
Privacy Shield

EU-U.S. PRIVACY SHIELD PRIVACY STATEMENT

Effective date: September 27, 2017

CoreMedica Laboratories Inc. (“CML”) and its affiliates adhere to the EU-U.S. Privacy Shield Framework published by the U.S. Department of Commerce (the “Principles”) concerning the transfer of personal data from the European Union (“EU”) to the United States of America. CML commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. If there is any conflict between the policies in this privacy policy and the Principles, the Principles shall govern.

This privacy policy outlines our general policy and practices for implementing the Principles, including the types of information we gather, use, and retain regarding your Personal Information and the Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability pertaining to that Personal Information. This privacy policy applies to all Personal Information received by CML whether in electronic, paper or verbal format. This notice addresses individuals whose Personal Information we may receive from one of our customers, suppliers or other business partners in the EU. When CML receives Personal Information for processing pursuant to instructions of clients or their partners, we are acting as an agent for our client and do not provide notice to individuals regarding the collection and use of their Personal Information. Our clients remain responsible for providing notice, if and to the extent they believe such notice is necessary under applicable EU law.

To learn more about the EU-U.S. Privacy Shield program, and to view our certification, please visit privacyshield.gov/welcome.

Definitions

“Personal Information” or “Information” means information that (1) is transferred from the EU to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.

“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.

Notice

CML notifies individuals about its adherence to the EU-US Privacy Shield principles through its publicly posted website privacy policy, available at: coremedicalabs.com/privacy-shield/.

Collection & Use

CML is a privately held clinical testing laboratory offering services in the areas of Employee Wellness, Pharmaceutical/Clinical Trials, Insurance Risk Assessment, and Drugs of Abuse Testing.

CML will collect only as much Personal Information as we need for the specific purposes for which it was collected. CML will not use it for other purposes without obtaining your consent, and will keep your Personal Information only as long as we need it for the purposes for which we collected it, or as permitted by law.

CML may collect a person’s name or initials, gender, race/creed/national origin, date of birth, email address, mailing address, telephone number, personal identification number, group/health insurance policy numbers and amounts, and medical information (including test results).

CML may share your Personal Information pursuant to a lawful request or for national security.

CML will use your Personal Information in support of the services we offer, communicating with corporate business partners, processing on behalf of our business customers, complying with contractual and legal obligations, and conducting related tasks for legitimate business purposes.

Accountability of Onward Transfer

CML recognizes potential liability in cases of onward transfer to third parties. CML may provide Personal Information to third parties acting as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. CML will not transfer any personal information to a third party without first ensuring that the third party adheres to the Principles.

CML does not transfer Client Personal Information to unrelated third parties, unless lawfully and contractually directed by a client, or in certain limited or exceptional circumstances in accordance with the EU-U.S. Privacy Shield Framework. For example, such circumstances would include disclosures of Personal Information required by law or legal process, or disclosures made in the vital interest of an identifiable person such as those involving life, health or safety.

In the event that CML transfers Personal Information to an unrelated third party, CML will ensure that such party is either subject to the EU-U.S. Privacy Shield Framework, subject to similar laws providing an adequate and equivalent level of privacy protection, or will enter into a written agreement with the third party requiring them to provide protections consistent with the EU-U.S. Privacy Shield Framework and CML’s EU-U.S. Privacy Shield policy.

Should CML learn that an unrelated third party to which Personal Information has been transferred by CML is using or disclosing Personal Information in a manner contrary to this Policy, CML will take reasonable steps to prevent or stop the use or disclosure.

Personal Information is accessible only by those CML employees and consultants who have a reasonable need to access such information in order for us to fulfill contractual, legal and professional obligations. All of our employees and consultants have entered into strict confidentiality agreements, and/or have been subjected to thorough criminal background checks.

Data Integrity & Security

CML uses reasonable efforts to maintain the accuracy and integrity of Personal Information and to update it as appropriate. CML has implemented physical and technical safeguards to protect Personal Information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.

Access

Upon reasonable request and as required, CML allows individuals access to their Personal Information, in order to correct or amend such information where inaccurate. To submit such requests or raise any other questions, please contact the business that provided your Personal Information. You may also contact our EU-U.S. Privacy Shield Contact listed at the end of this notice. We reserve the right to take appropriate steps to authenticate an applicant’s identity, to charge an adequate fee before providing access and to deny requests, except as required by the EU-U.S. Privacy Shield Framework.

To request erasure of Personal Information, Individual Customers should submit a written request to CML’s EU-U.S. Privacy Shield Contact.

Annual Assessment

CML will renew its EU-U.S. Privacy Shield certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism. Prior to the re-certification, CML will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Personal Information are accurate and that the company has appropriately implemented these practices.

Enforcement

Protecting Personal Information is of the highest importance to CML. CML commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact CML with questions, comments or complaints regarding CML’s EU-U.S. Privacy Shield or data collection and processing practices at:

CML’s EU-U.S. Privacy Shield Contact Information

CoreMedica Laboratories Inc.

Attn: Privacy Officer

200 NE Missouri Road #304

Lee’s Summit Missouri 64086

privacy@coremedicalabs.com

If your inquiry is not satisfactorily addressed, you may contact the JAMS International Dispute Resolution Process at jamsadr.com/eu-us-privacy-shield. JAMS International will serve as a liaison with CML to resolve your concerns.

EU Persons (EU Data Subjects) may complain to their home data protection authority and can invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

If you have a comment or concern that cannot be resolved with us directly, you may contact the competent local data protection authority.

EU-U.S. Privacy Shield Policy Effective Date: 9/27/2017