Business Partner Privacy Notice

Merit Medical Systems, Inc. (“Merit Medical” or “we” or “our”) provides this Business Partner Privacy Notice (“Notice”) to explain our practices as the responsible controller and business regarding the processing of personal data relating to corporate representatives of our vendors, customers, suppliers, and other business partners (collectively, “Business Partners”).

You can find information on the processing of personal data (i) under the General Data Protection Regulation (“GDPR”) in section A “Business Partner Data Protection Notice under the GDPR” and (ii) under the California Consumer Privacy Act (“CCPA”) in section B “Privacy Notice under the CCPA” below.

A. Business Partner Data Protection Notice under the GDPR

  1. Scope:

    The disclosures in this Section A apply to you if and to the extent the GDPR is applicable to the processing of personal data and you are a Business Partner of Merit Medical as an individual (e.g., a consultant or sole entrepreneur) or if you are an employee of a Business Partner who interacts with the company on such Business Partner’s behalf.

  2. Categories of Personal Data and Source:

    Merit Medical processes the following categories of personal data about you, which Merit Medical has obtained from you or from authorized third parties (e.g., your supervisor, public authorities or public resources):

    • Personal data relating to Business Partners who are individuals: name, business contact details (including email address, company name, job category, healthcare specialty and country), services or goods provided or offered, contract details, content of communication (such as email or business letters), payment information, invoice information, and business relationship history
    • Personal data relating to an employee of a Business Partner: name, business contact details, employer name, title/position, and content of communication (such as email or business letters)
  3. Processing Purposes, Legal Basis, and Consequences:

    Your personal data is processed for purposes of performing the contractual relationship with the Business Partner (including fulfilling the contractual obligations, invoice processing, communication, and legal and compliance activities), for purposes of marketing and CRM activities (e.g., newsletters), and for security and fraud prevention activities. Merit Medical relies on the following legal bases for such processing activities under the EU General Data Protection Regulation (“GDPR”):

    • performance of the contractual relationship with the Business Partner (Art. 6 lit. b GDPR);
    • legitimate interest of Merit Medical, Merit Medical’s affiliates or other third parties (such as governmental bodies or courts) (Art. 6 lit. f GDPR). The legitimate interest could be in particular group-wide information sharing, marketing and CRM activities (e.g., when Business Partner has subscribed to a newsletter for itself and/or its personnel), prevention of fraud, misuse of IT systems, or money laundering, operation of a whistleblowing scheme, physical security, IT and network security, internal investigations, or potential merger and acquisition activities;
    • consent (Art. 6 lit. a GDPR);
    • compliance with legal obligations (Art. 6 lit. c GDPR);

    The provision of personal data processed for the performance of the contractual relationship with the Business Partner is necessary for the conclusion and/or performance of the Business Partner contract, and is voluntary. However, if you do not provide the personal data, the affected Business Partner management and administration processes might be delayed or impossible.

  4. Categories of Recipients:

    Merit Medical may engage service providers, acting as processors, in order to provide IT and other administrative support (e.g., service providers who provide account payable support or IT hosting and maintenance support). Those service providers may have access to your personal data to the extent necessary to provide such services.

    Any access to your personal data is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.

    Merit Medical may also disclose your personal data as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.

  5. Retention Period:

    Your personal data is stored by Merit Medical and/or our service providers, to the extent necessary for the performance of our obligations and for the time necessary to achieve the purposes for which the information is collected, in accordance with applicable data protection laws (e.g., newsletters will be sent for as long as Merit Medical has consent to send out the newsletters). When Merit Medical no longer needs to use your personal data to comply with contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with legal or regulatory obligations to which Merit Medical is subject, e.g. statutory retention periods or if we need it to preserve evidence within the statutes of limitation.

  6. Automated Decision-Making

    Merit Medical does not engage in automated decision-making in the context of the employment relationship.

  7. Your Rights:

    Pursuant to applicable data protection law, you may have the following rights:

    If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

    You have the right to request access to your personal data, request rectification of your personal data, request erasure of your personal data, request restriction of processing of your personal data, request data portability, and object to the processing of your personal data. Please note that these rights might be limited under the applicable national data protection law. For further information on these rights, please refer to Appendix Your Rights.

    You also have the right to lodge a complaint with the competent data protection supervisory authority. To exercise your rights please contact us as stated in section (8.) below.

  8. Questions:

    If you have any questions about this Notice or your rights, please contact: Greg DiStefano, Chief Counsel, International at [email protected]

Appendix Your Rights

  1. Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.

    You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

  2. Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  3. Right to erasure (“right to be forgotten”): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
  4. Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
  5. Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
  6. Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, or where personal data are processed for direct marketing purposes, at any time to the processing of your personal data by us, and we can be required to no longer process your personal data.

    Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.

B. Privacy Notice under the CCPA

We provide the disclosures in this Section B to Business Partners in California. These disclosures do not reflect our practices where an exception under the CCPA applies.

Information Categories and Purposes of Processing. We collect name, business contact details, employer name, title/position, services or goods provided or offered, contract details, content of communication (such as email or business letters), payment information, invoice information, and business relationship history. Personal data is processed for purposes of performing the contractual relationship with the Business Partner (including fulfilling the contractual obligations, invoice processing, communication, and legal and compliance activities), for purposes of marketing and CRM activities, and for security and fraud prevention activities. Merit Medical’s online CCPA Privacy Policy can be found here.
