Annex Privacy Notice

Annex – Privacy Statement in Relation to Records for Attendees

This privacy statement should, in conjunction with the statements in the above “Declaration of Consent and Granting of Rights in relation to Records for Attendees” (the “Declaration of Consent”), provide you with information about how Merit Medical (“we”, “us”) processes your personal data as a controller in connection with the creation and sharing of video clips.

Should you have questions about data protection or about this privacy statement or would like to exercise your rights (see under Clause 6 of this privacy statement), please contact us using the contact details provided in Clause 1 of the Declaration of Consent.

1. Contact details of our data protection officer:

You can contact our data protection officer at the following email address: [email protected].

2. Legal basis of the processing activities: Merit Medical collects and processes the categories of personal data described under Clause 3 of the Declaration of Consent (which may include special categories of personal data, in particular health data) belonging to you for the purposes listed under Clause 2 of the Declaration of Consent. We rely on your consent as the legal basis for the processing (Art. 9(2) a) in conjunction with Art. 6(1) a) GDPR).

3. Categories of recipients: Merit Medical engages service providers who act as processors to provide services in relation to the publication of the video clip (e.g. service providers who offer paid support services or IT hosting and maintenance services).

These service providers may have access to your personal data to the extent this is necessary for the performance of their services. These service providers are, under data processing agreements, contractually obliged to maintain appropriate technical and organizational security measures for the protection of the personal data and to process the personal data in accordance with our instructions.

Merit Medical may also pass your personal data on to official authorities, courts, external advisers and similar third parties where this is legally prescribed or permitted.

Furthermore, Merit Medical may transfer your personal data to [please include postal address] located in a third country (outside the EU/EEA) which does not provide a level of data protection equivalent to EU data protection law. The transfer will take place on the basis of your consent.

4. Length of the storage period: Merit Medical and/or our service providers will store your data in compliance with applicable data protection laws for no longer than we need to for the performance of our obligations and only for as long as is necessary to achieve the relevant processing purposes. If Merit Medical no longer requires your personal data for compliance with contractual or legal obligations or to achieve the above purposes, it will be erased from our systems or anonymized accordingly, so that no identification is possible, unless we are required to retain information, including your personal data, in order to comply with legal or official obligations which are binding on Merit Medical, e.g. statutory retention periods that may arise.

5. Automated decision-making: Merit Medical will not carry out any automated decision-making including any profiling in connection with the video clip.

6. Your rights: Under the applicable data protection laws you have the right, in addition to the right to withdraw your consent under Clause 6 of the Declaration of Consent, to make a complaint to a data protection supervisory authority. In addition, you may be entitled to the following rights (though these rights may be restricted by national law). To exercise your rights, please contact us using the contact details provided in Clause 1 of the Declaration of Consent.

(a) Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. The right of access includes, among other things, the purposes of the processing, the categories of the personal data to be processed, and the recipients or categories of recipient to whom the personal data will be disclosed. However, this right is not unrestricted as the rights of other persons may limit your right of access.

In certain circumstances you have the right to receive a copy of the personal data processed by us. For further copies requested by you, we charge a reasonable fee, where relevant calculated on the basis of administrative costs.

(b) Right to rectification: You have the right, where relevant, to request the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including through the provision of a supplementary statement.

(c) Right to erasure (right to be forgotten): Subject to certain preconditions, you have the right to request us to erase personal data concerning you and we may be obliged to erase such personal data.

(d) Right to restriction of processing: Subject to certain preconditions, you have the right to request that we restrict the processing of your personal data. In that case, the data concerned will be marked and only processed by us for certain purposes.

(e) Right to data portability: Subject to certain preconditions, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit that data to a different controller without hindrance from us.


(f) Right to object: Subject to certain preconditions, you have the right to object at any time to the processing of your personal data by us on grounds arising from your particular situation, and we can be required not to process your personal data any longer.

If personal data is processed for direct marketing purposes, you have an additional right to object at any time to the processing of personal data in relation to you for the purpose of such marketing. This also applies to profiling where this is connected to direct marketing. In that case, the personal data will no longer be processed by us for these purposes.