Business Conduct Hotline Data Protection Notice
Merit Medical Systems, Inc. and its affiliates established the Merit Medical Business Conduct Hotline. The responsible controller for your personal data processed in the context of the Business Conduct Hotline is the Merit Medical entity you have a contractual relationship with (e.g. your employer if you are an employee of a Merit Medical entity or the Merit Medical entity you have a contract with if you are a customer or vendor). Please find in Appendix Merit Medical Entities a list of all Merit Medical entities with contact details. The respective Merit Medical entity you have a contractual relationship with is hereinafter referred to as “we” or “our” and provides this Business Conduct Hotline Notice (“Notice”) to explain the practices for the processing in the context of the Business Conduct Hotline.
This Notice applies to you if you are an employee, contractor, vendor, customer of us or have another relationship to us and report something via the Business Conduct Hotline. The Business Conduct Hotline may be used to report issues relating to internal controls in the areas of finance, accounting, banking and anti-corruption only.
2. NATURE OF COMPLAINTS
We strongly and expressly encourage you to provide the report strictly anonymously and not in an identified manner. You must not disclose your identity or any other personal data to us. Filing a report anonymously will have no negative consequences for you. Only by way of exception, we accept an identified report. If you would like to identify yourself, we may be obligated by applicable data protection law to disclose your identity to the individuals mentioned in the report and your consent is required. We may not keep confidential your identity.
3. CATEGORIES OF PERSONAL DATA AND SOURCE
We process the following categories of personal data about you that we have obtained from you:
• identification data, i.e. name and surname, contact data;
• relationship with us;
• reported infringements;
• documentation evidencing the reported infringements.
4. PROCESSING PURPOSES, LEGAL BASIS, AND CONSEQUENCES
The personal data will be processed to detect, investigate and evaluate from a legal point of view the suspected behaviour. If you voluntarily choose by way of exception to the rule of anonymous reporting to file the report in an identified manner, the legal basis for processing your personal data is your consent. With respect to the individuals, whose personal data is disclosed in a report and who are subject to a subsequent internal investigation, we will rely on the statutory justification ground of legitimate interests, i.e. we will conduct a balancing of interest test. Our legitimate interests are typically the protection from financial, reputational and regulatory harm as well as to ensure that the business activities are in compliance with the law.
Data of individuals mentioned in the report: The information provided to individuals mentioned in the report includes your identity, if you have voluntarily chosen by way of exception to the rule of anonymous reporting to file the report in an identified manner. In such case the right of access also includes your personal data.
5. CATEGORIES OF RECIPIENTS
Merit Medical engages the following service provider who act as processors to provide services in relation to the Business Conduct Hotline, IT and other administrative support: NAVEX Global.
We may also disclose your identity to the individuals mentioned in the report (see section 2 above).
Any access to your personal data is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.
We may also disclose your personal data as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.
6. RETENTION PERIOD
Personal data collected through the Business Conduct Hotline is usually erased within two months of completion of the investigation of the facts alleged in the report. The personal data may be stored for longer periods if legal proceedings or disciplinary measures are initiated. In such cases personal data will be kept until the conclusion of these proceedings and the period allowed for any appeal as stipulated by laws applicable to the respective case. Personal data relating to reports found to be unsubstantiated will be deleted without undue delay.
7. AUTOMATED DECISION-MAKING
We do not engage in automated decision-making in the context of the Business Conduct Hotline.
8. YOUR RIGHTS
You may withdraw your consent with effect for the future, however, the withdrawal does not affect the lawfulness of the processing based on the consent before its withdrawal. If you withdraw your consent one month after the submission of the report, the withdrawal does not have any effect because at this point your identity is typically already disclosed to other persons mentioned in the report.
Pursuant to applicable data protection law you may have the right to: request access to your personal data, request rectification of your personal data; request erasure of your personal data, request restriction of processing of your personal data; request data portability, and object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law. For further information on these rights please refer to Appendix Your Rights.
You also have the right to lodge a complaint with the competent data protection supervisory authority. To exercise your rights please contact us as stated in section (9.) below.
9. QUESTIONS AND DATA PROTECTION OFFICER
If you have any questions about this Notice or your rights, please contact our data protection officer: Greg DiStefano, Vice President, International Legal at [email protected].
APPENDIX: YOUR RIGHTS
(a) Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
(b) Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(c) Right to erasure (“right to be forgotten”): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
(d) Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
(e) Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
(f) Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data.
Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.
APPENDIX: MERIT MEDICAL ENTITIES
• Merit Medical Systems, Inc, 1600 West Merit Parkway, South Jordan, Utah USA 84095
• Merit Medical Ireland Limited, Parkmore Business Park West, Galway, Ireland
• Biosphère Médical SAS, 383 Rue de la Belle Étoile, 95700 Roissy-en-France, France
• Merit Medical France SAS, 46 Avenue des Frères Lumière, 78190 Trappes-Saint-Quentin-en-Yvelines, France
• Merit Medical Coatings BV, Van Coehoornstraat 7, 5916 PH Venlo, the Netherlands
• Merit Medical Nederland B.V., Amerikalaan 42, 6199 AE Maastricht-Airport, the Netherlands
• MERIT MEDICAL GmbH, Alfred-Herrhausen-Allee 3-5, 65760 Eschborn, Germany
• Merit Medical Spain S.L.U., C/Rozabella nº 6, Planta 1ª, ofic 6. Edificio París, 28290- Las Rozas de Madrid, Spain
• Merit Medical Italy s.r.l., Via Cascina Venina, 7, 20090 Assago (MI), Italy
• Merit Medical UK Ltd., Unit 27, Suttons Business Park, Sutton Park Avenue, Earley, Reading, Berkshire, RG6 1AZ, United Kingdom
• Merit Medical Portugal SA, Av Da Liberdade 224, 1250-148, Lisbon, Portugal
• Merit Medical Belgium BVBA, Louis Schmidtlaan 24, 1040 Brussels, Belgium
• Merit Medical Denmark, Alhambravei 3, 1826 Frederiksberg C, Denmark
• Merit Medical Systems AB, Corporate Identity No. 556708-4115, P.O. Box 1485, 11479 Stockholm, Sweden
• Merit Medical Norway AS, Bygdog Alle 2, 0257 Oslo, Norway
• Merit Medical Finland Oy, Mannerheimintie 16 A-3, 00100 Helsinki, Finland
• MERIT MEDICAL AUSTRIA GMBH, Gertrude-Fröhlich-Sandner-Straße 1/Top 13, 1100 Wien, Austria
• Merit Medical Switzerland AG, c/o DD Immo Service Plus GmbH, Baarerstrasse 75, 6300, Zug Switzerland