbitration, subject to the pre-arbitration requirements provision above, by delivering a “Notice” to the organization. The Notice shall contain a summary of steps taken to resolve the claim, a description of the alleged violation, and, at the choice of the individual, any supporting documents and materials and/or a discussion of law relating to the alleged claim. For more information on how to invoke arbitration under the Privacy Shield Framework, please visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Finally, you may only use binding arbitration to ensure Gilead follows the data handling practices set out in this Privacy Statement. No other form of remedy is available by any arbitration under this section.
Any questions or concerns regarding handling of Personal Information by Gilead, or related to revocation of consent to collect, process, transfer, or disclose your Personal Information should be directed by email to firstname.lastname@example.org.
Any requests to opt-out of future communications from Gilead, or to opt-out of a particular Gilead program should be directed to Gilead by e-mail at email@example.com, or by phone at by telephone at +1 (800) GILEAD5 or +1 (650) 522-5775.
Alternatively, letters may be sent to the following address:
Gilead Sciences, Inc.
333 Lakeside Drive
Foster City, CA 94404
All communications to Gilead should include the individual’s name and contact information (such as e-mail address, phone number, or mailing address), and a detailed explanation of the request. E-mail requests to delete, amend, or correct Personal Information should include “Deletion Request” or “Amendment/Correction Request,” as applicable, in the subject line of the e-mail. Gilead will endeavor to respond to all reasonable requests in a timely manner, and in any case, within any time limits prescribed by applicable local law.
Changes To Gilead Privacy Statements
Gilead reserves the right to amend this Privacy Statement from time to time to reflect technological advancements, legal and regulatory changes, and Gilead’s business practices, subject to applicable laws. If Gilead changes its privacy practices, an updated version of this Privacy Statement will reflect those changes. Gilead will provide notice of such changes by updating the effective date listed on this Privacy Statement. It is your responsibility to check this Privacy Statement frequently to view any amendments. Your continued interaction with Gilead, in the activities covered above, will be subject to the then-current Privacy Statement.
If you are an EU citizen and/or accessing Gilead Websites in the European Economic Area, then this Supplement may apply in addition to the above.
Transfers of your Personal Information may be made to entities located outside the European Economic Area, including entities located in the United States, for processing consistent with the purposes above. Gilead will implement appropriate contractual measures (including our Privacy Shield certification and standard data protection clauses, a copy of which you can obtain by contacting firstname.lastname@example.org) to ensure that the relevant Gilead companies and third parties outside the European Economic Area provide an adequate level of protection to your Personal Information as set out in this notice and as required by applicable law.
For the processing of Personal Information relating to the European Economic Area, Gilead has assigned a data protection officer responsible for overseeing our compliance with EU data protection law, who you may contact at email@example.com in case of any questions or concerns regarding the processing of your Personal Information.
If Gilead’s processing of your Personal Information is covered by EU law you may also lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant supervisory authority name and contact details underhttp://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.