Privacy Notice – EEA (Iceland and Norway)
Current version: 02 March 2021
This statement includes information about:
3. Personal Data and/or Sensitive Personal Data We Collect
4. How We Use Personal Data/Sensitive Personal Data We Collect and How We Justify it
5. Personal Data or Sensitive Personal Data We Share
6. How We Hold and Protect Personal Data
7. International Data Transfers
8. Your Rights and Choices
10. Updates to this EEA Privacy Notice
11. How to Contact Us
12. For More Information
In this European Economic Area (EEA) Privacy Notice, “KCI” means KCI L.P., Inc. and its affiliates, specifically the KCI corporate group.
The scope of this EEA Privacy Notice extends to all of KCI's operations based in Iceland and Norway. The respective companies responsible for Iceland and Norway personal data are listed in Annex A below.
If you are located in a country or region that is not listed in Annex A (such as an EU country for which our separate EU Privacy Notice will apply), please read our different Privacy Notice that applies to your country or region. Our Privacy Notices for different countries and regions are available to view here.
The privacy of our customers, our vendors and suppliers, patients who use our products or services, as well as the visitors of our websites is important to us and we are committed to protecting and maintaining your privacy.
This EEA Privacy Notice explains how KCI handles your personal and/or sensitive personal data and, in particular, details how we collect, store, use, process, transfer, or disclose, and enable you to access, rectify, erase or restrict the processing of your personal data and/or sensitive personal data. This EEA Privacy Notice applies to your personal data and/or sensitive personal data regardless of the way in which we collect it, for example, whether it is collected via our websites, when you contact our Customer Service team, when you submit a job application to KCI, when you use one of our products or services, or when you perform services or deliver products to KCI.
For the purposes of this EEA Privacy Notice, “personal data” is any information about an identified or identifiable living individual. Personal data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning an individual’s sex life or sexual orientation, is referred to in this EEA Privacy Notice as “sensitive personal data”.
3. Personal Data and/or Sensitive Personal Data We Collect
The type of data we collect from you will depend upon the type of interaction you have with us:
- From our customers and vendors:
When you are a customer or vendor, we may collect the following types of personal data in the context of our interaction with you: full name, employer name, work contact details (including address, phone number, fax number and email address), account number, financial information (including card number, card expiration date, bank details and VAT number), credit check information, logo, photos, biographies and CVs for educational programs, contract information (including start and end date of rental of products), insurance information and order and delivery information (such as ship-to locations);
- From patients who use our products or services:
When you are a patient using one of our products or services, we may collect the following personal data or sensitive personal data about you: your name, date of birth, date of death, gender, address, phone number, identification number, wound details (including descriptions, measurements and photographs), other health-related information, therapy information (including therapy date, prescription information and diagnosis), and health insurance details;
- From job applicants:
When you apply for a job at KCI we may collect the following personal data: full name, contact details (i.e., address, phone number and email address, etc.), date of birth, driver’s license details, passport details, work permit if applicable, employment history and education details, names and contact details of referees, next of kin details (in the event of an emergency), bank details, tax code, previous employment with KCI entities. Information not relevant to the application will not be collected; and
- From visitors of our websites:
In addition to the data which you actively provide to us through our websites (for example, by completing online forms or asking us to remember your preferences), we may collect certain personal data by automated means, such as cookies, internet tags, web beacons and similar automated data collection means when you visit our websites.
A "cookie" is a file of information placed on your device when you visit a website. Cookies and similar technologies can enhance your user experience by saving your preferences, personalizing your online experience, holding items in your shopping cart, and sometimes providing you with advertising which is tailored to your interests.
KCI Internet Sites use "session cookies." A session cookie does not identify you personally and expires after you close your browser. For example, when you use the KCI Product Catalog, we place a session cookie to note what pages you have viewed. We can use this information to provide you recommendations of other products that may be of interest.
KCI Internet Sites also use "persistent cookies." These cookies do not expire when you close your browser. Persistent cookies stay on your computer until you delete them or they expire. By assigning your computer a unique identifier, we are able to create a database of your previous choices and preferences which can be provided by us automatically, saving you time and effort on future visits. For example, after you make a purchase, if you decide to make another purchase, your shipping address may have been retained and will only need to be confirmed.
At any time when visiting a KCI Internet Site for one of these countries, clicking on the "Cookie Preferences" link at the bottom of each page allows you to access information on cookies and change your settings.
Although you are not required to accept cookies when you visit a KCI Internet Site, you may be unable to use all of the functionality of the site if you reject certain cookies.
In addition, your browser may allow you to adjust settings to accept or reject cookies, or to alert you when a cookie is placed on your computer.
Analytics and Advertising. KCI uses third-party analytics services to better understand how users engage with KCI Internet Sites and Apps, including services provided by Google and Adobe. Please use the following links for more information about how Google and Adobe collect and use data when you visit their partners' websites or apps:
KCI also uses third-party advertising services to provide advertisements for KCI products or services that may be of interest to you when you visit websites or other online services.
KCI allows selected third parties, including these analytics and advertising services, to place cookies on our Internet Sites. These third parties may collect information about your online activities over time and across third-party websites.
These third parties may be members of industry self-regulatory groups such as the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA). The websites for these groups provide more information on interest-based online advertising and how to opt out of receiving interest-based online ads from participating companies.
Do Not Track Browser Settings. Some browsers may transmit "Do Not Track" ("DNT") signals to the websites you visit. Because there is not common agreement about how to interpret DNT signals, KCI currently does not take action in response to them.
In general, we may collect the above mentioned personal data or sensitive personal data from individuals when they:
- contact us by phone, email, post or via the website;
- manage or change their accounts;
- subscribe to receive our newsletter or promotional materials or sign up to a mailing list; and/or
- participate in surveys or competitions and other promotional activities.
Furthermore, we may collect personal data in a variety of ways depending on your interaction with us:
- From our customers, when they:
  - request the supply and/or delivery of one of our products or services;
  - request a quote for our products or services;
  - arrange payment for use of our products or services;
  - register for and/or attend one of our education or training sessions; or
  - submit an application for an educational or research grant.
- From our vendors or suppliers, when they enter into a contract for the delivery of products or services to us, as well as during the performance of such contract.
- From patients who use our products or services, we may collect personal data or sensitive personal data during the clinical management process directly from the patient when using our products or services, as well as from their treating doctor, clinic, hospital, nursing service providers, duly authorized representatives, and health insurers.
- From job applicants, when they apply for a job at KCI via post or in any other way, as well as from recruiters we have retained and from referees which have been provided by the job applicants in support of their job application (where required, consent is obtained from applicant before approaching previous employers).
- From visitors of our websites, when they visit and interact with our websites and any other webpage that we own and manage.
From time to time, you may be able to visit our websites or deal with us anonymously or by pseudonym. However, please be aware that, if you do not provide us with certain personal data that we require, we may not be able to provide you with the products and/or services that you seek.
4. How We Use Personal Data/Sensitive Personal Data We Collect and How We Justify it
- We process personal data when it is necessary for the purposes of the legitimate interests pursued by us and/or by a third party partner, except where such interests are overridden by the interests or fundamental rights and freedoms of individuals, such as the following:
  - Collecting and analyzing product performance, service and reliability data;
  - Organizing education and training sessions for healthcare professionals in respect of the use of our products;
  - Carrying out market research and product development;
  - Reviewing and processing Educational and Research Grant Applications;
  - Training our staff; and
  - Conducting our internal business and management processes, for example, accounting, auditing and master data management.
- We also process personal data when it is necessary for complying with our obligations under local national applicable law, including our statutory and financial reporting, adverse event reporting, and tax obligations.
- In addition, we process personal data when it is necessary for the performance of a contract to which the individual is a party or in order to take steps at the request of the individual prior to entering into a contract, such as the following:
  - Service delivery and order fulfillment, for example, providing our products to hospitals for use with patients and arranging for the pick-up and delivery of our products to patients in their homes;
  - Liaising with treating doctors, specialists, hospitals and nursing service providers in respect of the delivery of our products or services to patients and their ongoing treatment using our products or services;
  - Liaising with private health insurers;
  - Facilitating and managing the treatment of patients using our medical therapy products in their home;
  - Invoicing, managing accounts and carrying out debt-recovery functions;
  - Collecting and processing payments, including processing credit card payments;
  - Performing credit checks;
  - Providing customer and/or technical support and other customer relationship management functions (for example, enabling the fitting, activation, maintenance and management of a patient’s use of our products);
  - Dealing with enquiries or complaints and resolving disputes; and
  - Engaging and partnering with speakers and consultants for medical education programs.
- Finally, we process personal data when the individual has given (explicit) consent to the processing of his or her personal data for one or more specific purposes. This is the case for the following purposes:
  - Marketing our products or services by post or, when you have given us permission to do so, by telephone, email, text messaging or other established electronic methods;
  - Any other purposes of which we have informed you at the time of the data collection.
In addition to the purposes listed above, personal data and/or sensitive personal data collected from you during your visit to our websites may be used to:
- provide better website services and customize the website based on your preferences and interests;
- compile statistics and analyze trends about the use of our websites;
- perform market research;
- create reports for internal use to develop programs, products, services and content; and
- provide aggregated “traffic statistics” and “response rates” to third parties.
KCI limits the processing of your personal data and/or sensitive personal data to what is strictly necessary for the purposes for which it is collected.
5. Personal Data or Sensitive Personal Data We Share
KCI discloses personal data or sensitive personal data to the following third parties in certain circumstances:
- to other members of the KCI corporate group (including those who may be located outside the EEA or Switzerland) on a need-to-know basis to conduct global business operations;
- to third party partners who we engage to help us run our business, such as couriers and other delivery service providers to arrange the delivery/collection of our products, payroll service providers, debt collection agencies and other parties that assist with debt-recovery functions, external partners supporting the delivery of our training activities/certifications;
- to our professional advisors, including lawyers, accountants, tax advisors and auditors;
- to law enforcement and/or regulatory bodies, Courts of law or to other third parties as otherwise required or authorized by law and/or for the purposes of resolving complaints or disputes both internally and externally or to comply with any investigation by one of those bodies;
- if our business is sold, restructured or integrated with another group of companies, to the new owner, to be used in the same ways set out in this EEA Privacy Notice; and
- any other person or for any other purposes of which we have informed you at the time of the data collection.
Certain personal data of patients who use our products or services will also be disclosed to their treating doctors, specialists, hospital staff, third party nursing service providers, caregivers, duly authorized representatives and private health insurers.
Before KCI discloses any personal data and/or sensitive personal data to a third party partner, we take reasonable steps to ensure the third party partner will adequately protect such data in a manner consistent with this EEA Privacy Notice. Furthermore, when KCI relies on a third party partner for all or any part of the processing of your personal and/or sensitive personal data, it will take reasonable measures to ensure that such third party partners have implemented appropriate technical and organizational measures to ensure that the personal data is protected against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
All KCI third party partners are required to restrict their use of this information to the purpose for which it was provided. Where required by local national applicable law, KCI will obtain consent before sharing data with third party partners, including the same group company entities.
6. How We Hold and Protect Personal Data
The security of your personal data and/or sensitive personal data is given a high priority. We have implemented appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk, including both physical and electronic security measures, including:
- Conducting Data Privacy Impact Assessments when processing is likely to result in a high risk to the rights and freedoms of individuals;
- The pseudonymisation and encryption of personal data, in particular when transferring sensitive data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, such as by storing information on secured networks consistent with industry standards, which are only accessible by those employees who have special access rights to such systems;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security
- The use of passwords, locked storage, cabinets in hosted facilities and secured storage rooms.
All electronic data, hardcopy documents, forms and other personal data held is securely stored and, when no longer required, is shredded, destroyed and/or otherwise disposed of, unless required by local national applicable law.
7. International Data Transfers
We may transfer your personal data and/or sensitive personal data to recipients located outside of the EEA or Switzerland, for example, when we store your data on servers that are located at our headquarters in the U.S. In each case, KCI shall take the necessary measures to ensure that all personal data and/or sensitive personal data transferred to recipients in countries outside of the EEA or Switzerland receives an adequate level of protection as required by EEA and Swiss data protection laws. KCI has implemented appropriate international data transfer agreements based on the EU Standard Contractual Clauses.
8. Your Rights and Choices
Where required by local national applicable law, with regard to your sensitive personal data, your explicit consent will be obtained.
If you provide us with personal data and/or sensitive personal data of other individuals, for example a doctor providing health or therapy information from individuals, you acknowledge that you have informed the concerned individuals and/or their legal representative about the disclosure of their data to us and obtained their consent for such disclosure. You may withdraw any consent you previously provided to us.
You may request access to the personal data and/or sensitive personal data we hold about you or request that we correct, amend, or restrict the processing. You also have the right to rectification or erasure, subject to record retention requirements. You may also have the right to data portability, the right to not be subject to automated decision-making producing legal effects such as profiling as well as the right to complain to the data protection authority.
You may also object to the processing of your personal data for direct marketing purposes or object at any time on legitimate grounds to the processing of your personal data or sensitive personal data, and we will apply your preferences going forward. To exercise one of these rights, send an email to Privacy_EU@mmm.com.
If you are a healthcare professional, we will use your personal data for the purposes of marketing our medical therapy products or services or to inform you of new products, promotions or events, including training sessions that we believe you may be interested in. We will obtain your opt-in consent for the use of your personal data for marketing purposes, where this is required by local national applicable law. In any event, you can always opt out if you no longer wish to receive our marketing communications by:
- writing to us at the contact details set out in the marketing communications (or otherwise as set out in Annex A) and informing us that you no longer wish to receive these marketing materials;
- in relation to any direct marketing email, clicking the “unsubscribe” link at the bottom of each email; or
- informing your usual KCI representative.
We take reasonable steps to ensure that the personal data and/or sensitive personal data we hold about you is accurate, complete and up-to-date. To ensure that we have your most current personal data, please contact us by writing to us at the contact details in Annex A or send an email to Privacy_EU@mmm.com when your data changes.
9. Storage periods
We will retain your personal data for the period necessary to fulfill the purposes outlined in this Privacy Notice, unless a longer retention period is required by law. In addition, depending on the circumstances of each case, personal data may be stored until the statute of limitations in which legal claims can be brought against us has expired.
10. Updates to this EEA Privacy Notice
KCI reviews its EEA Privacy Notice from time to time and reserves its right to modify its EEA Privacy Notice at any time without notice. We will publish any changes to this EEA Privacy Notice on our websites. By continuing to use our products or services or our websites, or by continuing to provide us with your personal data or sensitive personal data after the updated EEA Privacy Notice has been published on our websites, you confirm your acceptance of these amendments.
11. How to Contact Us
If you have any concerns or complaints about a breach of your privacy or have any questions about the way we handle your personal data or sensitive personal data, please contact us by sending an email to any of the KCI Group of Companies listed in Annex A at Privacy_EU@mmm.com.
12. For More Information
For further information about this EEA Privacy Notice contact the Compliance or IT Department or refer to the “Related Resources” contained in the header of this document.
Compliance with this EEA Privacy Notice by KCI representatives is mandatory. Adherence to this EEA Privacy Notice is a continuing condition of employment for every KCI employee and is a continuing condition to the continuation of a professional relationship with KCI for every KCI contractor. Violations of this EEA Privacy Notice may result in disciplinary measures up to and including the termination of employment or other engagement. KCI personnel who are unsure whether an activity is permitted under this EEA Privacy Notice should consult with their manager or a representative from the Compliance Department. Any employee who observes or suspects a violation of this EEA Privacy Notice should promptly report the matter. KCI prohibits retaliation against any individual who makes a report of a compliance issue.
ANNEX A – KCI Entities Contact Information
For the purpose of this EEA Privacy Notice, below are country-specific contact details for KCI entities.
Responsible KCI entity
KCI Europe Holding B.V.
Utrecht, Netherlands 3528 BJ
KCI Medical AS
c/o Visma Services Norge AS