Data Protection Policy

1. Introduction

CENTOGENE AG (CENTOGENE) is a worldwide leader in the field of genetic diagnostic testing for rare hereditary diseases, with a broad test portfolio covering genetic testing, biochemical tests, biomarkers and clinical whole exome sequencing and whole genome sequencing. CENTOGENE is dedicated to the highest quality genetic and biochemical diagnostic testing for the global medical community. CENTOGENE’s mission is to support medical professionals with in-depth medical expertise to diagnose early and safely the genetic reason for the patients’ burden. To support its mission of diagnosing and detecting, CENTOGENE uses Personal Information in the diagnosis of rare hereditary diseases, in the marketing of innovative products, in partnering with health care professionals and researchers, and in relation to its Associates. CENTOGENE respects the data protection rights of any person whose Personal Information we are entrusted with, and CENTOGENE complies with the laws and regulations protecting Personal Information. This Policy explains the relevant data protection principles for the protection of Personal Information and how such principles are to be implemented.

2. Definition

Anonymize or Anonymization means the process by which Personal Information is irreversibly stripped of all identifiers and can no longer (or only with means not reasonably likely to be used) be linked back to the person. Once this is done, it is no longer considered Personal Information.
Associates means directors, officers, managers and employees of CENTOGENE AG and its affiliates (“CENTOGENE”).
Consent means any freely given, specific, revocable and informed indication of the Individual’s agreement to the processing of his/her Personal Information.
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise processed, including incidents where the confidentiality of Personal Information may have been compromised.
Data processing on Behalf means that a provider is hired to process Personal Information as a data processor, thus without being assigned responsibility for the related data processing activities.
Healthcare Service Provider can be any laboratory and/or hospital and/or other institute which is involved in the counselling and/or treating of a Patient and in which one or more Physicians are active.
HCP in this document means both Physicians and Healthcare Service Providers.
Individual means the natural person to whom the Personal Information relates; this can be a Patient, a Physician, a Healthcare Service Provider or any other person.
Patient is any person on whom a genetic test is performed at CENTOGENE or who is interested in such genetic testing for himself/herself and accordingly contacts CENTOGENE.
Physician is the responsible physician counselling and/or treating one or several Patients.
Personal Information means all information that relates to an Individual where that Individual can be identified by us or others. In some cases, the Individual can be identified directly (e.g., by name or photograph) or the Individual can be identified indirectly (e.g., by a medical insurance number, a position in a company or by means of a study code assigned in a clinical trial). In some countries, Personal Information may also include information such as medical device serial numbers, biological samples, IP addresses or information relating to a company (“Legal Person”).
Data Protection Notice means an oral or written statement that Individuals are given when Personal Information about them is being collected. The Data Protection Notice describes who is collecting Personal Information, why Personal Information is being collected, how it will be used, shared and stored, and any other relevant information of which the person should be aware. Oral notices may need to be recorded to establish evidence that notice was provided to the person, and these requirements should be stated in local SOPs, if applicable.
Process or Processing means any operation or set of operations performed upon Personal Information. This definition includes, but is not limited to, collection, recording, organization, storage, retrieval, use, disclosure, anonymization, pseudonymisation or deletion.
Pseudonymise or Pseudonymization means replacing a person’s name and most other identifying characteristics with a label, code or other artificial identifier in order to protect against identification of the person. Pseudonymised data is still considered Personal Information.
Third Party is any person, including a legal entity, with whom CENTOGENE interacts and that is neither a CENTOGENE company nor an Associate nor the Individual himself/herself.
Transfer means any disclosure of Personal Information by someone other than the person to whom the personal data belongs. The term “Transfer” may include the physical movement of Personal Information or the provision of access to Personal Information.
Websites are the websites provided and maintained by CENTOGENE, particularly www.centogene.com, www.centomd.com and www.centoportal.com.

3. Mandatory information under the EU-GDPR

3.1 Responsible data controller and contact

Data controller and responsible entity for the processing of Personal Information is

CENTOGENE AG
Am Strande 7
18055 Rostock

represented by the Executive Board members as can be found on our website. Any Individual can reach our data protection officer under the same address with the addition “Attn: Data Protection Officer” or by email: dataprivacy(at)centogene(dot)com.

3.2 Data collection and processing at CENTOGENE

Depending on which of our services are being used or which Individual is involved, CENTOGENE processes and stores different combinations of Personal Information as follows, and Individuals have the inalienable rights listed below in respect of their Personal Information processed by CENTOGENE within the scope of this Policy.

3.2.1 Personal Information collected from Patients

Through our test order forms, and based on and by virtue of the respective Consent provided by the Patient through his/her Physician, we collect and process Personal Information of a Patient, which may include the following:

  • Personal details (including first and middle name, last name, birth date and/or age)
  • Family relations insofar as provided
  • Address (insofar as provided)
  • Gender
  • Ethnicity (insofar as provided)
  • Nationality (insofar as provided)
  • Disease
  • Symptoms and other medical information
  • The study material / sample involving genetic data
  • Information on Patient’s insurance (where provided)
  • Identifiable genetic information, and
  • (genetic) test results and findings.

Such collected Personal Information is used primarily to provide the best possible service and test result to a Patient, to achieve the best result in a genetic analysis and to perform the respective billing. All the collected Personal Information of a Patient will be stored as long as agreed to in the Patient’s consent declaration. The Personal Information will be processed – partially also in Third Party data centers – for the performance of the genetic analysis requested and for informing the Patient’s Physician of the results of such analysis, in each case on the basis of the Consent provided (Art. 6 para. 1 a) GDPR). CENTOGENE will pseudonymize and thereby protect the Patient’s Personal Information in internal and external processes insofar as possible.

In case a Patient has consented accordingly, his/her Personal Information and Patient’s remaining sample will also be stored and processed for up to 20 years for those further purposes as specified in the Consent declaration, namely in anonymized form to support further research, development and improvement of diagnostic methods and possibly therapeutic solutions. Such measures may in the future also enable and support medical advice and guidance to the Patient and the Patient’s family members, e.g. related to the diagnosis and treatment of a potential genetic disease.

In cases where a Patient’s Personal Information was provided to CENTOGENE by HCPs from outside Germany and/or the European Union, we may need to transfer the Patient’s Personal Information, including test results, back to the respective HCP to fulfill our contractual obligations. In such cases, the Patient’s Personal Information may be transferred (also electronically) to third countries outside the European Union. CENTOGENE applies adequate encryption and protection measures to protect the Patient’s Personal Information during such transmission.

3.2.2 Data collected from HCPs

In order to provide the services requested from us (including the respective billing, etc.) we will mainly collect and process the following Personal Information from HCPs:

  • Personal details (including first name, surname, title)
  • Phone and fax number (where provided)
  • Business address and department and
  • Email address.

All the HCP’s collected Personal Information will be stored until the Personal Information of the last of the HCP’s Patients has been deleted. The Personal Information will be processed to inform the HCP of the Patient’s test results, to handle the HCP’s other requests and for invoicing matters, on the basis of legal provisions allowing the processing of personal data for the purpose of performing a contract (e.g. Art. 6 para. 1 c) GDPR). We may further use the HCP’s Personal Information for customer relationship management measures. Such data usage is based on legal provisions which authorise the data processing because we have an overriding legitimate interest in maintaining a good customer relationship (Art. 6 para. 1 f) GDPR). Any newsletter and/or marketing measures will only be provided to the HCP if he/she has agreed accordingly (double opt-in).

In order to maintain the HCP’s Personal Information and to provide the aforementioned services we may use data processors, which have been carefully selected and are subject to our instructions and to regular monitoring. The aforementioned disclosures to data processors may result in such data being processed in countries outside the EU (third countries). For each such transmission of data to a third country it is safeguarded that either an adequate level of protection exists or reasonable guarantees are provided by concluding a data processing agreement containing the EU standard data protection clauses (retrievable at: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm).

3.3 Data collected from Internet users of CENTOGENE’s websites

CENTOGENE maintains several Websites, each of which provides information to internet users and partially allows for additional information and functions after a login procedure.

  • Generally, an Individual is able to visit the Websites without revealing his/her identity and Personal Information, except as may be necessary to provide a product or service at his/her request. Data are collected on the Websites only to the extent technically necessary. In some cases we may record personal data such as the IP address as well as non-personal data such as the name of the Individual’s internet service provider, the website from which the Individual linked to our site, the pages that the Individual visits on our Website and what the Individual clicks on any given page. This data could possibly lead to the Individual’s identification, but we do not use it to do so.
  • The data will be automatically evaluated for statistical and performance purposes only, and we process the data in anonymous or pseudonymous form so that we do not identify the Individual. Any technically generated, additionally available telecommunication data may be collected, processed and used solely for material purposes including fraud prevention, internal quality control or other security or quality reasons, and always in accordance with all applicable data protection laws. The processing of the data is carried out on the basis of legal provisions which authorise the data processing because we have an overriding legitimate interest in a demand-oriented design as well as the statistical evaluation of our Websites (e.g. Art. 6 para. 1 f) GDPR, Sec. 15 para. 3 German TMG), or on the basis of a provided consent (e.g. by clicking accept on our cookie banner).
  • Cookies are small text files that are stored in the Individual's local browser cache. By using such cookies it is possible to recognize the Individual's browser in order to optimize the website and simplify its use. Data collected via cookies will not be used to determine the personal identity of the website visitor/Individual. Most browsers are configured to accept cookies automatically.
  • You can prevent cookies from being stored on your hardware by selecting "do not accept cookies" in your browser settings. Please refer to the instructions of your browser manufacturer to find out how this works in detail. You can delete cookies already set on your computer at any time. If you do not accept cookies, however, this can lead to functional restrictions of our services.
  • A detailed overview of the cookies used on our Websites and their storage period can be found in Annex 1 hereto. External (third party) cookies used are as follows:


    • Pardot Marketing Automation System
      CENTOGENE uses the Pardot Marketing Automation System (“Pardot MAS”) from Pardot LLC, 950 E. Paces Ferry Rd. Suite 3300, Atlanta, GA 30326, USA (“Pardot”) on some of its Websites. Pardot is specialist software for gathering and evaluating information about how a website is used by its visitors.
      When an Individual visits our Websites, Pardot MAS records his/her click path through the site and creates an individual usage profile using a pseudonym. By clicking accept on the cookie acceptance banner when first using our website or by continuing to use our website that makes use of cookies, the Individual agrees to the use of cookies by Pardot.
      Any Individual may withdraw his/her acceptance at any time with effect for the future. Please use the contact information provided in this privacy statement to do this.
    • Google analytics
      Our Websites also use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). The information generated by the cookie about an Individual’s use of the Websites will be transmitted to and stored by Google on servers in the United States. The Individual’s IP address will be truncated within the area of the Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases will the whole IP address first be transferred to a Google server in the United States and truncated there. Google will use this information on behalf of CENTOGENE for the purpose of evaluating the Individual’s use of the Website, compiling reports on website activity for website operators and providing them with other services relating to website activity and internet usage. The IP address the Individual’s browser conveys within the scope of Google Analytics will not be associated with any other data held by Google. The Individual can opt out of being tracked by Google Analytics with effect for the future by downloading and installing the Google Analytics Opt-out Browser Add-on for his/her current web browser: tools.google.com/dlpage/gaoptout.

  • A detailed overview of the cookies used on our Websites can be found in Annex 1 hereto.
  • All personal data collected on our Websites is in general only stored for a period of 4 weeks, unless the data collected is necessary to manage your account and/or login details. In that case, the data is stored for as long as necessary to manage such account.

3.4 Data collected if CENTOGENE is addressed by email

Should an Individual address us by email we may store and process up to the following Personal Information solely for the process of addressing the respective Individual’s request and in each case depending on the service used:

  • Sender name
  • Email address
  • IP-address; and/or
  • other personal data if and insofar provided by the respective Individual in his/her email.

We process your data in order to handle your request and answer your inquiries. The processing of the data is carried out on the basis of legal provisions which authorise the data processing because it is necessary in order to process your request (e.g. Art. 6 para. 1 b) GDPR). In cases where social media services are used, we do not have any influence on the further storage and processing of the provided Personal Information by the respective social media service.

3.5 Data subjects’ rights if data was collected

If an Individual wants to address or use any of the rights listed below, please address us via the contact information provided above.

3.5.1 Right to be provided with information about and to have access to the personal data stored

The Individual can demand communication to him/her, in an intelligible form, of the Personal Information processed in relation to him/her, of any available information as to its source, and of the purpose of the processing. The Individual also has the right to information about the identity of the controller and, in the event of a transfer of Personal Information, about the recipients or categories of recipients. The right to information also covers the logical structure of automated processing operations, to the extent that automated decisions are affected. When provided for by applicable local law, the Individual does not have a right to information if it would involve considerable impairment of business purposes, including specifically if the disclosure of business secrets would be involved and the interest in safeguarding the business secrets outweighs the Individual’s interest in disclosure. Local legal regulations may restrict the Individual’s right to information if this right is exercised repeatedly within a short period of time, unless the Individual can show a legitimate reason for the repeated assertion of claims for information. CENTOGENE may charge the Individual a reasonable fee for providing the information, to the extent that the applicable law permits this. This right of access to information may be limited by statutory law (e.g. the German Genetic Diagnostic Act), particularly where the patient file contains genetic information which may only be disclosed to a patient by a physician.

3.5.2 Right to request data portability

The Individual shall have the right to receive the Personal Information concerning him/her, which he/she has provided to CENTOGENE, in a structured, commonly used and machine-readable format, and has the right to request that those data be transmitted to another controller without hindrance from CENTOGENE. This right to data portability may be limited by statutory law (e.g. the German Genetic Diagnostic Act), particularly where the Patient file contains genetic information which may only be disclosed to a Patient by his/her responsible Physician.

3.5.3 Right to request rectification or erasure

The Individual can request rectification if his/her Personal Information is found to be incorrect or incomplete. The Individual also has the right to demand that CENTOGENE erase the Personal Information relating to him/her under the prerequisites described in Art. 17 GDPR. These prerequisites establish in particular a right to erasure if the Personal Information is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in situations involving unlawful processing, the existence of a right to object or to withdraw a consent, the existence of a duty to erase under the law of the European Union or the law of the Member States governing CENTOGENE, or when the Personal Information was collected in relation to the offer of information society services pursuant to Art. 8 para. 1 GDPR. For the period of data retention, see also the explanations for the respective user groups above.
Please be aware that CENTOGENE may be required to store certain data for statutory reasons even after receiving an Individual’s request for erasure, particularly with regard to patient files once a report for a genetic test has been provided to the patient’s physician. In such cases, CENTOGENE is obliged to store the patient file for a mandatory period of 10 years.

3.5.4 Right to request restriction of processing

An Individual has the right to demand that CENTOGENE restrict the processing of his/her Personal Information in accordance with Art. 18 GDPR. This right exists in particular if the accuracy of the Personal Information is contested between the Individual and CENTOGENE, for a period enabling CENTOGENE to verify the accuracy of the Personal Information; if the Individual demands a restriction on processing instead of erasure where a right to erasure exists; if the Personal Information is no longer needed for the purposes intended by CENTOGENE but the Individual needs the Personal Information for the establishment, exercise or defence of legal claims; and while the successful exercise of an objection is still disputed between CENTOGENE and the Individual.

3.5.5 Right to object

The Individual has the right, for reasons resulting from his/her particular situation, to object at any time to (1) the processing of Personal Information relating to him/her which is based on Art. 6 para. 1 e) or f) GDPR, including profiling based on those provisions, and (2) the processing of Personal Information for direct marketing purposes. CENTOGENE will stop processing the Individual’s Personal Information unless CENTOGENE can demonstrate compelling reasons for the processing, deserving protection, which outweigh the Individual’s interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

3.5.6 Right to lodge a complaint

The Individual has the right to lodge a complaint with a supervisory authority regarding the processing of his/her Personal Information.

3.5.7 Right to withdraw a consent

Insofar as the processing of Personal Information is based on consent, such consent may be withdrawn at any time with effect for the future.

3.5.8 Applicable local laws

As far as you are entitled to further or modified rights beyond the rights set forth herein under applicable national law, these remain unaffected by the rights and claims set forth herein.

3.6 Procedure

Whenever possible, CENTOGENE will respond to Individuals’ requests for access to their Personal Information immediately, but at the latest within one (1) month of receiving the request. If the Individual’s request for information regarding their Personal Information processed by CENTOGENE, or their request to correct, amend or rectify Personal Information processed by CENTOGENE, does not contain sufficient detail to allow CENTOGENE to respond, CENTOGENE will request additional information from the Individual in an effort to fulfil the request. Before denying a request to access, rectify, delete, or object to processing of Personal Information, Associates must seek the advice of CENTOGENE’s legal department. CENTOGENE will provide the Individual with an explanation for any denied request.

4 Reporting potential misconduct

Any Associate who learns of a potential violation of applicable laws and/or this Policy is required to report his or her suspicion promptly to his or her supervisor, the legal department or management. Associates who report potential misconduct, or who provide information or otherwise assist in any inquiry or investigation of potential misconduct, will be protected against retaliation.

5 Breach of this Policy

Breaches of this Policy may lead to disciplinary and other actions up to and including termination of employment or contract (for Third Parties).

6 Responsibilities

It is the responsibility of every CENTOGENE manager, director or supervisor to adhere to this Policy within his or her area of functional responsibility, to lead by example, and to provide guidance to those Associates reporting to him or her. All Associates are responsible for adhering to the principles and rules set out in this Policy.

7 Security measures relating to personal data

CENTOGENE has taken extensive measures to ensure the secure processing of Personal Information, including the following:

  • Organizational measures: Preparation and implementation of an internal control plan; regular employee training and education;
  • Technical measures: management of access rights to the system for processing Personal Information, installation of an access control system, encryption of certain identification information, installation of security programs; and
  • Physical measures: Restriction of access to the internal data centers (e.g. computer room, data storage room) and contractual measures regarding the obligations of Third-Party data centers in this respect.

8 Changes to this Policy

The services provided by CENTOGENE can be changed from time to time, especially in order to continue to improve the services. Such changes can have an effect on the processing of Personal Information. CENTOGENE accordingly reserves the right to amend this Policy at any time. The current version is available at www.centogene.com. Please inform yourself at regular intervals about the current status of this Policy.

This version of the Data Protection Policy is effective from 25 May 2018.
Rostock, June 2018

Annex 1: Overview of cookies used

www.centogene.com
Name | Purpose | Lifespan
HPSESSID | This is a general purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed.
_ga | Google Analytics cookie, tracks site visits. | 10 min
_gat | Google Tag Manager cookie | 10 min
cookieNotificationVisited | To check if the visitor has read the cookie notification | 1 year
permissioncookie | To check if the visitor has allowed the use of cookies | 1 year
visitor_id486591 | Pardot cookie: marketing automation for existing customers and double opt-in leads | Duration of the session: the cookie is deleted when the browser is closed.
_hjIncludedInSample | Determines if the user's navigation should be registered in a certain statistical placeholder. This is a general purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed.
GPS | Registers a unique ID on mobile devices to enable tracking based on geographical GPS location | Duration of the session: the cookie is deleted when the browser is closed.
YSC | Registers a unique ID to keep statistics of what videos from YouTube the user has seen | Duration of the session: the cookie is deleted when the browser is closed.

www.centomd.com
Name | Purpose | Lifespan
JHPSESSID | This is a general purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed.
_ga | Google Analytics cookie, tracks site visits. | Duration of the session: the cookie is deleted when the browser is closed.
_gat | Google Analytics cookie: this cookie does not store any user information, it is just used to limit the number of requests that have to be made to doubleclick.net. | Duration of the session: the cookie is deleted when the browser is closed.
_gid | Google Analytics cookie for storing randomly generated IDs about the user. | Duration of the session: the cookie is deleted when the browser is closed.

www.centoportal.com
Name | Purpose | Lifespan
JHPSESSID | This is a general purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed.
XSRF-TOKEN | This is a security token used to prevent unauthorized commands to the server | Duration of the session: the cookie is deleted when the browser is closed.
connect.sid | This is a general purpose identifier used to maintain user session variables. | Expires after 1 hour
currentUser | This cookie is used to store general user information. | Duration of the session: the cookie is deleted when the browser is closed.
permissioncookie | To check if the visitor has allowed the use of cookies | 1 year
visitor_id486591 | Pardot cookie: marketing automation for existing customers and double opt-in leads | Duration of the session: the cookie is deleted when the browser is closed.