Merge Healthcare EU-U.S. Privacy Shield Policy

IBM Watson Health Support >> Watson Health Imaging Support >> Merge Healthcare EU-U.S. Privacy Shield Policy

Merge Healthcare Privacy Shield Privacy Policy

This Statement is effective as of September 4, 2020, and as modified effective May 27, 2021.


On 16 July 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States.

On 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued a position paper following his annual re-assessment of the Swiss-US Privacy Shield Framework. The FDPIC’s new position is that although the Swiss-US Privacy Shield guarantees special protection rights for persons in Switzerland, it no longer provides an adequate level of protection for data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP).

Notwithstanding the above, please note that: (i) EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area, the United Kingdom and Switzerland to the United States; and (ii) Section 7 of Merge’s Data Sheet (available at and referenced in Merge Healthcare’s customer agreement terms), already includes the required reference to the SCCs.

Special Note: While the EU-US and Swiss-US Privacy Shield Frameworks may no longer be used or relied upon for transfer of personal information, Merge Healthcare continues to comply with all EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework obligations. Doing so demonstrates Merge Healthcare’s serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. More information can be found here: US Department of Commerce (Program Overview), and US Department of Commerce (FAQ #3).

To view the IBM Privacy Shield Policy, please visit: Merge Healthcare’s Privacy Shield Policy is detailed below.
As part of IBM, Merge Healthcare abides by IBM’s Privacy Policy ( and IBM’s Online Privacy Statement (

Merge Healthcare’s Privacy Shield-Certified technical support services may process content (which may include the personal information of individual end users) on behalf of Merge Healthcare clients. More specifically, Merge Healthcare’s technical support services are Privacy Shield-Certified for those instances when personal information of individual end users of Merge Healthcare clients is tangentially viewed and/or accessed by Merge Healthcare for the purpose of diagnosing and fixing issues relating to Merge Healthcare hardware or software solutions owned, operated and managed by Merge Healthcare clients. Personal information is defined as any information that could be used alone or together with other information to identify you or another individual. In this scenario, and as provided below, Merge Healthcare may direct inquiries from individual end users to the Merge Healthcare client that oversees the use of their personal information.

Merge Healthcare complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area (EEA), the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. Merge Healthcare has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

All personal information received from the EEA, the United Kingdom and Switzerland in connection with Merge Healthcare support services is subject to the Privacy Shield principles as described in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, respectively, which apply to all Merge Healthcare affiliates that process personal information associated with Privacy Shield-Certified support services.

To learn more about the Privacy Shield Program, or to view the certification applicable to Merge Healthcare, please visit

Privacy Notice Scope

Merge Healthcare is responsible for the processing of personal information it receives, and any subsequent transfers to a third party acting as an agent on its behalf. Merge Healthcare complies with the Privacy Shield Principles for all onward transfers of personal information from the EEA, Switzerland or the United Kingdom, including the onward transfer liability provisions.

With respect to personal information received or transferred pursuant to the Privacy Shield Framework, Merge Healthcare is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Merge Healthcare may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Personal Information: Types and Purpose for Use

Personal information collected by Merge may include:

  • contact information, such as name, company name, job title, job function, expertise, email address, mailing address or phone number; billing information; and
  • preference information, such as product wish lists, order history or marketing preferences.

Merge Healthcare is a subsidiary of IBM Watson Health. Merge Healthcare processes personal information for client technical support purposes in diagnosing and fixing issues relating to Merge Healthcare hardware or software solutions. The client initiates the data processing by requesting support services. Merge Healthcare obtains personal information directly from clients who request support services. When providing support services, Merge Healthcare may tangentially view or otherwise access clients’ customers personal information and, if so, does so with the clients’ permission.

Our clients are required to ensure that they have consent or other lawful authority to transfer personal information to Merge Healthcare for processing. Any such information provided is solely for the purpose of providing troubleshooting, diagnostic, or other support services on the software products provided by Merge Healthcare.

While Merge Healthcare does sometimes need to send information to third parties, those third parties have been subcontracted to provide after-hours and complaint handling services for the client. There is no data that is transferred to other third parties for other business purposes. As noted in IBM’s posted privacy policy: “Where we reference that we use your personal information in relation to marketing, improvement or development of our products or services, for reasons of safety and security, or regulatory requirements other than in connection with your agreement or request, we do this on the basis of our or a third party’s legitimate interests, or with your consent. When we collect and use your personal information subject to the EU Privacy Legislation this may have consequences for Your Rights.”

Regulatory Authority and Disclosures

IBM is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Privacy Shield program. IBM may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Dispute Resolution

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at In addition, and as described in the Privacy Shield Principles, you may also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.

Account Data

Account data -- i.e., all information about IBM’s clients or their users provided to or collected by IBM (including through tracking and other technologies, such as cookies) – is covered by the IBM Online Privacy Statement, available at

Contacting Merge

If you have any questions or concerns about this Privacy Statement or Merge’s privacy practices, please contact our Privacy Officer at When contacting us, please be sure to provide us with your exact e-mail address, name, address, and/or telephone number(s) in order to be sure we handle your inquiry correctly.

You may also contact us at:

ATTN: Privacy Officer
Merge Healthcare
900 Walnut Ridge Drive
Hartland, WI 53029