EMPLOYEE FAIR PROCESSING PRIVACY NOTICE

Last updated: December 2019.

Houston Methodist is committed to processing your personal data responsibly and in compliance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”).

This Houston Methodist Fair Processing Privacy Notice (the “Notice”) explains how Houston Methodist collects, processes, transfers and discloses, either directly or through its affiliates, your Personal Data (as defined further below) for the purposes of evaluating your application materials, facilitating your employment relationship and organizing your training or work experience at Houston Methodist as further described in this Notice. This Notice also describes the rights you have regarding Houston Methodist’s use of your Personal Data, the measures Houston Methodist takes to protect the security of the data, and how you can contact Houston Methodist regarding its data protection practices.

This Notice applies to and addresses the following groups:

 

  • prospective and existing employees; and
  • individuals such as visitors, learners, and researchers who are at Houston Methodist but are not employees (e.g., post-docs, students, and visiting researchers), provided that they are based in the European Economic Area (EEA) at the time of the data collection.

For the purposes of this Notice all groups together are hereafter referred to as “employees”, except where explicitly stated otherwise. Similarly, any references to “employment,” “employment relationship,” or “work” encompass all variations of training or work experience at Houston Methodist.

 

1. Who are the Data Controller and the Data Protection Officer (“DPO”)?


Houston Methodist is the entity responsible for determining the purposes and means of the processing of your personal data in connection with your employment relationship. As such, Houston Methodist qualifies as the so-called “Data Controller” and is therefore responsible for compliance with GDPR requirements. Houston Methodist can be contacted as follows:

 

Houston Methodist
The Methodist Hospital
6565 Fannin Street
Houston, TX 77030
USA

 

Houston Methodist’s EU Representative
IITR Cert GmbH
Eschenrieder Str. 62 c
D-82194 Gröbenzell
Germany

 

Houston Methodist’s DPO can be contacted as follows: via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.

2. What is “Personal Data” and which Categories of Personal Data are processed by Houston Methodist?

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


In the context of your employment relationship, Houston Methodist will process the following categories of Personal Data about you: 

 

  • Identification and contact details such as first and last name, home address, telephone number and email address;
  • Background information such as academic and professional qualifications, educational details, skills, grades obtained and CV/resume;
  • Financial information such as tax ID number, bank details, social security number and payroll details;
  • Criminal history such as records of convictions for criminal liability, violations of U.S. sanctions and export control laws and regulations, and exclusions, suspensions, debarment or otherwise ineligibility to participate in federal or state health care procurement or non-procurement programs;
  • Employment details such as job title and position, location of workplace, department, offer letter, start date, termination date, performance history and evaluation, time off, sick or medical leave of absence, time management data, work and/or residence permit where applicable;
  • Travel information such as passport and/or national ID number, driver’s license details; for foreign nationals this includes non-immigrant classification details and supporting documentation such as copies of your visa, I-94, I-20, DS-2019, or other documents; and
  • Communication information such as network log-in details, computer system and any other usage data from devices provided by Houston Methodist, Houston Methodist email address.


In addition, Houston Methodist will also process special categories of Personal Data about you. Special categories of Personal Data consist of data revealing racial or ethnic origin, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation (also known as “Sensitive Data”). In particular, we will collect the following Sensitive Data about you:

 

  • Immunization and/or vaccination record
  • Health information related to sick or medical leaves of absence and drug/alcohol testing


We will collect the Personal Data as a general rule directly from you. However, in line with applicable law, Personal Data may also be collected from third parties. In particular, Houston Methodist may collect background check information through the relevant employment screening and verification vendor as well as sick leave information from the responsible health insurer if required and where applicable in a specific case. Further, with regard to visiting researchers, information will also be gathered from the institution where the visiting researchers are originally based.

 

3. For which purposes will Houston Methodist process your Personal Data?

 

We need your Personal Data for a number of purposes which are identified in the table below together with the basis we rely on for such processing:

 

What are the purposes for processing your Personal Data, and on what basis will we process it?

  • Purpose: Creation, performance and termination of the employment relationship
    Basis: (i) Your consent and (ii) our legitimate interests in receiving visiting researchers to promote our facilities, lower administrative costs and achieve scientific development
  • Purpose: Assess your work capacity and eligibility to work on Houston Methodist’s premises
    Basis: Your specific explicit consent
  • Purpose: Administration and payment of salary, calculation of compensation and benefits including retirement account management, business expense reimbursement
    Basis: (i) Your consent, (ii) legal obligation and (iii) our legitimate interests in fulfilling our obligations with respect to affiliation or similar agreements allowing individuals to train or work at our facilities
  • Purpose: Recruitment, promotion, performance review, career development, succession planning and talent management
    Basis: (i) Your consent and (ii) our legitimate interests in promoting Houston Methodist’s growth and progress and managing Houston Methodist’s internal organization
  • Purpose: Houston Methodist’s organization management including administration of the employees’ time management data
    Basis: (i) Your consent, (ii) legal obligation and (iii) our legitimate interests in ensuring the proper functioning of Houston Methodist and its daily business
  • Purpose: Administration of employees’ IT system access and usage as well as management of IT security
    Basis: (i) Your consent, (ii) legal obligation and (iii) our legitimate interests in ensuring the functionality of our IT systems and preventing misuse and misconduct

 

The provision of your Personal Data occurs entirely on a voluntary basis. However, please note that if you refuse to provide us with your Personal Data we will not be able to provide you with an offer to train or work at our facilities.

 

Houston Methodist will not use your Personal Data for any purpose that is not included in, or is incompatible with, the purposes described in this Notice, unless it is required or authorized by law or you consent to such processing.

 

4. Which Categories of Recipients will receive your Personal Data?

 

Houston Methodist will only grant access to Personal Data on a need-to-know basis to a selected group of people and such access will be limited to the Personal Data necessary to perform the contractual or legal function for which access is granted. Authorization to access Personal Data will always be linked to the corresponding function.

 

Houston Methodist personnel – Your Personal Data will be processed by Houston Methodist employees and staff in the United States (and possibly the United Arab Emirates and Saudi Arabia) as necessary to carry out the purposes identified in the table above.
Houston Methodist-affiliated organizations – Houston Methodist will share your Personal Data with its affiliated organizations in the United States consisting of affiliated physician groups or health care providers, educational institutions, as necessary to carry out the purposes identified in the table above.

 

Third parties – Where required and allowed by applicable law, Houston Methodist will share your Personal Data with third parties such as U.S. and foreign government entities, employment screening or verification vendors, human resources consultants, outside legal counsel, or compensation and benefit administrators.

 

5. What are Your rights as a Data Subject?


As a Data Subject under the GDPR, you have certain rights. This Notice summarizes what these rights are and how you can exercise these rights; however, Houston Methodist may not be able to comply with certain requests if they are in violation of other applicable laws.

 

Right of access


You have the right to request that Houston Methodist confirm whether it is processing your Personal Data or not. If Houston Methodist is processing your Personal Data, you have the right to review and obtain a copy of your Personal Data.


Right to request an amendment to your Personal Data

 

In the event that the Personal Data we have about you is incorrect or incomplete, you have the right to request that Houston Methodist rectifies your inaccurate Personal Data and that it completes your incomplete Personal Data.


Right to restriction of processing


You have the right to request that Houston Methodist restricts the processing of your Personal Data where such Personal Data is inaccurate, the processing is unlawful, or Houston Methodist no longer needs your Personal Data. If Houston Methodist grants your request to restrict processing, Houston Methodist will only process that Personal Data with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable law.

 

Right to data portability


Where the basis for processing is either consent or performance of the contract you have entered with Houston Methodist, and where the processing is carried out by automated means, you have the right to receive the Personal Data that you have provided to Houston Methodist and to transmit such data to another Data Controller. In this case, Houston Methodist will provide your Personal Data in a structured, commonly used, machine-readable format. Where technically feasible and upon your request, Houston Methodist will transmit your Personal Data directly to another entity.


Right to withdraw consent

 

If the basis for processing your Personal Data is consent, you may revoke your consent at any time by sending a written notice to our DPO. Upon receiving notice of your revocation of consent, and if there are no other legal grounds for the processing, Houston Methodist will stop processing your Personal Data. Please note that the withdrawal of your consent has effect for the future and it therefore does not legally affect the processing operations conducted prior to withdrawal.


Right to object to data processing

 

You have the right to object to the processing of your Personal Data in the following situations:

 

  • If the basis for processing your Personal Data is legitimate interests, you have the right to object to the processing of your Personal Data. Houston Methodist will stop processing your Personal Data unless it demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • If Houston Methodist is using your Personal Data for direct marketing purposes (such as fundraising), you have the right to object at any time and Houston Methodist will honor your request.

 

Right to erasure

 

You have the right to request the erasure of Personal Data that Houston Methodist maintains about you in certain circumstances. Subject to applicable laws and Houston Methodist policies, and provided that there are no overriding legitimate grounds for Houston Methodist to retain the Personal Data, Houston Methodist will comply with your request and will inform any third parties with whom the Personal Data was shared, except where this proves impossible or involves disproportionate efforts.

 

Right to lodge a complaint


You have the right to lodge a complaint with a supervisory authority in the EU if you believe Houston Methodist’s processing of your Personal Data violates the GDPR.

 

6. International Data Transfers

 

In order to be able to train or work at Houston Methodist, you must disclose and transfer your Personal Data to Houston Methodist, which is based in the United States and subject to United States and Texas law. By sending your Personal Data to Houston Methodist, you are sending your Personal Data to the United States, where a different data protection regime applies and which is considered by the EEA as a country which does not provide an adequate level of protection of Personal Data. This means that your Personal Data will not receive a protection equivalent to the protection it would receive in the EEA.

 

The transfer of Personal Data will be limited to those categories of data strictly necessary for these purposes. For more detailed information regarding the purposes, please see Section 3 above.

 

7. How is your Personal Data Secured and how long is it kept?

 

Houston Methodist and entities acting on Houston Methodist’s behalf will maintain appropriate technical and organizational measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

 

Your Personal Data will only be retained for as long as it is necessary to achieve the purposes listed under Section 3, or alternatively, until you object to the processing of your data or withdraw the consent you previously provided. However, where Houston Methodist is required by law (such as statutory obligations, as reflected in our Record Retention Policy, or under tax law, labor law, hospital licensing laws, or other applicable United States and Texas laws) to retain your Personal Data longer, or where your Personal Data is required for Houston Methodist to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

 

8. Miscellaneous

 

If you have any questions about the information contained in this Notice or would like to exercise any of these rights, please contact our DPO via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.

 

This Notice may be amended from time to time to reflect changes in applicable laws. Appropriate notice of any amendments will be given.