Quest Diagnostics Incorporated
Data Privacy Framework Policy
Under the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce
Policy Issued: December 5, 2018
Policy Last Revised: February 13, 2024
This Policy is provided by Quest Diagnostics Incorporated (Quest Diagnostics) in relation to its certification to the EU-US Data Privacy Framework (EU-US Framework), the UK Extension to the EU-US Data Privacy Framework (UK Extension), and the Swiss-US Data Privacy Framework (Swiss-US Framework). The EU-US Framework, UK Extension and Swiss-US Framework are collectively referred to in this Policy as the “Data Privacy Framework.”
Quest Diagnostics Incorporated and its US operating subsidiaries and affiliates (collectively referred to as Quest) comply with the EU-US Framework, the UK Extension and the Swiss-US Framework as set forth by the U.S. Department of Commerce.
Quest has certified to the US Department of Commerce that it adheres to the principles set forth in the EU-US Framework with regard to the processing of personal data received from the European Union and European Economic Area (EU/EEA) in reliance on the EU-US Framework, from the United Kingdom (and Gibraltar) in reliance on the UK Extension and from Switzerland in reliance on the Swiss-UK Framework. To learn more about the US Department of Commerce Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Quest Data Privacy Framework Companies
Quest Diagnostics affiliated companies certified to the Data Privacy Framework include the following:
Quest Diagnostics Clinical Laboratories, Inc.
Blueprint Genetics, Inc.
Haystack Oncology, Inc
LabOne of Ohio, Inc.
ExamOne World Wide, Inc.
ExamOne World Wide of N.J., Inc.
Quest Diagnostics Nichols Institute, Inc. (California)
Quest Diagnostics Nichols Institute, Inc. (Virginia)
Quest Diagnostics Ventures LLC
Specialty Laboratories, Inc.
Scope of Certification
Quest’s EU-US Framework, UK Extension and Swiss Framework certification encompasses personal data transferred from the EU/EEA, UK and Switzerland respectively to the US that pertains to patients, clinical research participants and investigators, employees, former employees, beneficiaries identified by employees, job applicants, healthcare professionals, other customers (including customer workforce members, customers’ insurance applicants) and suppliers residing in the EU/EEA, UK or Switzerland, respectively.
Third-Party Transfers and Disclosures
Quest entrusts personal data to third-party partners who assist with business activities, or who have regulatory or legal oversight responsibilities in relation to certain business activities. Where it does so, Quest takes steps to ensure that the third parties entrusted with personal data uphold an equivalent level of protection for the data. Quest understands that it can be held responsible if its business partners entrusted with personal data violate those obligations.
Law Enforcement Requests
Quest may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
As of the date of this Policy, we have not been asked to do so and, if asked, will endeavor to notify the data exporter and/or the data subject with the exporter’s assistance. If such notice is not possible, we will seek to have restrictions on our ability to provide the notice waived. If and to the extent permissible, we will agree to share information regarding any such requests for disclosure of personal data with our data exporters.
Choices and Means to Limit Uses and Disclosures
Quest has mechanisms in place to respond to requests from individuals to limit the use and disclosure of their personal data transferred under the Data Privacy Framework. Should you wish to do so, you may contact us by email at Privacy@QuestDiagnostics.com or write to us at Quest Diagnostics Incorporated, Attention: Privacy Officer, 500 Plaza Drive, Secaucus, New Jersey 07094 USA. Please note that there are certain limitations on these rights, as described in the Data Privacy Framework.
Disputes and Independent Recourse Mechanisms
In compliance with the Data Privacy Framework, Quest commits to resolve complaints about our collection or use of your personal data. Individuals with inquiries or complaints regarding our handling of personal data received in reliance on the Data Privacy Framework should first contact Quest via email at: Privacy@QuestDiagnostics.com, or write to us at Quest Diagnostics Incorporated, Attention: Privacy Officer, 500 Plaza Drive, Secaucus, New Jersey 07094 USA. If you are not satisfied with our resolution of your inquiry or dispute, you may also contact the relevant data protection authority.
In compliance with the EU-US Framework, UK Extension and Swiss Framework Quest commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-US Framework, UK Extension and Swiss Framework.
Regulatory Oversight and Enforcement
As noted above, Quest is also subject to the investigatory and enforcement authority of the US, EU/EEA, UK and Swiss agencies that oversee the Data Privacy Framework, namely the US Federal Trade Commission, the relevant EU/EEA supervisory authorities, the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC). You have a right to file a complaint with these oversight agencies, particularly if you believe your complaint is not satisfactorily resolved through Quest.
Right to Binding Arbitration
Under certain conditions, more fully described on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2, you may be able to invoke binding arbitration if other dispute resolution procedures have been exhausted.
Rights of Individuals to Access Their Data
Quest has committed to respect and uphold the rights of individuals in relation to their personal data covered under the Data Privacy Framework. Should you wish to exercise those rights, you may contact us by email at Privacy@QuestDiagnostics.com or write to us at Quest Diagnostics Incorporated, Attention: Privacy Officer, 500 Plaza Drive, Secaucus, New Jersey 07094 USA. Please note that there are certain limitations on these rights, as described in the EU-US Framework.
If there is any conflict between the terms in this Policy and the EU-US Framework, the EU-US Framework will govern.