RTI Surgical, Inc’s Web Privacy Policy and Transparency Disclosure Notice


General Information

RTI Surgical, Inc. and its subsidiary and affiliate entities (“RTI”) are committed to protecting the privacy and security of personal data in our custody.

RTI maintains a network of websites, including http://www.rtix.com/ and http://www.allograftinfo.com/ (collectively referred to as the “Site”). RTI Surgical, Inc.’s Web Privacy Policy and Transparency Disclosure Notice (“Policy”) describes how RTI collects and uses personal data received through its Site and is provided as part of RTI’s compliance with the European General Data Protection Regulation (“GDPR”).

All references to “you” and “your” in this document refer to the individual whose personal data may be processed by RTI.

It is important that you read this notice so that you are aware of and understand how and why we are using such information and how your personal data is processed.

RTI is a data controller. This means that we are responsible for deciding how we hold personal data about you. Our Data Protection Officer or his/her designee oversees compliance with issues in relation to this notice. If you have any questions about this notice, require this notice in a different language, or have a request to exercise your legal rights as set forth in this notice, please contact our Data Protection Officer using the details set out below:

Data Protection Officer
RTI Surgical, Inc.
11621 Research Circle
Alachua, FL 32615
dpo@rtix.com

This notice may be updated from time to time. This version is dated May 25, 2018. Previous versions may be obtained by contacting our Data Protection Officer. By agreeing to this Policy and continuing to use the Site, you are consenting to the use of your personal data as outlined in this Policy and representing that you are sixteen (16) years of age or older or have the consent of a parent/legal guardian for the processing of your personal data related to your use of this Site. You will also be asked to review and consent to this Policy prior to submission of the webforms noted below.

What Data We May Collect

General Browsing - when you visit our website, RTI collects information about you including:

  • IP address
  • Cookies
  • Device information
  • Log file

Some of this data may be “non-personally identifiable information,” meaning that standing alone it is insufficient to identify a specific individual. However, if combined with other personal information, it may be sufficient to identify an individual and will be treated as personal data for as long as it is combined.

Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. This information is used to track visitor use of the Site and to compile statistical reports on Site activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. You will still be able to use our Site with cookies disabled, however, some of our Site features may not function as a result.

RTI’s Site also has multiple different areas from which additional personal data may be requested as part of webform submissions.

Donation and Sponsorship Request Form

As part of its corporate social responsibility policy, RTI provides financial and in-kind sponsorship to charitable organizations in the communities where we have facilities as well as to charitable organizations that support science education, organ and tissue donation, and healthcare. These sponsorship requests are conducted via a web form at

https://www.rtix.com/en_us/about/corporate-social-responsibility (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”)

Personal data RTI collects from you to review these sponsorship request submissions includes:

  • Name
  • The charitable entity with which you are associated
  • Address of charitable entity with which you are associated
  • Title or job description of your position with the charitable entity
  • Email address
  • Age (verification that you are over the age of sixteen)
  • Identification of any officers or board members of your charitable organization that are healthcare professionals
  • Other data (some fields are free form so a user may include additional personal data in these fields)

Product Information Request Forms

On occasion, RTI hosts webforms allowing individuals to request additional information about RTI products. Personal data RTI collects from you when using these product information request forms includes:

  • Name
  • Email address
  • State
  • Relevant job type (i.e. – surgeon or medical device distributor)
  • Age (verification that you are over the age of sixteen)
  • Name
  • Email address
  • Phone number
  • Age (verification that you are over the age of sixteen)
  • Other data (some fields are free form so a user may include additional personal data in these fields)

Contact Us Forms

RTI hosts webforms on its website for individuals to contact us with comments, questions, concerns, compliments, or complaints on RTI Surgical, Inc. These webforms are located at

http://www.rtix.com/en_us/about/contact (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”)

Personal data RTI collects from you when using these “Contact Us” webforms includes*:

  • Name
  • Subject
  • Email
  • Phone
  • Age (confirmation that you are older than 16 years)
  • Other information (there are some free fields in which the user can enter further personal data)

Where We Might Collect Data

RTI might collect your personal data from various sources, including:

  • You (e.g. by visiting our Site and/or filling out forms)
  • The charitable organization with which you are associated (i.e. – in requesting additional information to process donation and sponsorship request submissions)
  • Publicly available sources (i.e. - as part of due diligence research related to donation and sponsorship request submissions)

Purpose, Legal Basis, and Retention Period of Data Collected

General Browsing

Personal data collected for general browsing purposes is used to provide you a better experience in using our Site as well as for us to improve our Site design and services. The legal basis for this processing of your personal data is your consent. You are free to withdraw your consent by contacting our Data Protection Officer. RTI will not engage in further processing of your personal data after the point of revoking consent, however, returning to our Site would constitute renewed consent for collection of personal data related to general browsing.

Donation and Sponsorship Requests

RTI engages in donation and sponsorship activities via contracts with charitable organizations and/or individuals engaged in charitable projects (i.e., healthcare professionals participating in Doctors Without Borders who wish to request in-kind donation of products).

All personal data collected related to donation and sponsorship requests is used by us for pre-engagement work – including due diligence screening - leading to the execution of a contract, communications during course of performance of a contract, renewals of a contract, disputes related to a contract, and/or resolution of a contract.

For contracts with individuals, the legal basis for this processing of your personal data is that it is necessary for the performance of a contract to which you are a party or necessary in order to take steps prior to entering into such a contract.

For contracts with charitable organizations, the legal basis for this processing of your personal data is your consent to serve as a contact point on behalf of your charitable organization related to the contracting process outlined above. You are free to withdraw your consent by contacting our Data Protection Officer. If consent is revoked at the initiation of the contracting process, RTI would securely destroy all your personal data. If consent is revoked at later stages of the contracting process, RTI may retain your personal data for its legitimate business interest of documenting the course of performance and business communications related to the contract prior to the point of revoking consent. RTI will not engage in further processing of your personal data after the point of revoking consent.

If you decline to provide this data, RTI may be unable to go forward with the contracting process with you or your charitable organization or may be unable to perform contract terms of an existing contract.

Product Information Requests and Contact Us Communications

Personal data collected by submitting Product Information Request or Contact Us webform submissions is used to respond to your inquiries. The legal basis for this processing of your personal data is your consent. RTI will not engage in further processing of your personal data after the point of revoking consent.

For messages to the ombudsman, any personal data submitted is used as part of the investigation of the ethical concern noted in your communication. Messages to the ombudsman are treated with confidentiality, and unless required to complete a full investigation of the matter alleged or required by law, personal data included in messages to the ombudsman is not shared with other individuals. RTI’s legal basis for this processing of your personal data is that RTI has a legal obligation to investigate allegations related to violation of law or breach of ethical duties.

Newsletter

Personal data collected by signing up for one of our newsletters is used to communicate with you regarding investment and/or tissue donation. The legal basis for this processing of your personal data is your consent. You are free to withdraw your consent by contacting our Data Protection Officer or by using the “unsubscribe” feature on the newsletter emails. RTI will not engage in further processing of your personal data after the point of revoking consent.

RTI does not use personal data collected from its Site for profiling or marketing - other than providing responses to the product information requests and contact us submissions noted above. Automated decision-making processing of personal data is limited to cookies and other web browsing tools that allow us to provide you with a better and more personalized experience on the Site (i.e., detecting your general location and related language to present the site in the language we believe you are most likely to be fluent).

Personal data will only be used for the purpose(s) outlined above unless RTI reasonably considers that it needs to use it for another reason that is compatible with the original purpose. If you wish to determine if your personal information has been used for another purpose and, if applicable, receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Officer.

If RTI needs to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which would allow RTI to do so.

Please note that RTI may process your personal data without your knowledge or consent where such is required by law.

RTI maintains personal data only as long as necessary to conduct the legitimate business purposes outlined above or as may be otherwise required by law. After this time, personal data is securely destroyed. RTI may, however, continue to store anonymous or anonymized information, such as Site visits, without identifiers, in order to improve our Site design and services. If you want further details related to the period of time your personal data will be stored, please contact our Data Protection Officer.

Identities of Data Controllers and Data Security Measures

To protect your personal data, RTI ensures that access to your personal data is limited to individuals performing functions related to the legitimate business purpose for which it was collected. Additionally, individuals engaged in compliance, internal audit, or data protection and security functions on behalf of RTI or individuals who may be involved in handling disputes related to a contract (for donation and sponsorship requests) may have access to your personal data. These individuals are usually RTI employees; however, on occasion RTI employs third parties for some of these functions. To protect your personal data, RTI requires that third parties with which it shares personal data contractually agree to the relevant privacy principles of this Policy or with relevant data protection principles called for under the GDPR or other relevant data protection laws based on the type of personal data shared.

Our Data Protection Officer can advise you on the identities of other parties or individuals with whom we have shared your personal data.

RTI has put into place appropriate security measures to prevent your personal data from being accidentally lost, used/accessed in an unauthorized way, altered, or disclosed.

RTI has put into place procedures to deal with any suspected data breach which exposes personal data and will notify you and any applicable data protection authority of a breach where we are legally required to do so.

Hyperlinks

RTI’s Site may contain links to websites operated by other entities. This Policy applies only to the websites outlined in the “General Information” section in which “Site” is defined. Privacy policies for any third party sites and services may differ from RTI’s Policy. Upon linking to a third party website, you should read and review their privacy policies to ensure protection of your personal data.

International Transfers

RTI has its headquarters in Alachua, Florida, USA. As such, personal data outlined above will be transferred outside of the European Economic Area (EEA). Such transfers would always be made in compliance with the requirements of the GDPR. If you would like further details on how your personal data would be protected if transferred outside the EEA, please contact our Data Protection Officer.

Your Rights

If you have any questions about this privacy notice or about RTI’s use of your personal data, please contact our Data Protection Officer. Under certain conditions, you may have the right to require RTI to:

  • Provide you with further details on the use RTI makes of your personal data
  • Provide you with a copy of the personal data you have provided to RTI in a format that facilitates portability of your personal data
  • Provide you with a copy of the personal data RTI has about you from other sources as well as the source from which RTI obtained this data, and if applicable, whether it came from a publicly accessible source(s)
  • Update any inaccuracies in your personal data RTI holds
  • Delete any personal data that RTI no longer has a lawful basis to hold or use
  • Where processing is based on consent, withdraw your consent so that RTI stops that particular processing
  • Object to any processing based on the legitimate interests ground unless RTI’s reasons for undertaking that processing outweigh any prejudice to your data protection rights
  • Restrict how RTI uses your personal data while a complaint is being investigated
  • Have RTI pass along to any entities with which it has shared your personal data your request to update inaccuracies, delete data, or restrict processing

In certain circumstances, RTI may need to restrict the above rights in order to safeguard the public interest (e.g. the prevention or detection of a crime) and RTI’s interests (e.g., the maintenance of legal privilege).

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, RTI may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

RTI may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to an unauthorized person (i.e. someone who may be impersonating you).

RTI tries to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made multiple requests. In this situation, RTI will notify you and keep you updated as to a timeline for the completion of your request.

For residents of the European Union, if you are not satisfied with RTI’s use of your personal data or RTI’s response to any request by you to exercise any of your rights, or if you suspect that RTI may have breached the requirements of the GDPR, then you have the right to lodge a complaint with a member state supervisory authority for data protection issues. You may locate the relevant data protection authority by consulting the European Commission’s online directory.

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

General Data Protection Regulation (GDPR)

Information and Disclosures of Personal Data under the European Union General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) requires that personal data from the European Union (EU)/European Economic Area (EEA) is subject to special protection. The GDPR also provides EU-based individuals (“Data Subjects”) with certain individual rights with respect to their personal information. These include:

  • The right to be informed about the collection and use of their personal data
  • The right of access to find out what data is stored about them
  • The right to rectification of their personal data if it is inaccurate or incomplete
  • The right to erasure to enable an individual to request the deletion or removal of certain personal data where there is no compelling reason for its continued processing
  • The right to restrict processing to ‘block’ or suppress processing of personal data
  • The right to data portability allowing individuals to obtain and reuse their personal data for their own purposes
  • The right to object to the processing of personal data under certain circumstances
  • Various rights in relation to certain kinds of automated decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual)

RTI Surgical, including its affiliates and subsidiaries, will make all reasonable efforts to abide by the GDPR and provide at least the same level of data protection for personal data received from the EU and processed, as the privacy protections set forth in our Notice of Privacy Practices (NPPs). We will also make reasonable attempts to accommodate requests by Data Subjects to exercise the rights listed above. Where necessary and appropriate we have implemented organizational and technical measures that include internal data protection policies and maintaining documentation on our processing activities. We have also appointed a Data Protection Officer.

1. How We Use Personal Data
We use Personal Data for purposes related to providing products and services for clinical research, medical care and advice, as well as for insurance reimbursement and health benefits administration purposes when requested. We also use your Data for certain administrative and corporate services. The services include providing appropriate products for medical treatment, consulting with your providers and to the extent requested for reimbursement assistance, maintaining information on your insurance programs.

Our administrative and corporate services include but are not limited to: accepting and processing applications for employment, keeping employment records, billing, and developing and marketing new products and services, processing information for sales and invoices. Please review the applicable Notice of Privacy Practices for additional information.

2. Who Receives Personal Data?
Members of our workforce use Personal Data in order for us to provide services to you. In addition, we share Personal Data as necessary with certain third parties who contract with us to provide services. We also share Personal Data with clients, e.g. group health plans, and some of their vendors for reimbursement assistance and insurance coverage for our products.

3. How long is Data stored?
We store data for as long as is necessary to provide the services and for a reasonable retention period. Our usual storage period is seven (7) years, but legal requirements and our corporate policies might lead to longer or shorter periods.

4. Your Rights with Respect to Your Personal Data
You have the right at any time to request access to and rectification or erasure of personal data that we hold. You can also request the restriction of processing of your Personal Data, and you have the right to data portability. If you would like to exercise any of these rights, please send a written request to our Data Protection Officer at the address listed below. Not all requests can be granted. If your request is denied, you will be provided with the reason for the denial.

5. Withdrawal of Consent
We collect consent for the processing of EU Personal Data. You have the right to withdraw consent at any time. You must withdraw your consent in writing, addressed to the Data Protection Officer listed below. In order to ensure timely and accurate processing of your withdrawal, you must include your name, address, your Identification Number (if the withdrawal is directed to Highmark concerning your health insurance coverage) and the specific processes for which you no longer consent in your request. Withdrawing consent will not affect the lawfulness of the processing that took place based on the consent you provided before the withdrawal.

6. Complaints
You have the right to lodge a complaint with the appropriate data protection authority.

7. Source of Data and Legal Basis for Our Data Processing
In order to provide services to you, we may receive Personal Data from you, from your providers of medical care, and from other third parties. We may need access to your Personal Data, such as name, address and medical information, regardless of who provides it, in order for us to provide the services described above.

8. Is Personal Data Used for automated decision-making or profiling?
We do not use automated decision-making processes and profiling of your data.

9. Location of Data Processing
Personal Data that we process is processed in the United States or Germany.

10. Additional Processing
If we intend to use Personal Data for a purpose other than the original purposes for which we collected the Data (see Notice of Privacy Practices and Item 1. above), prior to that additional processing, we will provide you with information on that other purpose and any further relevant information, insofar as you do not already possess such information.

11. Processors and Controllers
Depending upon the engagement and purpose, RTI Surgical and its Affiliates are either the Controllers, Data Processors, or, in some cases, Sub-Processors with respect to your Personal Data. Our address is 11621 Research Circle, Alachua, FL 32615.

Contact Data Protection Officer, Francisco Rivas, Esq., at frivas@rtix.com.

California Residents

The following provisions apply to the personal data of California residents collected by RTI, whether collected online or offline. These provisions supplement the other sections of the Privacy Policy.

We do not sell personal data about California residents.

During the past 12 months, we may have engaged in delivering online advertising that was tailored to your interests, which might be deemed to be a sale of data under the California Consumer Privacy Act, but we did not disclose data that would identify you by name, address or phone number.