We live in the same connected world you do. Although headquartered in the United States, we conduct business, among other places, in Switzerland and many of the countries comprising the European Economic Area (“EEA”). Since our commitment to transparency and trust in matters of privacy does not end at the U.S. border, for information transferred from those countries to our United States operations, we comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce. You can verify our good standing under the Privacy Shield by searching our name here. Incyte does not currently use the Privacy Shield Frameworks as the basis for international transfers; however, we are committed to abiding by the Privacy Shield principles.
This Privacy Shield Statement sets forth the privacy principles Incyte follows in connection with the transfer and protection of personal information from the European Economic Area (“EEA”) and Switzerland to the United States, in addition to the EU and Swiss Standard Contractual Clauses we have with third parties and our Intragroup Data Transfer Agreement between our affiliates that provide the actual basis for these data transfers. The EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework were developed to provide U.S. organizations with a means of satisfying the requirements under the EU Directive on data protection and Article 6 of the Swiss Federal Act on Data Protection respectively, and Incyte continues to abide by these Frameworks while not using them as the basis for our data transfers.
Consistent with Incyte’s goal to protect personal privacy, Incyte is fully committed to complying with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from EEA member nations and Switzerland to the United States. Incyte has certified to the Department of Commerce that it adheres to both the EU-U.S. and Swiss-U.S. Privacy Shield Principles of Policy, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability as set forth below (the “Principles”). The United States Federal Trade Commission (FTC) has jurisdiction over our compliance with the Privacy Shield and we are subject to the FTC’s investigatory and enforcement powers. Information regarding the Privacy Shield program and evidence of our certification can be found by visiting https://www.privacyshield.gov/.
This Privacy Shield Statement is effective as of December 19, 2022, and has not been amended since that date.
Scope
This Privacy Shield Statement governs all personal information received by Incyte in the United States from Incyte’s operations and business partners in the EEA and Switzerland. As used in this Privacy Shield Statement, “personal information” has the meaning given to it under the applicable local law of the country from which it was originally collected. Generally, it means information that identifies or can directly or indirectly lead to the identification of an individual, including such things as an individual’s name, address, telephone number, fax number, email address, social security number and date of birth.
Privacy Shield Principles
The Privacy Shield is predicated on seven core Principles:
- Policy
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability
We adhere to and have implemented policies and procedures regarding these core Principles in the following ways:
Policy. When we collect personal information from individuals in the EEA and Switzerland, we tell them about the types of personal information being collected, the purposes of our collection and the nature of our intended uses. We also advise them of the types of third parties—such as vendors with cloud-based software licensed in support of our operations and clinical research organizations—to whom we further disclose such information, the purposes for which we disclose to such third parties, and the choices and means, if any, we offer for limiting use and disclosure, as well as how to contact us with inquiries or complaints. We use a variety of different context-specific means to provide such policy information. For instance, in our research activities, we use industry-standard informed consent forms.
Choice. We will offer those individuals whose personal information we have collected a choice. They may “opt-out” of having their personal information disclosed to third parties and/or used for purposes other than for the purposes for which it was originally collected or subsequently authorized. For the types of personal information that the laws of Switzerland and the EEA countries deem “sensitive,” rather than having to opt-out after the fact, we afford affected individuals, at the time of collection, an opportunity to “opt-in” and specifically consent to have their information disclosed to third parties or used for purposes other than those for which it was originally collected or subsequently authorized. Just as we do in fulfilling our Policy obligations, we use a variety of different, context-specific means to provide the choices described here or otherwise required by the Privacy Shield.
Accountability for Onward Transfer. Our accountability for the personal information we receive and subsequently transfer to third parties is described in the Privacy Shield Principles. In summary, we remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process your personal information on our behalf do so in a manner inconsistent with the Principles, unless we can prove that we are not responsible for the event that gives rise to any harm you may incur.
Security. At a minimum, we take reasonable precautions to protect the personal information in our possession from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Data Integrity and Purpose Limitation. We only use the personal information we collect in ways that are consistent with the purposes for which it was originally collected or for which we subsequently obtained authorization from the affected individuals. We take reasonable steps to ensure that the information is reliable for its intended use, accurate, complete and current. To accomplish this, we necessarily rely on individual data subjects to exercise their Access rights to keep us apprised of any changes in their personal information.
Access. If an individual from whom we have collected data writes to us and asks to have access to their personal information, we will take all reasonable steps to ensure such access is granted. Obviously, the relevant information must be in our possession or under our reasonable control for us to do so. Once such access is granted, affected individuals have the right under the Privacy Shield to have us correct, amend or delete their information where it is determined to be factually inaccurate. There are, however, certain limitations to an individual’s rights to such access. These include situations where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated.
Recourse, Enforcement and Liability. We implement processes and procedures to verify our compliance with this Privacy Shield Statement. If individuals believe that we are not compliant, or if they have other complaints related to this Privacy Shield Statement or our conduct under it, we encourage those individuals to contact us using the contact information listed at the end of this Privacy Shield Statement. We commit to investigate and attempt to remedy all such valid complaints.
Dispute Resolution. In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, Incyte commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Incyte at:
Global Data Privacy Officer
1801 Augustine Cut-off
Wilmington, Delaware 19803
USA
privacy@incyte.com
Incyte has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit BBB EU Privacy Shield Process For Consumers for more information and to file a complaint. This service is provided free of charge to you.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
Additionally, for disputes involving human resources data, Incyte cooperates and complies with the EU Data Protection Authorities and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, with respect to such data.
Limitation of Principles
Adherence to this Privacy Shield Statement may be limited to the extent required to satisfy legal obligations (including, but not limited to, subpoenas and court orders) and/or meet national security, law enforcement or public interest requirements. We may be required, under certain circumstances, to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. The law also provides certain express exceptions and variations to our obligations under this Privacy Shield Statement. For instance, some of the Access and consent principles are modified for pharmaceutical companies like us who use personal information to engage in ongoing research for the good of the public health.
Changes to this Privacy Shield Statement
We reserve the right to change or update this policy from time to time. Please check our site periodically for such changes since all information collected is subject to the policy in place at that time. Typically, we will indicate the effective/amendment date at the beginning of this policy. If we feel it is appropriate, or if the law requires, we will also provide a summary of changes we have made near the end of a new policy.