EU Personal Data Privacy Policy

Last Updated May 7, 2018

NanoString Technologies, Inc.

Summary

NanoString Technologies, Inc., on behalf of itself and its subsidiaries (collectively, “NanoString”, “we”, “us”), carefully protects the confidentiality of Personal Data (defined below) provided to us by employees, customers, business partners, and others (“you”). We value the trust placed in us. We will not release Personal Data about you to third parties for purposes other than to provide services to which you have agreed, or to comply with legal requirements. We are committed to upholding best practices in our use, collection, storage and disclosure of personal information.

The US Department of Commerce has agreed on requirements that permit U.S. companies to satisfy the mandate under European law and Swiss law that adequate protection is provided to Personal Data transferred from the European Union, European Economic Area, or Switzerland to the U.S. For EU citizens’ personal data, these requirements are memorialized in the EU-US Privacy Shield Framework. For Swiss citizens’ Personal Data, these requirements are memorialized in the Swiss-U.S. Privacy Shield Framework.

This EU Personal Data Privacy Policy (the “Policy”) sets forth the privacy principles that we follow with respect to Personal Data transferred from the European Union member countries and Switzerland to the United States of America.

Compliance with Privacy Shield and Swiss-U.S. Privacy Shield Framework; Federal Trade Commission Jurisdiction

We comply with the E.U.-U.S. Privacy Shield Framework Principles, including the Supplemental Principles and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce (collectively, the “Principles”). NanoString has certified that it adheres to the Principles. To learn more about the Principles and to view NanoString’s certification, please visit: https://www.privacyshield.gov/list. The Federal Trade Commission has jurisdiction over NanoString’s compliance with this Policy, the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. NanoString commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Scope

This Policy applies to all Personal Data received by us in the United States of America from the European Union member countries and Switzerland, in any form including electronic.

Definitions

For purposes of this Policy, the following definitions shall apply:

“Agent” means any third party that collects or uses personal information under our instructions or to which we disclose personal information for use on our behalf. These third parties are most commonly: employee payroll, employee benefits, distribution, service, and billing partners.

“NanoString” means NanoString, and our successors, affiliates, subsidiaries, divisions and groups in the United States of America, EEA, and Switzerland. NanoString is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

“Personal Data” or “Personal Information” means any information or set of information that identifies or is used by or on behalf of us to identify an individual in the context of providing our services. Personal Data does not include information that is encoded or anonymised.

“Process” or “Processing” means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sensitive Personal Information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, criminal convictions or indictments, trade union membership, or that concerns health or sex life, and any other categories of information identified as sensitive personal information by the applicable local laws. We will treat any information received from a third party as sensitive personal information where that third party treats and identifies the information as sensitive personal information.

Privacy Shield Principles

The privacy principles in this Policy are based on the Privacy Shield Principles.

Notice: Where we collect Personal Data directly from individuals (such as employees or customers) in the EU and Switzerland, we will inform them about:

  • our participation in the Privacy Shield and the web address for the Privacy Shield list;
  • the types of Personal Data collected and the purposes for which we collect and use that information;
  • our commitment to apply the Privacy Shield Principles to all Personal Data received from the EU and Switzerland under the Privacy Shield;
  • how to contact us with any inquiries or complaints;
  • the type of Agents to which we disclose Personal Data, and for what purposes;
  • their right to access their own personal data;
  • the independent dispute resolution body (the ICDR/AAA, an alternative dispute resolution provider based in the United States) we have designated to address complaints, free of charge to a complainant;
  • our being subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission;
  • the possibility, in some circumstances, that the individual may invoke binding arbitration;
  • the requirement that we disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
  • our liability in cases of onward transfers to third parties.

Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to us, or as soon as possible thereafter, and in any event before we use or disclose the information for a purpose other than the original purpose for which it was collected.

Where we receive Personal Data from our subsidiaries, affiliates or other entities in the EU or Switzerland, we will use and disclose such information in accordance with the notices provided by such entities and the choices made by individuals regarding their Personal Data.

Choice: We do not use Personal Data for purposes other than for those for which it was collected. We do not share such information with non-Agent third parties, unless required by law.

Accountability for Onward Transfer (transfers to Agents): We only transfer Personal Data to Agents for limited and specified purposes, consistent with any notice provided to you and consent given. We transfer Personal Data to Agents only if the Agent agrees to provide the same level of privacy protection as is required by this Policy and Privacy Shield Principles. We require Agents to notify us if they determine that they can no longer provide the protections required by the Privacy Shield Principles. Where we know an Agent is using or disclosing Personal Data in a manner contrary to the Privacy Shield Principles, we will take all reasonable steps to stop and remediate unauthorized processing of Personal Data. In cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, NanoString is potentially liable.

Security: We take all reasonable precautions to protect Personal Data in our possession from loss, misuse and unauthorized access. In addition, we will take all reasonable steps to prevent unauthorized disclosure, alteration and destruction of Personal Data.

Data Integrity and Purpose Limitation: We will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. We will take all reasonable steps to ensure that Personal Data we process is limited to only what is relevant to the purposes for which it was collected and that it is accurate, complete, and up-to-date.

Access: Upon request, we will grant individuals reasonable access to Personal Data that we hold about them, which consists mainly of information received from our customers. In addition, we will take reasonable steps to permit individuals to correct, amend, or delete information that is inaccurate, incomplete, or has been processed in violation of Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual requesting the data would be violated). We are unable to correct anything other than factual errors in any report we produce for our customers because the report is based on information provided by such customers. However, we will take all reasonable steps to facilitate amendments to information provided by our customers if an individual raises a query.

Recourse, Enforcement, and Liability: We will conduct compliance audits of our relevant privacy practices, for example our information and data processing systems, to verify adherence to this Policy. Any employee that we determine is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

Please direct any questions or concerns regarding the use or disclosure of Personal Data to NanoString’s General Counsel at the address below. At no cost to you, we will investigate and attempt to resolve complaints and disputes regarding use and disclosure of your Personal Data in accordance with the principles contained in this Policy. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit http://go.adr.org/privacyshield.html for more information on how to file a complaint. For complaints that cannot be resolved between us and a complainant, we have selected an independent recourse mechanism, the ICDR/AAA, an alternative dispute resolution provider based in the United States, to resolve disputes pursuant to the Privacy Shield Principles. The services of ICDR/AAA are provided at no cost to you. The same chain of complaint resolution is available for possible unfair or deceptive practice and violations of laws or regulations governing privacy. In certain limited circumstances, individuals have the right to invoke binding arbitration by delivering notice to NanoString at the contact address below. For more information about binding arbitration under the Privacy Shield, please visit http://go.adr.org/privacyshield.html.

Swiss-U.S. Privacy Shield Framework Principles

We comply with the Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of Personal Data from Switzerland. We adhere to the seven Swiss-U.S. Privacy Shield Framework Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability. If there is any conflict between the policies in this Policy and the Swiss-U.S. Privacy Shield Framework Principles, the Swiss-U.S. Privacy Shield Framework Principles shall govern. To learn more about the Swiss-U.S. Privacy Shield Framework program, please visit https://www.privacyshield.gov, and to view NanoString’s certification page, please visit https://www.privacyshield.gov.

Limitation on Application of Principles

Adherence by us to these Privacy Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule, or regulation.

Internet Privacy

We regard the Internet and the use of other technologies as valuable tools for communicating and interacting with our employees, customers, business partners, and others. We understand the importance of maintaining the confidentiality of information collected and/or stored online, and we have systems in place that protect data collected and/or stored online or via an electronic database. Personal Data that is transferred from the EEA or Switzerland to the United States of America will be treated in accordance with this Policy.

Rights of Access, Rectification, Erasure, and Restriction

Under the Privacy Shield, you may seek confirmation regarding whether NanoString is Processing your Personal Data, request access to Personal Data, and ask that we correct, amend, or delete your Personal Data where it is inaccurate or has been Processed in violation of the Privacy Shield Principles. Where otherwise permitted by applicable law, you may use any of the methods set out in this Privacy Policy to request access to, receive (port), restrict Processing, seek rectification, or request erasure of your Personal Data held by NanoString. Such requests will be Processed in line with local laws. Although NanoString makes good faith efforts to provide individuals with access to their Personal Data, there may be circumstances in which NanoString is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where it is commercially proprietary. If NanoString determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, NanoString will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Data.

Inquiries and Complaints

Inquiries, comments, or complaints should be submitted to NanoString’s General Counsel by mail as follows: NanoString Technologies, Inc., 530 Fairview Avenue N, Seattle, WA 98109, USA, Attn: General Counsel; or by email to legal@nanostring.com.

Changes to this Privacy Policy

We may amend this Policy from time to time by posting a revised Policy at https://www.nanostring.com/EUprivacy. We will only amend this Policy in a manner consistent with the requirements of the EU-US Privacy Shield, the Swiss-U.S. Privacy Shield Framework, and other applicable laws.