GHX GDPR Statement

GHX GDPR Statement

For nearly two decades, healthcare providers, suppliers, distributors, and group purchasing organizations have been entrusting their supply chain data to Global Healthcare Exchange, LLC and its subsidiaries (collectively, GHX).  With the European Union General Data Protection Regulation (GDPR) now in effect, GHX continues to work with our customers, vendors, and others to comply with GDPR and other applicable data privacy laws. 

What Types of European Personal Data Does GHX Process?

GHX customers rely on the GHX Exchange and our services to conduct their supply chain business electronically with their transaction partners.  In this context, GHX may process two general categories of European personal data: 1) business contact data of customer personnel and of their business partners and 2) data that customers or their business partners choose to include in transactions related to payment. 

Most of the European personal data GHX receives falls into the first category.  It may include data elements like names, business telephone numbers, business email addresses, job titles, and IP addresses.  These are needed to carry out the obligations of GHX and our customers under our customer agreements. 

GHX also processes a limited amount of data in the second category, consisting of data that customers or their trading partners decide are needed to complete electronic supply chain transactions.  For example, a customer or trading partner might require that invoicing for an implanted hip include a patient record number.  It is the responsibility of customers and their trading partners to determine that processing this data is necessary, and to limit the data appropriately. 

What is GHX Doing to Comply with GDPR?

As a trusted platform for the healthcare industry, GHX is committed to the privacy and security of the data in our care.  GHX has been preparing and continues to strengthen our controls to meet increasingly stringent legal and regulatory requirements.  Some highlights for GDPR include:

  • Establishing cross-functional GDPR leadership teams to address compliance across the company
  • Conducting a global data inventory
  • Updating internal policies and processes
  • Completing GDPR-ready contracting with customers, vendors, and others
  • Reviewing security measures and incident response procedures
  • Informing GHX personnel of GDPR requirements

Whom Do I Contact About My Personal Data?

For information about your personal data held by GHX, or to exercise your data rights under GDPR, please email us at