Privacy Notice for European Users
GRAIL’s processing of your personal data may be subject to applicable privacy laws in the EEA and the UK, including the General Data Protection Regulation (EU) 2016/679 (“ EU GDPR”), the UK Data Protection Act 2018 (“DPA18”) and the EU GDPR as it forms part of the law of England, Wales, Scotland and Northern Ireland (together with the DPA18, the “UK GDPR”).
For the purposes of this privacy notice, “personal data” means any data or information that relates to and can identify a living individual. The data controller of your personal data is GRAIL, Inc., which can be contacted by post at 1525 O’Brien Drive, Menlo Park, California 94025 (Attn: Legal Department), by email at privacy@grailbio.com and by telephone at +1-833-694-2553
Depending on the context in which GRAIL collects and uses your personal data, this Privacy Notice for European Users may apply in addition to, or be superseded by, other privacy notices or policies that govern our processing of your personal data. For example, participants in GRAIL’s clinical research trials will receive a privacy notice or policy that is specific to each trial, whereas if you apply for a position at GRAIL Bio UK Ltd, our Applicant Privacy Notice will explain more about how we process your personal data in that specific context.
Provision of Personal Data.
We only process personal data where we have a legal basis for doing so. The legal bases are described in the section of our Privacy Policy titled “Purposes for which we will use your data”. Where we use your personal data to provide our products or services, in relation to your application for employment or to comply with our legal obligations, the provision of this personal data is mandatory. The failure to provide the requested personal data means that we may not be able to provide these products or services or process your application. The provision of all other personal data, such as the details you provide so we can send marketing communications, is optional.
Your Rights.
If you are an individual in the EEA or the UK, or GRAIL’s processing of your personal data is otherwise subject to the GDPR or the UK GDPR, you may have certain rights with respect to your personal data. You can exercise these rights at any time by contacting us at privacy@grailbio.com.
- Request Access to your Personal Data. You can request a copy of the personal data we hold about you.
- Request Correction of your Personal Data. You can ask us to correct any incomplete or inaccurate personal data we hold about you.
- Request Erasure of your Personal Data. You can ask us to delete your personal data where there is no legitimate reason for us continuing to process it.
- Request Restriction of your Personal Data. You can ask us to suspend the processing of your personal data (such as when you want us to establish its accuracy or the reason for processing it).
- Request Portability of your Personal Data. You can ask us to transfer your personal data to another data controller in a machine-readable form. This right will only apply where we process your personal data based on your consent or where the processing is necessary for the performance of a contract between us.
- Object to the Processing of your Personal Data. You can object to our processing where we are relying on a legitimate interest (or those of a third party) as our legal basis. You can also object at any time to our use of your personal data for direct marketing purposes.
- Withdraw your Consent. Where we are relying on your consent to process your personal data, you can withdraw consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. However, where we are relying on your consent as the legal basis for processing, we may not be able to provide certain products or services to you following the withdrawal of such consent.
- You also have the right to complain to an EEA or UK data protection authority in the place you live, work or where you believe a breach of the GDPR or the UK GDPR occurred. However, GRAIL would appreciate the opportunity to address your concerns before you do this, so please contact us in the first instance at privacy@grailbio.com.
If necessary, we will notify any other parties (such as our suppliers or service providers) to which we have transferred your personal data of any changes that we make when you make a request under the GDPR or the UK GDPR. While we communicate to these parties, we are not responsible for the actions they take to answer your request. In some cases, you may also be able to access your personal data held by these third parties and correct, amend or delete it where it is inaccurate.
Your rights under the GDPR and the DPA 18 may be limited, such as where fulfilling your request would reveal personal data about another person or would infringe the rights of a third party (including our rights), or if you ask us to erase personal data that we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.
Transferring Your Personal Data.
When we transfer your personal data outside the EEA and the UK, and to the extent required by the GDPR and the UK GDPR, we rely on appropriate or suitable safeguards to transfer your personal data, including:
- Using standard contractual clauses approved by relevant authorities as ensuring adequate safeguards for personal data;
- Obtaining your consent to transfer personal data after first informing you about the possible risks of such a transfer;
- When the transfer is necessary for the performance of a contract between you and us or if the transfer is necessary for the performance of a contract between us and a third party that is entered into in your interest; and
- Where the transfer is necessary to establish, exercise or defend legal claims.
For further information, including to obtain a copy of the documents used to protect your personal data, please contact us at privacy@grailbio.com.
Retaining Your Personal Data.
We seek to only retain personal data described in this Privacy Notice and our Privacy Policy for as long as necessary to fulfill the purposes for which we collected such data, as set out in this Privacy Notice and our Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, subject to your rights, in certain circumstances, to have your personal data erased. We may be required in law to hold certain personal data for specific periods. In other cases, we will retain your personal data for an appropriate period after our relationship ends to protect ourselves from legal claims or to administer our business. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Contact
Have questions or concerns? Contact us:
GRAIL
Attention: Legal Department
1525 O’Brien Drive
Menlo Park
California 94025
By email: privacy@grailbio.com
By telephone: +1-833-694-2553
Last Updated: July 30, 2024.