Transfer of Personal Data of the European Data Subjects to the United States
Arthrex ensures that all transfers of personal data to our organization fully comply with relevant data protection regulations. We prioritize the protection of your personal data and remain dedicated to upholding the standards set forth by the EU-US Data Privacy Framework.
In our products, systems, and processes, Arthrex implements the necessary safeguards to guarantee that any onward transfer of personal data is protected with highest standards.
To provide you with the information about the protection of your personal data throughout its journey, please refer to the Data Processing Agreement that we sign with you, the Arthrex Privacy Notice, or the specific privacy notice provided to you in the context of the product and service you are using.
Arthrex complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Arthrex has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Arthrex has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
The following Arthrex U.S. entities or Arthrex U.S. subsidiaries are adhering to the EU-U.S. DPF Principles, including as applicable under the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF Principles and are covered by Arthrex 's DPF submission:
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Arthrex commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to ICDR-AAA DPF IRM Service, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Arthrex commits to resolve DPF Principles-related complaints about our collection and use of your personal data. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Arthrex at privacy@arthrex.com.
With regards to the transfer of personal data to the United States and participation in the Data Privacy Framework (DPF), Arthrex will arbitrate claims and follow the terms as set forth in Annex I of the DPF (https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction).
Arthrex is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Arthrex may be required to disclose personal data that we handle under the Data Privacy Framework in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
For information about the type or identity of third parties and the purposes for which Arthrex discloses personal data, please visit https://privacy.arthrex.com/index.html#Sharing-of-Personal-Data. Arthrex is liable for the onward transfer of personal data.
For information about the rights of individuals to access their personal data and to limit the use and disclosure of personal data, please visit https://privacy.arthrex.com/index.html#What-Are-Your-Rights and the Arthrex EMEA Privacy Notice at https://privacy.arthrex.com/our-commitment-to-privacy/european-economic-area-emea.html.
In addition to the EU – U.S. DPF adequacy decision, we have conducted an extensive risk assessment of the Arthrex’s personal data transfers, considering the following factors: the purpose(s) for which the personal data is transferred and processed (e.g., marketing, HR, data storage, IT support, clinical trials).
These factors and particularly the nature of the personal data transferred is supporting an argument that the U.S. government is unlikely to seek to acquire the transferred information. As a medical device company, Arthrex is not involved in an industry with heightened national security concerns (e.g., defense contracting, intelligence community support, government contracting, or provision of critical infrastructure). Instead, the company’s transferred information typically includes personnel personal data, data system security, online learning user credentials and account information, and medical records that may contain personal data. These medical records are primarily used to develop specific surgical tools and plans, monitor patient recovery and progress in certain post-surgery circumstances, and, in limited instances, to provide technical support for surgical video recording processes. Arthrex is receiving the personal data from its EU subsidiary in order to support its routine business efforts, which are not sensitive in terms of national security or counter-intelligence considerations. The personal data is not transferred to additional countries from the United States, and when transmitted to the United States it is either sent in an encrypted format, or securely accessed remotely from the United States. Arthrex has not received, and is unlikely to receive, any U.S. government request regarding personal data processed by Arthrex. Therefore, it could not be reasonably expected that any personal data processed by Arthrex would be of particular national security interest.
Where applicable, Arthrex will exclusively store and process personal data of the European data subjects within the European Union. In such cases, the personal data is not retained in the United States, and any access to such data from the United States is based on a need-to-know requirement, such as fulfilling customer support requests, providing specific security assistance, or conducting technical troubleshooting.
Transfer of personal data to US is done strictly on need-to-know/need-to-have bases according to Data Processing Agreements outlining the organizational and technical measures Arthrex has in place to protect the personal data of European data subjects.
Arthrex acknowledges that in the event of an order to grant personal data access to US authorities, Arthrex would be obliged to inform customers, enabling them to terminate their agreement with us and halt personal data transfers to our organization. It is important to note that Arthrex has never had to issue such a notification, and based on the aforementioned evaluation, it is highly improbable that such circumstance will arise in the future.
Based on the comprehensive analysis outlined above, we assert with confidence that the risk of harm to the data subjects is minimal. This conclusion is based on the rigorous protective measures and safeguards implemented by Arthrex, along with the highly improbable likelihood of requests for personal data access by US authorities in relation to our product and services. Therefore, taking into account these factors and in compliance with relevant legal obligations, we affirm that the risk of harm to the data subjects is considered insignificant.
Regardless of low-risk exposure concerning the transfer of personal data of the European data subjects to the US, Arthrex is fully committed to maintaining compliance with the principles and safeguards outlined in the EU-US Data Privacy Framework and all relevant regulations, as well as best practices in data protection. By upholding these standards, we ensure the secure and lawful transfer of personal data, demonstrating our unwavering dedication to protecting our customers' privacy.