Last updated: December 2022
1. Scope and information that this Online Privacy Notice covers
This Online Privacy Notice (this “Privacy Notice”) applies only to Personal Information (defined below) collected on our websites, mobile applications, or cloud-based services and communication platforms with a link to this Privacy Notice (collectively, the “Site”). This Privacy Notice includes information on how ICU Medical, Inc (“ICU Medical”, “we” or “our”) collect, use, disclose, and otherwise process Personal Information since this Privacy Notice was posted. References to “Personal Information” in this Privacy Notice means information that identifies or can reasonably identify users of the Site (“you”) personally. ICU Medical is the controller of Personal Information that we collect, use, disclose, and otherwise process as described in this Privacy Notice.
Summary of Key Points
We generally collect Personal Information that you provide to us. Additionally, the computer systems used to operate the Site may acquire some of your Personal Information.
|We generally use Personal Information to collect anonymous statistical information on the use of the Site and to ensure it is working properly. The data collected is deleted immediately after processing. Further information about the use of your Personal Information in support of our business activities is available below.
|We only process and disclose your Personal Information to the extent reasonably necessary to fulfil your requests and meet our legitimate business and legal objectives. Personal Information is accessible to our duly authorized personnel as necessary and is disclosed to third parties in the following cases: (i) when disclosure is required by laws and regulations applicable to legitimate third-party recipients; and (ii) disclosure to third parties in the event of extraordinary transactions. Personal Information is also disclosed to our service providers. We provide such parties only with the data necessary to perform the agreed services. Further information about the use, processing, and disclosure of your Personal Information is available below.
|Data Transfers Abroad
|Depending on the program or service, we will retain your Personal Information only for the period necessary to fulfil the purposes outlined in this Privacy Notice, unless a longer retention period is required or permitted by a law or regulation that applies to us or the data retention for the program or service.
|Persons under the age of 16 are ineligible to use any services on our Site.
|ICU Medical, Inc. can be contacted by writing to 951 Calle Amanecer, San Clemente, CA 92673, USA or email: firstname.lastname@example.org.
2. Collection of Information
Registration and other information provided
You are not required to create a personal account. For public areas of our Site, we generally collect and process only Personal Information you voluntarily provide to us. We don’t require you to give us Personal Information to access certain public areas of our Site. This is true unless you live in a jurisdiction that defines Personal Information to include network identifiers like your Internet Protocol addresses. For some secure areas of our Site, however, we require you to provide Personal Information, including your login credentials. We also collect your Personal Information on the Site to perform services on our Site, enhance the services we offer you, maintain and improve the Site, to secure you and our Site, comply with legal obligations, and inform you about other services and products that may be available through us, our affiliated companies, and our marketing partners.
If you choose not to provide us with the Personal Information that we legitimately require, we may be unable to provide you with the information or services you have requested. Public areas of our Sites ask for Personal Information from you when you engage in the following activities:
- Register for an account with us;
- Sign up for newsletters or general information about our programs and services;
- Apply to join our team; and
- Request customer or technical support.
Personal Information may include any or all of the following:
- First name and surname;
- Postal or billing address;
- E-mail address;
- Telephone or mobile number;
- Location via IP address;
- Previous login history with our Site; and
- Other relevant data, including any information you provide when contacting us.
Even if you do not send us any Personal Information, we may collect certain non-personal information about how you use our Site. This non-personal information cannot reasonably identify you and is used for statistical purposes.
Information Collected Through Technology
We may also obtain information in other ways through technology. Some of this information may be linked to you personally. We process this information to help our Sites function correctly, and better understand the needs of our customers.
Depending on the permissions you’ve granted and other factors, we may receive information about your location and your mobile device, including a unique identifier for your device. In particular, we collect the following information:
- Attributes such as the operating system, hardware version, device settings, battery and signal strength, and device identifiers.
- Certain device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals are gathered if you enabled the functionality within our product configuration.
- Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
- Gathering of IP address is used for our enhanced security.
Most mobile devices require you to provide your consent for location services, and allow you to turn off location services, and we encourage you to contact your device manufacturer for detailed instructions on how to do that.
3. Processing Your Information
Purpose of the processing
We do not disclose your Personal Information to unaffiliated third parties solely for their own direct marketing purposes. We do not sell your Personal Information. Whatever the purpose may be – whether we disclose the personal information to service providers or other external entities – we only process and disclose your Personal Information to the extent reasonably necessary to fulfill your requests and meet our legitimate business and legal objectives.
Providing the above registration information is necessary in order to create an account and also:
- to respond to and manage questions, complaints, reviews of our services, requests for information, and/or user feedback;
- to provide the services requested through the Site, including registration and subsequent updates and to manage the activities organized through the Site;
- to carry out statistical analysis and surveys;
- to manage sales activities; and
- to provide sales and after-sales services, such as administration, accounting, returns and guarantee management, fraud prevention, customer relationship management, including compliance with legal obligations, regulations and EU regulations (including anti-money laundering regulations) and to exercise rights in legal proceedings
Any refusal by you to provide this information would still allow you to use the Site but would prevent you from using some of our services reserved for registered users.
In addition, your Personal Information must be processed in order to fulfill the contractual relationship arising from the purchase of ICU Medical products. You are free to disclose your data to us or not, but in the absence of the requested data you will not be able to purchase ICU Medical products and it will not be possible to handle your requests.
Further purposes of the processing
If we receive your consent, we will use your Personal Information for other purposes such as commercial or advertising communications, direct sales, in-store sales support worldwide through email (newsletter), telephone, SMS/MMS, or other marketing related communications. You may, at any time, indicate your preferred means of contact from among those listed above and you may refuse the receipt of promotional communication by any or all of these means of contact.
With your consent, which is optional, ICU Medical collects information about your preferences, habits and lifestyle as well as details of purchases made in order to use these to create group and individual profiles (“profiling”) and to send you personalized communications. Personalized communication may be sent by email (newsletter), phone, SMS, MMS, chat, instant messaging, social networking and traditional mail. You may at any time indicate your preferred means of contact from among those listed above and you may refuse the receipt of promotional communication by any or all of these means of contact.
Consent for the above marketing and profiling purposes is optional and refusal will not have any consequences. Data may be provided by you on registration at our points of sale by means of paper and/or electronic forms, acquired during visits to our stores belonging to the ICU Medical Group or through interaction with websites, internet applications and mobile applications belonging to the ICU Medical Group.
Legal grounds for the collection, use, disclosure and other processing of Personal Information
Certain jurisdictions require the identification of the legal grounds for the collection, use, disclosure, and other processing of Personal Information. We rely on the following legal grounds for the collection, use, disclosure, and processing of Personal Information as described in this Privacy Notice:
- Necessary to provide information or otherwise carry out the performance of a contract with you as an individual;
- Our legitimate interests, including:
- Performance of the contract with you;
- Implementation and operation of a group-wide matrix structure and group-wide information disclosures;
- Customer relationship management and other forms of marketing and analytics;
- Fraud prevention, misuse of company IT systems, or money laundering;
- Whistle-blower scheme operations;
- Physical, IT, and network perimeter security;
- Internal investigations; and
- Intended mergers and acquisitions;
- Compliance with legal obligations and/or defense against legal claims, including those in the areas of healthcare, labor, social security, data protection, tax, and corporate compliance laws.
- Protection of the vital interests of any individual;
- Performance of a task carried out in the public interest or in the exercise of official authority vested in us; and
- Consent, as permitted by applicable law.
Authorized Service Providers. We use other companies and individuals to perform certain functions on our behalf. Those functions include payment card processing, analyzing or hosting data on cloud-based servers, website support and design, and other companies that help us improve our products and services. We may disclose certain Personal Information to these companies and other individuals performing services in the United States or other locations where we conduct business.
Sale of the Businesses. If we sell all or part of our business, Personal Information may be transferred to the purchaser in connection with that transaction. We will use reasonable efforts to include contractual provisions that require the purchaser to treat your Personal Information consistent with the terms of this Privacy Notice.
Other Disclosures. We may otherwise disclose Personal Information as permitted or required by law, when we believe in good faith it is necessary for safety purposes, required for legal reporting, or to protect our legal rights or enforce our Site’s terms and conditions or any applicable rules, or to protect the rights of others. We may also disclose Personal Information to our auditors, legal advisors, or to respond to a subpoena. We may also aggregate information that we gather about you (e.g., online sales, traffic patterns) and provide these statistics to others in aggregate form.
The recipients identified above may be located inside or outside the European Economic Area (“EEA”) or United Kingdom (“UK”). Recipients outside the EEA or UK might be located in countries that do not offer an adequate level of protection from an EEA or UK data protection law perspective. We will take all necessary measures to ensure that transfers out of the EEA or UK are adequately protected as required by applicable data protection law. With respect to transfers to countries not providing an adequate level of data protection, we may base the transfer on appropriate safeguards, such as the EU standard contractual clauses (or equivalent standard contractual clauses approved under UK data protection laws for transfers of personal data outside of the UK), approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can request a copy of the appropriate safeguards by contacting us as set out in the Questions section below.
Any access to your Personal Information is restricted to those individuals who have a need to receive or access this data in order to fulfill their job responsibilities. We may also disclose your Personal Information as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.
On the Site you may also find social buttons/widgets, in other words those distinctive “buttons” showing social network icons like Facebook, Instagram and Twitter. These buttons allow users who are browsing the Site to share and interact with social networks with a simple “click”.
Cookies for our Services generally fall into the following categories:
- Technical Cookies: Technical cookies are necessary for the functioning of the Site, including the provision of the services offered by the Site. This category of cookies includes session and functionality cookies, used by the owner to, for example, collect information, in aggregate form, about the number of users and how they use the Site or to save your browsing preferences, such as the language. Under certain laws, cookies that are strictly necessary for the functioning of the Site do not require the user’s consent.
- Analytics Cookies: Analytics cookies are used to carry out statistical analyses by allowing us to recognize and count the number of users of our Site and see how those users navigate the Site. These cookies are collected anonymously and exclusively for statistical purposes. This helps to improve how our Site works, for example, by ensuring that users can find what they are looking for easily.
- Our Own-, and Third-Party Profiling Cookies: Our own and third-party profiling cookies are designed to create user profiles and used to send and display advertising messages in line with the preferences expressed by users during their browsing. This category of cookies always requires the user’s optional consent.
The above cookies may be:
- temporary, when they are automatically deleted at the end of the connection;
- permanent, when they remain on the user’s hard drive, unless the user deletes them;
- first party, when they are issued and managed directly by the Site administrator;
- third party, when they are managed by a domain other than the one visited by the user.
5. Cross-Border Data Transfers
Yoxur Personal Information may be transferred outside of your home country to third party recipients established within the EU or the UK, and to third party countries, not belonging to the EU or outside of the UK, which do not guarantee the same level of data protection as the EU or UK (as applicable). If you are located in a jurisdiction that does not consider the outside country to provide an adequate level of protection as the EU or the UK, cross-border transfer of your information is necessary for the conclusion or performance of a transaction that you requested, and for the establishment, exercise, and defense of legal claims. However, you are advised that such transfer to third party countries will always be in accordance with the provisions of the Privacy Notice, i.e., by obtaining your consent, when necessary, or by adopting appropriate safeguards. For example, with respect to transfers to countries not providing an adequate level of data protection, we may base the transfer on appropriate safeguards, such as the EU standard contractual clauses (or equivalent standard contractual clauses approved under UK data protection laws for transfers of personal data outside of the UK), approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can request a copy of the appropriate safeguards by contacting us as set out in the Questions section below. To the extent permitted by local law, your use of this Site or provision of any Personal Information constitutes, where legally permitted, your consent to the cross-border transfer of Personal Information and other activities identified in this Privacy Notice.
6. Security of Information
Our security measures include contractual arrangements with any contractor (e.g., service providers) or other party intended to protect the security and confidentiality of your Personal Information, prevent unauthorized access or disclosure of Personal Information in our custody or control, and maintain data accuracy in accordance with the provisions of our Privacy Notice.
7. Data Retention
We store personal information as long as necessary to provide you with any products or services that you requested, and to fulfil the other purposes set forth in this Privacy Notice, as appropriate. Otherwise, we will only retain your personal information in accordance with storage periods as required or permitted by applicable laws and regulations (e.g., to account for statutory periods of limitation).
The Site is not intended for persons under 16 years of age, and we do not knowingly solicit or collect personal information from or about children. Our products are intended for use by providers of healthcare, and we do not knowingly market our products or services to children.
9. User Rights
Certain jurisdictions maintain local data protection regulations that confer certain data protection rights on individuals. We will address those rights as required by applicable laws. If you wish to exercise any of these rights, please contact us as specified below. If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. This withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. To the extent you’ve provided your consent and wish to withdraw it, you can contact us as stated below.
Pursuant to applicable data protection law you may also have the right to: (1) request access to Personal Information; (2) request rectification of your Personal Information; (3) request erasure of your Personal Information; (4) request restriction of processing of your Personal Information; (5) request data portability of your Personal Information; and/or (6) object to the processing of your Personal Information. Please note that these rights might be limited under the applicable national data protection law.
Below is a general description of your rights and how to exercise them:
- Right of access: You may have the right to obtain from us confirmation as to whether or not Personal Information concerning you is processed, and, to request access to the Personal Information. The access information includes, among other things, the purposes of the processing, the categories of Personal Information concerned, and the recipients or categories of recipient to whom the Personal Information have been or will be disclosed. This is not, however, an absolute right, and the interests of other individuals may restrict your right of access. You may have the right to obtain a copy of their Personal Information undergoing processing.
- Right to rectification: You may have the right to obtain from us the rectification of inaccurate Personal Information about you. Depending on the purposes of the processing, you may have the right to have incomplete Personal Information completed, including by means of providing a supplementary statement.
- Right to erasure: Under certain circumstances, you may have the right to obtain from us the erasure of Personal Information concerning you, and we may be obligated to erase that Personal Information, as long as it is not required for legal or regulatory purposes.
- Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your Personal Information. In that case, your data will be marked and may only be processed by us for certain limited purposes.
- Right to data portability: Under certain circumstances, you may have the right to receive the Personal Information about you, which you have provided to us, in a structured, commonly used and machine-readable format, and you may have the right to transmit that data to another entity without hindrance from us.
- Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Information by us, and we can be required to no longer process your Personal Information. For example, where we process your Personal Information on the basis of our legitimate interests. However, as we process and use your Personal Information primarily for purposes of carrying out the contract for services and in furtherance of our relationship, we have a compelling legitimate interest for the processing which may override your objection request, unless the request relates to marketing activities.
To exercise your rights, please contact us at email@example.com.
You also have the right to lodge a complaint with a competent data protection supervisory authority.
A list of local data protection authorities in European countries is available here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
For the United Kingdom, you may contact the Information Commissioner’s Office at: https://ico.org.uk/
Phone: 0303 123 1113, Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For Argentina, you may contact La Agencia de Acceso a la Informacion Publica at https://www.argentina.gob.ar/aaip/datospersonales
For Colombia, you may contact the Superintendencia de Industria y Comercio at https://www.sic.gov.co/
The Mexican data protection authority is the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos (INAI)), and can be accessed here: https://gobierno.com.mx/ifai.html
For Peru, you may contact the Directorate for the Protection of personal data, which is part of the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (NDPA) at https://www.gob.pe/minjus.
10. California Notice Obligations
The additional disclosures in this section entitled "California Notice Obligations" apply only if you reside in California. This Notice does not reflect our processing of California residents’ personal information where an exception under California law applies. Please see Section 2 above for information about the categories of personal information that we collect from you when you use our Site. These categories correspond with the following categories under the CCPA's definition of "personal information":
- Identifiers, including name, address, phone number, e-mail address, account username, account password, information collected via cookies, and IP address;
- Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, address, and telephone number.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or Other Electronic Network Activity, including browser, time and date of access, operating system, application version, device ID, and pages shown.
- Geolocation data (but not precise geolocation data).
- Professional information.
- Audio, electronic, visual or similar information.
- Education or employment-related information if you submit a job application.
Please see Section 3 above for the purposes for which we process personal information, and Section 7 above for the criteria we use to determine how long to retain each category of personal information we collect. We do not sell or share for cross-context behavioral advertising any of the personal information that we collect about California residents. We do not collect sensitive personal information unless you voluntarily submit it to us, we do not use sensitive personal information to infer characteristics about users of the Site residing in California, and we only use sensitive personal information for purposes referred to under Subsection 1798.121(a) of the CCPA. Our CCPA Privacy Notice is available at https://www.icumed.com/ccpa-privacy-notice.
11. Philippines Privacy Rights
If you are a Philippine (“PH”) citizen or resident, please note that the laws applicable to your personal data include Republic Act No. 10173, or the Philippine Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and the related issuances of the Philippine National Privacy Commission (NPC). In this regard and in addition to those matters contained in this Privacy Notice, please note the following information that specifically apply to you and the processing of your personal data:
- PH Personal Data. Consistent with the “Collection of Information” section above, we may collect personal information about you, such as your name, address, phone number, e-mail address, information collected via cookies, and IP address.
In the event that we will be collecting your sensitive personal information as defined under the DPA, we will only do so upon your express consent and only for the purposes it was provided, or in accordance with the applicable law.
- Processing of PH Personal Data. We process your personal information on the basis of your express consent (Section 12(a), DPA) whenever we deem appropriate or to the extent required by applicable law, such as when the transfer of personal data constitutes data sharing under the DPA. Otherwise, we base our processing of your personal information on our legitimate interests (Section 12(f), DPA) or when required by the applicable law (Section 12(c), DPA).
In the event that we will be processing your sensitive personal information as defined under the DPA, we will only do so upon your express consent and only for the purposes it was provided, or in accordance with the applicable law.
- Rights of Data Subjects. As a PH citizen or resident, you acknowledge the existence of your rights as a data subject under the DPA, its Implementing Rules and Regulations, and the relevant issuances of the NPC.
12. Questions or Complaints
If you believe that your Personal Information has not been correctly processed, or if you would like to exercise any of your rights under applicable privacy or data protection laws, you may email us at firstname.lastname@example.org.
Access Notice in Alternative Formats. Individuals who need assistance accessing this Privacy Notice in an alternative format can do so by contacting us toll-free.
13. Changes to this Notice
ICU Medical reserves the right to modify or update this Privacy Notice from time to time. The modified Privacy Notice will be published in visible places in our Site. Any changes will be effective immediately upon the posting of the revised Privacy Notice or as of the effective date shown in the Privacy Notice. Unless applicable laws require us to obtain your consent in another manner, your continued use of our Site after we publish on the Site a material modification to this Privacy Notice means that you consent to us processing your personal information as described in the revised Privacy Notice. ICU Medical encourages you to review periodically our Privacy Notice.