Privacy Policy
Marquee Medical Transport (“MMT”) recognizes the importance of maintaining privacy of information. This Marquee Medical Transport Privacy Policy (“Policy”) addresses how MMT collects, uses processes and protects data and other information (“Data”). Data includes, but is not limited to personal information governed by the privacy principles under the EU-US Privacy Shield Framework (“Framework”), agreed to between the European Commission and the US Department of Commerce regarding the collection, use and retention of personal information from European Union (“EU”) member countries. As set forth with further detail below, where applicable CSC TCI complies with the EU-US Privacy Shield Framework. MMTI has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/.
I. Definitions
In addition to other terms defined herein, the following definitions shall apply to this Policy:
- “PI” means personal Data about an identified or identifiable individual, such as names and addresses.
- “Processing” or “Processes” are operations involving PI.
- “EU Person” is an individual in an EU member state.
- “EUPI” is PI that is within the scope of the Framework, received by MMT from an EU Person located in an EU member state, and recorded in any form.
II. Collection, Use and Disclosure
MMT only collects, obtains access to, Processes and uses Data as necessary for and/or relevant to its proper business purposes of: offering and providing non-emergency transportation services, backing up Data for business continuity, disaster recovery and archival purposes; maintaining security of services, systems, networks, and Data, and complying with laws, regulations, professional standards, contract terms, court orders, administrative or judicial processes, subpoenas and search warrants (“Purposes”). When appropriate, MMT provides clients and personnel with access to their Data to correct, amend or delete such Data. Unless restricted by law, regulation, professional standards or contract, MMT may disclose certain Data to its personnel or to third-parties: for Purposes; with regard to a merger, sale, assignment or other transfer of MMT; to protect MMT’s legal interests; in connection with internal business practices; with consent by the Data owner; and when necessary to respond to an emergency that may threaten risk of harm to or destruction of person, property or Data. Except as part of a merger, sale or other significant entity change, MMT will not sell, rent or lease PI. MMT requires most personnel to execute confidentiality agreements, and assesses all third-party agents and subcontractors for suitability and reliability, given the nature of the Processing activity and Data involved. Third-party contracts typically address confidentiality, privacy and security obligations, as well as notification of known or suspected security breaches, misappropriation, or unauthorized disclosure and use of Data.
III. Framework Principles
With regard to collection, use, retention and Processing of EUPI, MMT adheres to the Privacy Shield Principles set forth in the Framework.
1. Notice
If MMT obtains EUPI directly from any EU Person, it will notify such EU Person of: the purposes for which it collects and uses their EUPI; how the individual an contact MMT with inquiries or complaints about such use; the types of third parties (if any) to which MMT discloses such EUPI; and the choices and means that MMT offers for limiting the use and disclosure of their EUPI. Choices and means of limiting use and disclosure of PI may include use of encryption technology, limiting support options, providing separate backup mechanisms, and/or ceasing provision of certain products and services. Notice will be provided in clear and conspicuous language when MMT first asks any EU Person to provide PI to MMT, or as soon as practicable thereafter, and in any event before MMT processes such information for a purpose other than that which it was originally collected, or discloses it for the first time to a third party. If EUPI is provided to MMT by its entity clients, notice will not be provided to the relevant EU Person by MMT, however MMT will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the client and with consents made, so long as the client makes MMT aware of such purpose and consents. MMT clients are responsible for providing notice to all EU Persons who are the subject of Data and PI provided by such client to MMT.
2. Choice
MMT will offer EU Persons providing EUPI directly to MMT, the opportunity to choose (opt-out) whether their PI will (a) be disclosed to a third party (unless that disclosure is required or allowed by contract),or (b) be used for a purpose that is incompatible with the purpose for which that information was originally collected or subsequently authorized by the EU Person. MMT will provide EU Persons with clear and conspicuous, readily available and affordable mechanisms to exercise their choices. For sensitive EUPI (which specifies medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or regarding gender and sexuality), MMT will give EU Persons the explicit choice to consent (opt-in) to disclosure to a third party, or use for a purpose other than that for which that information was originally collected or subsequently authorized by the EU Person via exercise of the opt in choice. If any EUPI is provided to MMT by its clients, choice will not be provided to the EU Person by MMT, however MMT will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the entity client and with consents made, so long as the client makes MMT aware of such purpose and consents. MMT clients are responsible for obtaining consent from and providing choice to all EU Persons who are the subject of Data and PI provided by such client to MMT.
3. Accountability for Onward Transfer
MMT will apply the notice and choice principles in providing EUPI collected directly from a EU Person and thereafter provided to a third party. MMT is potentially liable in cases of onward transfers of EUPI to third parties. Accordingly, MMT will obtain assurances that its agents and subcontractors subscribe to the EU-US Privacy Shield Privacy Principles or otherwise use safeguards consistent with this Policy.
4. Security
MMT will take reasonable precautions to protect EUPI in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. MMT follows industry standard security measures, which include physical, administrative and technical safeguards and controls designed to protect EUPI and other Data from loss, misuse, unauthorized access, disclosure, alteration or destruction. MMT takes precautions in its efforts to ensure that access to EUPI is available only to those who are authorized. No protocol, encryption, or other precaution can provide complete security for electronic Data, so MMT does not provide a guarantee of total security. Moreover, the privacy of information regarding the employees, customers and business associates of MMT’s clients are the responsibility of such clients; MMT clients have the only direct relationship with these Data subjects. MMT follows commercially reasonable measures for retention and destruction of Data, including EUPI. Where appropriate, Data is deleted and/or disposed of effectively and securely. Even if destruction is requested by a client, personnel or EU Person, it may still be necessary for MMT to retain certain Data pursuant to law, contract terms or to comply with internal retention and destruction policies.
5. Data Integrity and Purpose Limitation
MMT will use EUPI only in ways that are relevant for the Purposes for which it was collected or authorized by the relevant EU Person. MMT will take reasonable steps designed so that EUPI Processing is performed as intended, and in an accurate, complete and current manner.
6. Access
Upon request, MMT will grant EU Persons reasonable access to their EUPI held by MMT, and will take reasonable steps to permit corrections, amendments, or deletions of inaccurate or incomplete EUPI, except where the burden or expense of providing access would be disproportionate to the risks to the EU Person’s privacy in the case in question, or whether the rights of other persons would be violated.
7. Recourse, Enforcement and Liability
8. Self-Assessment Verification
To ensure compliance with Framework Privacy Principles set forth in Section III of this Policy, MMT will conduct an annual independent audit of its practices, which shall include confirming (a) the Policy and posting revised versions of the Policy in a conspicuous place on MMT’s website where employees and clients can see them; (b) the Policy is accurate, comprehensive and conforms to the Framework’s principles; (c) annual renewal of EU-US Privacy Shield self-certification with the US Department of Commerce; (d) inclusion of MMT’s name on the US Department of Commerce’s EU-US Privacy Shield list of compliant companies; (e) appropriate employee training and internal procedures exist for periodic reviews of MMT’s compliance with the Policy. Any employee that MMT determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
9. Dispute Resolution
In compliance with the EU-US Privacy Shield Principles, MMT commits to resolve complaints about privacy and the collection or use of EUPI free of charge. EU Persons with inquiries or complaints regarding this Policy may first contact Marquee Medical Transportation, Attention Jake Ross, Owner, either by email at marqueetransport@gmail.com or by phone at (858) 412-0399. MMT has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. In addition, the Federal Trade Commission has jurisdiction to hear any claims of unfair or deceptive practices or violations of laws or regulations governing privacy. Under certain limited conditions, EU Persons may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
9.1 Limitations
MMT’s adherence to the Framework principles may be limited and MMT may be required to disclose EUPI in response to a lawful request by public authorities; to meet national security or law enforcement requirements; where there is a conflicting or overriding legal obligation; to the extent expressly permitted by any applicable law, rule or regulation; or where MMT receives EUPI as a Processor acting on the instructions of a client, in which case MMT will receive such EUPI merely for Processing in accordance with Purposes. MMT clients will remain responsible for compliance with applicable laws and the Framework Privacy Shield Principles with regard to all PI provided by such clients to MMT. MMT client contracts contain strict restrictions that prohibit clients from accessing or reviewing other clients’ Data.
IV. Application and Exceptions
This Privacy Policy applies to MMT’s internal business matters, website, hosting, and provision of products and services. Except with regard to Section III, Framework Principles: (a) MMT may modify or discontinue this Policy at any time, as it deems appropriate, without prior notice or consent, and new versions will become effective immediately, and (b) MMT’s compliance with this Policy may be limited in certain circumstances, such as when the burden or expense of providing access to or disclosure of Data is disproportionate to the privacy risks; when the rights of individuals would be violated; when necessary to protect MMT’s legal interests, or abide by laws, regulations, professional standards or contract terms; and when necessary to respond to a court order, administrative or judicial process, subpoena or search warrant. Employment with MMT or use of MMT’s website, hosting or other products and services is voluntary and signifies agreement and acceptance of the terms herein. Any person or entity that disagrees with this Policy should not provide MMT with access to any Data.
V. Questions
Questions and concerns regarding this Policy and its terms or regarding suspected misuse of Data should be directed to Marquee Medical Transportation, Attention Jake Ross, Owner, either by email at marqueetransport@gmail.com or by phone at (858) 412-0399. MMT will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Data in accordance with the principles contained in this Policy. The effective date of this Policy is: December 1, 2018.