Last updated: May 11, 2017
We self-certify compliance with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (U.S. Department of Commerce).
Polaris Management Partners, LLC (“Polaris”) assists life sciences companies (“Clients”) with their compliance, finance, sales and marketing processes by providing management consulting services. In providing these services, Polaris may make use of individuals’ Personal Data provided to Polaris by its Clients. Protecting this personal data is important to Polaris.
Polaris generally does not collect Personal Data directly from individuals, nor is Polaris’ website designed to obtain or collect Personal Data from individuals. Nonetheless, with respect to such Personal Data that Polaris does collect and receive from individuals residing in the European Union (“EU”) and Switzerland, Polaris complies with both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland.
Accordingly, Polaris adheres to the Privacy Shield Privacy Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, liability and enforcement as this adherence pertains to Polaris’ participation in both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
Polaris is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
As used in this Policy, “Personal Data” or “Data” means any information or data that (1) is transferred from the EU to the United States and from Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to, a specific individual; and (4) can be linked to that individual.
As used in this Policy, “Data Controller” means the party that determines the purposes for which and the manner in which any personal data is processed.
As used in this Policy, “Data Processor” means the party that processes the Personal Data on behalf of, and according to the instructions of, the Data Controller.
As used in this Policy, “Processing” broadly covers any activity taken with respect to the data, such as collecting, storing, transmitting and deleting data.
III. Types of Personal Data Collected or Processed by Polaris
Polaris assists life sciences companies with their compliance, finance, sales and marketing processes by providing automated solutions and management consulting services. In providing these services, Polaris may make use of Personal Data of individuals provided to Polaris by its Clients. Protecting this Personal Data is important to Polaris. Polaris does not collect Personal Data directly from individuals, nor is Polaris’ website designed to obtain or collect Personal Data from individuals. Instead, clients of Polaris may use software designed and supported by Polaris to collect Personal Data, and may make such information available to Polaris in order for Polaris to carry out the services purchased by them.
Personal Data processed by Polaris concern the following categories of data subjects: Employees, consultants or agents of Clients or their business partners; healthcare professionals, meaning those who are members of the medical, dental, pharmacy and nursing professions and any other persons who, in the course of their professional activities, may prescribe, recommend, purchase, supply or administer a pharmaceutical product; and patients who are prescribed or use any products supplied by Polaris’ customers.
Personal Data processed by Polaris concern the following categories of data: Name, address, contact information, log-in information, affiliation, information about payments made to healthcare professionals, and services provided by healthcare professionals.
IV. Third Parties to Which Polaris Discloses Personal Data and the Purposes for which Polaris Shares Personal Data with such Third Parties
A. Disclosure of Personal Data
1. Third Party Service Providers. As noted above, Polaris does not collect Personal Data directly from individuals. Instead, Clients may make Personal Data available to Polaris in order for Polaris to carry out the consulting services purchased by them. With respect to Personal Data made available to Polaris by Clients, Polaris may share such Personal Data with third party service providers to: provide and maintain information technology services; conduct quality assurance testing; respond to help and other support requests; and/or provide other services to Clients and their business partners. These third party service providers are required not to use Personal Data other than to provide the services contracted by Polaris. Polaris requires its service providers to whom it discloses Personal Data to contractually agree to provide at least the same level of protection for Personal Data as is required by the relevant Privacy Shield principles.
V. Commitment to Process Personal Data Only in Accordance with Privacy Shield Principles
In addition, certain Personal Data may be subject to more specific privacy policies of Polaris, which are also consistent with the requirements of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and the GDPR. For example, Personal Data obtained from or relating to clients or former clients is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client, and applicable laws and professional standards.
While Polaris does not collect Personal Data directly from individuals, Clients may, from time to time, transfer Personal Data to Polaris consistent with the services contracted by the Client. When Personal Data is transferred to Polaris by a Client, the Client is the Data Controller and is responsible for extending the choice of how Personal Data is shared with a third party. Individuals wishing to exercise choice over their Personal Data should contact the Client and/or the entity that originally obtained their Personal Data. Should Polaris in the future collect Personal Data directly from individuals, Polaris will provide individuals an opportunity to choose (or “opt-out”) whether their Personal Data is shared.
3. Onward Transfers
As noted above, Polaris does not collect Personal Data directly from individuals. Should Polaris in the future collect Personal Data directly from individuals, when disclosing such Personal Data to a third party, Polaris shall ensure that the third party subscribes to the Privacy Shield Principles, and agrees in writing to provide at least the same protection as that required by the Privacy Shield Principles. Additionally, should Polaris in the future collect Personal Data directly from individuals, Polaris will provide individuals an opportunity to choose (or “opt-out”) whether their Personal Data is shared. The transfer of such data will be for limited and specified purposes. Polaris acknowledges it has potential liability in cases of onward transfer of such Personal Data to third parties. Upon notice, Polaris will take reasonable and appropriate steps to stop and remediate unauthorized processing.
4. Data Security
Polaris takes reasonable and appropriate security measures to account for the risks related to the processing and nature of Personal Data, including securing Personal Data and protecting it from loss, misuse, and unauthorized access, alteration and destruction, by using physical, electronic and managerial safeguards. Polaris cannot guarantee the security of Information on or transmitted via the Internet.
5. Data Integrity
Polaris shall only use Personal Data that is relevant to the purpose for which it was collected or subsequently authorized by the individual. To the extent necessary for those purposes, Polaris shall take reasonable steps to make sure that Personal Data is accurate, complete, current, reliable and relevant for its intended use.
Polaris acknowledges the right of individuals to have access to their Personal Data. As a Data Processor, Polaris is obligated to refer individuals who wish to access their Personal Data to the Client that controls their Personal Data.
A. Annual Assessment
By Email: EUPrivacyShield@polarismanagement.com
By Phone: 1.646.381.8982
Polaris has further committed to refer unresolved privacy complaints under the EU-U.S. and the Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Polaris has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs and/or the Swiss FDPIC for more information or to file a complaint. The services of EU DPAs and the Swiss FDPIC are provided at no cost to you.
Please note that if your complaint is not resolved through these channels, under limited circumstances a binding arbitration option may be available before a Privacy Shield Panel.