GDPR 

The GDPR (General Data Protection Regulation) is a new EU privacy regulation that provides higher levels of protection for EU citizen data. Here is a link to more information.

GDPR went into effect on the 25th May 2018.

The GDPR has a very far-reaching scope. It applies to all companies processing and holding personal data of data subjects residing in the European Union, regardless of the company’s location. The regulation also applies in Switzerland, Norway, Iceland, Liechtenstein, and will continue to apply in the UK post-Brexit.

Organizations can be fined up to 4% of annual worldwide turnover or €20 Million for serious GDPR breaches.

IDEXX considers the proper processing of personal data to be highly important and essential to fulfilling our Purpose and Guiding Principles. We have been working diligently toward GDPR compliance.

One of the requirements of the GDPR for both IDEXX and your veterinary practice is to have a Data Protection Agreement (“DPA”) in place when IDEXX processes personal data on your behalf (we are then known as a “data processor” under GDPR, and you are the “data controller”). This requirement applies to our VetConnect PLUS and SmartService products. This DPA helps you fulfil one of your obligations as data controller.  In order to align our VetConnect Plus Terms of Service and SmartService Agreement (“Terms”) with the DPA, we needed to make changes to these as well.

Regarding the revised VetConnect PLUS Terms of Service and SmartService Agreement – You need to read the new terms and 30 days after the new terms have been sent to you these will be considered approved by you. Regarding the DPA – The DPA describes the rights and obligations of both parties, data controller and data processor, as required by the GDPR so it is important for you to read and understand it. Additionally, you are requested to electronically confirm your acceptance to the DPA as it is part of your agreement with IDEXX. To do so, please go to GDPR Acceptance. If you fail to do so, you will not fulfil your obligation as a data controller to have a DPA in place and you will not be able to continue using these IDEXX’s services.

A data controller determines the purposes and means of processing of personal data. A data processor processes personal data on behalf of a data controller. IDEXX customers will typically act as the data controller for any personal data they provide to IDEXX in connection with their use of IDEXX services. IDEXX is the data processor and processes personal data on behalf of the data controller when the data controller is using IDEXX VetConnect PLUS and SmartService.

Not every type of customer relationship requires a DPA under the GDPR. Article 28 of the GDPR requires an agreement between “Controllers” and “Processors”. A Controller determines the purpose and means of processing the personal data. A Processor simply processes personal data on behalf of the Controller, and only on the documented instructions of the Controller. When IDEXX processes personal data for our own purpose in connection with customer order, then we are a Controller and do not need to have a DPA in place. For example, when our reference laboratory customers submit an order - which may include personal data – IDEXX is simply processing that personal data in order to perform the requested laboratory test and provide the result. As Controller, our GDPR requirement is to meet certain information requirements (Article 13) to disclose, among other things, the purposes of our processing, our legitimate interest of the processing, data subject rights, and our adequacy basis for cross-border transfer. We meet these information requirements with our revamped Privacy Policy.

We appreciate that some customers have already developed their own Data Processing Agreements/Data Protection Agreements. We fully understand that customers as data controllers have concerns about meeting their responsibilities under the new Regulation as far as the processing of their data is concerned. To help you meet this purpose, IDEXX has developed our own standard DPA as we are unable to agree to different DPA arrangements with each of our customers. We need to ensure we comply with GDPR in a consistent and reliable way across our customer base.