STERICYCLE INC. PRIVACY NOTICE
This Privacy Notice ("Notice") describes how Stericycle Inc. and its affiliates, now part of the WM group, including Waste Management Service Center, Inc. and its affiliates (collectively referred to as "Stericycle," “Stericycle Group,” "we," "us," or "our") collects, uses and shares personal data collected in the context of our websites, business contacts, suppliers, current and prospective customers who use Stericycle services or products or users affected by our services (together referred to as "you" or "your"). To the extent that these rights apply in your jurisdiction, this Notice also explains your ability to edit, update, correct, or delete your personal data and the security procedures that we have implemented to protect personal data. 
Residents of certain U.S. states with comprehensive privacy laws can view our state-specific privacy disclosures by clickinghere.If you are a California resident, please refer to theAdditional Information for California Residentssection below for important information about the "Personal Information" we collect, process and disclose, as well as your rights under California privacy laws, including your right to submit a "Do Not Sell or Share My Personal Information" request (i.e., to opt of the “sale” or “sharing” of your Personal Information by us). 
Canadian residents can view our Canada-specific disclosures by clicking here.
Dosimetry Service Users: If you are a user of our dosimetry services (currently available in Portugal, Romania and Spain), please refer to theAdditional Information for Dosimetry Service Userssection of this Notice for important information about how we process your personal data. 
In this Notice, you can find out more about each of the following (as applicable to you):
Controller
Important information about Stericycle: 
The Stericycle entity responsible for your personal data will be the Stericycle Group company that originally collects information from or about you. 
You can find out more about Stericycle at https://www.stericycle.com/international or by contacting us using the information in theContact Us section. 
WHEN WE COLLECT PERSONAL DATA, THE TYPES OF PERSONAL DATA WE COLLECT AND THE PURPOSES AND LEGAL BASIS FOR WHICH PERSONAL DATA IS COLLECTED
When we collect personal data
We may collect personal data about you if you:
Use one of our websites or online services, you are a registered user or chose to register on our         websites (Website Users);
Purchase one of our services (Customers);
Are affected by our services (Users);
Work with us as a business partner (Business Partners).
The types of personal data we collect and how we use personal data
Website Users
Personal data collected from Website Users is used to personalize your experience of our websites. We may use such information in the aggregate to understand how you use our services and the resources provided on our websites. We may also use the feedback you provide to improve our services.
a.    Unregistered Website Users
When you visit our websites as an unregistered user, Stericycle collects the following information that result from your usage of our websites: referral page, date and time of access, type of web browser, IP address, geographic location as determined by your IP address, operating system and interface, language and version of browser software, and session information (such as download errors and page response times).
Your IP address will be used to enable your access to our websites. The metadata will be used to improve the quality and services of our websites by analyzing the usage behavior of Website Users.
If you commence direct communications via our websites’ enquiry form, by telephone or writing to us, the nature of the enquiry (e.g., as tick box selection from service type/careers/other options) and your message will also be collected and processed to respond to it and improve our services.
b.   Registered Website Users
If you are a registered Website User or choose to register on a Stericycle website, we will process the data referred to in (a) above, and you may be asked to provide the following personal data: first and last name, work phone number, company name, email address, personal telephone number, Stericycle Customer No. or Ship to ID, postal address, and primary usage. 
Stericycle will process such personal data in order to provide you with the services for registered Website Users, verify the legitimacy of your account, avoid fraudulent accounts being opened, provide you with our products, customer support, compliance trainings, business communications solutions (e.g., answering services, appointment reminders, follow-up services, virtual receptionists), contact form, marketing materials as selected by you, inform you about system issues, comply with legal obligations, and defend, establish and exercise legal claims.
Customers
If you purchase products from Stericycle, either via a Stericycle website or offline, you may be asked to provide the following personal data about you, your representative, and/or your contact person: first and last name, suffix, credentials, work phone number, personal phone number, fax number, email address, job title, mailing address, credit card information, ACH/eCheck payment information, billing address, types and amount of products ordered, reseller/promo code, auto-delivery selection, marketing preferences, and job information. Stericycle will use such personal data to process your order; deliver the products or services ordered; provide customer care services; provide marketing materials you selected; provide you with Stericycle updates and/or newsletters; maintain our client relationship management systems; detect, investigate, report and seek to prevent fraud and anti-money laundering, including know-your-customer checks, AML screening and other identity checks; comply with other legal obligations; defend, establish and exercise legal claims. We may also need to conduct credit and fraud checks on business customers and certain directors and officers of your business.
Users
When providing certain services to a Customer to which you are related to (e.g., if you are an employee, a contractor, an apprentice, a trainee, a patient, etc., of our Customer), Stericycle may have to process the following personal data about you (as applicable, depending on the specific service provided): identification data, contact data, and professional data. Most of the personal data is obtained from our Customers.   
We process such personal data in the context of the provision of services to a Customer. Please note that in such situations, our Customer is the controller of your personal data and you should refer to the Customer’s privacy notice to understand how your personal data is handled.    
If you are a user of our dosimetry services (currently available in Portugal and Spain), please refer to the Additional Information for Dosimetry Service Users section of this Notice.   
Business Partners
If you work with us as a Business Partner or a service provider, we will collect personal data from you, your representative, and/or your contact person such as your full name, job title, email address, and phone number.    
Most of the personal data is obtained directly from you. In addition, we will collect personal data from other sources such as credit reference agencies (e.g., Dun & Bradstreet Credit) who compile information from numerous sources, including publicly available information.    
We use this information for the following reasons: to review/assess your suitability as a Business Partner or service provider; to comply with our legal obligations; to detect, investigate, report, and seek to prevent fraud (i.e., through know-your-customer checks); Anti-Money Laundering (AML) screening; and other identity checks. To meet our obligations under any contracts we have with you, we may also need to conduct credit and fraud checks on your business and certain officers or directors of your business.    
Purposes and legal basis for the processing of personal data (if applicable)
We will only collect, use, and share your personal data when we have an appropriate legal basis where required by applicable law. We carry out the processing of your personal data on the following legal bases:      
The processing is necessary for the performance of a contract to which you are a party or to take steps, at your request, prior to entering into a contract. For example, when you purchase our products or services, we will collect your payment information to process your payment and your address to facilitate delivery of the product or service. We will also collect your email address and phone number to update you on the progress of your purchase and to answer any of your queries.
The processing is necessary for compliance with a legal obligation to which we are subject. For example, to set you up as a business customer or business partner, we are obliged to carry out certain “know-your-customer checks” to prevent money laundering and fraudulent activities. This will involve the collection and verification of your personal data.
You have provided your consent to us to use your personal data. For example, if you have agreed to receive marketing communications.
The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, namely, to provide you with our products and services, except where such interests are overridden by your interests or fundamental rights and freedoms. For example, we use personal data in the aggregate to understand how Website Users use our services and the resources provided on our websites and use this information to improve our services. We will also have a legitimate interest to process the personal data of a contact person to facilitate the development of a contractual relationship.
In most cases, the provision of your personal data is not required by a statutory or contractual obligation. However, where applicable, the provision of your personal data will be necessary to enter into a contract with Stericycle or to receive our services and products as requested by you. In such situations, not providing your personal data may likely result in disadvantages for you, e.g., you may not be able to use the full functionalities of our websites or receive the products and services requested by you. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you.
If you would like to find out more about the legal basis for which we process personal data, please contact us at DataProtection@Stericycle.com.
DIRECT MARKETING AND HOW YOU CAN MANAGE YOUR MARKETING PREFERENCES
How we use personal data to keep you up to date with our products and services 
We may use your personal data to inform you about our products or services that we believe will be of interest to you and/or to provide you with our newsletter. We may contact you by email, post, or telephone, or through other communication channels.  In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.   
We will obtain your consent prior to sending you marketing materials unless such consent is not required under applicable law. 
How you can manage your marketing preferences
To protect your privacy rights and to ensure you have control over how we manage marketing with you: 
You can ask us to stop direct marketing at any time.  You can ask us to stop sending email marketing by clicking on the "unsubscribe" link you will find on all the email marketing messages we send you. Alternatively, you can contact DataProtection@Stericycle.com
Please specify whether you would like us to stop all forms of marketing or just a particular type (e.g., email).
You can change the way your browser manages cookies, which may be used to deliver online advertising, by following the settings on your browser as explained in ourCookie Policy.
If our website detects that your browser is transmitting a “global privacy control”—or GPC— signal, we will apply that to opt that browser on your device out of targeting cookies on our website.  If you come to our website from a different device or from a different browser on the same device, you will need to apply GPC for that browser and/or device as well. See the Additional Privacy Information for California Residentssection for more information about GPC. 
As discussed in more detail below under Cookies and Third Party Links and in our Cookie Policy, we work with ad networks, channel partners, mobile ad networks, analytics and measurement services, and others (“ad networks”) to personalize content, as well as to manage our advertising on third-party websites, mobile apps, and online services. You can control how participating ad networks use the information that they collect about your visits to our websites by visiting the Network ‎Advertising Initiative (https://optout.networkadvertising.org/?c=1) or the Digital Advertising Alliance (https://aboutads.info/choices).
Stericycle will take steps to limit direct marketing to a reasonable and proportionate level and will only send communications we believe may be relevant to you.
HOW WE SHARE INFORMATION WITHIN STERICYCLE AND WITH OUR SERVICE PROVIDERS, REGULATORS, AND OTHER THIRD PARTIES 
We share your personal data in the manner and for the purposes described below: 
     With Other Stericycle Entities Within Our Group
Your personal data may be shared between different Stericycle entities. We make such transfers of data where it is necessary to provide you with our services or to manage our business.
     Where Required by Law
Your personal data may be shared with law enforcement agencies, governmental authorities, or other public authorities (or entities appointed by them) where required under applicable laws. 
     With Third Parties Who Help Manage Our Business and Deliver Services
Stericycle engages external service providers such as legal services, website service providers, marketing service providers, IT support service providers, fulfillment providers, delivery service providers, email administrators, payment processors, and customer service providers. When providing such services, the external service providers have access to and process your personal data on our behalf. 
If we, or our affiliates, are acquired by, merged with, or invested in by another company, or if any of our assets are or transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected from you to the other company.  We may also share certain personal data as necessary prior to the completion of such a transaction or corporate transactions, such as financings or restructurings, to lenders, auditors, and third-party advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for a transaction.
INTERNATIONAL TRANSFERS OF PERSONAL DATA (If applicable)
The personal data that we collect or receive about you may be transferred to and processed by recipients who are located in a jurisdiction where the level of data protection may not be equivalent to the level of protection applicable at your location.  
Where local laws require, we will take steps to ensure that any transfer of personal data outside of the originating jurisdiction is carefully managed to protect your privacy rights and ensure that adequate safeguards are in place.  Transfers of personal data from the UK or EEA to third countries will be made pursuant to Standard Contractual Clauses or other legally acceptable mechanisms approved by the relevant supervisory authority with jurisdiction over the relevant Stericycle exporter. If your location lacks international data transfer instructions or standard forms from the local supervisory authority, we may use other legally acceptable mechanisms from other jurisdictions.    
Stericycle has also established an intra-group data transfer agreement to regulate cross-border transfers of personal data within the Stericycle Group.
Where applicable, you are entitled to receive a copy of the relevant agreements (such as the Standard Contractual Clauses) that provide proof that appropriate safeguards have been taken to protect your personal data during such transfer. You can obtain a copy by contacting us at DataProtection@Stericycle.com. However, please note that we are not required to share details of safeguards where sharing such details would affect our commercial position or create a security risk. 
Some recipients outside of the UK or EEA are located in countries for which the European Commission (or the applicable supervisory authority) has issued an adequacy decision. For example, the European Commission recognized Canada  (only for non-public organizations subject to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA))  as providing an adequate level of data protection for personal data . 
Contact DataProtection@Stericycle.com  for additional information regarding the identity, industry, sector, and location of the relevant data recipients.
COOKIES AND THIRD-PARTY LINKS
Stericycle websites use cookies. Generally, we use cookies to understand how our services are used, to track bugs and errors, improve our services, verify account credentials, allow logins, track sessions, prevent fraud, and to protect our services. Additionally, we also use cookies for targeted marketing and advertising, to personalize content and for analytics purposes.  For further information please view our Cookie Policy or contact DataProtection@Stericycle.com.
Our websites contain links to websites operated and maintained by third parties over which Stericycle has no control. Any information you provide to third-party websites will be governed under the terms of each website’s privacy policy, and we encourage you to investigate and ask questions before disclosing any information to the operators of third-party websites. We have no responsibility or liability whatsoever for the content, actions, or policies of third-party websites. The inclusion of third-party websites on our site in no way constitutes an endorsement of such websites’ content, actions, or policies.
HOW LONG WE STORE AND PROTECT PERSONAL DATA
How long does Stericycle keep your personal data?
Your personal data will be retained for as long as it is required for the purposes for which the data was collected, e.g., as necessary to provide you with the services and products requested. Your personal data may also be retained as needed for reasonable business purposes, i.e., even once the original purpose has been fulfilled.
We retain your contact details and interests in our products or services for a longer period of time if you have agreed to receive Stericycle marketing materials. We also retain your personal data if needed to establish, exercise, or defend a legal claim, only on a need-to-know basis.  
Personal Data Security
As technology continues to develop, we are committed to using our technological resources to provide privacy protection services that keep our customers and users confident about the security of their personal data. However, Stericycle is not responsible for any harm that you or any other person may suffer as a result of breach of confidentiality caused by your use of the Internet.  
We have adopted appropriate data collection, storage, and processing practices, as well as technical, organizational, and security measures designed to protect against unauthorized access, alteration, disclosure, or destruction of the personal data that you share with us.
As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords, please take appropriate measures to protect this information.  
MODIFICATIONS TO THIS NOTICE
Stericycle reserves the right to change this Notice at any time. Any changes to this Notice will be effective immediately when posting the latest version on our websites (provided that we will seek your consent where required by applicable law).
CONTACT US
The primary points of contact for all issues arising from this Notice can be contacted in the following way: 
• Initial Email: contact at 
DataProtection@Stericycle.com
  
• Escalation Email: 
DPO@Stericycle.com
     
• Phone: +1-847-367-5910 
• Mail: Stericycle, Inc. | Attn: Data Protection Office | 2355 Waukegan Road | Bannockburn | IL | 60015
If you have any questions, concerns, or complaints regarding our compliance with this Notice, the information we hold about you, or if you wish to exercise your rights, we encourage you to first contact DataProtection@Stericycle.com. We will investigate and attempt to resolve complaints and disputes and make reasonable effort to honor your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.
Residents of European Economic Area and United Kingdom have a right to lodge a complaint with their local data protection supervisory authority (i.e., local to your place of habitual residence, your place of work, or the place of an alleged infringement). Please attempt to directly resolve any issues with us before you contact your local supervisory authority. 
Last updated: November 4, 2024
PRIVACY RIGHTS FOR EUROPEAN ECONOMIC AREA AND UNITED KINGDOM
Where required by applicable law, we will take steps to keep your personal data accurate, complete, and up to date. 
Where permitted under applicable law, you can object to the use of your personal data which has our legitimate interests as its legal basis for processing, including for the purposes of marketing, without incurring any costs other than the transmission costs. Your rights are listed below.
(i)  
Right of confirmation and right of access: You have the right to obtain confirmation as to whether or not Stericycle is processing your personal data and, where that is the case, to request access to that personal data as well as information on who we share your personal data with (public and private entities). The accessed information will include the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. 
You have the right to obtain a copy of your personal data undergoing processing. If you request additional copies, we may charge a reasonable fee for the administrative costs to produce those documents, where permitted by applicable laws.
(ii) 
Right to rectify and complete personal data: You can request to rectify inaccurate, outdated, or your incomplete personal data that Stericycle processes. You can submit a supplementary statement that includes the corrections to your personal data. We will inform relevant third parties to whom we have transferred your data about the rectification and completion if we are legally obligated to do so.
(iii)
Right to erasure (or right to be forgotten, as applicable): You have the right to request the erasure of your personal data in limited circumstances where:
• it is no longer needed for the purposes for which it was collected; or
• you have withdrawn your consent (where the data processing was based on consent); or
• following a successful request to object to processing; or
• it has been processed unlawfully; or
• the data must be erased to comply with a legal obligation to which Stericycle is subject.
We are not required to comply with your request to erase personal data if the processing of your personal data is necessary for:
• compliance with a legal obligation; or
• the establishment, exercise, or defense of legal claims. 
(iv)
Right to restriction of processing: You have the right to restrict processing your personal data. In this case, the respective data will be marked and only be processed by us for certain purposes. This right can only be exercised where:
• the accuracy of your personal data is contested, to allow us to verify its accuracy; or
• the processing is unlawful, but you do not want the personal data erased; or
• it is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise, or defend legal claims; or
• you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
• we have your consent; or
• to establish, exercise or defend legal claims; or
• to protect the rights of another natural or legal person.
(v) 
Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format.  Also, you have the right to transmit that data to another entity without hindrance from us, but only where:
• the processing is based on your consent or on the performance of a contract with you; and
• the processing is carried out by automated means.
(vi)
Right to object: At any time, you have the right to object to any processing of your personal data where the processing is legally based on our legitimate interests. You may exercise this right without incurring any costs.
If you raise an objection to the processing of your personal data, we will have an opportunity to demonstrate that we have compelling legitimate interests which override your right to object. 
The right to object does not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
(vii)
Right to object to how we use your personal data for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes.
(viii)
Right to withdraw consent: If you have given us your consent for the processing of your personal data, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
(ix)
Right to obtain a copy of personal data safeguards for transfers outside your jurisdiction: You can ask to obtain a copy of or reference to the safeguards under which your personal data is transferred outside the UK or EEA. We may redact data transfer agreements to protect commercial terms.
(x) 
Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal data.
Please note that the aforementioned rights might be limited under the applicable national data protection law in your jurisdiction.
When you request to enforce your rights as a data subject, we may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested. We reserve the right to charge a fee to fulfil your request, where permitted by law, if your request is manifestly unfounded or excessive.
To exercise your rights please Contact Us. Subject to legal and other permissible considerations, we will make every reasonable effort to promptly honor your request or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality that we owe to others or if we are legally entitled to deal with the request in a different way. 
ADDITIONAL INFORMATION FOR RESIDENTS OF CERTAIN U.S. STATES
A.Additional Information for Texas Residents
Residents of Texas, may have additional rights under the Texas Data Privacy and Security Act (“TDPSA”), subject to certain limitations, which may include:
Access. The right to confirm whether we are processing their personal information and to obtain a copy of their personal information in a portable and, to the extent technically feasible, readily usable format.
Delete. The right to delete their personal information provided to or obtained by us.
Correct. The right to correct inaccuracies in their personal information, taking into account the nature and purposes of the processing of the personal information.
Opt-Out. The right to opt out of certain types of processing, including: (i) to opt out of the “sale” of their personal information, as such term is defined under the TDPSA; (ii) to opt out of targeted advertising by us; and (iii) to opt out of any processing of personal information for purposes of making decisions that produce legal or similarly significant effects
If you are a Texas resident, you may submit a request to exercise most of your privacy rights under the TDPSA online using our Individual Privacy Rights Request Page or by contacting us at DataProtection@Stericycle.com.
To opt out of sales and targeted advertising by us, you can adjust your cookies settings by clicking on the “Manage Consents” cookie icon on a Stericycle webpage or download an opt-out preference signal, such as the GPC. We will respond to your request as required under applicable privacy law. If we deny your request, you may appeal our decision by emailing us at DPO@Stericycle.com.
B.Additional Information for California Residents
This section of the Notice provides additional information for California residents and describes our information practices pursuant to applicable California privacy laws, including the California Consumer Privacy Act, as amended (the “CCPA”). This section does not address or apply to our handling of publicly available information or personal information that is otherwise exempt under the CCPA. Depending on how you interact or engage with us, we may provide you with other privacy notices with additional details about our privacy practices.
Categories of Personal Information Collected and Disclosed 
The table below identifies, generally, the categories of personal information we have collected about California residents subject to this policy (“Personal Information”), as well the categories of third parties to whom we may disclose this information for a business or commercial purpose, as more fully described in the HOW WE SHARE INFORMATION WITHIN STERICYCLE AND WITH OUR SERVICE PROVIDERS, REGULATORS AND OTHER THIRD PARTIES section above.
Personal Information Collected
Categories of Third-Party Entities to Whom We May Disclose this Information
Categories
Description
Identifier
Includes identifiers, such as name, alias user ID, username, account number or unique personal identifier; email address, phone number, address and other contact information; IP address and other online identifiers; and other similar identifiers.
•advisors and agents
•government entities and law enforcement
•affiliates and subsidiaries 
•advertising networks
•data analytics providers
•social networks
•internet service providers
•operating systems and platforms
•business customers/clients  
Customer Records
Includes Personal Information, such as name, account name, user ID, contact information, education and employment information, account number, and financial or payment information, that individuals provide us in order to purchase or obtain our products and services.  For example, this may include information collected when an individual registers for an account, purchases or orders our products and services, or enters into an agreement with us related to our products and services.
•advisors and agents
•government entities and law enforcement
•affiliates and subsidiaries 
•advertising networks
•data analytics providers
•internet service providers
•operating systems and platforms
•business customers/clients  
Commercial Information
Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies. For example, this may include demographic information that we receive from third parties to better understand and reach our customers.
•advisors and agents
•government entities and law enforcement
•affiliates and subsidiaries 
•advertising networks
•data analytics providers
•internet service providers
•operating systems  and platforms
•business customers/clients  
Internet or Other Electronic Network Activity Information
Includes browsing history, clickstream data, search history, access logs and other usage data and information regarding an individual’s interaction with our websites, mobile apps and other Services, and our marketing emails and online ads.
•advisors and agents
•government entities and law enforcement
•affiliates and subsidiaries 
•operating systems and platforms
•business customers/clients  
Geolocation Data
Includes location information about a particular individual or device.
•advisors and agents
•government entities and law enforcement
•affiliates and subsidiaries 
•advertising networks
•data analytics providers
•social networks
Professional or Employment-related information
Includes professional and employment-related information (such as current and former employer(s) and position(s), business contact information and professional memberships).
•advisors and agents
•government entities and law enforcement
•affiliates and subsidiaries 
•business customers/clients  
Sensitive Personal Information  
In some circumstances, we may collect payment information and login credentials for our customer portal.
Includes ACH/eCheck payment information, login credentials for customer portals.
•affiliates and subsidiaries 
Sources of Personal Information
In general, we may collect Personal Information from the following sources:
• Directly or indirectly from you. 
• Vendors and service providers.
• Advertising networks.
• Data analytics providers.
• Social networks.
• Internet service providers.
• Operating systems and platforms.
• Government entities.
• Data brokers.
• Business customers.
Purposes for Collecting, Using and Disclosing Personal Information
In general, we collect, use, disclose, and otherwise process the above categories of Personal Information for the following business and commercial purposes, as more fully described in the WHEN WE COLLECT PERSONAL DATA, THE TYPES OF PERSONAL DATA WE COLLECT AND THE PURPOSES AND LEGAL BASIS FOR WHICH PERSONAL DATA IS COLLECTED section above:
• Operate our business;
• Communicate with you;
• Marketing and promotions;
• Customization and personalization;
• Research and development;
• Surveys and feedback;
• Promotions and contests;
• Planning and managing events;
• Audits and assessments;
• Compliance and legal process;
• Auditing, reporting, and other internal operations; and
• General business and operational support.
Generally, we may disclose the Personal Information we collect in order to provide our Services to you, respond to and fulfill your orders and requests, as otherwise directed or consented to by you, and for the purposes otherwise described in the HOW WE SHARE INFORMATION WITHIN STERICYCLE AND WITH OUR SERVICE PROVIDERS, REGULATORS AND OTHER THIRD PARTIES section above, including:, including:
• Services and support;
• Analytics and improvement;
• Marketing, advertising, and campaign management;
• In support of business transfers;
• Compliance, governance and legal requirements; and
• Security and protection of rights.
Retention
We retain your Personal Information for as long as it is required for the purposes for which the data was collected, e.g., as necessary to provide you with the services and products requested (consistent with applicable law). Your Personal Information may also be retained as needed for reasonable business purposes, i.e., even once the original purpose has been fulfilled. We retain your contact details and interests in our products or services for a longer period of time if you have agreed to receive Stericycle marketing materials.
When deciding how long to keep your Personal Information, we consider whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period of time before we can delete them) or whether we have taken any legal positions (e.g., issued any legal holds or otherwise need to preserve the information). 
Rather than delete your data, we may also de-identify it in accordance with the CCPA, by removing identifying details. If we de-identify data, we will not attempt to re-identify it.
Sensitive Personal Information. 
Notwithstanding the purposes described above, we do not collect, use, or disclose “Sensitive Personal Information” (as defined in the CCPA) beyond the purposes authorized by applicable privacy law. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.
Sales and Sharing of Personal Information 
CCPA defines "sale" as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” as disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising. While we do not “sell” Personal Information to third parties in the traditional sense (e.g., for money), our use of third-party analytics and advertising cookies may be considered “selling” or “sharing” under CCPA. We may “sell”/ “share”: the following with third parties: identifiers and Internet or other electric network activity information to third-party advertising networks, analytics providers, and social networks for purposes of marketing and advertising. We do not sell or share Sensitive Personal Information, nor do we sell or share any Personal Information about individuals who we know are under sixteen (16) years old.
California Residents’ Rights
The CCPA provides California residents with certain rights regarding Personal Information. This section describes those rights and how to exercise them. California residents can make CCPA requests up to twice a year and subject to certain exceptions and carveouts. CCPA provides the following rights, subject certain conditions and exceptions:
Right to Opt-Out of Sales and Sharing: You have the right to opt-out of “sales” and “sharing” of your Personal Information, as those terms are defined under the CCPA, including by using an opt-out preference signal such as GPC. While we do not “sell” Personal Information in the traditional sense (i.e., for money), our use of third-party analytics and advertising cookies may be considered “selling” and “sharing” under CCPA.
To exercise your right to opt-out of the “sale” or “sharing” of your Personal Information, please click on the “Manage Consents” cookie icon on a Stericycle webpage or by using the Individual Privacy Rights Request Page.
We honor your right to opt out of “sales” and “sharing” as signaled by a universal opt out signal or Global Privacy Control (“GPC”). To enable GPC, you can visit the Global Privacy Control page at https://globalprivacycontrol.org. If you download a supported browser or extension and exercise your privacy rights with GPC, we will turn off third-party advertising cookies on our website after our website detects a GPC signal. 
Please note these preferences are device and browser specific. If you visit our website from a different device or from a different browser on the same device, you will need to opt-out, or use an opt-out preference signal, for that browser and/or device.
Right to Delete: You have the right to request we delete your Personal Information.
Right to Correct: You have the right to request that we correct inaccuracies in your Personal Information.
Right to Know/Access: You have the right to request that we correct inaccuracies in your Personal Information.
The categories of Personal Information we collected about you;
The categories of sources from which we collected your Personal Information;
The business or commercial purpose for collecting, selling, or sharing your Personal  Information:
The categories of third parties to whom we have disclosed your Personal Information; and
The specific pieces of Personal Information we have collected about you.
Right to Limit Use: You have the right to limit the use and disclose of your Sensitive Personal Information. We do not engage in uses or disclosures of Sensitive Personal Information that would trigger the right to limit use of Sensitive Personal Information under the CCPA.
Right to Non-Discrimination: You have the right not to be subject to discriminatory       treatment for exercising your rights under the CCPA.  
Submitting CCPA Requests. California residents may exercise their CCPA rights through the following methods
By completing our online request form: Individual Privacy Rights Request Page
By calling us at 1-866-783-7422 (toll free).
Verification. Before responding to your request, we must first verify your identity using the Personal Information you have provided to us. You must provide us with your full name and email address. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.
Authorized Agents. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization in their first communication with us, and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
We reserve the right to reject: (1) authorized agents who have not fulfilled the above requirements, or (2) automated CCPA requests where we have reason to believe the security of the requestor’s Personal Information may be at risk.
Changes to this Policy. The Policy is current as of the last updated date set forth below. We may change, update, or modify this Policy from time to time, so please be sure to check back periodically. If we make any changes to this Policy that materially affect our practices regarding our use of the Personal Information that we have previously collected from you, we will endeavor to provide you with notice.
For more information about our privacy practices, you may  Contact Us using the information in the section above. 
Last updated: November 4, 2024
ADDITIONAL INFORMATION FOR CANADIAN RESIDENTS
This section of the Policy provides additional information for Canadian residents.
Limits on Collection, Use, Disclosure, and Retention
We will limit collection of ‎personal data to ‎that ‎which is reasonable and necessary and as otherwise authorized by law.  We will only use or disclose your personal ‎data for the purposes set out above and as required or authorized by law. We ‎will retain your personal data as long as is reasonable to serve the original ‎purpose for which we collected the ‎‎data, and for so long as retention is ‎necessary for a legal or business purpose‎.
Consent
We will process your personal data only with your knowledge and consent, ‎except where exempted, required or permitted by applicable laws. The form of ‎consent may vary depending on the circumstances and the type of data being ‎requested.
Your consent can be express, implied, or given through an authorized representative‎. ‎Consent may be ‎provided orally, in writing, electronically, through inaction (such as ‎when you fail to ‎notify ‎us that you do ‎not wish your personal data collected or ‎used for various purposes ‎after you ‎have received notice ‎of those purposes) or ‎otherwise.‎ ‎Taking into account the sensitivity of your personal data, purposes ‎of collection, and your reasonable expectations, we will obtain the form of consent that ‎is appropriate to the personal data being processed.
By using our services, or ‎otherwise by choosing to provide us with your personal data, you acknowledge ‎and consent to the processing of your personal data in accordance with this ‎Notice and as may be further identified when the personal data is collected. ‎When we process your personal data for a new purpose, we will document that ‎new purpose and, if required, ask for you consent again.
If you do not consent to the processing of your personal data in accordance ‎with this Notice, please do not access or continue to use any aspect of the services or ‎otherwise provide any personal data to us.
You may refuse to provide consent or notify us at any time that you wish to withdraw ‎or change your consent to the processing of your personal data, without ‎penalty, subject to legal or contractual restrictions and reasonable notice. However, if ‎you withdraw or change your consent, we may not be able to provide you with the ‎applicable services and you may not be able to use certain features or functionality of our services or websites.
Disclosure and Cross-Border Transfer of Personal Data
As described in more ‎detail under the "HOW WE SHARE INFORMATTION WITHIN STERICYCLE AND WITH OUR SERVICE PROVIDERS, REGULATORS, AND OTHER THIRD PARTIES"section above, we may transfer and ‎disclose personal data to third parties for ‎storage and processing. Those third parties may be ‎located in jurisdictions outside of ‎your province of residence in Canada, or outside of Canada. ‎Applicable ‎‎laws in any ‎such jurisdictions might permit that jurisdiction’s governments, courts, law ‎‎enforcement or ‎‎regulatory agencies to ‎‎access the data in that jurisdiction.‎ In ‎these cases, we will comply with applicable local law requirements relating to the conditions for disclosure or release of personal data.
We may also disclose your personal data without your consent if authorized or ‎required by law.‎
Right to Access Your Personal Data
You have the right to access your personal data in our custody or control.‎
Upon written request, we will provide you with access to your personal data in ‎our custody or control, information about the ways in which that data is ‎being used, and ‎a description of the individuals and ‎organizations to whom that ‎data has been disclosed.
We may need to request specific information from you to help us confirm your identity ‎and your ‎right to access the information (or to exercise any of your other ‎rights).
In some situations, we may not be able to provide access to certain personal ‎data (for example, if ‎‎disclosure would reveal personal data about another ‎individual, or if the personal data is ‎‎protected by solicitor/client privilege).  We ‎may also be prevented by law from providing access to certain personal ‎‎data.‎ If ‎we refuse an access request, we will notify you in writing, document the reasons for ‎refusal, and ‎‎outline further steps that are available to you.‎
Right to Correct Your Personal Data
We will make a reasonable effort to ensure that the personal data we are using or ‎disclosing is ‎‎accurate and complete.  ‎If you demonstrate the inaccuracy or incompleteness of your personal data in ‎our custody or control, we will update the ‎‎data as required.  If required by applicable law, we ‎will send the amended data to third parties to whom ‎‎the data has been ‎disclosed.
If a challenge regarding the accuracy of your personal data is not resolved to ‎your satisfaction, ‎we ‎will annotate the personal data under our control with a ‎note that the correction was requested ‎‎but not made.
Quebec Residents
If you are a resident of the province of Quebec, the following specific provisions ‎and ‎‎rights apply to you under the Act respecting the protection of personal information ‎in the ‎private ‎sector, (CQLR c. P-39.1). Unless otherwise specified, these are in addition ‎to the other provisions, rights and protections set out in this Policy and that apply to ‎all residents of Canada.
Consent
We will only collect your personal data with your clear, free and informed ‎consent. We will not collect your personal data automatically without your ‎consent.‎
We will not knowingly or specifically solicit or collect personal data from minors ‎under the age of 14 residing in Quebec. If you believe we have unintentionally ‎collected such personal data, please notify us as set out in in the Contact Us section.
Privacy Rights
In addition to the rights set out above, Quebec residents have the ‎right ‎to: 
• Request, in certain circumstances, that we cease disseminating your personal data or to de-index any hyperlink that allows access to that personal data by technological means, if such dissemination contravenes ‎applicable law or a court; and 
• Request that a copy of your personal data that we hold be communicated to ‎you in a structured, commonly used ‎‎technological format, and that this ‎information be communicated to any person or organization authorized by law to ‎collect such data.‎
ADDITIONAL INFORMATION FOR DOSIMETRY SERVICE USERS:
In this section, we provide additional information to dosimetry service users about how we handle their personal information.
 

Controller: To the extent we process your personal data as a controller in relation to our dosimetry services, we will provide you with a separate privacy notice that sets out the full name of the Stericycle entity that controls the processing of your personal data. We will also provide you with the specific contact information for the controller’s data protection officer.  
Personal Data Processed:The categories of personal data processed in relation to the dosimetry services includes identification data, data relating to your physical characteristics, data relating to your employment, dosimetry monitoring data and health data.
Sources of the Data:Generally, the data is provided to Stericycle by the radiological practice, activity, or source to which you are related to, by your employer or, where applicable, directly by you. 
Purpose:We process this data to provide technical assistance and consultancy services in radiological protection to the extent that such services have an impact on you. We also process the data to fulfil our reporting obligations to public authorities and pursuant to legal obligations applicable to controllers providing such services.

Legal Basis:We process your data to comply with legal obligations incumbent on dosimetry service providers and for reasons of public interest in the area of public health. The storage and provision of your personal data is a statutory requirement which we must comply with and/or is necessary in the public interest of measuring radiation. 
Recipients:We will disclose your data to the public authorities legally responsible for radiological protection (or to the entities appointed by public authorities). To perform our activities, we engage external service providers such as IT support service providers and email administrators. When providing such services, the external service providers will have access to and process your personal data. We require those external service providers to implement and apply security safeguards to ensure the privacy and security of your personal data. These service providers have agreed to confidentiality restrictions and to use of any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted services to us. 
Retention Period:Your personal data will be retained for the period strictly necessary to provide the services of technical assistance, consultancy, and radiological protection, except if other statutory retention periods apply.
Rights:Your rights are as set out in this Notice.You also have the right, at any time, to lodge a complaint with your local supervisory authority.
Additional Information:For more information about how we process and secure personal data, please refer to the additional privacy notice issued by your dosimetry service provider. 

Last updated: February 8, 2022