Skip to content. Skip to main navigation.
We certify self-compliance with:
Cerner Corporation and its subsidiaries ("Cerner") are committed to protecting the privacy and security of its clients, partners, and associates and therefore operate under a set of strict privacy principles. Cerner is required to comply with certain legal requirements in respect of any personal data it collects, holds and/or processes in the European Economic Area (“EEA”). These requirements are set out in the European Data Protection Directive and the local laws of each country in the EEA.
As a result of these legal requirements, Cerner has certified compliance to the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks concerning the transfer of personal data from the EEA and/or Switzerland to the United States of America. Accordingly, Cerner follows the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles published by the U.S. Department of Commerce. If there is any conflict between the policies in these EEA and Swiss Safe Harbor Privacy Guidelines (these "Privacy Guidelines") and the principles published by the U.S. Department of Commerce, the latter principles shall govern to the extent permissible by the local laws of each country in the EEA. To learn more about the Safe Harbor program, and to view Cerner's self-certification, please visit http://www.export.gov/safeharbor/.
These Privacy Guidelines set forth the privacy principles Cerner follows with respect to any transfer of personal data from the EEA and/or Switzerland to the United States. These Privacy Guidelines apply to all personal data received from the EEA and Switzerland by Cerner regardless of the medium or format in which the information is stored. If you require further information regarding European data protection laws, please read the Cerner EEA Data Protection Policy.
Cerner’s data processing roles:
Cerner has two separate roles when processing personal data:
Firstly, as a “data controller” where Cerner has the right to determine the purposes for which and the manner in which it processes the relevant personal data. In the event Cerner, acting as a data controller, is collecting personal data from individuals in the EEA and/or Switzerland and is transferring such information to the U.S., Cerner will inform the individuals concerned about the purpose for which Cerner collects and uses their personal data.
Secondly, as a "data processor" where Cerner does not own or determine the purposes for which it processes the personal data, but rather its client does. In this capacity, Cerner receives and processes personal data merely on behalf of its client, and often in such circumstances Cerner has no direct relationship with the individuals to whom such personal data relates. As a data processor acting on behalf of a Cerner client who is the data controller, Cerner is required to perform its services in accordance with the Safe Harbor Privacy Principles and its contract with the client concerned and any data privacy protections incorporated therein. Cerner, however, is otherwise dependent upon its client, the data controller, to comply with applicable EEA and/or Swiss data protection law at the time that the personal data is originally collected or received by the client.
These Privacy Guidelines are to be read subject to this distinction.
In the event Cerner is processing personal data in the United States from individuals in the EEA and/or Switzerland for a client, Cerner will inform the client about the purpose for which Cerner uses the personal data relevant to that client. The client, as the "data controller," is responsible for ensuring that the personal data is processed in accordance with the rights and requirements of the individuals concerned under European data protection law. Cerner also provides information about how individuals can contact Cerner with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means Cerner offers for limiting use and disclosure of the information. If Cerner, acting as data processor, receives personal data of individuals from its subsidiaries or affiliates or any other entities in the EEA or Switzerland it will use such information only in accordance with the notices such entities have provided to the individuals concerned and any consents that such individuals have provided.
How and why Cerner processes personal data:
Cerner in the U.S. receives, holds and processes the following personal data from the EEA and/or Switzerland:
As a manufacturer of clinical and management information systems, Cerner assists its clients worldwide in the implementation and support of Cerner solutions in their healthcare institution(s). Since Cerner provides implementation and support for different healthcare institutions, Cerner may receive, hold, and process personal data from clients within the EEA and/or Switzerland, including patient data provided by clients for the purpose of troubleshooting specific computer system hardware and software problems and issues in accordance with business and/or service agreements. Cerner also provides managed services such as remote hosting, remote system monitoring, disaster recovery, data warehousing and application management services, in which it may act as the custodian of patient health information for certain clients.
Further, Cerner receives, holds, and processes personal data from employees of Cerner's wholly-owned European subsidiaries, which are transferred to Cerner Corporation in the U.S. for purposes of human resource administration. Where Cerner is acting as a data controller, Cerner will comply with the Safe Harbor Privacy Principles. The details of processing of personal data will be notified to individuals in an appropriate data collection notice. Any such personal data is collected and processed only for job related purposes, for other legitimate purposes reasonably related to an individual's employment, their performance of job responsibilities and Cerner's ability to make employment services and benefits available to them. Cerner particularly processes personal data for the proper management of global operations, including for payroll management, headcount, promotions and performance review measures, vacation, tax and social security withholding, enrollment in company benefit programs, stock purchase and stock option programs, relocation or immigration assistance, and the mandatory compliance with all applicable labor, employment and tax laws and Cerner is a data controller in respect of such personal data. If you work for Cerner in Europe, please read the Data Protection Policy for more information about how your personal data is processed by Cerner.
Cerner will offer individuals the opportunity to choose (through an 'opt out' choice) whether their personal data is (1) to be disclosed to a third party (unless permitted or required by contract or law) or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.For sensitive personal data (that is personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or other personal data that Cerner receives from a third party which the third party identifies as sensitive personal data), Cerner will generally give individuals or require data controllers to give individuals, the opportunity to affirmatively or explicitly consent (through an 'opt in' choice) or obtain appropriate approvals from relevant regulatory authorities before individuals’ personal data is to be disclosed to a third party (unless permitted or required by contract or law) or if it is to be used for a purpose other than its original purpose or a purpose authorized subsequently by the individual.
Cerner only transfers personal data to third parties (i.e. entities outside of Cerner) that are acting as an agent to perform task(s) on behalf of and under the instructions of Cerner. Before making disclosure to an external third party, Cerner will first apply the principles noted above under "Notice" and "Choice" to the extent required. Unless the disclosure is legally required, Cerner will not transfer personal data to any third parties outside of the EEA unless that third party is subscribed to the Safe Harbor Privacy Pprinciples, is subject to the EU Directive on Data Protection or another adequacy finding, or enters into a written agreement with Cerner requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor Privacy Principles. If Cerner learns that an agent is using or disclosing personal data in a manner contrary to these Privacy Guidelines, Cerner will take all reasonable steps to prevent or stop the use or disclosure. Cerner limits the data transferred to a third party agent to data that is necessary to carry out the function Cerner has contracted with the agent to perform.
Cerner takes all reasonable measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and/or destruction. Cerner accordingly has put in place appropriate physical, electronic and managerial security measures to safeguard and secure any personal data under Cerner's control from loss, misuse, unauthorized access or disclosure, alteration or destruction. However, Cerner cannot guarantee the security of personal data on or transmitted via the Internet.
Cerner will process personal data only in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Cerner will take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.
Subject to any statutory exceptions or applicable local laws, Cerner will allow an individual access to their personal data upon request and will provide reasonable measures to allow the correction, amendment or deletion of information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Enforcement and Dispute Resolution:
Cerner uses a self-assessment approach to assure compliance with the Safe Harbor Privacy Principles and periodically verifies that its data processing activities are accurate, comprehensive for the information intended to be covered, prominently displayed, implemented and accessible and in conformity with the most current Safe Harbor Privacy Principles.
Cerner encourages interested persons to raise any concerns using the contact information provided below and it will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal data in accordance with the Safe Harbor Privacy Principles. Cerner has further committed to refer unresolved privacy complaints under the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Cerner, please visit the BBB EU SAFE HARBOR web site at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.
Cerner Ireland Limited:FAO: Duncan Hall6th Floor, The Point, 37 North Wharf Road, London, W2 1AFPhone: +442071073298Email: Duncan.Hall@Cerner.com
Cerner Limited:FAO: Clive Tomsett6th Floor, The Point, 37 North Wharf Road, London, W2 1AFPhone: +44 79 5124 7552Email: Clive.Tomsett@Cerner.com
Cerner France SAS and Cerner Iberia S.L.:contactCIL@cerner.com
Cerner Deutschland GmbH:Giuseppe DraganiCunoweg 1, 65510 Idstein, Germany Phone: + 49(0) 6126-952147Email: firstname.lastname@example.org
FAO: Marc E. Elkins, Chief Compliance Officer2800 Rockcreek Parkway North Kansas City, Missouri 64117-2551Phone: 816-221-1024Email: email@example.com
These Privacy Guidelines may be amended from time to time consistent with the requirements of the Safe Harbor. We will post any revised policy on this website. Effective Date: September 21, 2001; Updated November 17, 2009; Updated November 19, 2012; Updated January 6, 2014; Updated November 21, 2014
Copyright © 2014 Cerner Corporation. All rights reserved.