Zimbis (“Zimbis”, “we”, “us”, “our”) has adopted and instituted the following procedures and policy related to any Biometric Data that may be collected as a result of our customers’ and their respective employees’ or agents’ use of the Zimbis products and services. Zimbis customers are responsible for developing and complying with their own Biometric Data collection, use, storage, retention and destruction procedures and policies as may be required under any and all applicable laws and regulations.
Biometric Data Definition
“Biometric Data” means any biological characteristics of a person, or information based upon such a characteristic, including, without limitation, characteristics such as those defined as “biometric identifiers”1,and information such as that defined as “biometric information”2, in each case under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq or any other similar characteristics or similar information under any comparable law or regulation.
See Exhibit A
Collection, Storage, Use, Retention, Destruction and/or Transmission of Biometric Data
Zimbis customers are responsible for compliance with any and all applicable laws and regulations governing any collection, storage, use, retention, destruction and/or transmission of Biometric Data they conduct, possess or facilitate. Zimbis customers agree to obtain the prior valid written consent of applicable third party users of Zimbis products and services in order for such third party user to use the fingerprint scanner device of the Zimbis inventory management devices (or any other device that is part of the Zimbis products and services that collects Biometric Data), which consent shall provide legal and valid authorization for the customers, Zimbis and/or Zimbis’s authorized vendors to collect, store, retain, use, and/or transmit Biometric Data.
Zimbis’s standard operating procedure does not call for the collection, storage, use, retention or transmission of Biometric Data by Zimbis. Zimbis products and services (i.e., the inventory management system and related software) provided to customers by Zimbis, allow for the collection, storage, use and retention of any and all Biometric Data to be maintained and isolated on each individual physical product device (i.e., the Biometric Data is not transmitted to any other device or store on the cloud or otherwise stored, used or retained elsewhere). If, however, Zimbis and/or its vendors do at any time collect, store, use, possession, retain and/or transmit Biometric Data during the course of conducting Zimbis’s operations and of providing products or services to Zimbis’s customers and their respective employees and agents (i) the collection, storage, use, retention and/or transmittal of any Biometric Data will be for the sole purpose of identity verification; and (ii) Zimbis customers agree to obtain written authorization from each applicable individual prior to the collection of such data on Zimbis’s and its vendors’ behalf.
Zimbis does not sell, lease or trade any Biometric Data that is received from customers or customer employees or agents as a result of their use of Zimbis products or services. Zimbis customers also shall agree not to sell, lease or trade any Biometric Data that is received from customers or customer employees or agent as a result of their use of Zimbis products or services.
Inventory Management Devices and Attached Scanners
Zimbis customers agree that, in light of the developing nature of the legal landscape and requirements that may apply to the collection, use and storage of Biometric Data, to the extent that such customers and their employees and agents use the fingerprint scanner device of the Zimbis inventory management devices (or any other device that is part of the Zimbis products and services made available to customers that collects Biometric Data), Zimbis customers agree and have the responsibility to:
- Generally, comply with all applicable laws and regulations regarding Biometric Data;
- Inform any participating employee or agent in writing that Biometric Data is being collected, stored, and used;
- Provide the specific purpose(s) for collecting Biometric Data and indicate the length of time for which the Biometric Data will be collected, stored, and used;
- Indicate to participating employee or agent the manner in which the Biometric Data will be destroyed; and
- Receive a prior written consent from each participating employee and/or agent authorizing the customer, to collect, use, store, and transmit the participating employee’s and/or agent’s Biometric Data.
Zimbis will not disclose, disseminate and/or transmit any customer’s employees’ or agents’ Biometric Data to any person or entity other than the customer and Zimbis’s authorized vendors without or unless:
First obtaining the customer’s employee’s written consent;
Disclosure is required by state or federal law; or
Disclosure is required pursuant to a valid warrant or subpoena.
Retention Schedule and Destruction
Zimbis inventory management devices locally maintain all Biometric Data collected by the device. Each device contains a hard drive that securely stores the Biometric Data collected for purposes of individual verification.
While unlikely, if, at any point, after obtaining the proper authorization from each applicable employee and/or agent of a Zimbis customer, any Biometric Data is shared with Zimbis during the course of a customer’s term of use of a Zimbis device, Zimbis will securely retain the Biometric Data until the customer notifies Zimbis that it has terminated the employee or agent or the employee or agent has discontinued using the applicable Zimbis device, or the customer’s employee or agent makes a written request to Zimbis that such Biometric Data be destroyed. At that time, any and all Biometric Data in Zimbis’s possession will be destroyed.
Customer’s User Opt-Out Option
All Zimbis customers and customer’s employees and agents understand that providing Biometric Data is not required to gain secure access to any of Zimbis’s inventory management devices and he or she is free to decline to provide Biometric Data and can be provided with a secure PIN for access to the Zimbis inventory management device. Additionally, any customer employee or agent may revoke consent to the collection of his or her Biometric Data at any time by notifying his or her employer or agent in writing. Upon written revocation, the customer employee will be provided a PIN to access the Zimbis medicinal storage solution device.
The Illinois Biometric Information Privacy Act, in relevant part, currently provides “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
The Illinois Biometric Information Privacy Act, in relevant part, currently provides “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.