1. Overview and Objectives

The protection of personal data, as well as compliance with privacy and data protection laws and regulations, is important to our organization and its affiliates (“we”, “us”, the “Company”). We do take it seriously and we aim to ensure the privacy rights of our employees, business contacts and customers when we handle information about them.

This Global Privacy Policy (this “Policy”) establishes a comprehensive governance framework for managing privacy and data protection risks. Specifically, Exhibits A and B of this Policy address certain requirements under Colombian and Mexican law, respectively, as provided in such Exhibits.

This Policy, together with any Exhibits, and supporting documents lay out processes and tools that deliver a consistent approach to privacy risk management across the organization. The protection of personal data of employees, business contacts and customers is fundamental to preserving employee, business partner and customer trust.

In particular, this Policy:

  1. sets out the data protection principles that underpin our global privacy framework;
  2. identifies and explains the data protection roles and responsibilities;
  3. establishes the Privacy Program;
  4. identifies the internal policies, procedures and standards which support this Policy and, together with this Policy, constitute our organization's privacy framework; and
  5. sets out a (non-exhaustive) list of the requirements that employees, contractors, consultants and anyone providing support or service to us must comply with in order to preserve the confidentiality and security of the personal data they handle.

This Policy does not provide an exhaustive list of permitted or prohibited conduct or set forth every rule. This Policy is not a substitute for the responsibility to exercise good business judgment and proper care. Individuals should continue to seek proper advice through appropriate channels in relation to any specific concerns and issues that are not specifically addressed in this Policy.

2. Scope and Enforcement

This Policy applies to all directors, managers, employees, contractors, consultants and anyone else supporting or servicing within our organization with respect to all our operations around the world which involve the processing of personal data.

It is the responsibility of every director, manager, employee, contractor, consultant and anyone else supporting or servicing our organization to comply with this Policy. Acknowledgment and understanding of this Policy is required through contracts and mandatory training. Failure to comply with this Policy may be a breach of the terms of employment and may lead to disciplinary actions up to and including termination of employment or services contracts.

Senior management is ultimately responsible for ensuring adherence to this Policy. The Legal department in coordination with Internal Audit is responsible for monitoring compliance with this Policy.

Definitions

Data subject(s) or individual(s)

is any living individual to whom the personal data or sensitive data relates. Examples of data subjects are consumers, business contacts and employees, contractors, consultants and anyone else providing support or service to the Company.

Data protection laws

means any applicable laws, regulations, regulatory requirements and codes of practice relating to the protection of individuals regarding the processing of personal data including information security.

Data breach or incident

means any actual or suspected event where the security, confidentiality, integrity or availability of personal data has been or could be compromised, leading to the accidental, unlawful or unauthorised destruction, loss, alteration, disclosure of or access to personal data, or any other unlawful use of personal data (e.g. an email with personal data is inadvertently sent to the wrong recipients; a paper record with personal data is lost or stolen; a cyber-attack has been carried out by hackers; a work laptop is lost or stolen).

Data processing or processing

means any use of personal data by our organization (or a third party on behalf of our organization), including data collection, data sharing and data storage. The mere storage of data is processing.

Personal data

means any information relating to an individual that identifies the individual or could reasonably be used to identify the individual regardless of the medium involved (e.g. paper, electronic, video, audio). Examples of personal data include contact details, financial data, passwords, IP addresses, pictures, online search history, geolocation information. Unless otherwise stated, personal data is intended to include sensitive data (as defined below).

Sensitive personal data

means personal data about racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, genetic data (e.g. an individual's gene sequence), biometric data (e.g. fingerprints, facial recognition, retinal scans), criminal offences committed or alleged to have been committed.

3. Data Protection Principles

Our organization's business operations must always be consistent with the Data Protection Principles set out below. These principles are binding across all our businesses.

  1. Lawful, fair, and transparent processing
    Our organization only uses personal data in a way that is lawful, fair, and transparent.

    We comply with data protection and privacy laws within each of the jurisdictions in which we operate. Where required by the law, we are also committed to helping individuals understand what information we collect, how we use it and what choices they have. We explain this to employees, contractors, consultants and other workers, consumers and business contacts in a simple and clear way in our privacy statements. We review our privacy statements regularly to keep them up to date, and to ensure they match our internal practices.

  2. Purpose limitation
    We only collect personal data for specified, clear and legitimate purposes and we only collect as much personal data as we need to achieve those purposes. Though personal data helps us improve the services we provide, we only use it in ways which are proportionate to clear goals.

  3. Data accuracy
    We take steps to ensure that the personal data we hold is accurate, up-to-date and relevant to the purposes for which it is collected.

  4. Data retention
    We only keep personal data in an identifiable form for as long as is necessary for the purposes for which we are using it.

  5. Rights of the individuals
    We are fully committed to facilitating the privacy rights of individuals with respect to our processing of their personal data, in accordance with applicable laws.

  6. Information security
    We use appropriate physical, technical and organizational measures to keep personal data secure and ensure its integrity, confidentiality and availability across all systems at all times.

    We are also committed to ensuring that our vendors and suppliers which may process personal data on our behalf preserve the confidentiality, integrity and availability of such data.

  7. International transfers of personal data
    Our organization is a global business and as such we have to transfer information internationally. We are fully committed to ensuring that there are adequate safeguards in place, as required by the applicable laws, to protect the personal data we transfer to countries that do not have adequate data protection laws.

  8. Accountability
    We are all responsible for upholding the Data Protection Principles and respecting individual privacy rights. We have a collective and individual duty to protect the personal data of our employees, contractors, consultants and other workers, consumers and business partners. In order to create an environment of trust and to comply with applicable data protection laws, all individuals operating within or on behalf of our organization must comply with our privacy policies and help the organization to uphold its commitments to the protection of personal data.

4. Roles and Responsibilities

Different stakeholders at different corporate levels within our organization play a role in ensuring overall privacy risk management and data protection compliance. The following offices and employees have been identified as having specific roles and responsibilities:

  • The Legal department is responsible for promoting and ensuring privacy compliance, overseeing the overall privacy management and compliance program, responding to data subject queries and requests, responding to regulatory requests about data protection, liaising with the IT department where required to ensure information security which is a core part of personal data protection.
  • The IT department is responsible for safeguarding and monitoring our internal networks and systems and, in particular, ensuring that personal data stored, transferred, accessed and used across these networks and systems is adequately protected from data breaches. The IT department is also responsible for participating in some important data protection activities such as Data Protection Impact Assessments ("DPIA").
  • The HR department is responsible for properly handling the personal data of employees, contractors, consultants and anyone else providing services and support, in compliance with the applicable laws. The HR department is also responsible for addressing requests from employees, contractors, consultants and other workers for the exercise of their data protection rights and escalating any further query or complaint to the Legal department. The HR department should also inform the Legal department regarding new processing activities which impact on the personal data of employees, contractors, consultants and other workers. The HR department should be engaged in performing DPIAs of new HR processing activities, updating privacy notices to employees, contractors, consultants and other workers and making them aware of their duties and responsibilities regarding personal data protection (including this Policy).

In addition, any business function which processes personal data is responsible for:

  • managing the privacy risk related to the processing carried out by the function;
  • consulting the Legal department when required by the internal policies and procedures;
  • ensuring the security of the personal data it processes; and
  • handling and escalating any privacy incidents as required.

All directors, managers, employees, contractors, consultants and workers are responsible for preserving the confidentiality of the personal data they use and for handling this information securely and in accordance with this Policy and any other supporting policies, procedures and standards (as identified below at "Policy Framework").

5. Privacy Program

Our Legal department will supervise our Privacy Program, which provides a comprehensive, coordinated approach to managing privacy risk while serving business needs and strategies. Our Privacy Program comprises, at a minimum, the following components:

  • Policy framework
  • Legal compliance
  • One-stop-shop
  • Documentation of data protection compliance (decisions, implementation and audit)
  • Records of processing activities
  • Data protection impact assessment
  • Vendor privacy risk management
  • Data protection training
  • Data breach management
  • Data subject rights
    1. Policy framework
      Our organization must operate at all times in compliance with this Policy, the Code of Conduct and Business Ethics and all internal policies, procedures and standards relating to privacy such as the Acceptable Use Information Technology Policy, the Data Classification and Handling Policy, the Incident Response Policy and privacy notices to staff, online users and other individuals. Please note that these may, from time to time, be updated or replaced and the scope of the list below may be expanded to additional policies.

    2. Legal compliance
      The Legal department will at all times maintain processes that enable our organization to understand and comply with legal requirements in data protection such as providing privacy notices to data subjects and obtaining their consent to data processing where necessary. The Legal department will ensure that privacy laws are addressed consistently across the region where such laws apply.

    3. One-stop-shop
      The Legal department, jointly with senior management, will determine where our main establishment might be located based on our data processing activities to identify the lead supervisory authority within the European Union for cross-border processing. The decision should be documented. The Legal department will monitor the lead supervisory authority closely for guidance and other output issued and understand the enforcement priorities.

    4. Documentation of data protection compliance (decisions, implementation and audit)
      The Legal department, supported by the business functions concerned, will create and maintain records of the decisions and actions taken towards privacy risk management and compliance with data protection laws. This will also enable effective collaboration with the regulators as and when required and it will enable our organization to document and demonstrate its privacy compliance at all times.

      Where privacy related decisions and actions are taken at regional or business level, the relevant policies and procedures will establish ownership of and responsibility for maintaining appropriate records.

      The Legal department will also be responsible for ensuring and supervising the development of any additional records which may be required to demonstrate compliance under applicable data protection laws (e.g. consent forms, notices to data subjects, register of personal data breaches).

    5. Records of processing activities
      The Legal department will gather in a living document the list of all processing activities within our organization at a given time; this document will be updated from time to time to reflect changes in business operations. The IT department, the HR department and any other business functions involved in the processing of personal data should contribute to the record of processing activities (providing relevant information such as about the purposes of use of data and data transfers).

    6. Data protection impact assessments
      The Legal department will establish guidelines and procedures to perform DPIAs with respect to new products, technologies and business operations, where required by applicable laws or where this appears appropriate to manage privacy risk. The DPIAs will require the input and involvement of the relevant business functions.

    7. Vendor privacy risk management
      Risk management for engaging third party vendors that process personal data on our behalf ("data processors") is crucial to ensure our data protection compliance. The Legal department will provide guidelines and any privacy content necessary for third party risk assessment, keeping it up-to-date as necessary to address emerging privacy risks. Risks associated with a third party must be escalated to the Legal department.

      In particular, the Legal department will ensure that:
      • any data processor is subject to adequate due diligence on its information security measures before being selected as a business partner;
      • an appropriate processing agreement is in place with any data processor which imposes data protection obligations on the data processor; and
      • data processor compliance with the processing agreement and the applicable law is monitored from time to time.

    8. Data protection training
      Data protection training will be a part of the annual compliance training plan and mandatory for relevant staff upon joining the firm and on a regular basis thereafter. The Legal department will ensure that training content remains up to date and appropriate to our organization’s business operations, and that it is refreshed on a regular basis. Training completion rates will be monitored and documented (e.g. training log).

    9. Data breach management
      All business functions are responsible for monitoring business operations for incidents concerning the security of personal data, capturing them on a timely and consistent basis, and executing appropriate risk mitigation strategies.

      All employees and business functions are responsible for immediately escalating any actual or suspected data breaches according to our Incident Response Policy. Any relevant office and/or business function is required to take part in breach management according to such policy.

      The Legal department, jointly with the IT department, will ensure that known incidents and risk events are identified, evaluated and remediated appropriately, and will evaluate trends so that root causes can be addressed. The Legal department will also handle breach notifications to the competent regulator or data subjects as and when required by the applicable laws.

    10. Data subject rights
      The Legal department will provide guidelines and assistance to the HR department and any other office to address any data subject right request (e.g. an individual's request to access personal data held by us in accordance with the applicable law), as well as to inform any data subject of their rights under the applicable law, which includes the right to lodge a complaint before the relevant data privacy government regulator(s) should the Company violate any applicable data privacy law in the processing of a data subject’s personal and sensitive personal data.

6. What Employees, Contractors, Consultants and Workers Must Do

Apply the Data Protection Principles to the collection and use of personal data and follow the policies, procedures and standards regarding privacy.

In particular, compliance with the following policies is required:

  • Acceptable Use and Information Technology Policy
  • Confidential Data Policy
  • Data Classification and Handling Policy
  • Email Policy
  • Encryption Policy
  • Password Policy
  • Remote Access Policy
  • Third Party Software Policy
  • Data Retention Policy

You are also expected to complete all required data protection training.

Non-compliance with the terms of this Policy may result in disciplinary action up to and including termination of employment or business relationship, as well as legal action.

7. Reporting and Questions

ICU Medical personnel may report any concerns through an anonymous and confidential hotline at 1-844-330-0007. Anonymous and confidential reports can also be made by email to reports@lighthouse-services.com (must include Company name in the report), through confidential web submission at http://www.lighthouse-sercies.com/icumed, or via the Governance Reporting section in our corporate governance website at http://ir.icumed.com/governance.cfm. A Company Representative may also make confidential reports to his/her supervisor, HR, the Compliance Officer, or the General Counsel.

8. Amendments to the Policy

The Legal department will review this Policy no less than once every year and recommend appropriate changes.

We will draw your attention to any changes where appropriate or required.

9. Exceptions and Escalations

Any exceptions to this Policy must be reviewed and approved by the Legal department. All exceptions to this Policy must be approved in writing before implementation.

The Legal department is responsible for resolving questions about the appropriate interpretation of this Policy in light of legal and regulatory requirements.

Exhibit A

Global Privacy Policy – Exhibit for Colombia

ICU MEDICAL COLOMBIA LIMITADA ("ICU COLOMBIA"), domiciled in Colombia, is an affiliate of ICU MEDICAL, INC (the "Company") based in the United States.

This Exhibit is intended to complement the Company’s Global Privacy Policy ("GPP") in order to include certain elements that are only applicable to the extent that Colombian Data Protection Law applies. Colombian Data Protection Law applies only to the processing in Colombia of personal data and, under certain circumstances, to the processing abroad of personal data of Data Subjects based in Colombia.

Terms used herein shall have the meaning ascribed in the GPP unless otherwise defined herein.

Definitions

To the extent that Colombian Data Protection Law applies, in addition to the definitions provided under the "Definitions" Section of the GPP, the following definitions shall be applied; and to the extent there is a conflict in the “Definitions”, these definitions below control:

  1. Data Protection Laws: The applicable law, in this case, Colombian laws and regulations.
  2. Data Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
  3. Authorization: Prior, express and informed consent of the Data Subject to Process his/her Personal Data.
  4. Data Processor: Individual or legal entity, public or private, that either alone or in association with others, process personal data on behalf of the Data Controller.
  5. Data Controller: Individual or legal entity, public or private, that either alone or in association with others, decides on the database and/or on processing of the data.
  6. Data Subject: Any living individual to whom the personal data or sensitive data relates.
  7. Transfer: The Transfer of data occurs when the Data Controller and/or the Data Processor, located in Colombia, sends the information or the Personal Data to a receiver, which is also a Data Controller and is located inside or outside the Country.
  8. Transmission: Processing of Personal Data, which implies the communication of Personal Data, inside or outside Colombia, when it has the purpose of a Data Processing performed by a Data Processor on behalf of a Data Controller.

The Data Protection Principles

To the extent Colombian Data Protection Law applies, in addition to the principles provided under the "Data Protection Principles" Section of the GPP, the following principles shall be applied:

  1. Principle of Rule of Law Concerning Data Processing: Processing dealt with under the Colombian Data Protection Regime (Laws and Regulations) is a regulated activity that must be subject to its provisions.
  2. Principle of Purpose: the Data Processing should follow a legitimate purpose in accordance with the Constitution and the law, of which the Data Subject must be informed.
  3. Principle of Freedom: the processing can only be exercised with the express, prior and informed consent of the Data Subject and cannot be obtained or disclosed without its authorization, unless there is a legal or judicial mandate that relieves the consent requirement.
  4. Principle of Confidentiality: all people involved in the processing of Personal Data that are not of public nature are required to ensure the confidentiality of the information.

Purpose of the Processing of Personal Data and Sensitive Personal Data

The personal information that ICU COLOMBIA collects will be processed for the following purposes:

  1. Sending/processing information and documents related to the business relationship of the Data Subjects with ICU COLOMBIA.
  2. Provide contact information to the commercial force and/or distribution network of ICU COLOMBIA.
  3. International data transmission by hosting on external servers.
  4. International transfer of data by sending to other affiliate or any other related entity of ICU COLOMBIA.
  5. Transfer of information, requirements and notifications of ICU COLOMBIA to all its employees, suppliers, contractors, and other Data Subjects.
  6. Sending newsletters and emails and other data messages, informing about promotions and events or activities carried out by ICU COLOMBIA.
  7. Sending opinion polls on the satisfaction of customers, users and potential customers.
  8. Referral of information to comply with legal requirements and requirements of judicial authorities.
  9. The other purposes described in the consent forms.

Grounds for processing Personal Data

To the extent Colombian Data Protection Law applies, Personal Data and Sensitive Personal Data shall be subject to the following requirements:

Personal Data
The legal grounds for processing Personal Data are those specified in Articles 9 and 10 of Law 1581 of 2012.

Sensitive Personal Data
The legal grounds for processing Sensitive Personal Data are those specified in Article 6 of Law 1581 of 2012.

The consent criteria referenced in the GPP shall apply under this Exhibit along with the following additional criteria:

  1. The processing of Personal Data and Sensitive Personal Data requires the prior, express and informed consent of the Data Subject.
  2. The Data Controllers shall establish mechanisms to obtain the authorization of the Data Subjects, or of whoever is entitled to grant it, in accordance with the provisions of Article 20 of Decree 1377 of 2013. These mechanisms may include technical means that facilitate the Data Processor obtaining automated consent. It should be understood that authorization complies with these requirements when it is provided (i) in writing, (ii) orally or (iii) by the Data Subject’s unequivocal behaviors that lead to reasonably conclude that authorization was granted. In no case may silence be understood as an unequivocal behavior.
  3. The consent form should include a specific box to authorize the collection, Processing and Transfer of Sensitive Personal Data. Such box must be different from the box used to consent to the collection of non-sensitive Personal Data.

Fair Processing Information

The information required to be provided to the Data Subject referenced in the GPP shall apply under this Exhibit along with the following additional information:

  1. Name or company name, domicile, address, email and phone number of the Data Controller.
  2. The rights to which the Data Subject is entitled.
  3. Person or area that is responsible to attend requests, inquiries and complaints by means of which the Data Subject may exercise their rights to know, update, rectify and delete the data and revoke the Authorization.
  4. Procedure for Data Subjects to exercise their rights to know, update, rectify and delete information and revoke the Authorization.

Data Transfer/ Data Transmission with Third Parties

To the extent Colombian Data Protection Law applies, the following must be considered:

Where ICU COLOMBIA instructs a third party to process Personal Data on behalf of ICU COLOMBIA (Data Transmission) or for its own purposes (Data Transfer), the third party must enter into a written agreement with ICU COLOMBIA. The agreements must include a number of provisions mandated by Articles 24 and 25 of Decree 1377 of 2013 regarding International transfer and transmission of personal data and Personal data Transmission agreement.

In addition to the foregoing, in the case of transmissions, the Data Controller only needs to disclose to the Data Subject that there is a possibility of sharing data with third-party data processors, indicating whether these processors are located abroad, at the moment of obtaining the consent. In this case, there is an obligation to disclose the possibility of a transmission but there is no need to obtain prior and express consent to share the Personal Data with the third-party processor that has subscribed a transmission agreement in compliance with applicable laws in Colombia.

As opposed to this, in the case of the transfer, the Data Controller will be sharing the data with a new Data Controller. Hence, it needs to obtain consent from the Data Subject to share this data with the new Data Controller and also needs to disclose the privacy policy that will apply (i.e. that of the new Data Controller). The respective agreements should reflect these conditions, among other requirements.

International Transfers Of Personal Data

To the extent Colombian Data Protection Law applies, the following must be considered:

According to Law 1581 of 2012, Decree 1377 of 2013 and its attendant rules and regulations, Personal Data, whichever its nature may be, may only be transferred to countries that afford sufficient data protection levels. A country shall be considered to afford sufficient data protection levels provided and to the extent that it complies with the applicable standards set forth by the Superintendence of Industry and Commerce (“SIC”). The foregoing standards may under no circumstances provide for obligations less than those contained in the Colombian Data Protection Regime.

This prohibition shall not apply to:

  1. Information to which the Data Subject has expressly and unequivocally granted authorization for its transfer.
  2. Exchange of medical data where so required by the Data Subject’s Data Processing due to public health reasons.
  3. Bank or market transfers in accordance with applicable
  4. Transfers agreed upon under international agreements to which the Republic of Colombia is a party on the basis of the principle of
  5. Transfers necessary for executing a contract between the Data Subject and the Data Controller, or else for executing future contract measures provided that the Data Subject has granted consent.

Data Subject Rights

To the extent Colombian Data Protection Law applies, Colombian Data Subjects have a number of legal rights in relation to their Personal Data. These rights include:

  1. Access, update and correct their Personal Data before the Data Controller or Processor, due to partial, inaccurate, incomplete, split, deceptive data, or unauthorized/prohibited processing.
  2. Request proof of granted consent.
  3. Request what use or processing has been given to his/her Personal Data.
  4. File complaints before the Superintendence of Industry and Commerce.
  5. Revoke consent or request data deletion when principles have been breached or when the Superintendence of Industry and Commerce determines that the processing by the Data Controller or Data Processor was contrary to the law and the Colombian Constitution.

Consultation Procedure

At any moment and for no cost, the Data Subject and/or its successors may consult their Personal Data in possession of ICU COLOMBIA. The consultation must be sent to the e-mail of the Data Protection Officer, which must be publicly available to the Data Subjects. ICU COLOMBIA shall respond to all consultations within ten (10) business days after the consultation is received. If ICU COLOMBIA is not able to respond within this term, the Data Subject shall be informed of this circumstance, the reasons for the delay and the date when the consultation will be answered, which must be within five (5) business days following the expiration of the initial term.

Claims procedure

If the Data Subject and/or its successors consider that their Personal Data in possession of ICU COLOMBIA should be amended, updated or deleted, or if they have any claim related to their Personal Data in possession of ICU COLOMBIA or the processing of their Personal Data by the Company, they may submit a claim in the following terms:

  1. The claim must be filed using the format prepared by ICU COLOMBIA for these purposes.
  2. The claim must contain at least the following information: (i) the proper identification of the Data Subject; (ii) the description of the events that originated the claim; (iii) the contact details of the Data Subject; and (iv) any documents the Data Subject considers relevant for the claim. If the claim is missing any of this information, within five (5) business days after the claim is received ICU COLOMBIA must request the Data Subject to update the claim format with the missing information.
    Within two (2) business days after a complete claim is received, a notice must be inserted in the database where the Personal Data subject of the claim is included, indicating that a claim related to information included in such database is in process. A brief explanation of the claim must also be inserted within the corresponding database until the claim is solved.
  3. ICU COLOMBIA shall have a term of fifteen (15) business days from the day the complete claim is received to deliver a response to the Data Subject. If ICU COLOMBIA is not able to respond within this term, it must inform the Data Subject of this circumstance, the reasons for the delay and the date when the claim will be responded to, which must be within eight (8) business days following the expiration of the initial term.
    If ICU COLOMBIA receives a claim that should have been addressed to another entity, it must send the claim to the corresponding entity and inform the Data Subject of this situation.

Data Protection Officer

As referred to in the GPP, ICU COLOMBIA must appoint and have at all times a Data Protection Officer who has the following obligations:

  1. Respond to Consultations and Claims from Data Subjects: The Data Protection Officer shall be responsible for answering all consultations and claims from the Data Subjects or their successors related to their Personal Data in possession of ICU COLOMBIA and the processing of their Personal Data.
  2. Provide assistance and support to other areas of the Company: Any questions within ICU COLOMBIA related to the processing of Personal Data must be addressed and answered by the Data Protection Officer.
  3. Risk Management: Any situation that results or may result in a security breach of Personal Data must be reported to the Data Protection Officer, who will be responsible for preparing and implementing a plan for managing and solving the security breach or potential breach.
  4. Maintain and update data protection related registrations and submit filings before authorities: The Data Protection Officer must ensure that (i) the information of ICU COLOMBIA and its Data Subjects included in the National Registry of Databases managed by the SIC is properly maintained and updated; (ii) any new databases created by ICU COLOMBIA that contain Personal Data are properly registered before the SIC; (iii) the claims filed by the Data Subjects are properly reported to the SIC; and (iv) any security incident related to the Personal Data is reported to the SIC.

Responsible for the Data Processing

The Data Controller of the Personal Data in Colombia is ICU MEDICAL COLOMBIA LIMITADA, identified with NIT. 830143035-2, domiciled in the city of Bogotá-Colombia, at Avenida Carrera 72 # 80-94.

All requests regarding the Processing of Personal Data shall be emailed to habeasdatacolombia@icumed.com.

Reporting and Data Protection Officer Contact Information

Concerns may be reported through an anonymous and confidential hotline at 1-844-330-0007. Anonymous and confidential reports can also be made by email to reports@lighthouse-services.com (must include Company name in the report), through confidential web submission at http://www.lighthouse-services.com/icumed, or via the Governance Reporting section in our corporate governance website at https://ir.icumed.com/corporate-governance. The Data Protection Officer may be contacted by emailing: ethicsandcompliance@icumed.com.

Date of Entry Into Force

The Exhibit referred to in this document will be effective as of 1 July 2020, but may be modified at any time, in which case the relevant changes will be communicated to the Data Subjects.

Exhibit B

Global Privacy Policy – Exhibit for Mexico

To the extent Mexican data protection laws or regulations apply, the following additional Mexico-specific basic elements and provisions apply and shall prevail over conflicting provisions in the existing Global Privacy Policy.

  1. 'Data protection law' means the Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares or FDPL) and its implementing Regulations.
  2. 'Sensitive Personal Data' means genetic, biometric and health-related data, as well as personal data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning a person's sex life or sexual orientation. These are highly relevant because they are subject to a higher level of protection and must be treated with extra security.

Data Protection Principles

In addition to the principles set out in the Global Privacy Policy, the provisions of Mexican data protection law set out key principles relating to processing of personal data, as follows:

  1. Consent: Processing and transfer of personal data is based on consent by the data subject. Explicit consent is required for the processing of, and transfer of, Sensitive Personal Data, financial or real estate data. Prior to giving consent, the data subject shall be informed thereof. As an exception to the general rules, no consent is required for the transfer of data between our organization and a data processor as long as a data processing agreement is in place.
  2. Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes, as set forth in the corresponding Privacy Notice. Further processing for other purposes incompatible with the initial purposes shall require specific consent for the new purpose.
  3. Minimization principle: Processing shall be adequate, relevant and limited to what is necessary in relation to the processing purposes.
  4. Loyalty principle: Personal data shall be processed in a manner that ensures appropriate security of the personal data, giving priority to the protection of the interests of the data subject.

Privacy Notice

Our organization is required to record our purposes for collection and processing and specify them in a document for data subjects. Under Mexican law, an adequate Privacy Notice must, at least, contain the following information:

  1. Our identity, address (including street, number, city, zip code) and contact details
  2. Purposes of the processing for which the personal data are intended
  3. Categories of personal data concerned
  4. Specific information about our processing of sensitive personal data
  5. The existence of the right to withdraw consent to further process the personal data for a purpose other than that for which the personal data were collected (e.g., marketing purposes)
  6. Where applicable, the fact that we intend to transfer personal data to a third party in Mexico or a third country
  7. Modalities for the exercise of the data subject rights
  8. How data subject can withdraw his or her consent to data processing
  9. Means to exercise the right to request from the Company restriction of processing or disclosure concerning the data subject
  10. Cookies policy providing information about the types of cookies active on our website, what data they track, for what purpose, where in the world the data is sent, and detailed instructions on how data subjects can set their cookie preferences
  11. Contact details of our Data Protection Officer or department
  12. Procedures and means to communicate changes to our Privacy Notice

This information shall be provided in writing, or by other means, including, where appropriate, by electronic means.

Conditions for Consent

Processing of personal data shall be lawful only if and to the extent that the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

The Company is required to obtain an express statement of consent by the data subject, for instance in a written statement, when required by law or by the data subject, and for the processing of sensitive personal data, financial or personal estate data.

However, a data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

FDPL allows for express written consent to be obtained through technology means (including “I accept” buttons or boxes), as long as they are not previously selected. The main consent related rules may be summarized as follows:

  1. Opt-in is required for the collection of Sensitive Personal Data
  2. Opt-in is required for the collection of financial or personal-estate related data
  3. Check boxes to obtain consent should not be pre-ticked
  4. Consent is not required in certain exceptional cases set forth in the FDPL, including data collection for the performance of a contract
  5. Non-essential data processing: The text of the Privacy Notice must differentiate between those data processing purposes which are necessary for the existence, maintenance, and compliance of the legal relationship between our organization and the data subject, which cause the relationship to exist, and those purposes which are not essential (e.g., processing personal data for the purposes of direct marketing)
  6. Prior opt-out rule: For unnecessary or secondary processing purposes, the Privacy Notice must include the mechanism for the data subject to exercise the right to withdraw consent to data processing for this purpose.

Consent Exemptions

Our organization is not required to obtain consent to the processing of personal data when:

  1. personal data is required to be processed by law, by any governmental or other authority, or by a court or other authority of competent jurisdiction;
  2. processing related to personal data which are publicly available;
  3. personal data is subject to a disaggregation process;
  4. processing is necessary for the performance of a contract to which the Company and the data subject are parties;
  5. processing is necessary to protect the vital interests of an individual;
  6. processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care or treatment or management of health care systems and services, where the data subject is physically or legally incapable of giving consent.

Data Subject Rights

We shall facilitate the exercise of data subject rights and not refuse to act on the request of the data subject for exercising the following rights: (i) right to access personal data stored by us, and to obtain information regarding our processing practices; (ii) right to rectification of inaccurate personal data concerning the data subject; (iii) right to request the deletion of personal data if data is not being processed under the law or if it is no longer necessary; and (iv) right to object at any time to processing of personal data concerning him or her which is based on legitimate grounds or for a specific purpose. These rights are known as 'ARCO Rights'.

Data subjects shall have the right to withdraw their consent at any time for the processing of their personal data.

In addition, we shall provide data subjects with further information on their right to lodge a complaint with the supervisory authority.

Communication of a Personal Data Breach

When the personal data breach is likely to result in a high risk to the rights of individuals, our organization shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall at least describe the nature of the personal data breach, the personal data involved, recommended measures to be taken by the data subject to protect his or her interests, the measures taken or proposed to be taken by the Company to address the personal data breach, and the name and contact details of our Data Protection Officer or other contact point within our organization where more information can be obtained.

Data Protection Officer/department

Our organization is required to appoint and name an employee or department as a Data Protection Officer or department, respectively. This Data Protection Officer or department shall be responsible for taking action on the requests of data subjects.