Effective date: November 30, 2017
We want to set the highest standard in data protection. As a globally operating corporation we view it as our duty to meet, and when possible exceed, requirements of all applicable laws and regulations and industry standards as well as implement the industry’s best practices.
As part of the overall compliance effort, and particularly as part of the participation in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, we are committed to comply with the Privacy Principles pertaining to (1) Notice, (2) Data Integrity and Purpose Limitation, (3) Choice, (4) Security, (5) Access, (6) Accountability for Onward Transfer, and (7) Recourse, Enforcement and Liability. Detailed explanation of these Principles can be found on the US-EU Privacy Shield website at https://www.privacyshield.gov.
Our managers and employees are obligated to adhere to the Varex Data Protection Policy and observe all applicable data protection laws and regulations.
DEFINITIONS. Throughout this Notice we use the terms “Personal Information“ and “Sensitive Personal Information”. The meaning of those terms may vary depending on the jurisdiction. For the purposes of the Varex Data Protection Policy and this Notice the following definitions will apply to those terms:
"Personal Information" means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
"Sensitive Personal Information" means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information pertaining to the sex life of the individual.
INFORMATION WE COLLECT AND HOW WE USE IT. In order to provide our products and the service offerings, it is sometimes necessary for us to collect certain Personal Information about users of such service offerings, including, but not limited to, account user name, IP address (local and public), session information and other usage data. It is important to note that some of this Personal Information may be provided to us by our business partners. To the extent necessary for management of the service offerings and statistical purposes, we may retain collected Personal Information for a limited period of time, after which time the information will be discarded or destroyed. Where possible, any such retained Personal Information will be stripped of personal identifiers and rendered anonymous.
PRIVACY SHIELD. Varex Imaging Corporation in the Privacy Shield framework. Our certification with the Privacy Shield may be verified by accessing the Privacy Shield List at https://www.privacyshield.gov/Registration# .
PRIVACY SHIELD PRINCIPLES. We comply with the seven Privacy Principles established by the Privacy Shield:
- NOTICE. By providing this Notice we inform you about (1) our participation in the Privacy Shield and provide above a link to the Privacy Shield List, (2) the types of personal data we collect and the adherence of all our business units, subsidiaries and affiliates to the Principles, (3) our commitment to treat all personal data received from the EU in reliance on the Privacy Shield in accordance with the Principles, (4) the purposes for which it collects and uses personal information, (5) how to contact us with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, (6) the type or identity of third parties to which we disclose personal information, and the purposes for which we do so, (7) the right of individuals to access their personal data, (8) the choices and means we offer individuals for limiting the use and disclosure of their personal data, and (9) the independent dispute resolution body designated to address complaints and provide appropriate and free-of-charge recourse, (10) being subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation or any other U.S. authorized statutory body, (11) your right, under certain conditions, to invoke binding arbitration, (12) our requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and (13) our liability in cases of onward transfers to third parties.
- CHOICE. We offer you the opportunity to choose (opt out) whether your personal information is (1) to be disclosed to a third party or (2) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by you. If this option is not offered to you automatically when the information is collected please contact us at the contact information provided below.
Please note that in some cases it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform tasks on behalf of and under the instructions of the organization. However, we will always enter into a contract with the agent.
For sensitive personal information, we will obtain the affirmative express consent (“opt-in”) from you if such information is to be (1) disclosed to a third party or (2) used for a purpose other than those for which it was originally collected or subsequently authorized by you through the exercise of opt-in choice. In addition, we should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
- ACCOUNTABILITY FOR ONWARD TRANSFER. To transfer personal information to a third party acting as a controller, we comply with the Notice and Choice Principles. We enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by you and that the recipient will provide the same level of protection as the Principles.
To transfer personal data to a third party acting as an agent, we: (1) transfer such data only for limited and specified purposes; (2) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (3) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the our obligations under the Principles; (4) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (5) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Privacy Shield organization upon request. In cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, we are potentially liable.
- SECURITY. We have in place reasonable and appropriate measures to protect the Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
- DATA INTEGRITY AND PURPOSE LIMITATION. Our processing of Personal Information is limited to the information that is relevant for the purposes of processing. We do not process Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you. To the extent necessary for those purposes, we take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. We will adhere to the Principles for as long as it retains such information.
- ACCESS. We will provide you with access to your Personal Information that we hold and you will be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.
- RECOURSE, ENFORCEMENT AND LIABILITY. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. Therefore, our Policy provides for: (1) readily available independent recourse mechanisms by which your complaints and disputes will be investigated and expeditiously resolved at no cost to you and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; (2) follow-up procedures for verifying that the attestations and assertions we make about our privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and (3) obligations to remedy problems arising out of our failure to comply with the Principles and compliance with any sanctions assessed against us.
VAREX RECOURSE MECHANISM. Any questions or concerns regarding the use or disclosure of personal information should be directed to address listed in the Contact section of this notice, below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved directly between us and you, we have agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Privacy Shield Principles: (1) for disputes involving employment-related personal information received by us from the EEA and Switzerland, we have agreed to cooperate with the data protection authorities and to participate in the dispute resolution procedures of the panel established by the European data protection authorities; (2) for disputes involving all other personal information received by us from the EEA and Switzerland, we have agreed to use International Centre for Dispute Resolution, a division of the American Arbitration Association dispute resolution (“ICDR/AAA”). Individuals who submit a question or concern to us and who do not receive acknowledgment of the inquiry or who think their question or concern has not been satisfactorily addressed should then contact the ICDR/AAA on the Internet (http://go.adr.org/privacyshield.html), by mail, phone or by fax. The website lists the addresses, phone/fax number for your location. Inquiries by mail or fax should identify Varex Imaging Corporation as the company to which a concern or question has been submitted, and include a description of the privacy concern, the name of the individual submitting the inquiry, and whether ICDR/AAA may share the details of the inquiry with us. ICDR/AAA will act as a liaison to our company to resolve these disputes. The dispute resolution process shall be conducted in English. Please note that we are also subject to the jurisdiction of the U.S. Federal Trade Commission and other U.S. government agencies. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
TRACKING TECHNOLOGIES. Technologies such as cookies, beacons, tags, and scripts are used by Varex and some of our marketing partners, analytics partners, and service providers. These technologies are used in analyzing trends, administering the site, tracking users' movements around the site, and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
CHILDREN'S PRIVACY. We do not structure our website to attract children. Accordingly, we do not knowingly collect personally identifiable information from anyone who is 13 years of age or younger.
THIRD PARTY SITES. Varex’s website may contain links to other sites. When you click on one of these links you are being transferred to a website operated by someone other than Varex and the operator of that website may have a different privacy statement. Varex does not share your personally identifiable information with these websites and is not responsible for their individual privacy practices. We encourage you to investigate the privacy policies of these operators.
When you are on our site, please be aware that we have links to other sites that may have the look and feel of our site. Be aware that you are on a site that is actually controlled by our third party hosting service provider.