Last updated: December 2019.
Houston Methodist is committed to processing your personal data responsibly and in compliance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”).
This Houston Methodist Fair Processing Privacy Notice (the “Notice”) explains how Houston Methodist collects, processes, transfers and discloses, either directly or through its affiliates, your Personal Data (as defined further below) for the purposes of evaluating your application materials, facilitating your employment relationship and organizing your training or work experience at Houston Methodist as further described in this Notice. This Notice also describes the rights you have regarding Houston Methodist’s use of your Personal Data, the measures Houston Methodist takes to protect the security of the data, and how you can contact Houston Methodist regarding its data protection practices.
This Notice applies to and addresses the following groups:
1. Who are the Data Controller and the Data Protection Officer (“DPO”)?
Houston Methodist is the entity responsible for determining the purposes and means of the processing of your personal data in connection with your employment relationship. As such, Houston Methodist qualifies as the so-called “Data Controller” and is therefore responsible for compliance with GDPR requirements. Houston Methodist can be contacted as follows:
Houston Methodist
The Methodist Hospital
6565 Fannin Street
Houston, TX 77030
USA
Houston Methodist’s EU Representative
IITR Cert GmbH
Eschenrieder Str. 62 c
D-82194 Gröbenzell
Germany
Houston Methodist’s DPO can be contacted as follows: via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.
2. What is “Personal Data” and which Categories of Personal Data are processed by Houston Methodist?
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In the context of your employment relationship, Houston Methodist will process the following categories of Personal Data about you:
In addition, Houston Methodist will also process special categories of Personal Data about to you. Special categories of Personal Data consist of data revealing racial or ethnic origin, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation (also known as “Sensitive Data”). In particular, we will collect the following Sensitive Data about you:
We will collect the Personal Data as a general rule directly from you. However, in line with applicable law, Personal Data may also be collected from third parties. In particular, Houston Methodist may collect background check information through the relevant employment screening and verification vendor as well as sick leave information from the responsible health insurer if required and where applicable in a specific case. Further, with regard to visiting researchers, information will also be gathered from the institution where the visiting researchers are originally based.
3. For which purposes will Houston Methodist process your Personal Data?
We need your Personal Data for a number of purposes which are identified in the table below together with the basis we rely on for such processing:
What are the purposes for processing your Personal Data?
On what basis will we process your Personal Data?
The provision of your Personal Data occurs entirely on a voluntary basis. However, please note that if you refuse to provide us with your Personal Data we will not be able to provide you with an offer to train or work at our facilities.
Houston Methodist will not use your Personal Data for any purpose that is not included, or is incompatible with the purposes described in this Notice, unless it is required or authorized by law or you consent to such processing.
4. Which Categories of Recipients will receive your Personal Data?
Houston Methodist will only grant access to Personal Data on a need-to-know basis to a selected group of people and such access will be limited to the Personal Data necessary to perform the contractual or legal function for which access is granted. Authorization to access Personal Data will always be linked to the corresponding function.
Houston Methodist personnel – Your Personal Data will be processed by Houston Methodist employees and staff in the United States (and possibly the United Arab Emirates and Saudi Arabia) as necessary to carry out the purposes identified in the table above.
Houston Methodist-affiliated organizations – Houston Methodist will share your Personal Data with its affiliated organizations in the United States consisting of affiliated physician groups or health care providers, educational institutions, as necessary to carry out the purposes identified in the table above.
Third parties – Where required and allowed by applicable law, Houston Methodist will share your Personal Data with third parties such as U.S. and foreign government entities, employment screening or verification vendors, human resources consultants, outside legal counsel, or compensation and benefit administrators.
5. What are Your rights as a Data Subject?
As a Data Subject under the GDPR, you have certain rights. This Notice summarizes what these rights are and how you can exercise these rights; however, Houston Methodist may not be able to comply with certain requests if they are in violation of other applicable laws.
Right of access
You have the right to request that Houston Methodist confirm whether it is processing your Personal Data or not. If Houston Methodist is processing your Personal Data, you have the right to review and obtain a copy of your Personal Data.
Right to request an amendment to your Personal Data
In the event that the Personal Data we have about you is incorrect or incomplete, you have the right to request that Houston Methodist rectifies your inaccurate Personal Data and that it completes your incomplete Personal Data.
Right to restriction of processing
You have the right to request that Houston Methodist restricts the processing of your Personal Data where such Personal Data is inaccurate, the processing is unlawful, or Houston Methodist no longer needs your Personal Data. If Houston Methodist grants your request to restrict processing, Houston Methodist will only process that Personal Data with your consent, for the protection of rights or another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable law.
Right to data portability
Where the basis for processing is either consent or performance of the contract you have entered with Houston Methodist, and where the processing is carried out by automated means, you have the right to receive the Personal Data that you have provided to Houston Methodist and to transmit such data to another Data Controller. In this case, Houston Methodist will provide your Personal Data in a structured, commonly used, machine-readable format. Where technically feasible and upon your request, Houston Methodist will transmit your Personal Data directly to another entity.
Right to withdraw consent
If the basis for processing your Personal Data is consent, you may revoke your consent at any time by sending a written notice to our DPO. Upon receiving notice of your revocation of consent, and if there are no other legal grounds for the processing, Houston Methodist will stop processing your Personal Data. Please note that the withdrawal of your consent has effect for the future and it therefore does not legally affect the processing operations conducted prior to withdrawal.
Right to object to data processing
You have the right to object to the processing of your Personal Data in the following situations:
Right to erasure
You have the right to request the erasure of Personal Data that Houston Methodist maintains about you in certain circumstances. Subject to applicable laws and Houston Methodist policies, and provided that there are no overriding legitimate grounds for Houston Methodist to retain the Personal Data, Houston Methodist will comply with your request and will inform any third parties with whom the Personal Data was shared, except where this proves impossible or involves disproportionate efforts.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority in the EU if you believe Houston Methodist’s processing of your Personal Data violates the GDPR.
6. International Data Transfers
In order to be able to train or work at Houston Methodist, you must disclose and transfer your Personal Data to Houston Methodist, which is based in the United States and subject to United States and Texas law. By sending your Personal Data to Houston Methodist, you are sending your Personal Data to the United States, where a different data protection regime applies and which is considered by the EEA as a country which does not provide an adequate level of protection of Personal Data. This means that your Personal Data will not receive a protection equivalent to the protection it would receive in the EEA.
The transfer of Personal Data will be limited to those categories of data strictly necessary for these purposes. For more detailed information regarding the purposes, please see Section 3 above.
7. How is your Personal Data Secured and how long is it kept?
Houston Methodist and entities acting on Houston Methodist’s behalf will maintain appropriate technical and organizational measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Your Personal Data will only be retained for as long as it is necessary to achieve the purposes listed under Section 3, or alternatively, until you object to the processing of your data or withdraw your consent which you have previously provided. However, where Houston Methodist is required by law, (such as for e.g. statutory obligations, as reflected in our Record Retention Policy, or under tax law, labor law, hospital licensing laws, or other applicable United States and Texas laws) to retain your Personal Data longer, or where your Personal Data is required for Houston Methodist to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
8. Miscellaneous
If you have any questions about the information contained in this Notice or would like to exercise any of these rights, please contact our DPO via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.
This Notice may be amended from time to time to reflect changes in applicable laws. Appropriate notice of any amendments will be given.