EU WEBSITE PRIVACY NOTICE

Last updated: October 2019.

 

1. INTRODUCTION AND SCOPE

Houston Methodist is committed to processing your personal data responsibly and in compliance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”). This Houston Methodist Website EU Privacy Notice (the “Notice”) explains our data processing activities in connection with your use of any of the websites available at https://www.houstonmethodist.org/ and the services, features or content we offer on them (together, the “Service”). In particular, this Notice informs you about the personal data (as described further below) we collect about you via the Service, how we use it, what choices and rights you have when providing that data to us and how we endeavor to keep it safe and secure.

 

This Notice applies to and addresses individuals located in the European Economic Area (“EEA”) at the time of the data collection.

 

2. DATA CONTROLLER AND THE DATA PROTECTION OFFICER CONTACT DETAILS

Houston Methodist is the entity responsible for determining the purposes and means of the processing of your personal data in connection with your use of the Service. As such, Houston Methodist qualifies as the so-called “Data Controller” and is therefore responsible for compliance with GDPR requirements. Houston Methodist can be contacted as follows:

 

Houston Methodist
The Methodist Hospital
6565 Fannin Street
Houston, TX 77030
USA

Houston Methodist’s EU Representative
IITR Cert GmbH
Eschenrieder Str. 62 c
D-82194 Gröbenzell
Germany
 
 
Houston Methodist’s data protection officer (“DPO”) can be contacted as follows: via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.

 

3. PERSONAL DATA WE PROCESS ABOUT YOU AND HOW WE COLLECT IT
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Special categories of Personal Data consist of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation (also known as “Sensitive Data”).

 

The specific categories of Personal Data we collect about you depend on how you interact with our Service, as described further below.

 

4. PERSONAL DATA YOU PROVIDE TO US
At various points on our Service, you have the option of providing us with your Personal Data by (i) contacting us via our online form, by email, phone or via postal mail, (ii) requesting an appointment, (iii) signing up for MyChart/Patient Portal, (iv) subscribing to our (e)Newsletters and information alerts, including email communications regarding Houston Methodist’s educational programs, such as Pumps and Pipes, (v) registering on our career portal and (vi) taking part in customer feedback and surveys.

In these cases, we process the following categories of Personal Data (including Sensitive Data):
  • Contact information: full name, home address, daytime phone number, email address and preferred communication channel; contact request reason, content of original and follow-up communications with you;
  • Patient information: full name, country of origin, phone number and email address, date of birth, gender, whether the patient is currently in the United States, payor type, specific doctor choice, specialty preference, reason for appointment; and
  • Job applicant information in the career portal: user name and password, full name, email address, phone number, home address, educational and work experience information (previous positions, degrees obtained, schools attended, applicable licensure and certification and prescreen questions to assess minimum qualifications required for the job, etc.), resume, job preferences (starting date, full-time/part-time, willingness to travel (in %), willingness to relocate, weekday availability, working hours per week, salary expectations, work location), languages, U.S. military status, references, criminal history, immigration compliance status and export control screening where required, tobacco information, previous employment at Houston Methodist and employment of relatives at Houston Methodist, and self-identity information (disability, veteran and diversity status).

The provision of certain categories of Personal Data is a requirement necessary for us to process your (e)Newsletter subscription, queries and applications.

As a general rule, we will collect Personal Data directly from you. However, our Service also allows users to provide Personal Data about others, for example in the context of a job or patient referral, or in case of a recommendation to attend an educational program. In addition, we will occasionally collect Personal Data from (i) previous employers, where allowed by the job applicant concerned; and (ii) immigration and law enforcement authorities, where allowed or required by law.

 

5. PERSONAL DATA WE COLLECT AUTOMATICALLY

We use a variety of technologies that automatically (or passively) store or collect certain information whenever you visit or interact with the Service. This includes information about your device, your browsing activity and log details.

Specifically, we process the following categories of Personal Data:

  • Data about your device and internet connection, device’s unique ID, IP address, your device functionality (browser type and version, operating system, hardware and software, mobile network information, host domain, language settings), web pages you viewed on our Service and search terms;
  • The URL that referred you to our Service;
  • The areas within our Service that you visit and your activities there, including remembering you and your preferences; 
  • Your device geolocation, where permitted; and
  • Log usage data consisting of traffic data, date and time of access and frequency, technical session and connection information.

In addition, when you subscribe to our (e)Newsletters, we automatically collect information about your interactions with them to determine if a(n) (e)Newsletter message has been opened and which links you have clicked on, as well as technical information such as time of retrieval, your IP address, browser type and operating system of the device used. The Personal Data collected is automatically aggregated and therefore anonymous.

 

5.1 COOKIES WE USE

Our Service uses various methods and technologies to store and collect Personal Data, including cookies. A cookie is a data file placed on your device and saved by your browser. Cookies help make our Service more user-friendly, efficient and secure.

Cookies are typically categorized as so-called “session cookies” or “persistent cookies”. Session cookies are stored in a temporary memory and erased when the browser is closed. Persistent cookies, on the other hand, store user preferences for current and successive visits. They remain valid when you restart your browser. Our Service uses both types of cookies.

You can configure your browser to inform you about the use of cookies so that you can decide on a case-by-case basis whether to accept or reject a cookie. Alternatively, your browser can be configured to automatically accept cookies under certain conditions, to always reject them, or to automatically delete cookies when closing your browser.

Cookies can be further categorized as follows based on their functions: strictly necessary cookies, performance cookies, functional cookies and advertising cookies.

  • Strictly necessary cookies are essential to use our Service. They ensure the functionality of our websites and can therefore not be deactivated. 
  • Performance cookies collect data for statistical purposes on how visitors use our Service. Information collected through performance cookies helps us understand how visitors use our Service, therefore enabling us to improve it as well as the user experience. We gather data on the numbers of visitors and visits to our Service, length of time spent on the websites, pages clicked on and where visitors have come from. The data collected via performance cookies is aggregated and thus anonymous.
  • Functional cookies are used to customize the user experience by storing language preferences, regions and user names. The data collected via functional cookies is aggregated and thus anonymous.
  • Advertising cookies are used to deliver personalized advertisements relevant to you. They are also used to limit the number of times you see an advertisement, as well as to measure the effectiveness of an advertising campaign by tracking users’ clicks.
 
You can manage your cookie preferences via our cookie tool [HERE]  

 

5.2 OTHER TRACKING TECHNOLOGIES

Besides cookies, our Service uses tracking technologies which include:

  • Web beacons: web beacons are small graphic images or other web programming code (also known as “GIFs” or “clear GIFs”) which are included in webpages and messages. Web beacons and similar technologies are used to count visitors to the Service, to monitor how users navigate the Service, to count how many emails that were sent were actually opened or to count how many particular articles or links were actually viewed. The data collected via web beacons and similar technologies is aggregated and thus anonymous;
  • Embedded scripts: an embedded script is programming code that is designed to collect information about your interactions with the Service, such as the links you click on. The code is temporarily downloaded onto your device from our web server, is only active while you are connected to the Service and is deactivated or deleted thereafter. The data collected via embedded scripts is aggregated and thus anonymous;
  • Browser fingerprinting: browser fingerprinting describes the collection and analysis of information from your device, such as your operating system, plug-ins, system fonts and other data, for purposes of identification;
  • ETag or Entity Tag: an ETag is a feature of the cache in browsers that is used as a device identifier; and
  • Recognition technologies: recognition technologies are technologies which attempt to recognize or make assumptions about users and devices (e.g., that a user of multiple devices is the same user).

 

5.3 SOCIAL MEDIA PLUGINS

When interacting with our Service, you have the option of sharing information with social media sites and accessing our social media profiles through so-called plugins. Social networks are able to retrieve Personal Data through those plugins, even if you don’t interact with them. Moreover, if you are logged onto a social network while visiting websites of our Service with social plugins embedded in them, the network can collect and store information about such visit and link it to your social network user account. As we have no control over the data collected by social media networks through their plugins, we encourage you to read their data protection policies to learn more about them. Our Service includes Facebook (https://de-de.facebook.com/policy.php), Twitter (https://twitter.com/privacy), LinkedIn (https://www.linkedin.com/legal/privacy-policy), YouTube (https://policies.google.com/privacy?hl=en-GB), Pinterest (https://policy.pinterest.com/en/privacy-policy) and Instagram (https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=368390626577968&bc[1]=285881641526716) plugins.
 
5.4 PERSONAL DATA COLLECTED FROM SOCIAL MEDIA
 
a) Facebook Insights Data
When you use our Houston Methodist Facebook fan page, Facebook may collect insights data, i.e., how often you visit our Facebook fan page, whether you recommend it in a post or comment, etc. Subsequently, Facebook provides anonymous statistics and insights about the usage of the Houston Methodist Facebook fan page to us (such as number of followers, number of interactions with a post, etc.) to help us understand how users are engaging with our Facebook fan page.
Our legal basis for processing this insights data is our legitimate business interest to steadily improve our Facebook online content and to better respond to the interests of our users. Houston Methodist is a joint controller together with Facebook Ireland for the insights data. However, Houston Methodist and Facebook Ireland have agreed that Facebook Ireland takes primary responsibility under the GDPR for the processing of your insights data. This means that Facebook is primarily responsible for providing you with information about the joint processing of the insights data and for enabling you to exercise your rights under the GDPR regarding insights data.
 
For more information about Facebook Page Insights Data please visit https://www.facebook.com/legal/terms/information_about_page_insights_data.
 
For information about Facebook joint controllership addendum, please visit https://www.facebook.com/legal/terms/page_controller_addendum.
 
b) Other Social Media
We may collect and/or receive Personal Data from Houston Methodist’s presence on social media platforms such as YouTube, Twitter, LinkedIn, and Instagram, consistent with your settings within the social media platform, regarding gender and age, occupation, location, check-ins, famous posts, escape rate, access date and time, use of messaging functions, followers and likes. We aggregate this Personal Data and divide large groups of users into sub-groups based on the same type of shared characteristics such as geography, behavior, or demographics, in order to provide better, more personalized services for the users.

 

6. FOR WHICH PURPOSES WILL HOUSTON METHODIST PROCESS YOUR PERSONAL DATA
We process your Personal Data for a number of purposes which are identified in the table below together with the legal basis we rely on for such processing:

 

Purpose: Management of your (e)Newsletters and information alerts subscription, including email communications regarding educational programs.
Legal Basis: Your consent.

Purpose: Statistical analysis of our (e)Newsletter campaigns.
Legal Basis: Our legitimate interests in understanding the impact of our Service in order to improve your experience and tailor our Service to your needs and preferences.

Purpose: Process and answer your contact queries, including the scheduling of appointments with medical professionals and the processing of job applications.
Legal Basis: (i) Your explicit consent, and/or (ii) Our legitimate interests in managing our public communications relations and providing information about our products and services.

Purpose: Ensure the functionality of our Service.
Legal Basis: Our legitimate interests in providing you with a fully operative Service.

Purpose: Statistical analysis of the performance of our Service. This includes determining website traffic patterns, user frequency and time between user visits.
Legal Basis: Our legitimate interests in understanding the impact of our Service in order to improve your experience and tailor it to your needs and preferences.

Purpose: Advertise and promote Houston Methodist, our products and services.
Legal Basis: Your consent.

Purpose: Conduct customer feedback and surveys.
Legal Basis: Your consent.

Purpose: Statistical analysis of our applicant flow through our career portal. This includes determining website traffic patterns, user frequency, time between user visits, whether a visit includes an application submitted, including whether the visit resulted in a search of the job portal with or without assistance from our applicant chat bot, and the source data for all applicants.
Legal Basis: Our legitimate interests in understanding the impact of our recruitment strategies and your application experience in order to improve your experience and tailor it to your needs and preferences.

Purpose: Statistical analysis of individual demographic data for individuals who complete an application for employment through our career portal.
Legal Basis: Compliance with a legal obligation. Executive Order 11246 requires all federal contractors to follow requirements identified by the OFCCP – Office of Federal Contracts Compliance. The OFCCP requires that employers with federal contracts analyze their applicants’ demographic data against their employee demographic data and compare it to the demographics of qualified available workers in the local labor market to evaluate whether racial/ethnic and gender representation is comparable to the availability in the market, and if not, set goals to improve that representation, called Affirmative Action Plans.

Purpose: Social media related analytics.
Legal Basis: Our legitimate interests consisting of offering personalized social media content and related services.

Purpose: Protect or defend the rights, safety or property of Houston Methodist or third parties.
Legal Basis: (i) Compliance with a legal obligation and (ii) Our legitimate interests in preventing and detecting fraud or misuse of our Service.

Purpose: Comply with legal and regulatory obligations (e.g., pursuant to law enforcement inquiries, subpoenas or court orders).
Legal Basis: Compliance with a legal obligation.

 

Houston Methodist will not use your Personal Data for any purpose that is not included in, or is incompatible with, the purposes described in this Notice, unless it is required or authorized by law or you consent to such processing.

Which Categories of Recipients will receive your Personal Data?

 

Houston Methodist will only grant access to Personal Data on a need-to-know basis to a selected group of people and such access will be limited to the Personal Data necessary to perform the contractual or legal function for which access is granted. Authorization to access Personal Data will always be linked to the corresponding function.

 

Houston Methodist personnel – Your Personal Data will be processed by Houston Methodist employees, staff, medical professionals, and researchers in the United States as necessary to carry out the purposes identified in the table above. 

 

Houston Methodist-affiliated organizations – Houston Methodist will share your Personal Data with its affiliated organizations in the United States consisting of affiliated physician groups or health care providers, educational institutions, and quality improvement programs, as necessary to carry out the purposes identified in the table above.

 

Third parties – Where required and allowed by applicable law, Houston Methodist will share your Personal Data with third parties, such as U.S. and foreign government entities, private insurance payers to facilitate access to funding sources, service providers, contractors and consultants providing services for us, and/or in connection with a merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets or other corporate change, including during the course of any due diligence process.

 

7. YOUR RIGHTS AS A DATA SUBJECT


As a Data Subject under the GDPR, you have certain rights. This Notice summarizes what these rights are and how you can exercise these rights.

 

Right of access

You have the right to request that Houston Methodist confirm whether it is processing your Personal Data or not. If Houston Methodist is processing your Personal Data, you have the right to review and obtain a copy of your Personal Data.

 

Right to request an amendment to your Personal Data

In the event that the Personal Data we have about you is incorrect or incomplete, you have the right to request that Houston Methodist rectifies your inaccurate Personal Data and that it completes your incomplete Personal Data.

 

Right to restriction of processing

You have the right to request that Houston Methodist restricts the processing of your Personal Data where such Personal Data is inaccurate, the processing is unlawful, or Houston Methodist no longer needs your Personal Data. If Houston Methodist grants your request to restrict processing, Houston Methodist will only process that Personal Data with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable law.

 

Right to data portability

Where the basis for processing is either consent or performance of the contract you have entered with Houston Methodist, and where the processing is carried out by automated means, you have the right to receive the Personal Data that you have provided to Houston Methodist and to transmit such data to another Data Controller. In this case, Houston Methodist will provide your Personal Data in a structured, commonly used, machine-readable format. Where technically feasible and upon your request, Houston Methodist will transmit your Personal Data directly to another entity.

 

Right to withdraw consent

If the basis for processing your Personal Data is consent, you may revoke your consent at any time by sending a written notice to our DPO via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org. Upon receiving notice of your revocation of consent, and if there are no other legal grounds for the processing, Houston Methodist will stop processing your Personal Data. Please note that the withdrawal of your consent has effect for the future and it therefore does not legally affect the processing operations conducted prior to withdrawal.

 

Right to object to data processing

You have the right to object to the processing of your Personal Data in the following situations:

  • If the basis for processing your Personal Data is legitimate interests, you have the right to object to the processing of your Personal Data. Houston Methodist will stop processing your Personal Data unless it demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • If Houston Methodist is using your Personal Data for direct marketing purposes (such as fundraising), you have the right to object at any time and Houston Methodist will honor your request.

 

Right to erasure

You have the right to request the erasure of Personal Data that Houston Methodist maintains about you in certain circumstances. Subject to applicable laws and Houston Methodist policies, and provided that there are no overriding legitimate grounds for Houston Methodist to retain the Personal Data, Houston Methodist will comply with your request and will inform any third parties with whom the Personal Data was shared, except where this proves impossible or involves disproportionate efforts.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority in the EU if you believe Houston Methodist’s processing of your Personal Data violates the GDPR.

 

8. INTERNATIONAL DATA TRANSFERS

International data transfer means a data transfer to countries outside of the EEA.

Houston Methodist is an entity based and established in the United States. Accordingly, your Personal Data collected via our Service is transferred outside of the EEA to the United States, where a different data protection regime applies and which is considered by the EEA as a country which does not provide an adequate level of protection of Personal Data. This means that your Personal Data will not receive a protection equivalent to the protection it would receive in the EEA.

The transfer of your Personal Data, including Sensitive Data, to the United States serves different purposes, for example, organizing all necessary arrangements upon your request to schedule a medical appointment and more generally providing you with our Service and all its features. The transfer of Personal Data will be limited to those categories of data strictly necessary for these purposes. For more detailed information regarding the purposes, please see the corresponding table above.

 

9. HOW IS YOUR PERSONAL DATA SECURED AND HOW LONG IS IT KEPT?

Houston Methodist and entities acting on Houston Methodist’s behalf will maintain appropriate technical and organizational measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Your Personal Data will only be retained for as long as it is necessary to achieve the purposes listed under section 6, or alternatively, until you object to the processing of your data or withdraw your consent which you have previously provided. However, where Houston Methodist is required by law (e.g., statutory obligations, as reflected in our Record Retention Policy, or under tax law, labor law, hospital licensing laws, or other applicable United States and Texas laws) to retain your Personal Data longer, or where your Personal Data is required for Houston Methodist to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

 

10. EXTERNAL LINKS

As part of our effort to provide you with as much health-related information as possible, we feature external links from our Service to other sites on the Internet. Please be aware that we are not responsible for their content or privacy practices, nor does this Notice apply to them. These third-party sites may send their own cookies and other tracking devices to you, log your IP address and otherwise collect Personal Data from you. We therefore encourage you to carefully read the privacy policy of linked or referenced sites you enter.

 

11. CHILDREN

Our Service is not intended for children and we have no intention of collecting Personal Data from individuals under the age of 13. If you are a child under 13 years of age, you are not permitted to use the Service and should not send any Personal Data about yourself to us through the Service.

In the event we become aware that we have collected Personal Data from any child, we will erase the data without undue delay. If you are a parent or a guardian and you believe that your child under the age of 13 has provided us with Personal Data, please contact our DPO via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.

 

12. MISCELLANEOUS

If you have any questions about the information contained in this Notice or would like to exercise any of your data subject rights, please contact our DPO via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.

We reserve the right to amend this Notice at any time to reflect and comply with changes in applicable laws. Appropriate notice of any amendments will be given and posted on this page. The date this Notice was last revised is identified at the top of the page.