RMPDS Privacy Notice

RMPDS Privacy Notice

RMPDS Privacy Notice
(Version March 2023)

Rocky Mountain Poison Drug Center (“RMPDS”) is a division of Denver Health and Hospital Authority (“DHHA”), a body corporate and political subdivision of the State of Colorado, (with offices located at 601 Broadway, Denver, Colorado 80203). This Privacy Notice will explain how RMPDS uses the personal data collected from individuals who contact us, use our website or whose data we process on behalf of our clients or partners for services we provide.

RMPDS is committed to protecting your privacy, and so we provide this notice explaining our information practices and the choices you can make about the way your information is collected and used. This notice outlines the processes for complying with applicable privacy laws and regulations, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and other similar regulations. This Privacy Notice applies to personal data, including electronic, paper, and orally provided personal data of RMPDS existing/potential clients or partners, information collected on behalf of clients or partners, vendors/suppliers, contacts, and visitors to the RMPDS website.

This notice, along with our Website Privacy Policy, Social Media Policy, and any other sources referred to in these documents notifies you of our practices regarding your personal data and how we will handle the data. By visiting our website, you acknowledge the processing described in these policies, notices, and related documents

Topics:
What data do we collect and how do we collect your data?

RMPDS collects the following types of personal information:

Category of Information Example Data How do we collect your data? Source of the Data
Individual identifiers and demographic information First and Last name Home or work address Telephone number Email Address Comments Employer Occupation

  • Voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
  • Web Chats
  • Online Help Tools
  • Contact Us
  • Inquiries on behalf of our clients (data controllers) in which we serve as a data processor
  • Research surveys
  • Voice recordings to collect information on behalf of our clients (data controllers) in which we serve as a data processor
Note: When RMPDS is acting on behalf of our clients (data controllers), our clients will be responsible for responding to those consumers providing personal data and directed to the applicable Privacy Policy/Notice or other contact information from the client.
Health and Medical Information Medical history Medical History Medications Symptoms Prescriptions Physician

  • Voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
  • Web Chats
  • Online Help Tools
  • Contact Us
  • Inquiries on behalf of our clients (data controllers) in which we serve as a data processor
  • Research surveys
  • Voice recordings to collect information on behalf of our clients (data controllers) in which we serve as a data processor For further information, see our Internal Call Recording Policy Policy in this Privacy Notice.
Note: When RMPDS is acting on behalf of our clients (data controllers), our clients will be responsible for responding to those consumers providing personal data and directed to the applicable Privacy Policy/Notice or other contact information from the client.
Internet or Technical Information Cookies Google Analytics Use or view our website via your browser's cookies.
Financial Information Credit Card number Credit Card expiration date Credit Card billing zip code Credit Card CVV Full name on Credit Card RMPDS does not collect this information for the services provided.
Cookies

We may use cookies, web beacons, tags, scripts, advertising identifiers (including mobile identifiers) and similar technology in connection with your use of our Websites or Services. In addition, we may allow third parties to incorporate their third-party SDKs, cookies or other technologies into our Websites and Services to perform services on our behalf, such as analytics or advertising services. For more information about how we use cookies, please see our Cookie Policy on the RMPDS website.

How will we use your data?

Information collected by RMPDS is used for the purpose of:

  • Donations, when applicable
  • Management of customer, client, and supplier relationships and any associated legal obligations (contractual or public health)
  • Research opportunities
  • Communications specific to job applications
  • Possibly use personal information to inform you of other products or services available from RMPDS and its partners and research sponsors.
  • Contact you via surveys to conduct research about your health habits, opinion of current services or potential new services that may be offered.
  • Process requests and orders. For those that require payment, we may send your data to, and also use the resulting information from, credit reference agencies to prevent fraudulent purchases. RMPDS may, from time to time, contact you on behalf of companies that have contracted with RMPDS for drug services customer support.

RMPDS also may offer, through external business partners about a particular offering that may be of interest to you. In the case involving external business partners, your personal information (e-mail, name, address, telephone number) is not transferred to the third party.

RMPDS may access and/or disclose your personal information if required to do so by law or in the good faith belief that such action is necessary to:

  1. conform to the edicts of the law or comply with legal process or
  2. protect and defend the rights or property of RMPDS, including its website; or
  3. act under exigent circumstances to protect the personal safety of users of RMPDS or the public.
What is the purpose for processing your data?
Category of Information Purpose of Processing
Individual identifiers and demographic information
  • To provide customer service to you
  • To improve our service to you
  • To gather your opinion
  • To communicate with you
  • To process your job application
  • To process your donation
  • To market services to you
  • To facilitate medical research, supplier and other diversity programs that require racial and ethnic data to be collected.
  • To collect religion or beliefs as needed to meet an Individual’s specific needs for medical treatment
  • To record for compliance and other legitimate business purposes, such as participating in customer service calls.
Health and Medical Information

  • To provide you with drug information
  • To recommend medical protocols
  • To answer questions about potential or real poisons, contraindications and other information about medications, substances, or poisons
  • To aggregate health and medical information for pharmacological research and development
  • To accommodate a person’s disability or dietary needs, address emergency health needs
  • To report to public health authorities
  • To comply with safety reporting, pharmacovigilance, clinical trials, and regulatory reporting
Internet or Technical Information

  • To improve our service to you
  • Keeping you signed in
  • Understanding how you use our website
  • Improving your online experience
Financial Information

  • To process billing of donations, if applicable
  • To process payments for product/services provided, as applicable
Internal Call Recording Policy

This policy explains how we use recording of phone calls to provide customer service on behalf of our clients. When a call is recorded, we collect:

  • A digital recording of the telephone conversation
  • The telephone number of both parties (internal and external)

Personal data revealed during a telephone call will be digitally recorded. For example, name and contact details to deliver appropriate services.

At times, ‘special category’ personal information may be recorded where a customer voluntarily discloses health, religious, ethnicity or criminal information to support their request for reporting information, advice and/or services. Personal information is also recorded for the purpose of collecting medical information and reporting Adverse Events and Product Complaints to the FDA and to protect the vital interests of the data subjects.

Call recordings are retained in accordance with RMPDS’ Record Retention Schedule and are deleted after 275 days.

How do we secure your personal information data?

RMPDS, along with DHHA, implements a variety of security measures to maintain the safety of your personal information when you place a donation, communicate with us, receive drug information and other customer support, or apply for a position.

All supplied sensitive/credit information is transmitted via Transport Layer Security (TLS) technology and then encrypted into our Payment gateway provider’s database only to be accessible by those authorized with special access rights to such systems and are required to keep the information confidential. After a transaction, your private financial information (credit cards, social security numbers, financials, etc.) will not be stored on our servers.

When applicable, RMPDS securely stores your data under strict privacy and security practices. Where partners/suppliers of RMPDS secure your data, partners/suppliers have undergone comprehensive risk assessment, validation of systems and requirements for strict privacy and security standards for storage and processing data.

RMPDS will transfer your personal data to/from other countries, including the USA. When these transfers take place, we ensure Standard Contractual Clauses are in place to require an adequate level data protection.

How long does RMPDS store your data?

RMPDS has implemented retention schedules so that records containing Personal Data are only retained as needed to fulfill the applicable business purposes, to comply with applicable legal requirements, or as advisable in light of applicable statutes of limitations.

Category of Data Length of time stored
Personal data when serving as “Processor” for our clients

Retained according to client directives or indefinitely when the basis for processing is legal and for public health reasons, neither of which allow rights for deletion of safety or quality information.
Other data not subject to legal or public health requirements when RMPDS serves as data processor:
For the duration of the period for which RMPDS serves as the Processor and then turned over to the client upon contract expiration and deleted.

Call Recordings – For services provided to clients that require recording of calls received. RMPDS ensures that these

Call recordings are created, managed, and disposed of in accordance with applicable regulatory record-keeping requirements and business needs. These call recordings are deleted after 275 days, unless otherwise requested under contractual obligations

Anonymized Personal Data

No time limits. This data cannot identify you and is used for statistical purposes where we have a legitimate and/or lawful interest in doing so.

Personal data when serving as the “Controller”

Retained as needed to fulfill the applicable business purposes, to comply with applicable legal requirements, or as advisable in light of applicable statutes of limitations.

How does RMPDS share your data?

We occasionally hire other companies to provide limited services on our behalf, such as handling the processing and delivery of email or mailings, providing customer support, processing transactions, performing statistical processing of data, or performing statistical analysis of our services. We will only provide those companies the personal information they need to deliver the service. They are required to maintain the confidentiality of your information and are prohibited from using that information for any other purpose.

Category of Information Category of Service Provider or Data Recipient Purpose of Processing
Individual identifiers and demographic information
  1. Medical Information Management Systems
  2. Survey Management and Processing
  3. Call Recording Collection
  1. Collect and process data for clients.
  2. Collects and process data for research data
  3. Provides mechanism for recording calls for collection of data.
Health and Medical Information
  1. Medical Information Management Systems
  2. Survey Management and Processing
  3. Call Recording Collection
  4. Pharmacovigilance Services (PV)
  1. Collect and process data for clients.
  2. Collects and process data for research data
  3. Provides mechanism for recording calls for collection of data.
  4. Processes for clients needing pharmacovigilance services.
Internet or Technical Information Cookies To collect information on visitors, use of our Websites or Services
Financial Information None None
Marketing

RMPDS does not currently collect contact information on our website for marketing purposes.

What are your data protection rights?

RMPDS would like to make sure you are fully aware of all of your data protection rights. You may make the following requests regarding your personal information at no charge by contacting us using the channels further below. A response will be sent to you within one month.

  • Access to Your Personal Information
  • Receive Copies of Your Personal Information where possible
  • Deleting Your Personal Information where possible: Note that we retain your personal information to inform you about poison, drug indications or contraindications if you contact our service center or for public health regulatory reporting. Some information may be retained as required by law.
  • Restrict the Processing of Your Personal Information:
  • Opting Out: You may stop the delivery of promotional e-mail by responding directly to any email you receive with a request to remove you from the mailing list. You may also opt out of any of the public cookies defined in our Cookie Policy. If you wish to opt-out of RMPDS’ partner advertising campaigns, you will need to contact that vendor directly or opt-out of their cookies.
  • Shine the Light: If you are a California resident, you may ask us for a notice describing what categories of personal information we share about you with third parties for our direct marketing purposes. This notice will identify the categories of information shared and will include a list of the third parties with which it is shared, along with their names and addresses. You may request a copy of this notice by submitting a written request to us at the addresses listed below.
How to Access your Information (Data Subject Access Request)

You have the right to ask for all the information we have about you. This can be done using a Data Subject Access Request (DSAR). To make an online Subject Access Request please select this link : DSAR-RMPDS.To download a PDF form of the DSAR, please select this link: Data Subject Access Request Form .

Submitting a complaint with the applicable supervisory authority: If you consider that the processing of your personal data infringes privacy regulations and we are not able to assist, you have a right to issue a complaint with a supervisory authority in relevant EU Member State, USA state, or other jurisdictional regulator. Each country may have numerous rights related to your data privacy. For additional information for your country, please visit the website of your local data privacy authority.

Privacy Notices or Policies of Other Websites

The RMPDS website may contain links to other websites. Our privacy notice applies only to our website, so if you click on a link to another website, you should read their privacy notice or privacy policy.

Children’s Privacy

RMPDS is concerned about the privacy and safety of children when they use the Internet. We will never knowingly request or collect personally identifiable information online from children without prior verifiable parental consent. Our Site is not intended for children. Accordingly, we do not intentionally collect Personal Information from children under the age of 13 in the U.S. and under 16 in the EU through the RMPDS Site. If you are a child, you are not permitted to sign up for any information or service through the Site. If you become aware that we have collected Personal Information from a child without parental consent, please notify us promptly. If we become aware that a child under the age of 13 in the U.S. or under 16 in the EU has provided us with Personal Information without parental consent, we will take steps to remove it.

CCPA Specific Information

The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. CCPA provides California residents with specific rights regarding their personal information. California consumers may exercise their rights under the CCPA twice within a 12-month period.
RMPDS does not sell or share any personal information of its employees, contractors, customers, third parties, or any other affiliation to others.
Scope of CCPA Specific Information: This information describes the rights of consumers, visitors, users, and others that reside in the state of California in connection with the CCPA. This CCPA information is to be read in conjunction with the entire Privacy Notice. To the extent that there is any conflict between other information contained in this Privacy Notice and this CCPA specific information – this information shall take precedence in respect of any matters relating to the CCPA and how we handle personal information.
The CCPA Specific Information covers:

  • Personal information as defined by the CCPA
  • Categories of personal information shared by RMPDS
  • Sale of personal information
  • Employee information
  • California consumer rights and choices
Personal Information as defined by the CCPA

Any information that could be reasonably linked, directly or indirectly, with a particular California consumer or household.
Consumer - A natural person who is a California resident. Household - A collective of individuals - such as a family or occupants at a residential address.
Personal information under the CCPA does not include:

  1. Publicly available information from government records.
  2. Information excluded from the CCPA's scope, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (‘’HIPAA’’) and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (‘’FCRA’’), or the Gramm-Leach-Bliley Act (‘’GLBA’’).
  3. De-identified or aggregated consumer information. De-identified information is data that has had all personally identified information removed from it. Aggregated information is numerical or non-numerical information that is compiled into data summaries or summary reports for data statistics or public reporting.
Categories of personal information shared by RMPDS

see What data do we collect? found in this Privacy Notice.

Sale of personal information

In the preceding twelve (12) months we have not “sold” personal information for the purposes of the CCPA. RMPDS does not ever sell or share the personal information of its employees, contractors, customers, third parties, or any other affiliation to others. RMPDS works diligently to continuously protect your personal information.

Employee Information

RMPDS does not have employees based in California and does not sell, lease, or rent any employee personal or family data to any third party.

California Consumer Rights and Choices

Under the CCPA, California residents have specific rights regarding their personal information.

Right to Know and Data Portability

California residents have the right to request that we disclose certain information to you about our collection and use of your personal information over the past twelve (12) months, including:

  • The right to know which categories of personal information are being collected.
  • The right to know the categories of sources for the personal information being collected.
  • The right to know if personal information is being sold or shared, and to whom.
  • The right to object to the sale of personal information.

A Right to Know request may only be submitted twice within a 12-month period. RMPDS does not provide a ‘right to know’ or data portability disclosure for any B2B personal information.

Right to Delete

California residents have the right to request the deletion of your personal information that is collected from you and retained by RMPDS, subject to certain exceptions.


RMPDS is not required to delete personal information if it is still needed in order to complete the transaction for which the information was collected, provide a good or service requested by you (or that we reasonably anticipate based on our relationship with you), perform a contract with you, comply with legal obligations, or accomplish any other objective recognized as an exception to the right to deletion under CCPA. RMPDS does not provide deletion rights for B2B personal information.

Exercising Your Rights

RMPDS will never charge you or discriminate against you for choosing to exercise your rights. RMPDS will make reasonable efforts to comply with all consumer rights requests. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

RMPDS reserves the right to verify your identity before any request to update or delete your personal information that processed by us. The verifiable consumer request must provide sufficient information that allows RMPDS to reasonably verify you are the person about whom we collected personal information or an authorized representative, as well as describe your request with sufficient detail that allows RMPDS to properly understand, evaluate, and respond to your request. The CCPA grants businesses 45 days to respond to your consumer rights request. An extension period is allowed up to an additional 90 days.

Information provided in response to an access request may be delivered by mail or electronically. If provided electronically, all personal information provided must be “portable” and to the extent technically feasible, in a readily usable format that allows you to transmit the information to another entity without hindrance.

Changes to our Privacy Notice

If any changes are made to this notice we will let you know by updating the version date published above. Continuing to interact with us after notification and/or posting of changes will constitute your acknowledgement and acceptance of such terms.

Contact, Questions, Further Information

If you have any questions about our Privacy Notice, the data we hold about you, or if you would like to exercise one of your data protection rights, please contact us by email at privacy.rmpds@rmpds.org or via mail at:

RMPDS Data Protection Officer
777 Bannock Street, Mail Code 0180
Denver, CO 80204

To contact RMPDS via Phone: (303) 389-1100