Arthrex ANZ Privacy Notice

Our Commitment to Privacy

Arthrex (“Arthrex”, “we”, “us” and “our”) is strongly committed to protecting the privacy and security of all Personal Information provided to us, including complying with the Australian Privacy Principles contained within the Australian Privacy Act 1988 (Cth) and the Information Privacy Principles contained within the New Zealand Privacy Act 2020 (NZ).

This Privacy Notice governs how and why Arthrex collects, uses, stores and discloses Personal Information which it may collect from individuals who are connected to its operations and activities, including but not limited to individuals, healthcare professionals, participants in clinical trials, research or observation studies, applicants, employees, agents, consultants, contractors, vendors, service providers, business associates and users of our website.

The Arthrex may also provide separate privacy statements or privacy collection notices that apply to specific persons or circumstances, and the type of relationship you have with us. A separate statement or notice may be necessary due to the type of Personal Information being collected and to provide additional detail about how and why we collect and handle such information. This Privacy Notice should be read in conjunction with any such additional statement or notice.

Key Definitions

Act – means the Privacy Act 1988 (Cth) and/or the Privacy Act 2020 (NZ) (together, the “Acts”).

Arthrex – refers to Arthrex Inc., Arthrex Australia Pty Ltd (ABN 40 627 466 979), Arthrex New Zealand Limited (NZBN 9429 048 723 435) and all of their respective subsidiaries, related bodies corporate and related companies.

Personal Information – means information or an opinion about an identified individual, or about an individual who is reasonably identifiable either directly or indirectly, and as defined by the Acts.

Sensitive Information – means a sub-set of Personal Information, and includes origin, political opinions, political association membership, religious beliefs or affiliations, philosophical beliefs, professional or trade association membership, trade union membership, sexual orientation or practices or criminal record, and includes health information and genetic or biometric information.

1.  How We Collect Personal Information

Arthrex may collect Personal Information that is reasonably necessary for purposes that are directly related to our business functions or activities as a provider of medical devices. In certain instances, we are required by the Therapeutic Goods Act 1989 (Cth), or other applicable laws, to collect Personal Information in order to comply with our legal obligations. In relation to Sensitive Information, we will strive to limit the collection of such information to the minimum necessary amount required for the relevant purpose.

Arthrex collects Personal Information directly from you or from the person it is about unless it is unreasonable, unlawful or impracticable to do so. This includes when:

• You engage with us in relation to our business operations, including providing goods and services to us or receiving goods and services from us.
• You are a patient who is undergoing surgery or treatment using our products or services.
• You register as a healthcare professional and submit Personal Information as part of the use of your website.
• You are an attendee of a seminar, meeting or medical education event (for example, the submission of a consent form and questionnaire).
• You use our online platforms and websites, WiFi services and/or social networks.
• You call, post or email us.
• You are an existing employee or contractor, or you apply for an employment opportunity with us.

Arthrex may also collect your Personal Information indirectly. This includes when:

• You have consented or otherwise authorised third parties, such as contractors and social and community workers, to share your Personal Information with us.
• Your healthcare professional provides your Personal Information to us.

If we collect Personal Information about you from a third party and it is unclear whether you have consented to the disclosure of your Personal Information to us, we may take reasonable steps to contact you and ensure that you are aware of the circumstances surrounding the collection and purposes for which we collected your Personal Information.

The types of Personal Information that we may collect include but are not limited to:

• Name, residential or other postal addresses
• Email addresses
• Phone numbers
• Billing information, including but not limited to bank account or credit card details
• Professional information, including but not limited to Australian or New Zealand Business Number, job title, academic or medical specialty, name of organisation and clinical interests
• Medical records
• Service use information
• Usernames and passwords
• Date of Birth
• Gender
• Language preferences
• Photo, video and audio content
• Location information
• Website cookies and IP addresses

If you are a healthcare professional, the types of Personal Information we may also collect include:

• Medical specialty
• Details relating to the medical procedures you perform

If you are a patient or customer, the types of Personal Information we may also collect include:

• Specific information about treatment
• Medical records or medical history through your physician or a healthcare professional
• Credit card or debit card details for purposes of payment

If you are an employee, agent, contractor or other user, we may monitor detailed performance, security and usage data. We will only collect unique identifiers (such as employee numbers) where connected to a primary or secondary purpose.

2.  How We Use Your Personal Information

Arthrex may use your Personal Information for the primary purpose for which it is collected, which may include:

• Marketing: to communicate with you about sponsorships, products, services, campaigns, causes we support, webinars and events.
• Medical education: to communicate with you about medical education events and learning opportunities.
• Provision of goods and services: to provide you with goods and services, including logistics, customer support, and case support, and to evaluate and report on these goods and services.
• Research, including publishing: to conduct and/or fund research.
• Product development: to conduct and/or fund continuous product development.
• Compliance with regulatory requirements: to comply with any requirements under the Therapeutic Goods Act 1989 (Cth), the Medicines Act 1981 (NZ), or any applicable laws, such as maintaining a record of medical queries, complaints, adverse events and recalls relating to our products.
• General business: to facilitate the daily operations, activities and objectives of our business and its departmental functions, including for administrative, financial, security, logistical and payment purposes.
• Working with you: if you are a healthcare professional, consultant or third-party service provider, to collaborate and work with you.
• Other matters: to communicate with you in relation to our operations, activities and objectives, to verify your identity, to improve and evaluate our products, programs and services, including customer satisfaction surveys and to comply with any applicable laws.

There may be certain circumstances specific to you where we collect and/or use your Personal Information for a specific purpose not outlined above. These are set out in our privacy statements or privacy collection notices, which explain the primary purpose and any related secondary purposes for which we are collecting your Personal Information.

Data Aggregation

As part of our research and/or product development, we may aggregate Personal Information collected from you. Your Personal Information will be de-identified during the data aggregation process. Upon written request, your Personal Information may be re-identified and provided to you at any time, subject to Section 4 of this Privacy Notice.

Website Use Information and Cookies

When you access our website or use our products, we may use software such as Javascript, website cookies or web beacons to collect Personal Information about your search preferences and to continuously improve our online services. You may set your browser to adjust or disable cookies to provide you with an opportunity to either accept or reject cookies in each instance.

Arthrex may gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our services.

Arthrex uses cookies and web beacons to analyse the number of website visitors and to ensure our website is serving you effectively and efficiently. Certain cookies may contain Personal Information. However, most cookies and web beacons will not collect Personal Information that identifies individuals and instead collects general information such as how users arrive at and use our website. We share data from our website for these purposes, but we do so with respect for user privacy and in compliance with applicable privacy law.

Links to External Websites

Our website includes links to external websites that are not owned and managed by us. We are not responsible for the content or the privacy practices of those websites. We recommend that you examine each website’s privacy policy separately.

Electronic Communication

Arthrex may collect Personal Information via email, our website or through social media platforms. If these methods to collect Personal Information are of concern to you, then you may use other methods to communicate with us which may include telephone or by post (although these also have risks associated with them). We may also collect your email address or contact details when you send a message to us or subscribe to one of our mailing lists. Any Personal Information, including email addresses, will only be used or disclosed for the purpose for which it was provided to us.

Opting Out of Direct Marketing Communications

Where we use your Personal Information to send you marketing and promotional information by post, email or telephone, we will provide you with an opportunity to opt-out of receiving such information. By electing not to opt-out, Arthrex will accept your implied consent to receive similar information and communications in the future. We will always ensure that our opt-out notices are clear and accessible.

3.   Disclosure of Your Personal Information

Your Personal Information may be transferred to related Arthrex companies and affiliates, as well as third parties when reasonable and appropriate steps have been taken to maintain the required level of data protection as provided in this Privacy Notice, including the provision of notice and choice, where appropriate. Your Personal Information may be transferred and stored at a destination outside of Australia or New Zealand. This may include the United States of America, Germany, Japan and Singapore.

Third parties may include:

• Consultants, contractors, vendors or service providers who provide services to Arthrex, such as IT and security service providers, hosting service providers, analytics service providers, and cloud storage providers.
• External support services to healthcare professionals, professional advisors (such as lawyers, accountants or auditors), counsellors, service providers, agencies and not-for-profits that provide support services.
• Researchers and product developers including other research and scientific institutions.
• Government and regulatory authorities, including where required under the Act or any other applicable laws.

Arthrex expects and requires that all third parties to whom we may disclose your Personal Information comply with Arthrex’s Privacy Notice and the relevant Australian and New Zealand legislation.

There may be certain circumstances specific to you where we disclose your Personal Information for a specific purpose, or to certain recipients, not outlined above. These are set out in our privacy statements or privacy collection notices.

Patient Information

Personal Information about patients, including Sensitive Information or health information, may be disclosed to physicians or healthcare professionals in line with a relevant consent form. We may also disclose your Personal Information to healthcare professionals for treatment and research purposes. This may include de-identified information for publication of outcomes of clinical trials and patient-reported outcome measures.

Cross-border Disclosure of Your Personal Information

Personal Information may also be processed by staff, by other Arthrex entities, or by other third parties operating outside Australia or New Zealand who work for us or for one of our suppliers, agents or partners. Arthrex may use data hosting facilities and third-party service providers to assist us with our operations and our provision of products and services.

When your Personal Information is disclosed outside of Australia or New Zealand, we take reasonably necessary steps to ensure that any overseas third-party recipient of your Personal Information does not breach the Australian Privacy Principles or Information Privacy Principles.

By providing your Personal Information to us, including by using our services and/or accessing our website, you consent to the disclosure, transfer, storing or processing of your Personal Information outside of Australia or New Zealand.

4.  Access to Your Personal Information

Arthrex will provide you with access to your Personal Information in accordance with the relevant legislation and applicable regulations subject to a written request detailing the type(s) of information requested. We will provide access to your Personal Information as soon as reasonably practicable (and in this respect, we will endeavour to do so within 30 days of your request). Arthrex may charge a reasonable cost incurred for supplying you with access to this information.

Please note that your rights to access Personal Information are not absolute. Australia and New Zealand privacy laws state that we are not required to grant access in certain circumstances, which may include where:

• Access would pose a serious threat to the life, safety or health of any individual or to public health or public safety.
• Access would have an unreasonable impact on the privacy of other individuals.
• The request is frivolous or vexatious.
• Denying access is required or authorised by a law or a court or tribunal order.
• Access would be unlawful.
• Access may prejudice commercial negotiations, legal proceedings, enforcement activities or appropriate action being taken in respect of a suspected unlawful activity or serious misconduct.

If we refuse to grant you access to your Personal Information, we will provide you with an explanation for this decision (unless it is unreasonable to do so).

5.  Storage and Security of Your Personal Information

Arthrex takes reasonable steps to protect the Personal Information we hold from misuse, interference, loss and from unauthorised access, modification or disclosure. Your Personal Information will be transmitted and stored in encrypted, secure electronic databases on our servers or with cloud hosting service providers or other third-party service providers, to which employee access is restricted. Hard copy information is physically protected using locks and security systems. Personal Information may only be accessed by authorised personnel. Arthrex will maintain your Personal Information in accordance with document retention requirements under any applicable law.

When Personal Information is stored with a third party, Arthrex implements contractual arrangements which require those third parties to maintain the security of the information. We take reasonable steps to protect the privacy and security of Personal Information, but we are not liable for any unauthorised access or use of such information.

Arthrex will make reasonable efforts to ensure that Personal Information is accurate, updated, adequate, relevant, not excessive for the purposes for which the Personal Information is processed and kept only for the period necessary for permitted purposes.

6.  Data Breaches

If Arthrex suspects that a data breach has occurred, we will assess the circumstances of the suspected breach promptly upon becoming aware. When we ascertain that a data breach has occurred and where required by law, we will notify the Office of the Australian Information Commissioner (Australia) or the Office of the Privacy Commissioner (New Zealand) using the relevant protocols. We will also notify the affected individuals upon assessment of the data breach.

7.  Inquiries and Enforcement of Compliance

Arthrex commits to resolve complaints about your privacy and our collection or use of your Personal Information. If you have any questions, comments or suggestions about this Privacy Notice or Arthrex’s privacy practices, please contact the ANZ Privacy Officer at AskCompliance@arthrex.com.  

We will respond to your written complaint within 30 days by following our procedures for handling complaints and concerns about our practices relating to the Acts and relevant regulations. We will respond to your complaint in accordance with the relevant provisions of the Acts and their corresponding regulations. Alternatively, you may make your written complaint to the Office of the Australian Information Commissioner (Australia) or to the Office of the Privacy Commissioner (New Zealand).

8.  Compliance

Arthrex regularly evaluates its privacy policies and procedures to implement improvements and refinements. Therefore, Arthrex reserves the right to modify or amend this Privacy Notice at any time and for any reason. When this Privacy Notice is amended, Arthrex will revise the “last updated” date at the bottom of this Privacy Notice. Please review this Privacy Notice periodically and especially before you provide Personal Information to us. Your continued use of our website after any changes to our Privacy Notice indicates your agreement with the terms of the revised Privacy Notice.

Last updated: 20 June 2024