Privacy Shield

Privacy Shield Privacy Policy

Effective Date: September 30, 2016

DNA Diagnostics Center, Inc. (“DDC”, dba HomeDNA) is a leading provider of private DNA testing. Since 1995, DDC has performed hundreds of thousands of genetic tests. DDC offers comprehensive DNA testing services in several specialty areas, focusing primarily on relationship establishment. This Privacy Shield Privacy Policy (“Policy”) outlines how DDC and its subsidiaries, branches, divisions and business units in the United States collect, use and disclose certain Personal Data that we receive in the United States from the European Economic Area (“EEA”), and the choices affected individuals have regarding DDC’s use of, and the individual’s ability to correct, that information.

Protecting the privacy of its clients is important to DDC. DDC has elected to participate in the Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding Personal Data transferred to the United States from European Economic Area member states. DDC has certified that it adheres to the Privacy Shield Privacy Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

For the purposes of enforcing the Privacy Shield, DDC is subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”). To learn more about the Privacy Shield program, please visit the U.S. Department of Commerce’s Privacy Shield website. To review DDC’s certification, please visit the U.S. Department of Commerce’s Privacy Shield self-certification list.

This Policy is intended to supplement our HomeDNA Privacy Policy. In the event of any inconsistency, the terms of this Policy will govern.

Definitions
The following definitions apply throughout this Policy:

Agent
Any third party that uses Personal Data provided to DDC to perform tasks on behalf of and under the instruction of DDC.

DDC
DNA Diagnostics Center, its subsidiaries, branches, divisions, and business units in the United States.

Personal Data
Any information or set of information that identifies a living individual, or could reasonably be used to identify a living individual (in each case, whether alone or in combination with any other information in the possession, or likely to come into the possession of DDC).

Sensitive Personal Data
Personal Data that reveals racial or ethnic origin, political opinions, religious beliefs (or beliefs of a similar nature), trade union membership, physical or mental health or condition, sexual life, the commission or alleged commission of any offence or any proceedings for any offence committed or alleged to have been committed. In addition, DDC will treat as Sensitive Personal Data genetic data and any information received from a third party where that third party treats and identifies such information as sensitive.

Privacy Principles

Notice
When DDC collects Personal Data directly from individuals in the EEA, it will inform them about the purposes for which it collects their Personal Data and the choices and means, if any, that DDC offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to DDC, or as soon as practicable thereafter, and in any event before DDC uses or discloses the information for a purpose other than that for which it was originally collected. The HomeDNA Privacy Policy describes the categories of Personal Data that we may receive in the United States under the Privacy Shield Framework as well as the purposes for which we use such Personal Data.

If DDC receives Personal Data from its subsidiaries, affiliates, or other entities in the EEA, it will use such information in accordance with the notices such entities provided and the consents or choices made by the individual about whom such Personal Data relates.

Choice
DDC will offer individuals the opportunity to choose (“opt-out”) whether their Personal Data is (a) to be disclosed to a non-Agent third party (unless allowed or required by contract), or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

For Sensitive Personal Data, DDC will give individuals the opportunity to affirmatively and explicitly consent (“opt-in”) to the disclosure of the information to a non-Agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

Accountability for Onward Transfer
We may transfer Personal Data to our third-party Agents or business partners as described in the HomeDNA Privacy Policy. Where required by the Privacy Shield, DDC will obtain assurances and enter into contracts with its Agents or business partners, stating they will safeguard Personal Data consistently with the Principles and limiting their use of the data to the specified services provided on our behalf. If DDC has knowledge that an Agent or business partner is using or disclosing Personal Data in a manner contrary to this Policy, DDC will take reasonable steps to prevent or stop the use or disclosure. Under certain circumstances, DDC may remain liable under the Principles if the third party Agents that it engages to process Personal Data on its behalf do so in a manner inconsistent with the Principles.

Access
Upon request, DDC will grant individuals reasonable access to Personal Data that it holds about them. In addition, DDC will take reasonable steps to permit individuals to correct, amend or delete that information where it is inaccurate, incomplete or has been processed in violation of the Principles. These access rights may not apply fully in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access.

If you would like to request access to, correction, amendment or deletion of your Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information.

Recourse, Enforcement and Liability
DDC will conduct internal compliance reviews of its relevant privacy practices to verify adherence to this Policy. Any employee that DDC determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the DDC Privacy Department at the address given below. DDC will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles contained in this Policy.

For complaints that cannot be resolved between DDC and the complainant, DDC has agreed to participate in dispute resolution using JAMS International (located in the United States) as a third party resolution provider to resolve disputes pursuant to the Privacy Shield Principles. You may submit, at no charge to you, your complaint to JAMS for mediation under the JAMS International Mediation Rules, which are accessible on the JAMS website.

You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with DDC and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the U.S. Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see the U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).

Limitation on Application of Principles
Adherence by DDC to these Privacy Shield Principles may be limited (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, DDC strives to implement these Principles fully and transparently, including indicating in our privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, DDC will opt for the higher protection where possible.

Contact Information
Questions or comments regarding this policy should be submitted to:

DDC
Attn: Privacy Department—Privacy Shield
One DDC Way
Fairfield, OH 45014
privacy-officer@dnacenter.com
1-800-362-2368

Changes to this Policy
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. DDC will post appropriate notice about such changes and amendments, including by updating the effective date at the top of this Policy.