Statement Concerning Transfer of Personal Data of the European Data Subjects to the United States

  1. Arthrex's Commitment to Safe Data Transfers

Arthrex ensures that all transfers of personal data to our organization fully comply with relevant data protection regulations. We prioritize the protection of your personal data and remain dedicated to upholding the standards set forth by the EU-US Data Privacy Framework.

In our products, systems, and processes, Arthrex implements the safeguards necessary to ensure that any onward transfer of personal data is protected to the highest standards.

For information about how your personal data is protected throughout its journey, please refer to the Data Processing Agreement that we sign with you, the Arthrex Privacy Notice, or the specific privacy notice provided to you in the context of the product or service you are using.

  2. Ensuring Secure Transatlantic Data Flows with the EU-US Data Privacy Framework

Arthrex complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Arthrex has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Arthrex has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To view our certification, please visit https://www.dataprivacyframework.gov/.

If you have any inquiries or complaints about Arthrex's handling of your personal information under the Data Privacy Framework, or about our privacy practices generally, please contact us at: privacy@arthrex.com. We will respond to your inquiry promptly. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://www.adr.org/. If neither Arthrex nor our third-party dispute resolution provider resolves your complaint, you may pursue binding arbitration through the Data Privacy Framework Panel. To learn more about the Data Privacy Framework Panel, visit here.

You can review Arthrex's Data Privacy Framework registration here. Arthrex is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Arthrex may be required to disclose personal information that we handle under the Data Privacy Framework in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

  3. Assessment of United States Authorities’ Interest in Arthrex Personal Data Transfers

In addition to the EU – U.S. DPF adequacy decision, we have conducted an extensive risk assessment of Arthrex’s personal data transfers, considering the following factors:

  • The purpose(s) for which the personal data is transferred and processed (eg marketing, HR, data storage, IT support, clinical trials).
  • The types of entities involved in the processing (eg public/private; controller/processor).
  • The sector in which the transfer occurs (eg medical, telecommunication, financial, etc).
  • The categories of personal data transferred (eg personal data relating to children may fall within the scope of specific legislation in the third country).
  • Whether the personal data will be stored in the third country or whether there is only remote access to the personal data stored within the EEA.
  • The format of the personal data to be transferred (eg in plain text, pseudonymized or encrypted).
  • The possibility that the personal data may be subject to onward transfers from the third country to another (or within the same) third country.

These factors, and particularly the nature of the personal data transferred, support the conclusion that the U.S. government is unlikely to seek to acquire the transferred information. As a medical device company, Arthrex is not involved in an industry with heightened national security concerns (e.g., defense contracting, intelligence community support, government contracting, or provision of critical infrastructure). Instead, the company’s transferred information typically includes personnel personal data, data system security information, online learning user credentials and account information, and medical records that may contain personal data. These medical records are primarily used to develop specific surgical tools and plans, to monitor patient recovery and progress in certain post-surgery circumstances, and, in limited instances, to provide technical support for surgical video recording processes. Arthrex receives the personal data from its EU subsidiary in order to support its routine business activities, which are not sensitive in terms of national security or counter-intelligence considerations. The personal data is not transferred from the United States to additional countries, and when transmitted to the United States it is either sent in an encrypted format or securely accessed remotely from the United States. Arthrex has not received, and is unlikely to receive, any U.S. government request regarding personal data processed by Arthrex. Therefore, it cannot reasonably be expected that any personal data processed by Arthrex would be of particular national security interest.

  4. Supplementary Measures

Arthrex has implemented additional measures to ensure the adequate protection of personal data, even where the legal regime of the destination country poses low or no material risk. These supplementary measures fall into three categories: (i) contractual safeguards, (ii) organizational safeguards, and (iii) technical safeguards.

   a) Contractual

As explained above, Arthrex will establish contractual agreements outlining the safeguards that apply to transfers of personal data to the United States.

When the processing of personal data of European data subjects is mandated by a contract, Arthrex will:

  (i) agree to be directly bound by Data Processing Agreements outlining the organizational and technical measures Arthrex has in place to protect the personal data of European data subjects.

  (ii) enter into appropriate processor-to-processor SCCs with each sub-processor located in a third country without adequate protection, where the sub-processing leads to onward transfers to a third country.

   b) Organizational

The concerns raised by the CJEU regarding the transfer of personal data to the United States centered primarily on the United States government's data collection practices under U.S. Executive Order 12333 ("EO 12333") and Section 702 of the Foreign Intelligence Surveillance Act ("FISA § 702"), particularly "upstream" surveillance under FISA § 702. However, the risks associated with these specific legal provisions either do not apply to the processing of personal data by Arthrex or can be effectively mitigated by the organizational safeguards Arthrex has in place. Additionally, Arthrex intends to use available legal mechanisms to challenge demands by U.S. authorities for access to personal data.

It is important to emphasize that Arthrex neither assists, nor can be compelled to assist, U.S. authorities in their information collection efforts under Executive Order 12333. EO 12333 does not grant the U.S. government the power to compel companies to provide assistance in such activities, and Arthrex does not engage in, and will not engage in, voluntary cooperation with surveillance activities under EO 12333. Consequently, Arthrex does not participate in, and cannot be compelled to undertake any actions facilitating, the type of bulk surveillance under EO 12333 that the CJEU found problematic.

Arthrex is not eligible to receive "upstream" or bulk surveillance orders under FISA § 702, as it does not provide the relevant services. The U.S. government's interpretation and application of FISA § 702 confirm that Arthrex is not eligible to receive such orders. The personal data of Arthrex's customers that it processes is highly unlikely to be relevant to foreign intelligence activities governed by FISA § 702. Even if such data were relevant, the government would likely pursue alternative legal avenues, such as obtaining a search warrant, as that is a faster and simpler process than issuing directives under FISA § 702.

   c) Technical

Arthrex implements technical measures that mitigate the primary concerns identified above, namely bulk surveillance under FISA § 702 and bulk interception under EO 12333.

Arthrex encrypts all personal data at rest in our systems and in transit, using encryption that meets the GDPR's "state of the art" requirement (Article 32). These encryption measures serve to prevent unauthorized access to personal data in an intelligible form and to protect against unauthorized interception or tampering while personal data is transmitted between two endpoints.

Arthrex enforces stringent administrative, technical, and physical protocols to safeguard personal data stored on its servers. Access to personal data is restricted through the use of login credentials and is limited solely to employees who need such access to carry out their job responsibilities. Arthrex applies access controls such as multi-factor authentication, restricted access to administrative accounts, Single Sign-On, the principle of least privilege, and robust password controls. Furthermore, Arthrex applies data minimization methods to restrict the transfer of personal data from the EU to third-country jurisdictions. This may involve pseudonymization or de-identification of personal data, where appropriate.

  5. Additional Considerations

Where applicable, Arthrex will store and process the personal data of European data subjects exclusively within the European Union. In such cases, the personal data is not retained in the United States, and any access to such data from the United States is based on a need-to-know requirement, such as fulfilling customer support requests, providing specific security assistance, or conducting technical troubleshooting.

Transfer of personal data to the US is done strictly on a need-to-know/need-to-have basis, in accordance with Data Processing Agreements outlining the organizational and technical measures Arthrex has in place to protect the personal data of European data subjects.

Arthrex acknowledges that, in the event of an order granting US authorities access to personal data, Arthrex would be obliged to inform customers, enabling them to terminate their agreement with us and halt personal data transfers to our organization. It is important to note that Arthrex has never had to issue such a notification and, based on the evaluation above, it is highly improbable that such a circumstance will arise in the future.

  6. Conclusion

Based on the analysis outlined above, we assert with confidence that the risk of harm to data subjects is minimal. This conclusion rests on the protective measures and safeguards implemented by Arthrex, together with the highly improbable likelihood of requests by US authorities for access to personal data in relation to our products and services. Taking these factors into account, and in compliance with the relevant legal obligations, we consider the risk of harm to data subjects to be insignificant.

Regardless of the low-risk exposure associated with the transfer of European data subjects' personal data to the US, Arthrex is fully committed to maintaining compliance with the principles and safeguards outlined in the EU-US Data Privacy Framework and all relevant regulations, as well as best practices in data protection. By upholding these standards, we ensure the secure and lawful transfer of personal data, demonstrating our dedication to protecting our customers' privacy.