RTI Surgical, Inc’s Web Privacy Policy and Transparency Disclosure Notice

RTI Surgical, Inc’s Web Privacy Policy and Transparency Disclosure Notice


General Information

RTI Surgical, Inc.and its subsidiary and affiliate entities (“RTI”) are committed to protecting the privacy and security of personal data in our custody.

RTI maintains a network of websites, including http://www.rtix.com/, http://www.rtidonorservices.org/ and http://www.allograftinfo.com/ (collectively referred to as the “Site”). RTI Surgical, Inc.’s Web Privacy Policy and Transparency Disclosure Notice (“Policy”) describes how RTI collects and uses personal data received through its Site and is provided as part of RTI’s compliance with the European General Data Protection Regulation (“GDPR”).

All references to “you” and “your” in this document refer to the individual whose personal data may be processed by RTI.

It is important that you read this notice so that you are aware of and understand how and why we are using such information and how your personal data is processed.

RTI is a data controller. This means that we are responsible for deciding how we hold personal data about you. Our Data Protection Officer or his/her designee oversees compliance with issues in relation to this notice. If you have any questions about this notice, require this notice in a different language, or have a request to exercise your legal rights as set forth in this notice, please contact our Data Protection Officer using the details set out below:

Data Protection Officer
RTI Surgical, Inc.
11621 Research Circle
Alachua, FL 32615
dpo@rtix.com

This notice may be updated from time to time. This version is dated May 25, 2018. Previous versions may be obtained by contacting our Data Protection Officer. By agreeing to this Policy and continuing to use the Site, you are consenting the use of your personal data as outlined in this Policy and representing that you are sixteen (16) years of age or older or have the consent of a parent/legal guardian processing of your personal data related to your use of this Site. You will also be asked to review and consent to this Policy prior to submission of the webforms noted below

What Data We May Collect

General Browsing - when you visit our website, RTI collects information about you including:

  • IP address
  • Cookies
  • Device information
  • Log file

Some of this data may be “non-personally identifiable information,” meaning that standing alone it is insufficient to identify a specific individual. However, if combined with other personal information, it may be sufficient to identify an individual and will be treated as personal data for as long as it is combined.

Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. This information is used to track visitor use of the Site and to compile statistical reports on Site activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. You will still be able to use our Site with cookies disabled, however, some of our Site features may not function as a result.

RTI’s Site also has multiple different areas from which additional personal data may be requested as part of webform submissions.

Donation and Sponsorship Request Form

As part of its corporate social responsibility policy RTI provides financial and in-kind sponsorship to charitable organizations in the communities we have facilities as well as to charitable organizations that support science education, organ and tissue donation, and healthcare. These sponsorship requests are conducted via a webform at

http://www.rtix.com/en_us/about/corporate-social-responsibility (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”)

Personal data RTI collects from you to review these sponsorship request submissions includes:

  • Name
  • Charitable entity with which you are associated
  • Address of charitable entity with which you are associated
  • Title or job description of your position with the charitable entity
  • Email address
  • Age (verification that you are over the age of sixteen)
  • Identification of any officers or board members of your charitable organization that are healthcare professionals
  • Other data (some fields are free form so a user may include additional personal data in these fields)

Product Information Request Forms

On occasion, RTI hosts webforms allowing individuals to request additional information about RTI products. This is an example of such a form

http://www.rtix.com/en_us/healthcare-professionals/tetrafuse-3d-technology (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”)

Personal data RTI collects from you when using these product information request forms includes:

  • Name
  • Email address
  • State
  • Relevant job type (i.e. – surgeon or medical device distributor)
  • Age (verification that you are over the age of sixteen)
  • Name
  • Email address
  • Phone number
  • Age (verification that you are over the age of sixteen)
  • Other data (some fields are free form so a user may include additional personal data in these fields)

Contact Us Forms

RTI hosts webforms on its website for individuals to contact us with comments, questions, concerns, compliments, or complaints on both the RTI Surgical, Inc. site as well as the RTI Donor Services, Inc. site. These webforms are located at

http://www.rtix.com/en_us/about/contact (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”), and

http://www.rtidonorservices.org/contact

RTI also hosts a separate form for reporting to our ombudsman at

http://www.rtix.com/en_us/investors/report-to-the-ombudsman (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”)

Personal data RTI collects from you to when using these “Contact Us” webforms includes*:

*Note – to allow for confidential reporting of ethical concerns, the “name,” “email address,” and “phone number” fields are optional to include when submitting messages to the ombudsman.

Newsletters

RTI is a publicly traded company and manages a newsletter for individuals interested in investment related matters. The webform for signing up for this newsletter is located at

http://www.rtix.com/en_us/investors/email-alerts (or via a similar address per your relevant location and language preferences as detected by IP address and/or cookies as noted under “general browsing”)

RTI Donor Services, Inc. is a non-profit entity focused on tissue donation and manages a newsletter for those interested in learning more about tissue donation and the impact donation has on families and communities. The webform for signing up for this newsletter is located at

http://www.rtidonorservices.org/contact

Personal data RTI collects from you when signing up for these newsletters includes:

  • Name
  • Email address
  • Relationship status (i.e., community member, donor family member, healthcare professional, etc. for the RTI Donor Services newsletter only)
  • Company and job title (for the RTI investor newsletter only)
  • Age (verification that you are over the age of sixteen)

Where We Might Collect Data

RTI might collect your personal data from various sources, including:

  • You (e.g. by visiting our Site and/or filling out forms)
  • The charitable organization with which you are associated (i.e. – in requesting additional information to process donation and sponsorship request submissions)
  • Publicly available sources (i.e. - as part of due diligence research related to donation and sponsorship request submissions)

Purpose, Legal Basis, and Retention Period of Data Collected

General Browsing

Personal data collected for general browsing purposes is used to provide you a better experience in using our Site as well as for us to improve our Site design and services. The legal basis for this processing of your personal data is your consent. You are free to withdraw your consent by contacting our Data Protection Officer. RTI will not engage in further processing of your personal data after the point of revoking consent, however, returning to our Site would constitute renewed consent for collection of personal data related to general browsing.

Donation and Sponsorship Requests

RTI engages in donation and sponsorship activities via contracts with charitable organizations and or individuals engaged in charitable projects (i.e, healthcare professionals participating in Doctors Without Borders who wish to request in-kind donation of products).

All personal data collected related to donation and sponsorship requests is used by us for pre-engagement work – including due diligence screening - leading to the execution of a contract, communications during course of performance of a contract, renewals of a contract, disputes related to a contract, and/or resolution of a contract.

For contracts with individuals, the legal basis for this processing of your personal data is that it is necessary for the performance of a contract to which you are a party or necessary in order to take steps prior to entering into such a contract.

For contracts with charitable organizations, the legal basis for this processing of your personal data is your consent to serve as a contact point on behalf of your charitable organization related to the contracting process outlined above. You are free to withdraw your consent by contacting our Data Protection Officer. If consent is revoked at the initiation of the contracting process, RTI would securely destroy all your personal data. If consent is revoked at later stages of the contracting process, RTI may retain your personal data for its legitimate business interest of documenting the course of performance and business communications related to the contract prior to the point of revoking consent. RTI will not engage in further processing of your personal data after the point of revoking consent.

If you decline to provide this data, RTI may be unable to go forward with the contracting process with you or your charitable organization or may be unable to perform contract terms of an existing contract.

Product Information Requests and Contact Us Communications

Personal data collected by submitting Product Information Request or Contact Us webform submissions is used to respond to your inquiries. The legal basis for this processing of your personal data is your consent. RTI will not engage in further processing of your personal data after the point of revoking consent.

For messages to the ombudsman, any personal data submitted is used as part of the investigation of the ethical concern noted in your communication. Messages to the ombudsman are treated with confidentiality, and unless required to complete a full investigation of the matter alleged or required by law, personal data included in messages to the ombudsman is not shared with other individuals. RTI’s legal basis for this processing of your personal data is that RTI has a legal obligation to investigate allegations related to violation of law or breach of ethical duties.

Newsletter

Personal data collected by signing up for one of our newsletters is used to communicate with you regarding investment and/or tissue donation. The legal basis for this processing of your personal data is your consent. You are free to withdraw your consent by contacting our Data Protection Officer or by using the “unsubscribe” feature on the newsletter emails. RTI will not engage in further processing of your personal data after the point of revoking consent.

RTI does not use personal data collected from its Site for profiling or marketing - other than providing responses to the product information requests and contact us submissions noted above. Automated decision-making processing of personal data is limited to cookies and other web browsing tools that allow us to provide you with a better and more personalized experience on the Site (i.e., detecting your general location and related language to present the site in the language we believe you are most likely to be fluent).

Personal data will only be used for the purpose(s) outlined above unless RTI reasonably considers that it needs to use it for another reason that is compatible with the original purpose. If you wish to determine if your personal information has been used for another purpose and, if applicable, receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Officer.

If RTI needs to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which would allow RTI to do so.

Please note that RTI may process your personal data without your knowledge or consent where such is required by law.

RTI only maintains personal data only as long as necessary to conduct the legitimate business purposes outlined above or as may be otherwise required by law. After this time, personal data is securely destroyed. RTI may, however, continue to store anonymous or anonymized information, such as Site visits, without identifiers, in order to improve our Site design and services. If you want further details related to the period of time your personal data will be stored, please contact our Data Protection Officer.

Identities of Data Controllers and Data Security Measures

To protect your personal data, RTI ensures that access to your personal data is limited to individuals performing functions related to the legitimate business purpose for which it was collected. Additionally, individuals engaged in compliance, internal audit, or data protection and security functions on behalf of RTI or individuals who may be involved in handling disputes related to a contract (for donation and sponsorship requests) may have access to your personal data. These individuals are usually RTI employees, however, on occasion RTI employees third parties for some of these functions. To protect your personal data, RTI requires that third parties with which it shares personal data contractually agree to the relevant privacy principles of this Policy or with relevant data protection principles called for under the GDPR or other relevant data protection laws based on the type of personal data shared.

Our Data Protection Officer can advise you on the identities of other parties or individuals with whom we have shared your personal data.

RTI has put into place appropriate security measures to prevent your personal data from being accidentally lost, used/accessed in an unauthorized way, altered, or disclosed.

RTI has put into place procedures to deal with any suspected data breach which exposes personal data and will notify you and any applicable data protection authority of a breach where we are legally required to do so.

Hyperlinks

RTI’s Site may contain links to websites operated by other entities. This Policy applies only to the websites outlined in the “General Information” section in which “Site” is defined. Privacy policies for any third party sites and services may differ from RTI’s Policy. Upon linking to a third party website, you should read and review their privacy policies to ensure protection of your personal data.

International Transfers

RTI’s has its headquarters in Alachua, Florida, USA. As such, personal data outlined above will be transferred outside of the European Economic Area (EEA). Such transfers would always be made in compliance with the requirements of the GDPR. If you would like further details on how your personal data would be protected if transferred outside the EEA, please contact our Data Protection Officer.

Your Rights

If you have any questions about this privacy notice or about RTI’s use of your personal data, please contact our Data Protection Officer. Under certain conditions, you may have the right to require RTI to:

  • Provide you with further details on the use RTI makes of your personal data
  • Provide you with a copy of the personal data you have provided to RTI in a format that facilitates portability of your personal data
  • Provide you with a copy of the personal data RTI has about you from other sources as well as the source from which RTI obtained this data, and if applicable, whether it came from a publicly accessible source(s)
  • Update any inaccuracies in your personal data RTI holds
  • Delete any personal data that RTI no longer has a lawful basis to hold or use
  • Where processing is based on consent, withdraw your consent so that RTI stops that particular processing
  • Object to any processing based on the legitimate interests ground unless RTI’s reasons for undertaking that processing outweigh any prejudice to your data protection rights
  • Restrict how RTI uses your personal data while a complaint is being investigated
  • Have RTI pass along to any entities with which it has shared your personal data your request to update inaccuracies, delete data, or restrict processing

In certain circumstances, RTI may need to restrict the above rights in order to safeguard the public interest (e.g. the prevention or detection of a crime) and RTI’s interests (e.g., the maintenance of legal privilege).

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, RTI may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternately, we may refuse to comply with your request in these circumstances.

RTI may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to an unauthorized person (i.e. someone who may be impersonating you).

RTI tries to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made multiple requests. In this situation, RTI will notify you and keep you updated as to a timeline for completion of your request.

For residents of the European Union, if you are not satisfied with RTI’s use of your personal data or RTI’s response to any request by you to exercise any of your rights, or if you suspect that RTI may have breached the requirements of the GDPR, then you have the right to lodge a complaint with a member state supervisory authority for data protection issues. You may locate the relevant data protection authority by consulting the European Commission’s online directory.

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

RTI would appreciate the opportunity to deal with your concerns directly before you approach a supervisory authority and respectfully request you contact us prior to engaging a data protection authority. Please direct communication to

Data Protection Officer
RTI Surgical, Inc.
11621 Research Circle
Alachua, FL 32615
dpo@rtix.com