EU/UK Privacy Notice - Snow Companies

EU/UK Privacy Notice

Last Updated: October 2023

1.    PURPOSE OF THIS PRIVACY NOTICE

This EU/UK Privacy Notice (“Privacy Notice”) sets out how Snow Companies, LLC, and its affiliates MyPatientStory.com, LLC (d/b/a PatientWorthy), and WhatNext, LLC (collectively, “Snow”), “we”, “us”, or “our”) processes your personal data in connection with our business and the services we offer (“Services”). 

In particular, this Privacy Notice explains our approach to any personal data that we might collect from you (i) during any interactions with us, or (ii) when providing Services to our clients (including the personal data that we collect, why we collect it, and your rights in respect of our processing of your personal data).  Please take a moment to read and understand this Privacy Notice. 

This Privacy Notice is intended to meet the requirements of:

  • Regulation (EU) 2016/79 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”).
  • Equivalent data protection laws in the United Kingdom (the “UK GDPR”) and Switzerland (“Swiss Data Protection Law”).

For ease of reference, in this Privacy Notice we use the term GDPR to collectively refer to the EU  GDPR, the UK GDPR, and the Swiss Data Protection Laws.  Where other privacy laws (other than the GDPR) apply, please see our Online Privacy Notice.  

2.    SCOPE OF THIS PRIVACY NOTICE

This Privacy Notice only applies to the use of your personal data obtained by us, whether obtained from you directly or from a third party.  It does not apply to personal data collected by third parties during your communications with those third parties or your use of their services.  Further, this Privacy Notice is not intended to cover the processing of human resources personal data.  Human resources personal data is covered by our Personal Information Protection Policy.  This Privacy Notice only applies where the GDPR applies.  Where other privacy laws apply, please see our Online Privacy Notice.

3.    CHANGES TO THIS PRIVACY NOTICE

We will update this Privacy Notice from time to time to reflect any changes or proposed changes to our use of your personal data, or to comply with changes in applicable law or regulatory requirements.  We may notify you by email of any significant changes to this Privacy Notice, but we encourage you to review this Privacy Notice periodically to keep up to date on how we use your personal data.  If we update this Privacy Notice, we will update the effective date at the top of the page.

4.    ABOUT US

Snow is a Virginia limited liability company with a registered office at 133 Waller Mill Road, Williamsburg, Virginia, 23185, United States.  In this Privacy Notice and for the purposes of GDPR, Snow shall be considered a data controller of your personal data unless we state otherwise. Please note that in many cases where we process data in relation to Services that we provide, we may carry out the activities referred to in this Privacy Notice in our capacity as a data processor acting on behalf of our clients.  We have made this distinction clear in the Privacy Notice.   

5.    HOW TO CONTACT US

If you have any questions about this Privacy Notice or want to exercise your rights as a data subject set out in this Privacy Notice, you can contact us using the following methods:

Email Send us an email at: [email protected]
Post Write to us at Snow Companies, LLC Attn: Privacy Officer
133 Waller Mill Road, Williamsburg, VA 23185 United States
Telephone Call us: 844-819-6925 (toll-free in the United States) or 757-345-6470

6.    TYPES OF PERSONAL DATA WE COLLECT AND PROCESS

When we talk about personal data, we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address), or to other factors that are specific to them, such as physical appearance.  Categories of personal data we may collect and process about you include:

Identity Data First name; last name.
Contact Data Home address; billing address; email address; telephone number; social media handle.
Demographic Data Date of birth; gender; country; nationality; marital status; dietary requirements; any other personal data that you provide to us in connection with the Services.
Image Data Photos; video recordings.
Financial Data Bank account details (if we make a payment to you); payment details.
Technical Data IP address; browser type and operating system; geolocation, to ensure we’re showing you the correct notices and information; any other unique numbers assigned to a device.
Behavioural Data Data relating to your browsing activity, obtained through the use of cookies, pixel tags and other similar technologies; information about when your current or previous sessions started; details about any services you viewed through the Site.

For more information about the personal data that we collect, please refer to the section “How we use personal data” below.

7.    HOW WE COLLECT PERSONAL DATA

We may collect and receive your personal data in one or more of the following ways:

Personal data you provide to us We collect your personal data directly from you when you inquire about our engagement opportunities. You may submit a webform or speak directly with one of our representatives. If you are selected to participate in an engagement opportunity, we will collect information necessary for contracting and, if applicable, making travel arrangements on your behalf.
Personal data we collect automatically, including using cookies and other similar technologies If you visit our Website, we may collect certain Behavioural Data and Technical Data automatically, including through our use of cookies and other similar technologies (see the ‘Website insight and analysis’ section).
Personal data received from third parties We may receive personal data about you from third parties. Such third parties may include analytics providers and technical services providers so that we can provide our Site and our Services.

8.    WHO WE COLLECT PERSONAL DATA ABOUT

We collect and process personal data from the following people:

Site visitors We will collect and process your personal data in connection with your interaction with us and our Site.
People who contact us with enquiries If you contact us with an enquiry through our Site, submit a complaint or provide any feedback to us in our surveys and feedback forms, we will collect and process your personal data in connection with your interaction with us and our Site.
Program Participants If you provide services and/or content to us and/or are engaged to share your personal experiences on behalf of a client, we may collect or process your personal data, such as your Identity Data, Contact Data, Financial Data, in connection with such supply of services and/or content.
Partner/supplier personnel If you (or your organisation) partner with us as part of a disease awareness or educational campaign, we may collect and process your personal data in connection with that partnership. This may include personal data included in any email or telephone communications or recorded on any document.

9.    HOW WE USE PERSONAL DATA

A: OPERATION OF SITE, PROVISION OF SERVICES AND MARKETING

I. Operation of the Site

If you browse our Site
When you browse our Site, we may process Technical Data, including through our use of essential cookies and other similar technologies, to provide our Site to you.  

Our legal basis for processing
It is necessary for us to use your data to perform our obligations in accordance with any contracts that we may have, or it is in our legitimate interest to use data in such a way to ensure that we provide access to our Site in a secure and effective way.

If you link to social media sites and interact with our social media pages
If you click on one of the social media links on our Site or otherwise interact with our social media pages such as on Facebook or Instagram (including interacting with any ‘like’ or similar embedded features on our Site), we and the relevant social media platform may receive information relating to such interaction and may share your personal data in connection with this purpose. Where that data is collected through your use of our Site, the data may include certain Behavioural Data and Technical Data. For more information about how we use this personal data, please see the ‘Website insight and analysis’ section.

The relevant social media platform may also be a controller in respect of the personal data that is collected via your use of our social media pages and may use that personal data for additional purposes. For details of how the relevant social media platform uses your personal data, please see the privacy notice of the relevant social media platform.

Our legal basis for processing
It is in our legitimate interest to use personal data in the ways described above to ensure that we provide the Site in an effective way and to promote our Site via social media.

Website insight and analysis
We and our third-party partners use cookies, web beacons, pixel tags and other similar technologies (which we generically refer to as “Cookies”) to collect data from the devices that you use to access our Site. The data that is collected includes Behavioural Data and Technical Data, and certain Profile Data. Please see our Cookie Notice for further information, including details of our third-party partners.
We and our third-party partners use this data to analyse how you use our Site and our Services and the effectiveness of our Site and Services, including:

  • to analyse how you use, and the effectiveness of, our Site and Services;
  • to improve our Site and Services;
  • to count users who have visited our Site and collect other types of information, including insights about visitor browsing habits, which helps us to improve our Site and Services;
  • to measure the effectiveness of our content;
  • to learn what parts of our Site are most attractive to our users, which parts of our Site are the most interesting and what kind of features and functionalities our visitors like to see;
  • to help us understand the type of marketing content that is most likely to appeal to our visitors and customers.

Our legal basis for processing
Where your data is collected through the use of non-essential Cookies, we rely on consent to collect your personal data and for the onward processing purpose. Please see our Cookie Notice  for further details.

In certain circumstances, we may rely on another lawful basis when we use your personal data collected via the use of Cookies.  For example, where we use personal data collected through the use of analytics cookies to analyse how you use our Site, it is in our legitimate interest to use your personal data in such a way to improve our Site and Services. 

II. Provision of our Services

Client administration.
We may collect personal data about our client and potential client contacts to enable us to respond to client requests, to administer client accounts with us, and to verify and carry out financial transactions for payments made to or by us. The data that is processed includes Identity Data and Contact Data, and certain Transaction Data.

Our legal basis for processing

It is in our legitimate interests (and those of our clients) to process personal data in this way to ensure we provide the Services requested by our clients in an effective and efficient way.

Who do we share personal data with for this purpose?

We may share such personal data with our third party vendors (such as our payment service providers or IT providers), financial institutions, group companies, affiliates, professional advisors, regulatory bodies or other law enforcers or such other third parties as indicated in “Sharing Your Personal Data” below in connection with this purpose.

Social media.

We may collect or process individuals’ personal data (Identity Data, Contact Data and certain Profile Data and Publicly Available Data) who engage with us through our social media channels (including by visiting our social media pages or otherwise communicating with us via social media). We may also operate our client’s social media pages, accounts or channels acting on their behalf.

Our legal basis for processing

It is in our legitimate interests to process personal data in this way so that we can market ourselves and engage with the public. Where we carry out this activity on behalf of our clients as a data processor we do not require a legal basis for such processing.

We will only share personal data with the third-party providers of the social platforms, so that we can advertise our Services whilst the individual is using those social media platforms, where they have provided their consent.

Who do we share personal data with for this purpose?

We may share such personal data with our clients, group companies, affiliates, third party vendors (such as our IT providers) or professional advisers or such other third parties as indicated in “Sharing Your Personal Data” section below in connection with this purpose.

B: BUSINESS ADMINISTRATION, FINANCIAL AND LEGAL

Receipt of services

If we have engaged an organisation to provide us or our clients with services (for example, IT support or financial advice), we will collect and process your personal data (including Contact and Identity Data) if you are a contact within the relevant organisation in order to manage our relationship or our clients with the organization, to receive services from the organisation and, where relevant, to provide our services to others including our clients.

Our legal basis for processing

It is necessary for us to use personal data in this way to perform our obligations in accordance with any contract that we may have with the organisation, or it is in our legitimate interest to use personal data in such a way to ensure that we have an effective working relationship with the organisation and are able to provide our services to others in an effective way.  Where we do this on behalf of our clients as a data processor, we do not require a legal basis for such processing.

Business administration, finance, and legal compliance.

We may use an individual’s personal data (including Identity Data, Contact Data, Financial Data, Transaction Data) for the following business administration and legal compliance purposes:

  • to facilitate the operation or effective management of our business;
  • for financial, accounting and tax purposes;
  • to comply with our legal obligations;
  • to enforce or protect our legal rights;
  • to deal with complaints;
  • to protect the rights of third parties (including where health or security of an individual is endangered (e.g. a fire); and
  • in connection with a business transition or sale such as a merger, re-organisation, acquisition by another company, or sale of all or a portion of our assets.

Our legal basis for processing

Where we use personal data in connection with a business transition, to enforce our legal rights or to protect the rights of third parties, it is in our legitimate interest to do so. For all other purposes described in this section, we will rely on our obligation to comply with law (including any court order) to process such personal data.

We will not process any special (or sensitive) categories of personal data, or personal data relating to criminal convictions or offences except where we are able to do so under applicable legislation or with the individual’s explicit consent.

10.    SHARING YOUR PERSONAL DATA

We only share personal data with others when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place to protect the personal data shared and to comply with our data protection, confidentiality and security standards and obligations.

We are part of the Omnicom Group of marketing and advertising firms and (subject to the above) may share data within Omnicom Group companies, Omnicom Networks, or with our partner agencies.

Further (again subject to the above) we may share your personal data with third parties, as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.

Our clients We may share personal data with our clients for the purposes of providing them with Services.
Third-party IT suppliers We may share personal data with third parties who support us in providing our Site and help provide, run, and manage our internal IT systems. Such third parties may include, for example, providers of information technology, cloud-based software-as-a-service providers, identity management, website design, hosting and management, data analysis, data back-up, security, and storage services. The servers powering and facilitating that cloud infrastructure and store the personal data that we collect are located in secure data centres in the United States.
Payment providers and banks We may share personal data with third parties who assist us with our invoicing and/or making/receiving payments.
Third-party post/email marketing and CRM specialists We may share personal data with specialist suppliers who assist us in managing our marketing database and sending out email marketing communications.
Auditors, lawyers, accountants and other professional advisers We may share personal data with professional services firms who advise and assist us in relation to the lawful and effective management of our organisation and in relation to any disputes we may become involved in.
Law enforcement or other government and regulatory agencies and bodies We may share personal data with law enforcement or other government and regulatory agencies or other third parties as required by, and in accordance with, applicable law or regulation.
Other third parties Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

11.    INTERNATIONAL DATA TRANSFERS

Transfers by us – where we disclose personal data

We may transmit personal data to certain third parties (as listed in the “Sharing your personal data” section) located in countries that do not protect personal data to the same standard as the GDPR, including to our different offices in the Omnicom Group entities, networks or partners agencies.

These countries may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data.

However, when transferring your personal data, we will ensure that, where required by the GDPR, at least one of the following applies: (1) we will only transfer your personal data to countries or organisations that have been deemed to provide an adequate level of protection for personal data by the UK Government or the European Commission; or (2) we may use specific contracts approved by the UK Government or the European Commission referred to as the “Standard Contractual Clauses” or “SSCs” which give personal data the same protection it has in the UK and EU.

To find out more about the SCCs we use, please see: Standard contractual clauses for international transfers | European Commission (europa.eu) or please email us at: [email protected].

In addition, where we disclose personal data that we process in connection with our participation in the EU-U.S. Data Privacy Framework and/or the UK Extension to that framework, and/or the Swiss-U.S. Data Privacy Framework, we remain liable under those frameworks in relation to our onward transfer of personal data to these countries, unless we can show that we are not responsible for the event giving rise to the damage.

Transfers to us – where we receive personal data

As Snow is located in the United States, any data that you provide directly to us, or that is received from third parties, may be stored in the USA. In addition, it may be transferred by us to other countries (as described above).

Snow complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Snow has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Snow has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

12.    OBTAINING YOUR CONSENT

Where our use of your personal data requires your consent, you can provide such consent:

  • at the time that we collect your personal data following the instructions provided; or
  • by informing us by e-mail, post, or phone using the contact details set out in this Privacy Notice.

Please note that if you specifically consent to additional uses of your personal data, we may use your personal data in a manner consistent with the consent.

13.    CONFIDENTIALITY AND SECURITY OF YOUR PERSONAL DATA

We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our Site and those who participate in the programs and services we provide.

14.    YOUR DATA PROTECTION RIGHTS

You have the following rights in relation to the personal data we hold about you under certain circumstances:

  • To obtain the confirmation that we process personal data about you, to access and obtain copies of the information, as well as information relating to the processing we carry out.
  • To request your personal data be corrected where appropriate.
    • If personal data we hold about you is inaccurate or incomplete, you may request that data be amended. However, please be aware that it is every person’s responsibility to provide us with accurate personal data and to inform us of any changes (e.g. new home address or change of name).
  • To request your personal data be deleted, where appropriate.
    • If you demonstrate that the purpose for which the personal data is being processed is no longer legal or appropriate, the data will be deleted, unless we can demonstrate that we are required to retain the personal data by applicable law or otherwise.
    • If we have shared your personal data with others, we will let them know about the deletion where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
  • To request that we restrict the processing of your personal data in some circumstances, such as where you contest the accuracy of the personal data, while we investigate your concern.
    • It will not prevent us from storing your personal information.
    • We will tell you before we lift any restriction.
    • If we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so.
    • If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
  • Where processing is based on your consent, to receive your personal data in a commonly used electronic format, or ask that we move your personal data in that format to another provider, where your request relates to the personal data that you gave us directly and where technically possible.
  • To object to your personal data being processed where we are relying on ours or a third party’s legitimate interest to do so or for the purpose of direct marketing.
  • To withdraw your consent at any time when processing relies upon consent.

Data Subject Rights

Data subjects may exercise these rights verbally or in writing using our contact information provided in the ‘How to contact us’ section. We will endeavour to promptly respond to your requests.  Where you ask us to provide a copy of your personal data we are legally obliged to respond within one month of such request. If your request is denied, we will inform you about the reasons for denial.

Please note that in order for you to assert these rights, we may need to verify your identity to confirm your right to access your personal data.  This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. In order to verify your identity, we may need to gather more personal data from you than we currently have.

Lodging complaints

In addition, you may have the right to lodge certain complaints in relation to our processing of your personal data with regulators in your jurisdiction.

If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, we encourage you to first contact us using our contact information provided in the ‘How to contact us’ section.

If the GDPR applies, you can report your concerns to the following organisations:

European Economic Area You can find a list of supervisory authorities and their contact details for the EEA at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
United Kingdom The Information Commissioner’s Office (“ICO”) is the supervisory authority in the United Kingdom. Contact details for the ICO can be found at https://ico.org.uk.
Switzerland The Federal Data Protection and Information Commissioner (“FDPIC”) is the supervisory authority in Switzerland. Contact details for the FDPIC can be found at https://www.edoeb.admin.ch/.
United States of America In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Snow commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States.

If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Following the dispute resolution process, JAMS or you may refer the matter to the U.S. Federal Trade Commission, which has investigatory and enforcement powers over us. Under certain circumstances, you also may be able to invoke binding arbitration to address complaints about our compliance with DPF Principles.

15.    THIRD PARTY LINKS AND SERVICES

This Site contains links to third party websites and services. Please remember that when you use a link to go from our Site to another website or you request a service from a third party, this Privacy Notice no longer applies to these third-party websites and third-party service providers unless we are acting as joint controllers in respect of your personal data with such third party.

Your browsing and interaction on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. We do not monitor, control, or endorse the privacy practices of any third parties.

This Site may integrate with social networking services. You understand that we do not control such services and are not liable for the manner in which they operate.  While we may provide you with the ability to use such services in connection with our Site, we are doing so merely as an accommodation and, like you, are relying upon those third-party services to operate properly and fairly.

16.    HOW LONG DO WE KEEP YOUR PERSONAL DATA

We retain personal data only for as long as is necessary for the purposes described in this Privacy Notice, after which it is deleted from our systems.

If any personal data is only useful for a short period (e.g. for a specific event), we will delete it at the end of that period.  If you have opted out of receiving marketing communications from us, we will need to retain certain personal data on a suppression list so that we know not to send you further marketing communications in the future.

17.    PERSONAL DATA OF MINORS

Our Site is not intended for use by, or targeted at, minors (individuals under the age of 18) and we do not knowingly collect personal data of minors. However, due to the nature of our organisation and the Services we provide, we may from time to time collect and process personal data relating to minors. If we do collect personal data of minors, we will comply with all applicable laws and regulations relating to the processing of personal data of minors.

Privacy Center