1. Purpose
Merit Medical Systems, Inc. and its subsidiaries and affiliated companies (“Merit Medical”) seek to ensure that Merit Medical retains only the data necessary to effectively conduct its business activities and work in fulfillment of its mission.
The need to retain data varies widely with the type of data and the purpose for which it was collected. Merit Medical strives to ensure that data is retained only for the period necessary to fulfill the purpose for which it was collected and is fully deleted when no longer required. This Data Retention Policy (the “Policy”) sets forth Merit Medical’s guidelines on data retention and is to be applied consistently throughout the organization.
2. Scope
This Policy covers all data collected by Merit Medical outside of the United States of America (“OUS”) and stored on Merit Medical owned or leased systems and media, regardless of location. It applies both to data collected and held electronically (including photographs, video and audio recordings) and to data collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local laws and regulations, including applicable privacy laws, or justified by legitimate business purposes.
The purpose of this Policy is to ensure that:
• Data Records are adequately protected and maintained.
• Data Records containing Personal Data that are no longer required are discarded at the appropriate time.
• Merit Medical’s data retention principles support the exercise of individuals’ data protection rights.
This Policy forms an integral part of the Merit Medical General Data Protection and Privacy Policy.
3. Guiding Data Retention Principles
These are Merit Medical’s guiding data retention principles:
• Fairness: All Processing of Personal Data must be fair, proportionate and compatible with the purposes for which the data were collected.
• Necessity: Personal Data is deleted when no longer needed.
• Security: Personal Data is protected by appropriate security measures.
Each principle set out in this section should be followed whenever a Processing activity is envisaged or planned for or on behalf of Merit Medical.
4. Reasons for Data Retention
Merit Medical retains only that data that is necessary to effectively conduct its business activities, fulfill its mission and comply with applicable laws and regulations.
Reasons for data retention include:
• Providing an ongoing service to the data subject (e.g., executing all the rights and obligations for the employee under the employment agreement, sending newsletters, publication or ongoing program updates to an individual, ongoing training or participation in Merit Medical’s programs, processing of employee payroll and other benefits etc.).
• Compliance with applicable laws and regulations associated with financial and programmatic reporting by Merit Medical to its funding agencies and other donors.
• Compliance with applicable labor, tax and immigration laws.
• Other regulatory requirements.
• Security incident or other investigation.
• Intellectual property preservation.
• Litigation.
5. Retention Periods
General Retention Principle:
With regard to any category of documents that is not specifically defined elsewhere in this Policy, the retention period is seven (7) years from the date of creation of the document, unless applicable law mandates otherwise.
Employee Data:
• Personal Information (e.g., name, address, contact details):
Retained for the duration of employment plus 7 years to comply with statutory requirements and potential legal claims.
• Payroll Records:
Retained for 7 years after the end of the fiscal year to comply with tax and audit requirements.
• Performance Reviews:
Retained for 5 years after the end of employment to support future employment references and legal claims.
• Health and Safety Records:
Retained for 40 years to comply with occupational health and safety regulations.
• Benefits:
Retained for 7 years after the end of employment to comply with statutory requirements and potential legal claims. Examples of benefits records include health insurance, retirement plans, and employee assistance programs.
Customer Data:
• Personal Information (e.g., name, contact details):
Retained for the duration of the customer relationship plus 5 years to comply with contractual obligations and potential legal claims.
• Transaction Records:
Retained for 7 years after the transaction date to comply with tax and audit requirements.
• Customer Support Records:
Retained for 3 years after the resolution of the support issue to ensure quality control and address any follow-up issues.
Supplier Data:
• Personal Information (e.g., name, contact details):
Retained for the duration of the supplier relationship plus 5 years to comply with contractual obligations and potential legal claims.
• Contractual Agreements:
Retained for 7 years after the end of the contract to comply with legal and audit requirements.
• Payment Records:
Retained for 7 years after the end of the fiscal year to comply with tax and audit requirements.
Financial Data:
• Accounting Records:
Retained for 7 years after the end of the fiscal year to comply with statutory and audit requirements.
• Tax Records:
Retained for 7 years after the end of the fiscal year to comply with tax regulations.
• Audit Records:
Retained for 7 years after the completion of the audit to comply with statutory and regulatory requirements.
Contractor Data:
• Personal Information (e.g., name, contact details):
Retained for the duration of the contract plus 5 years to comply with contractual obligations and potential legal claims.
• Contractual Agreements:
Retained for 7 years after the end of the contract to comply with legal and audit requirements.
• Payment Records:
Retained for 7 years after the end of the fiscal year to comply with tax and audit requirements.
6. Data Disposal
Data disposal ensures that Merit Medical manages the data it controls and processes in an efficient and responsible manner. When the retention period for data as outlined above expires, Merit Medical will actively destroy the data covered by this Policy. If an individual believes that there is a legitimate business reason why certain data should not be destroyed at the end of its retention period, he or she should identify this data to his or her supervisor and explain why the data should not be destroyed. Any exception to this Policy must be approved by Merit Medical’s data protection officer, as appointed by the Privacy Council, in consultation with legal counsel. In rare circumstances, legal counsel may issue a litigation hold prohibiting the destruction of certain documents. A litigation hold prohibits the destruction of all data subject to the hold, regardless of the retention periods above, and remains in effect until released by legal counsel.
7. Data Access and Security
Access to personal data is restricted to authorized personnel only. Security measures, including encryption, access controls, and regular audits, have been implemented to protect personal data from unauthorized access, alteration, or destruction.
8. Review and Updates
This Policy will be reviewed annually and updated as necessary to ensure compliance with applicable laws and regulations. Changes to the Policy will be communicated to all employees and relevant stakeholders.
9. Contact Information
For any questions regarding this Policy, please contact [email protected].