This Privacy Notice ("Notice") describes how Stericycle Inc. and its affiliates (collectively referred to as "Stericycle," "Stericycle Group," "we," "us," or "our") collect, use and share personal data collected in the context of our websites, business contacts, suppliers, current and prospective customers who use Stericycle services or products or users affected by our services (together referred to as "you" or "your"). To the extent that these rights apply in your jurisdiction, this Notice also explains your ability to edit, update, correct, or delete your personal data and the security procedures that we have implemented to protect personal data.
California Residents: If you are a California resident, please refer to the Additional Information for California Residents section below for important information about the categories of personal information we collect and disclose, as well as your rights under California privacy laws, including your right to submit a “Do Not Sell My Info” request (i.e., to opt out of the sale of your personal information by us).
Dosimetry Service Users: If you are a user of our dosimetry services (currently available in Portugal, Romania and Spain), please refer to the Additional Information for Dosimetry Service Users section of this Notice for important information about how we process your personal data.
The Stericycle entity responsible for your personal data will be the Stericycle Group company that originally collects information from or about you.
You can find out more about Stericycle at https://www.stericycle.com/international or by contacting us using the information in the Contact Us section.
In this section, you can find out more about:
We may collect personal data about you if you:
Personal data collected from Website Users is used to personalize your experience of our websites. We may use such information in the aggregate to understand how you use our services and the resources provided on our websites. We may also use the feedback you provide to improve our services.
You may use our websites as an unregistered user without (directly) providing any personal data. In this case, Stericycle collects the following metadata that result from your usage of our websites: referral page, date and time of access, type of web browser, IP address, geographic location as determined by your IP address, operating system and interface, language and version of browser software, and session information (such as download errors and page response times).
Your IP address will be used to enable your access to our websites. The metadata will be used to improve the quality and services of our websites by analyzing the usage behavior of Website Users.
If you commence direct communications via our websites’ enquiry form, by telephone or writing to us, the nature of the enquiry (e.g., as tick box selection from service type/careers/other options) and your message will also be collected and processed to respond to it and improve our services.
If you are a registered Website User or choose to register on a Stericycle website, we will process the data referred to in (a) above, and you may be asked to provide the following personal data: first and last name, work phone number, company name, email address, personal telephone number, Stericycle Customer No. or Ship to ID, postal address, and primary usage.
Stericycle will process such personal data in order to provide you with the services for registered Website Users, verify the legitimacy of your account, avoid fraudulent accounts being opened, provide you with our products, customer support, compliance trainings, contact form, marketing materials as selected by you, inform you about system issues, comply with legal obligations, and defend, establish and exercise legal claims.
If you purchase products from Stericycle, either via a Stericycle website or offline, you may be asked to provide the following personal data about you, your representative, and/or your contact person: first and last name, suffix, credentials, work phone number, personal phone number, fax number, email address, job title, mailing address, tax identification number, credit card information, ACH/eCheck payment information, billing address, types and amount of products ordered, reseller/promo code, auto-delivery selection, marketing preferences, and job information. Stericycle will use such personal data to process your order; deliver the products or services ordered; provide customer care services; provide marketing materials you selected; provide you with Stericycle updates and/or newsletters; maintain our client relationship management systems; detect, investigate, report and seek to prevent fraud and anti-money laundering, including know-your-customer checks, AML screening and other identity checks; comply with other legal obligations; defend, establish and exercise legal claims. We may also need to conduct credit and fraud checks on business customers and certain directors and officers of your business.
When providing certain services to a Customer to which you are related (e.g., if you are an employee, a contractor, an apprentice, a trainee, a patient, etc., of our Customer), Stericycle may have to process the following personal data about you (as applicable, depending on the specific service provided): identification data, contact data, and professional data. Most of the personal data is obtained from our Customers.
We process such personal data in the context of the provision of services to a Customer. Please note that in such situations, our Customer is the controller of your personal data and you should refer to the Customer’s privacy notice to understand how your personal data is handled.
If you are a user of our dosimetry services (currently available in Portugal, Romania, and Spain), please refer to the Additional Information for Dosimetry Service Users section of this Notice.
If you work with us as a Business Partner or a service provider, we will collect personal data from you, your representative, and/or your contact person such as your full name, job title, email address, and phone number.
Most of the personal data is obtained directly from you. In addition, we will collect personal data from other sources such as credit reference agencies (e.g., Dun & Bradstreet Credit) who compile information from numerous sources, including publicly available information.
We use this information for the following reasons: to review/assess your suitability as a Business Partner or service provider; to comply with our legal obligations; to detect, investigate, report, and seek to prevent fraud (i.e., through know-your-customer checks); Anti-Money Laundering (AML) screening; and other identity checks. To meet our obligations under any contracts we have with you, we may also need to conduct credit and fraud checks on your business and certain officers or directors of your business.
We will only collect, use, and share your personal data when we have an appropriate legal basis. We carry out the processing of your personal data on the following legal bases:
In most cases, the provision of your personal data is not required by a statutory or contractual obligation. However, where applicable, the provision of your personal data will be necessary to enter into a contract with Stericycle or to receive our services and products as requested by you. In such situations, not providing your personal data may likely result in disadvantages for you, e.g., you may not be able to use the full functionalities of our websites or receive the products and services requested by you. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you.
If you would like to find out more about the legal basis for which we process personal data, please contact us at email@example.com
How we use personal data to keep you up to date with our products and services
We may use your personal data to inform you about our products or services that we believe will be of interest to you and/or to provide you with our newsletter. We may contact you by email, post, or telephone, or through other communication channels. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.
We will obtain your consent prior to sending you marketing materials unless such consent is not required under applicable law.
How you can manage your marketing preferences
To protect privacy rights and to ensure you have control over how we manage marketing with you:
We share your personal data in the manner and for the purposes described below:
Those external service providers are contractually required to implement and apply security safeguards to ensure the privacy and security of your personal data. These third parties have agreed to confidentiality restrictions and to use any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us, except where they are required by law to use the personal data for other purposes. In the event of a corporate merger and acquisition, your personal data will be transferred to the third parties involved in the merger and acquisition in accordance with applicable law.
The personal data that we collect or receive about you may be transferred to and processed by recipients who are located in a jurisdiction where the level of data protection may not be equivalent to the level of protection applicable at your location.
Where local laws require, we will take steps to ensure that any transfer of personal data outside of the originating jurisdiction is carefully managed to protect your privacy rights and ensure that adequate safeguards are in place. Transfers of personal data from the UK or EEA to third countries will be made pursuant to Standard Contractual Clauses or other legally acceptable mechanisms approved by the relevant supervisory authority with jurisdiction over the relevant Stericycle exporter. If your location lacks international data transfer instructions or standard forms from the local supervisory authority, we may use other legally acceptable mechanisms from other jurisdictions.
Stericycle has also established an intra-group data transfer agreement to regulate cross-border transfers of personal data within the Stericycle Group.
Where applicable, you are entitled to receive a copy of the relevant agreements (such as the Standard Contractual Clauses) that provide proof that appropriate safeguards have been taken to protect your personal data during such transfer. You can obtain a copy by contacting us at firstname.lastname@example.org. However, please note that we are not required to share details of safeguards where sharing such details would affect our commercial position or create a security risk.
Some recipients outside of the UK or EEA are located in countries for which the European Commission (or the applicable supervisory authority) has issued an adequacy decision. For example, the European Commission recognized Canada (only for non-public organizations subject to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)) as providing an adequate level of data protection for personal data.
Contact email@example.com for additional information regarding the identity, industry, sector and location of the relevant data recipients.
How long does Stericycle keep your personal data?
Your personal data will be retained for as long as it is required for the purposes for which the data was collected, e.g., as necessary to provide you with the services and products requested.
We retain your contact details and interests in our products or services for a longer period of time if you have agreed to receive Stericycle marketing materials. We also retain your personal data if needed to establish, exercise, or defend a legal claim, only on a need-to-know basis.
Personal Data Security
As technology continues to develop, we are committed to using our technological resources to provide privacy protection services that keep our customers and users confident about the security of their personal data. However, Stericycle is not responsible for any harm that you or any other person may suffer as a result of breach of confidentiality caused by your use of the Internet.
We have adopted appropriate data collection, storage, and processing practices, as well as technical, organizational, and security measures designed to protect against unauthorized access, alteration, disclosure, or destruction of the personal data that you share with us. For example, such measures include the following:
As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords, please take appropriate measures to protect this information.
The rights listed below apply to residents of the European Economic Area, UK, and Brazil, as applicable and permitted by each jurisdiction.
Where required by applicable law, we will take steps to keep your personal data accurate, complete, and up to date.
Where permitted under applicable law, you can object to the use of your personal data which has our legitimate interests as its legal basis for processing, including for the purposes of marketing, without incurring any costs other than the transmission costs. Your rights are listed below.
(i) Right of confirmation and right of access: You have the right to obtain confirmation as to whether or not Stericycle is processing your personal data and, where that is the case, to request access to that personal data as well as information on who we share your personal data with (public and private entities). The accessed information will include the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed.
You have the right to obtain a copy of your personal data undergoing processing. If you request additional copies, we may charge a reasonable fee for the administrative costs to produce those documents, where permitted by applicable laws.
(ii) Right to rectify and complete personal data: You can request to rectify your inaccurate, outdated, or incomplete personal data that Stericycle processes. You can submit a supplementary statement that includes the corrections to your personal data. We will inform relevant third parties to whom we have transferred your data about the rectification and completion if we are legally obligated to do so.
(iii) Right to erasure (or right to be forgotten, as applicable): You have the right to request the erasure of your personal data in limited circumstances where:
We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for:
If you are a Brazil resident, you may request the erasure of your personal data that was processed with your consent, except where Stericycle’s retention of your personal data is permitted by applicable laws.
(iv) Right to restriction of processing: You have the right to restrict the processing of your personal data. In this case, the respective data will be marked and only be processed by us for certain purposes. This right can only be exercised where:
We can continue to use your personal data following a request for restriction, where:
(v) Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. Also, you have the right to transmit that data to another entity without hindrance from us, but only where:
If you are a Brazil resident, certain rules may be further established by the local supervisory authority for exercising this right.
(vi) Right to object: At any time, you have the right to object to any processing of your personal data where the processing is legally based on our legitimate interests. You may exercise this right without incurring any costs.
If you raise an objection to the processing of your personal data, we will have an opportunity to demonstrate that we have compelling legitimate interests which override your right to object.
The right to object does not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
If you are a Brazil resident, you have the right to object to any processing of your personal data based on any legal basis, other than consent, in case such processing is not in compliance with the applicable law.
(vii) Right to object to how we use your personal data for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes.
If you are a Brazil resident, you have the right to request the revision of decisions made solely based on automated processing of personal data affecting your interests, including decisions intended to define your personal, professional, consumer and credit profile, or aspects of your personality, where applicable.
(viii) Right to withdraw consent: If you have given us your consent for the processing of your personal data, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
(ix) Right to obtain a copy of personal data safeguards for transfers outside your jurisdiction: You can ask to obtain a copy of or reference to the safeguards under which your personal data is transferred outside the UK or EEA. We may redact data transfer agreements to protect commercial terms.
(x) Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal data. If you are a Brazil resident, you also have the right to lodge a complaint with consumer defense entities.
(xi) Right to anonymize, block or delete personal data: If you are a Brazil resident, you have the right to request the anonymization, blocking or deletion of unnecessary or excessive personal data or data processed in noncompliance with the provisions of the applicable law.
When you request to enforce your rights as a data subject, we may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested. We reserve the right to charge a fee to fulfil your request, where permitted by law, if your request is manifestly unfounded or excessive.
To exercise your rights please Contact Us using the contact information below. Subject to legal and other permissible considerations, we will make every reasonable effort to promptly honor your request or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality that we owe to others or if we are legally entitled to deal with the request in a different way.
Stericycle reserves the right to change this Notice at any time. Any changes to this Notice will be effective immediately when posting the latest version on our websites.
The primary points of contact for all issues arising from this Notice can be contacted in the following way:
If you have any questions, concerns or complaints regarding our compliance with this Notice, the information we hold about you or if you wish to exercise your rights, we encourage you to first contact firstname.lastname@example.org.
We will investigate and attempt to resolve complaints and disputes and make every reasonable effort to honor your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.
Residents of Brazil, European Economic Area, and United Kingdom have a right to lodge a complaint with their local data protection supervisory authority (i.e., local to your place of habitual residence, your place of work, or the place of an alleged infringement). Please attempt to directly resolve any issues with us before you contact your local supervisory authority.
Last updated: February 8, 2022
In this section, we provide additional information to California residents about how we handle their personal information, as required under California privacy laws including the California Consumer Privacy Act (“CCPA”). This section does not address or apply to our handling of any of the following:
A. Categories of Personal Information Under the CCPA
Our collection, use, and disclosure of personal information varies based upon our relationship and interactions with you. In this section we describe, generally, how we have collected and disclosed personal information about consumers in the prior 12 months (from the Last Updated date above). As further described in the WHEN WE COLLECT PERSONAL DATA, THE TYPES OF PERSONAL DATA WE COLLECT AND THE PURPOSES FOR WHICH PERSONAL DATA IS COLLECTED sections above, we may collect personal information from the following sources:
The table below identifies the categories of personal information (as defined by the CCPA) we have collected about consumers, as well as how we have sold or disclosed for a business purpose such information. For more information about the business and commercial purposes for which we collect, use and disclose personal information, please see the WHEN WE COLLECT PERSONAL DATA; THE TYPES OF PERSONAL DATA WE COLLECT AND THE PURPOSES FOR WHICH PERSONAL DATA IS COLLECTED; and the HOW WE SHARE INFORMATION WITHIN STERICYCLE AND WITH OUR SERVICE PROVIDERS, REGULATORS AND OTHER THIRD PARTIES sections above.
Under the CCPA, a “sale” includes disclosing or making personal information available to a third party, in exchange for monetary compensation or some other value or benefit. While we do not disclose personal information in exchange for monetary compensation, we may make certain categories of personal information available in order to receive certain benefits or services, such as when we make browsing information available to third party ad companies (through third party tags on our Sites) in order to improve and measure our ad campaigns and reach users with more relevant ads and content.
|Personal Information Collected|Do We Disclose this Information?|Do We Sell this Information?|Categories of Third-Party Entities to Whom We May Disclose this Information|
Includes direct identifiers, such as name, alias user ID, username, account number or unique personal identifier; email address, phone number, address and other contact information; IP address and other online identifiers; SSN, driver’s license number, passport number, tax ID and other government identifiers; and other similar identifiers.
Includes personal information (such as name, account name, user ID, contact information, education and employment information, government identifiers, account number, and financial or payment information) that individuals provide us in order to purchase or obtain our products and services. For example, this may include information collected when an individual registers for an account, purchases or orders our products and services, or enters into an agreement with us related to our products and services.
Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies. For example, this may include demographic information that we receive from third parties to better understand and reach our customers.
Includes browsing history, clickstream data, search history, access logs and other usage data and information regarding an individual’s interaction with our websites, mobile apps and other Services, and our marketing emails and online ads.
Includes precise location information about a particular individual or device.
Audio, Video and Electronic Data
Includes audio, electronic, visual, thermal, olfactory, or similar information such as thermal screenings and CCTV footage (e.g., collected from visitors to our [facilities/offices/premises]), photographs and images (e.g., that you provide us or post to your profile) and call recordings (e.g., of customer support calls).
Includes professional and employment-related information (such as current and former employer(s) and position(s), business contact information and professional memberships).
Information about an individual’s educational history (such as the schools attended, degrees you were awarded, and associated dates).
Physiological, biological, or behavioral characteristics that can be used alone or in combination with each other to establish individual identity. For example, we collect and process voiceprints for fraud detection and authentication purposes when you contact us by phone about your application or account. / For example, if you choose to set and use facial recognition / fingerprints to log-in for your account.
Includes characteristics of protected classifications under applicable/federal and state/federal and California laws, such as disability information and medical conditions (e.g., which we may collect in order to make available appropriate accommodations for events and other activities) / information that you voluntarily include in your account profile (e.g., gender, marital status and political affiliation).
Includes inferences drawn from other personal information that we collect to create a profile reflecting an individual’s preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes. For example, we may analyze personal information to identify the offers and information that may be most relevant to customers, so that we can better reach them with relevant offers and ads.
B. California Residents’ Rights
CCPA Rights. In general, California residents have the following rights with respect to their personal information:
Do-not-sell (opt-out): California residents have the right to opt out of the sale of their personal information. Stericycle does not sell the personal information of any California residents, including those of whom we have actual knowledge are younger than 16, for any monetary benefit. However, we may disclose personal information about California consumers (only those who are the age of legal majority) by making certain categories of personal information available to third parties in order to receive certain benefits or services, such as when we make browsing information available to third-party ad companies (through third-party tags on our Sites). We make such disclosures to improve and measure our ad campaigns and reach users with more relevant ads and content, and this activity constitutes a “sale” under CCPA. California residents may opt out of “sales” of their personal information by submitting a request here or by using our preference manager to opt out of “sales” via third-party tags and cookies on our Sites.
Right of deletion: California residents can request deletion of the personal information that we have collected about them and have such personal information deleted (without charge), subject to certain exceptions.
Right to know: With respect to the personal information we have collected about them in the prior 12 months, California residents have the right to request that we disclose the following to them (up to twice per year and subject to certain exemptions):
categories of personal information collected;
categories of sources of personal information;
categories of personal information about them we have disclosed for a business purpose or sold;
categories of third parties to whom we have sold or disclosed for a business purpose their personal information;
the business or commercial purposes for collecting or selling personal information; and
a copy of the specific pieces of personal information we have collected about them.
Right to non-discrimination: California residents have the right not to be subject to discriminatory treatment for exercising their rights under the CCPA.
Submitting CCPA Requests. California residents may submit CCPA requests to opt out of sales, requests to know (access) and requests to delete their personal information through one of the following methods:
By visiting our California Rights Request Page or contacting us at 1-866-783-7422 (toll free).
In addition, California residents may opt out of “sales” of their personal information by using our preference manager (to opt out of “sales” via third party tags and cookies on our Sites), or by submitting a request here.
When you submit a request to know or a request to delete, we will take steps to verify your request by matching the information you provide in your request with the information we have in our records. You must complete all required fields on our webform (or otherwise provide us with this information via the above toll-free number). In some cases, we may request additional information in order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify you. Authorized agents may initiate a request on behalf of another individual by contacting us via the above link or by contacting us at DataProtection@Stericycle.com or at our toll free number (1-866-783-7422); authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
Your Privacy Rights Under California Shine the Light Law. Under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), California residents who provide certain personal information are entitled to request and obtain from us, free of charge, information about the personal information (if any) we have shared with third parties for that entity’s own direct marketing use. Such requests for information about any relevant third-party sharing may be made once per calendar year, for the prior calendar year. To submit a “Shine the Light” request, email us at DataProtection@Stericycle.com, and include your current California address and your attestation that you are a California resident in your request.
Do-Not-Track signals. Please note that our websites do not recognize or respond to any signal which your browser might transmit through the so-called 'Do Not Track' feature. If you wish to disable cookies on our Websites, you should not rely on any 'Do Not Track' feature your browser might have. For more information about do-not-track signals, please click here.
For more information about our privacy practices, you may Contact Us using the information in the section above.
Last updated: February 8, 2022
In this section, we provide additional information to dosimetry service users about how we handle their personal information.
Controller: To the extent we process your personal data as a controller in relation to our dosimetry services, we will provide you with a separate privacy notice that sets out the full name of the Stericycle entity that controls the processing of your personal data. We will also provide you with the specific contact information for the controller’s data protection officer.
Personal Data Processed: The categories of personal data processed in relation to the dosimetry services include identification data, data relating to your physical characteristics, data relating to your employment, dosimetry monitoring data and health data.
Sources of the Data: Generally, the data is provided to Stericycle by the radiological practice, activity, or source to which you are related, by your employer or, where applicable, directly by you.
Purpose: We process this data to provide technical assistance and consultancy services in radiological protection to the extent that such services have an impact on you. We also process the data to fulfil our reporting obligations to public authorities and pursuant to legal obligations applicable to controllers providing such services.
Legal Basis: We process your data to comply with legal obligations incumbent on dosimetry service providers and for reasons of public interest in the area of public health. The storage and provision of your personal data is a statutory requirement which we must comply with and/or is necessary in the public interest of measuring radiation.
Recipients: We will disclose your data to the public authorities legally responsible for radiological protection (or to the entities appointed by public authorities). To perform our activities, we engage external service providers such as IT support service providers and email administrators. When providing such services, the external service providers will have access to and process your personal data. We require those external service providers to implement and apply security safeguards to ensure the privacy and security of your personal data. These service providers have agreed to confidentiality restrictions and to use any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted services to us.
Retention Period: Your personal data will be retained for the period strictly necessary to provide the services of technical assistance, consultancy, and radiological protection, except if other statutory retention periods apply.
Rights: Your rights are as set out in this Notice. You also have the right, at any time, to lodge a complaint with your local supervisory authority.
Additional Information: For more information about how we process and secure personal data, please refer to the additional privacy notice issued by your dosimetry service provider.
Last updated: February 8, 2022