European Union Data Processing and Transfer Policy
Change synopsis: In light of the recent approval of EU-US Privacy Shield, this policy has been revised to reflect SJM’s commitment to comply with the Privacy Shield Framework, to abide by the applicable regulations, and to protect personal information; and to reflect SJM’s practices in collecting, processing, and transferring data from the European Union to the United States.
St. Jude Medical (SJM) respects and protects personal information that we process. As part of our commitment to data privacy and security, SJM works to ensure that all data transfers from the European Union (“EU”) to the United States (“US”) are appropriate and allowed under applicable laws, regulations, certifications, contractual agreements, and consent forms.
This policy describes the principles SJM follows with respect to transfers of personal information belonging to employees, patients enrolled in clinical trials, and customers and patients enrolled in the Merlin.net™ Patient Care Network (“Merlin.net”), whether in electronic, paper, or verbal format, between the EU and the US.
European Union data transfers
St. Jude Medical is committed to complying with all applicable laws and regulations for the personal information we process, as well as with the EU-US Privacy Shield Framework, the information transfer mechanism that allows for the transfer of personal information from individuals in the European Union to the United States. St. Jude Medical adheres to the Privacy Shield Principles as described in this policy. Additionally, SJM has and will continue to maintain contractual agreements with our customers and SJM’s European entities, and consent agreements with patients enrolled in clinical trials or Merlin.net. Furthermore, SJM has and will continue to work with and comply with the applicable Data Protection Authorities in the EU.
Definitions
Agent - Any third party that processes personal information under the instructions of, and solely for, SJM, or to which SJM discloses personal information for use on SJM’s behalf.
Customer - A hospital or clinic that provides treatment using SJM devices and Merlin.net, and/or the individual medical personnel (i.e. physicians and nurses) that use Merlin.net.
Data Controller - The legal entity responsible for determining the means and purposes of processing personal information and sensitive personal information. SJM’s customers are data controllers of information related to SJM’s customers and patients enrolled in clinical trials, and customers and patients enrolled in Merlin.net. SJM is the data controller of information related to SJM’s employees.
Data Processor - The legal entity who processes personal information or sensitive personal information on behalf of the data controller. SJM is the data processor as we are processing information on behalf of our customers.
Employee - An individual employed by a SJM affiliate located in the EU.
Patient - An individual in the EU enrolled in a clinical trial sponsored by St. Jude Medical or one of its affiliated companies, or an individual or customer enrolled in Merlin.net by their physician or clinic.
Personal Information - Any information or set of information that identifies or could be used by or on behalf of SJM to identify an employee, patient enrolled in a clinical trial, or patient and customer in Merlin.net. Personal information does not include information that is encoded or anonymized and is not subject to re-identification, or publicly available information that has not been combined with non-public personal information.
Process (and any derivative of) - Retrieval, collection, access, use, management, transfer, disclosure, storage, editing, alteration, correction, disposal, or destruction of personal information.
Sensitive Personal Information - Personal information that receives heightened protection under various laws of countries in which St. Jude Medical operates, including but not limited to: race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sexual orientation.
St. Jude Medical or SJM - St. Jude Medical, Inc. For employee data, SJM includes St. Jude Medical, Inc. (Corporate) and St. Jude Medical Cardiology Division, Inc., in the United States and territories. For patient data from clinical trials conducted in the EU, SJM includes St. Jude Medical, Inc. (Corporate), St. Jude Medical Cardiology Division Inc., Pacesetter, Inc., St. Jude Medical Atrial Fibrillation Division, Inc., Irvine Biomedical, Inc., and Advanced Neuromodulation Systems, Inc., and CardioMEMS, LLC. For patient data collected in the EU and processed by Merlin.net, SJM includes St. Jude Medical, Inc. (Corporate) and Pacesetter, Inc., and CardioMEMS, LLC.
SJM adheres to the following privacy principles when transferring data from the EU to the US. These privacy principles have been compiled from the EU-US Privacy Shield Framework and have been integrated into SJM’s data privacy framework. The framework is based on the ISO 29100:2011 standard; ISO standards are issued by the International Organization for Standardization and are accepted internationally as risk-based auditable principles. These privacy principles are followed by SJM as part of our commitment to using best practices in transferring, processing, and protecting data.
To learn more about the Privacy Shield Framework, please visit www.privacyshield.gov/.
Notice
Where SJM collects personal information directly from employees, customers, or patients enrolled in clinical trials, we will inform them of the types of data being collected, the purposes for which we process their personal information, the types of non-agent third parties to which SJM may disclose that information, and the choices and means, if any, SJM offers individuals for limiting the processing and disclosure of their personal information. Notice will be provided in clear and plain language at the time of collection, or as soon as practicable thereafter, and in any event before SJM uses the information for a purpose other than that for which it was originally collected. Personal information about patients enrolled in clinical trials may be used in a manner consistent with the general research purpose for which the data were originally collected; this includes use in future medical and pharmaceutical research activities that are unanticipated at the time of original collection. Where SJM acts as a data processor for Merlin.net, we will provide information to the data controller (the Customer) about how the system processes personal information, and the data controller will be responsible for informing its patients and staff about the processing and for obtaining consent from patients and, where necessary, from its staff as part of the enrollment process for Merlin.net. The personal information of individuals enrolled in Merlin.net may be used in a manner consistent with the consents obtained or information provided by the Customer at the time of enrollment.
Choice
Where SJM collects personal information directly from employees or patients enrolled in clinical trials in the EU, we will offer them the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized. SJM will provide individuals with reasonable mechanisms to exercise their choices. Where SJM receives personal information as a data processor for Merlin.net, SJM will work with the data controller to provide reasonable mechanisms for individuals to exercise their choices and will process the data as directed by the data controller.
For sensitive personal information, SJM will give employees or patients enrolled in clinical trials the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of the information to a non-agent third party or to the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the employee or patient. Where SJM is the data processor for Merlin.net, SJM will process the data as directed by the data controller.
Accountability for onward transfers to third parties
SJM is responsible for personal information in our possession or custody, including personal information that we may transfer to third parties for processing, including storage. In connection with the purposes described in the “Notice” Section above, SJM may transfer your personal information to other companies within the St. Jude Medical group of companies or to third parties such as external service providers. In cases of onward transfers to third parties, SJM will limit the personal information shared to the minimum amount necessary, and will obtain assurances from third party business partners (agents) that they will safeguard personal information consistent with our policies. Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating the third party to provide at least the same level of protection as is required by the applicable laws and regulations, including the EU Directive 95/46/EC (the EU Data Protection Directive), standard contractual clauses as approved by the European Commission, certification under the EU-US Privacy Shield, or being subject to another European Commission adequacy finding. Where SJM has knowledge that a third party business partner is using or disclosing personal information in a manner contrary to the company policy, SJM will take reasonable steps to prevent or stop the use or disclosure. SJM remains responsible and liable under the Privacy Shield Principles if a third-party business partner uses or discloses personal information in a manner inconsistent with the Privacy Shield Principles, unless SJM proves that we are not responsible for the event giving rise to the damage.
Security
SJM will take reasonable precautions to protect personal information in its possession from loss, misuse, and unauthorized processing.
Data integrity and purpose limitation
SJM will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the employee or patient enrolled in a clinical trial. Where SJM is a data processor for patient or customer data in Merlin.net, SJM will process that data consistent with the direction of the data controller. SJM will take reasonable steps to ensure that personal information is accurate, complete, current, and relevant to its intended use.
Access
Upon request, SJM will grant employees or patients enrolled in a clinical trial reasonable access to the personal information it holds about them. In addition, SJM will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. Where SJM is a data processor for Merlin.net, SJM will act at the direction of the data controller.
SJM will use a self-assessment verification approach and conduct compliance audits of its applicable privacy practices to verify adherence to this policy. St. Jude Medical’s employees receive annual training on SJM’s privacy principles and practices.
Enforcement and dispute resolution
In compliance with the Privacy Shield Principles, SJM commits to resolve complaints about our collection or use of personal information. Individuals in the European Union with inquiries or complaints regarding our Privacy Shield policy should first contact St. Jude Medical, Inc. by sending the inquiry or complaint to:
Chief Privacy Officer
St. Jude Medical, Inc.
One St. Jude Medical Drive
St. Paul, MN 55117 USA
SJM will respond within 45 days of receiving any complaint. Any complaints or concerns that cannot be resolved internally will be referred to the JAMS Privacy Shield Program, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit http://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of the JAMS Privacy Shield Program are provided at no cost to you.
Any complaints or concerns regarding human resources data transferred from the EU in the context of the employment relationship between SJM and our employees located in the EU that cannot be resolved internally will be referred to the applicable EU Data Protection Authorities, which will address the complaint and provide appropriate recourse free of charge to the individual. SJM is committed to following the determination and advice of these authorities. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means.
SJM complies with the Privacy Shield Principles and is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC).
Any employee that SJM determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
Limitation on scope of principles
Adherence by SJM to this policy may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement.
Changes to this policy
This policy may be amended from time to time, consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended policy, as stated. The change synopsis, found at the beginning of this policy, will state any material changes to the policy.
Complaints, questions, comments, or concerns on this policy, data collection, or data processing practices should be sent to:
Chief Privacy Officer
St. Jude Medical, Inc.
One St. Jude Medical Drive
St. Paul, MN 55117 USA