EU / Swiss Safe Harbor Privacy Policy

EU / Swiss Safe Harbor Privacy Policy


Effective: May 1st, 2015

RTI Surgical, Inc., a United States company (“RTI”), is committed to protecting the data privacy of our personnel, patients, and of those who do business with us. As part of our commitment, RTI has certified to the U.S. - European Union Framework and the U.S.- Swiss Safe Harbor Framework for personal information of RTI’s European controlled affiliates’ personnel and personal health information of patients gathered in the course of clinical trials in the European Economic Area (EEA) - EU.

This page describes the principles we follow with respect to transfers of personal information of personnel and patients enrolled in clinical trials recorded in any form, between countries in the EEA - EU / Switzerland, and the United States.

Safe Harbor

The United States Department of Commerce and the European Commission and the Federal Data Protection and Information Commissioner of Switzerland have agreed on a set of data protection principles and frequently asked questions (the “Safe Harbor Principles”) to enable U.S. companies to satisfy EEA - EU / Switzerland requirements for adequate protection of personal information transferred from the EEA - EU / Switzerland to the United States.

RTI has subscribed to and will adhere to the Safe Harbor Principles by adopting and implementing the Safe Harbor Principles. This Policy applies to RTI in the United States. To learn more about the Safe Harbor program, and to view RTI’s certification, please visit http://www.export.gov/safeharbor/

Definitions

The following terms are used throughout this document and are defined here for clarification.

Agent – Any third party that processes Personal Information on behalf and under the direction of RTI.

Customer – A hospital, medical personnel, physician, nurse or clinic that provides treatment using RTI devices. Customers are data controllers and RTI receives information to process it on behalf of Customers.

Personal Information – Any information or set of information that identifies or could be used by or on behalf of RTI to identify or is about (i) Personnel and (ii) a Patient enrolled in a clinical trial. Personal Information does not include information that is encoded or anonymized and is not subject to re-identification, or publicly available information that has not been combined with non-public personal information.

Sensitive Personal Information – Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sexual orientation.

Patient – An individual in one of the EEA - EU member countries or Switzerland (i) enrolled in a clinical trial sponsored by RTI or one of its affiliated companies, or (ii) have a consumer relationship with our Customers.

Personnel – Current, former, and prospective employees and their dependents, contractors and contingent workers in the EEA - EU or Switzerland.

RTI – RTI Surgical, Inc.

Privacy Principles

Personal Information We Collect
In connection with its clinical research and certain legal and regulatory compliance activities, RTI collects and receives Personal Information about Patients. RTI also receives Personal Information about or from Personnel for human resource management, operations management, security management, transaction and vendor due diligence, and in connection with pre-merger or acquisition activity. Depending on the purpose for the processing, such information may include name, address, telephone number, date of birth, gender, marital status, physical attributes, prescriber information, email address, social security and benefits information, governmental identification numbers, racial or ethnic origin, political affiliations, data concerning health or sex life or medical records, and data relating to information technology use.

Notice
Where RTI and/or its controlled affiliates collect Personal Information as controller directly from Patients and Personnel, we will inform them about the purposes for which we collect, process and use Personal Information about them, the types of non-agent third parties to which RTI discloses that information, and the choices and means, if any, RTI offers individuals for limiting the use and disclosure of their Personal Information. Personal Information about Patients may be used in a manner consistent with the general research purpose for which the data were originally collected; this includes use in future medical and pharmaceutical research activities that are unanticipated at the time of original collection.

RTI relies on its Customers to assume responsibility for the protection of Personal Information they collect and provide to us for processing. Customers are responsible for informing Patients about the purpose for which information about them is collected and used, for protecting that information once it has been collected, and for not disclosing that information without providing clear notice to the Patient.

Choice
Where RTI and/or its controlled affiliates collect Personal Information as controller directly from Patients or Personnel, we will offer the opportunity to choose (opt-out) whether their Personal Information is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. RTI will provide individuals with reasonable mechanisms to exercise their choices.

For Sensitive Personal Information, RTI will give such Personnel and Patients the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of the information to a non-agent third-party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by such Personnel or Patient.

RTI relies on its Customers to assume responsibility for providing any notices and choice with respect to Personal Information (including Sensitive Personal Information) they collect from their Patients and that is provided to us for processing.

Third Party Transfers
RTI will only transfer personal data to a non-agent third party where consistent with (i) the notice provided by RTI and its controlled affiliates and consent that those individuals have given, or (ii) as permitted by Customers.

RTI sometimes contracts with Agents to perform functions or services on our behalf or on behalf of Customers. They may have access to Personal Information needed to perform their functions, but are restricted from using the Personal Information for purposes other than providing such services. RTI requires Agents that access Personal Information received from the EEA – EU and Switzerland either subscribe to the Safe Harbor Principles or are subject to the EU Privacy Directive and the Swiss Federal Act on Data Protection or another adequacy finding, or enter into a written agreement with RTI that requires at least the same level of protection as is required by the relevant Safe Harbor Principles. RTI will also obtain assurances from Agents that they will safeguard Personal Information consistent with our policies. Where RTI has knowledge that a third party business partner is processing Personal Information in a manner contrary to the company policy or Customer’s instructions, RTI will take reasonable steps to prevent or stop such processing.\

Security
RTI will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Information Integrity
RTI will use Personal Information only in ways that are compatible with the purposes for which it was collected or authorized by Personnel, Patients, and Customers. RTI will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current.

Access
Upon request, RTI will permit Personnel and Patients reasonable access to Personal Information that it holds about them. In addition, RTI will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete.

Enforcement and Dispute Resolution
RTI will use a self-assessment approach to assure compliance with this Policy and will periodically verify that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Safe Harbor Principles. RTI encourages Personnel, Patients, and interested persons to raise any concerns using the contact information provided and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Safe Harbor Principles.

RTI will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that RTI determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

RTI has selected the European Data Protection Authorities Panel and the Swiss Federal Data Protection and Information Commission as its external dispute resolution mechanism in the event that a complaint cannot be resolved internally. RTI commits to following the determination and advice of this body.

Limitation on Scope of Principles
Adherence by RTI to this Policy may be limited to the extent required to meet legal, governmental or national security obligations, including requirements to cooperate with law enforcement.

Changes to This Policy
This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. The revisions will take effect on the date of publication of the amended policy, as stated. The change synopsis will notify you of any material changes to this Policy.

Contact Information
Please contact us with any questions about the way in which we use personal data:

RTI Surgical, Inc.
11621 Research Circle
Alachua, FL 32615
Office: 386.418.8888 x4480
cgingras@rtix.com