Privacy Notice
Last Revised: August 2022
This Privacy Notice informs you of important information about how Hologic, Inc. and our family of companies (together, “Hologic,” “we,” “us” or “our”) process the personal data that we collect in online and offline formats through the Services. The controller for your personal data will be identified when you purchase a product or service or interact with us.
When we use the term “Services” we mean to refer collectively to:
- The provision of medical technology and related services to our customers including technical support (“Customer Services”);
- The websites owned and controlled by us that link to this Privacy Notice (“Sites”); and
- Interactions with prospective customers and marketing and business development activities, including events we host, social media properties we operate, and emails that we send (“Marketing Activities”).
When we use the term “personal data” we mean data that reasonably can be used to identify a person, or that reasonably relates to a person.
This Privacy Notice applies only to our processing of personal data within the scope of the General Data Protection Regulation (“GDPR”) and/or the GDPR as it is incorporated into the laws of England and Wales, Scotland and Northern Ireland (“UK GDPR”) as follows:
- Processing of personal data by a Hologic company located in one or more of the European Union Member States plus Iceland, Liechtenstein and Norway (together known as the “European Economic Area” or “EEA”) and/or the United Kingdom (“UK”); and
- Processing of personal data by a Hologic company located outside of the EEA and/or the UK, but that is offering goods or services into the EEA and/or the UK or monitoring the behavior of individuals in the EEA and/or the UK, in which case this Privacy Notice applies only to the processing of personal data of individuals located in the EEA and/or the UK.
How We Collect and Use Personal Data
We collect and process personal data about a number of different individuals through the provision of the Services. These individuals include our customers, prospective customers and others who may be interested in our products and services, visitors to our offices, visitors to our Sites, vendors, and other individuals.
The majority of our customers and prospects are corporate entities and data about entities is not personal data. But we do process personal data of their employees, representatives and other personal data customers and prospects provide to us or allow us to collect on their behalf.
We collect the following personal data in the context of providing Customer Services and Marketing Activities:
- Names
- Job titles
- Email address
- Physical address
- Phone number
- Diagnostic solutions device log data (but not patient data)
We also obtain personal data about individuals who may be interested in our products or services from third-party sources such as lead generation list providers and conference organizers when they provide us personal data about conference attendees.
Our legal bases for processing personal data in connection with Customer Services and Marketing Activities are:
- To comply with legal obligations and professional responsibilities;
- To perform contracts;
- To pursue our legitimate interests of:
  - ensuring that we deliver the best possible service to our customers,
  - keeping individuals informed of developments in our technology, products, and services,
  - business development and general marketing, and
  - ensuring we build and maintain a good working relationship with you;
- Your consent, but where we make it clear to you in advance that we are relying on your consent (for example, when you sign up to our mailing list).
We often interact with health care professionals in the conduct of our business. In connection with our Marketing Activities, we may contract with them to perform consulting or speaking engagements. We collect the following personal data about health care professionals:
- Names
- Job titles
- Email address
- Professional address
- Phone number
- Resume and work history details
- Financial and tax information (when we need to pay consultants and for speaking engagements)
Our legal bases for processing this personal data are:
- To comply with legal obligations and professional responsibilities (for example, transparency laws and codes governing the health care industry);
- To perform contracts;
- To pursue our legitimate interests of:
  - ensuring that we deliver the best possible service to our customers,
  - keeping individuals informed of developments in our technology, products, and services,
  - business development and general marketing, and
  - ensuring we build and maintain a good working relationship with health care professionals in the industry;
- Your consent, but where we make it clear to you in advance that we are relying on your consent (for example, when you sign up to our mailing list).
We collect certain personal data from visitors to our Sites. We generally collect this information directly from you when you fill out form fields, interact with our iStore, download product documentation, apply for a job, or register for and participate in our medical education services. In this variety of different circumstances on the Sites we collect:
- Name
- Customer account number
- Company name
- Your photo, if you provide it to us
- Email address
- Physical address
- Phone number
- Time zone
- Resume and work history details, if you apply for a job with us
- The products and medical education services you are interested in
The legal bases we rely on to process this personal data are:
- To pursue our legitimate interests of operating and growing our business, operating and improving the Sites, delivering the Customer Services and engaging in Marketing Activities; and
- Your consent, where we make it clear to you in advance that we are relying on your consent (for example, when you sign up to our mailing list).
For visitors to our offices we take a record of name and contact information. This information is recorded for legitimate business purposes and for health and safety purposes so that we know who is in the building in the event of an emergency. If you attend one of our events and we serve food, we may have information about your dietary requirements.
The legal bases we rely on to process this personal data are:
- To comply with our legal obligations; and
- To pursue our legitimate interests in ensuring the safety and security of our employees and visitors.
We process personal data of vendors and business partners in the conduct of our business operations, including name, contact information, financial information, tax information, and information to verify identity. For vendors, we do this so that we can liaise about the services the vendors are providing to us now and in the future. For business partners, we do this to support, grow and maintain the relationship. For individual vendors and business partners, we hold financial information in order to pay invoices. Sometimes we receive this information from a third party who is recommending the service to us.
The legal bases we rely on to process this personal data are:
- To perform contracts;
- To comply with our legal obligations; and
- To pursue our legitimate interests of managing and operating our business, including through use of vendors and business partners.
Social media channels, pages and blogs offered as a service to users of the Services (“Social Media”) are hosted by third-party vendors. Those vendors normally require registrants to provide personal data, including name and email address among other kinds of information. This personal data is not collected by us but may be shared with us. We use this personal data to manage our online communities and for other purposes set forth in this Privacy Notice.
Additional Uses of Personal Data
In addition to the uses described above, we may use your personal data for the following purposes. Some of these uses may, under certain circumstances, be based on your consent, may be necessary to fulfill our contractual commitments to you, are necessary to serve our legitimate interests in the following business operations, or to comply with our legal obligations:
- Operating our business, administering the Services and managing your accounts;
- Contacting you to respond to your requests or inquiries;
- Processing and completing your transactions including, as applicable, order confirmation and delivering products or services;
- Providing you with newsletters, articles, alerts and announcements, event invitations, and other information that we believe may be of interest to you;
- Providing you with marketing information, and other information that is tailored to your interests;
- Conducting research, surveys, and similar inquiries to help us understand trends and customer needs;
- Analysing your interactions with us, and improving our products, services, programs, and other offerings;
- Preventing, investigating, or providing notice of fraud, unlawful or criminal activity, or unauthorised access to or use of Personal Information, our website or data systems; or to meet legal obligations; and
- Enforcing our Terms of Use and other agreements.
How We Share and Disclose Personal Data
We share personal data with the following categories of recipients.
We may disclose your personal data to third-party service providers to provide us with services such as website hosting, professional services, including information technology services and related infrastructure, customer service, e-mail delivery, auditing and other similar services.
We may disclose personal data to our affiliates for the purposes described in this Privacy Notice, including for their marketing purposes, and to be consistent with our goal of providing the superior customer service and engagement experience that our customers have come to expect from us around the world.
In some regions, we sell our products through distributors rather than directly to buyers. In these regions, we may disclose personal data in order to provide the Services, complete transactions, and address product delivery and warranties.
We may disclose personal data to third parties in order to perform services you request or functions you initiate, such as when you post information and materials on message boards and forums.
We may disclose your personal data to a third party in connection with a corporate reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or capital, including in connection with any bankruptcy or similar proceedings.
In addition, we may use or disclose your personal data as we deem necessary or appropriate: (1) under applicable law, including laws outside your country of residence; (2) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (3) to comply with subpoenas and other legal processes; (4) to pursue available remedies or limit damages we may sustain; (5) to protect our operations or those of any of our affiliates; (6) to protect the rights, privacy, safety or property of Hologic, our affiliates, you and others; and (7) to enforce our terms and conditions.
E-mail Marketing
We may periodically send you relevant alerts and newsletters by e-mail. To help improve our marketing activities, we often receive a confirmation when you open an e-mail or click on a link included in one of these emails, if your computer supports such capabilities. Instructions on how to unsubscribe from these alerts and newsletters are included in each e-mail.
Data Retention
We retain personal data pursuant to our records retention program, for as long as is necessary for the purposes set out in this Privacy Notice, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Articles 5(1) of the GDPR and the UK GDPR, as applicable.
When deciding how long to retain personal data we take into account our legal and regulatory obligations, the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means. The specific criteria used to determine the period for which personal data about you will be stored varies depending on the legal basis under which we process such personal data:
- Legitimate Interests: For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.
- Contractual Necessity: For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
- Legal Obligation: For the duration of time we are legally obligated to keep the personal data.
- Consent: For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain personal data about you erased (see Data Subject Rights below).
We may face a threat of legal claim, and in that case we may need to apply a “legal hold” that retains personal data beyond our typical retention period. We will then retain the personal data until the hold is removed, which typically means the claim or threat of claim has been resolved.
Transfers of personal data across borders
Any personal data that you provide to us is stored and processed in, and transferred between, any of the countries in which Hologic and its agents, contractors and affiliated organisations have offices, in order to enable Hologic to use that personal data as set out in this Privacy Notice.
Not all of these countries have data protection laws equivalent to those in force in the EEA and/or the UK. In order to ensure the protection of your personal data outside of the EEA and/or the UK we rely on appropriate or suitable safeguards, including:
- Using standard contractual clauses approved by relevant authorities as ensuring adequate safeguards.
- Transferring personal data to countries that have been deemed to provide an adequate level of protection for personal data by relevant authorities.
- Obtaining your consent to transfer personal data after first informing you about the potential risks of the transfer.
- Transferring personal data when it is necessary for the performance of a contract between you and us, or if the transfer is necessary for the performance of a contract between us and a third party and the contract was entered into in your interest.
- Transferring personal data when it is necessary to establish, exercise or defend legal claims.
Data Security
We seek to use reasonable organisational, technical and administrative measures to protect personal data within Hologic. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact Us” section below.
Data Subject Rights
Individuals whose personal data we process subject to the GDPR and/or the UK GDPR have certain rights as required by law, including the right of access, erasure and data portability, as well as the right to rectification, to restrict processing, to withdraw consent, and to object to processing as follows.
Individuals have the right to know if we are processing personal data about them and, if so, to access and obtain a copy of personal data about them, as well as information relating to the processing of that data.
Individuals have the right to have us correct or update any personal data about them that is inaccurate or incomplete without undue delay.
Individuals have the right to restrict or limit the ways in which we process personal data about them where the accuracy of the personal data is contested by them, where data has been obtained by us unlawfully, where the individual has objected to our processing of the data (see right of objection below) and we are considering whether to cease processing, or where we no longer need to process the personal data.
Individuals have the right to object to our processing of their personal data where we are relying on legitimate interests as our legal basis and their rights override our legitimate interests in processing their personal data. Individuals also have the right to object to our processing of their personal data for direct marketing purposes.
Where we rely on consent as the basis for processing personal data, individuals have the right to withdraw their consent.
Individuals have the right to request deletion or erasure of their personal data in a number of circumstances where required by law. These include where we no longer require the personal data for the purposes for which it was collected, the individual has withdrawn consent, or where we are relying on legitimate interests as a legal basis and the individual’s rights override our legitimate interests.
Individuals have the right to obtain a copy of the personal data we hold about them in a structured machine-readable format and to have it transmitted to another controller. This right only occurs where we are relying on their consent or performance of a contract as our legal basis and the processing is carried out automatically.
Individuals also have the right to make a complaint about our personal data handling practices to their local Supervisory Authority.
Cookie Notice
We use cookies and related technologies (“Cookies”) to provide Services, gather information when users navigate through the Sites to enhance and personalise the experience, to understand usage patterns, and to improve our Sites, products, and Services.
Cookies on our Sites are generally divided into the following categories:
- Required Cookies: These cookies are necessary to enable basic features of the Sites to function, such as providing secure log-in or remembering how far you are through an order.
- Functional Cookies: These cookies allow us to analyse your use of the Sites to evaluate and improve our performance. They may also be used to provide a better customer experience on the Sites, for example, by remembering your log-in details, saving what is in your shopping cart, or providing us information about how the Sites are used.
- Advertising Cookies: These cookies are used to show you ads that are more relevant to you. We may share this information with advertisers or use it to better understand your interests. For example, advertising cookies may be used to share data with advertisers so that the ads you see are more relevant to you, allow you to share certain pages with social networks, or allow you to post comments on our site.
You can review your Internet browser settings, typically under the sections “Help” or “Internet Options,” to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the Sites.
The opt-outs described above are device- and browser-specific and may not work on all devices. If you choose to opt-out through any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will just not be based on your interests.
Links to Other Sites
Occasionally we provide links to other websites for your convenience and information. These sites operate independently from our Sites and are not under our control. These sites may have their own privacy notices or terms of use, which you should review if you visit any sites linked through our Sites. We are not responsible for the content or use of these unrelated sites.
Updates to this Privacy Notice
Although most changes are likely to be minor, Hologic may change its Privacy Notice from time to time, and at Hologic’s sole discretion. Hologic encourages visitors to frequently check this page for any changes to this Privacy Notice.
Contact Us
You may exercise your rights to review, know, correct, update, delete, restrict or object to the processing of your personal information at any time by completing a Data Subject Access Request here.
You may exercise your rights to submit a complaint regarding the processing of your personal data at any time by completing a form here.
If you have any queries, questions or concerns about this Privacy Notice or our personal data handling practices, please email data.privacy@hologic.com or write to:
For UK:
Hologic Hub Ltd.
International Legal Department
Heron House, Oaks Business Park, Crewe Road, Wythenshawe, Manchester, M23 9HZ, UK
For EU:
Hologic BV
International Legal Department
The Corporate Village, Building Caprese 3th floor
Da Vincilaan 5
1930 Zaventem, Belgium