This policy is applicable to India Medtronic Private Limited
India Medtronic Private Limited (hereinafter referred to as “we”, “us” and “Medtronic”) is bound by the data privacy principles contained in the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. We are also bound by various other legislations, some of which are the Constitution of India, the Indian Penal Code 1860 and the Contract Act 1872, which outline the right of privacy of every individual and the consequences of its breach (India Privacy Laws). The object of the India Privacy Laws is to protect the confidentiality of “sensitive personal data or information” and the privacy of individuals by regulating the way in which such sensitive personal information is managed.
Broadly, “personal information” means information or an opinion about an identified individual or from which an individual can be reasonably identified. “Sensitive Personal Information” means such personal information which consists of information relating to:
(1) Password;
(2) Financial information such as bank accounts;
(3) Physical, physiological and mental health condition;
(4) Sexual orientation;
(5) Medical records and history;
(6) Biometric information;
(7) Any detail relating to the above provided to any body corporate for providing service or received by the body corporate for processing, stored or processed under lawful contract or otherwise.
Sensitive Personal Information does not include any information which is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force.
Sensitive Personal Information includes “health information”, which refers to information regarding an individual’s physical or mental health or a health service provided to an individual. We refer to such personal information and health information in this Policy collectively as “Sensitive Personal Information”.
Medtronic is committed to protecting the Sensitive Personal Information it collects and regularly monitors its systems and procedures to ensure compliance with the India Privacy Principles and this Policy. This Policy has been framed to ensure that reasonable security practices have been put in place to protect Sensitive Personal Information from unauthorized access, damage, use, modification, disclosure or impairment. This Policy outlines the way in which Medtronic deals with the Sensitive Personal Information it collects and uses in India. Medtronic complies with all applicable data privacy laws in India.
Medtronic collects Sensitive Personal Information that is reasonably necessary for or directly related to our functions and activities as a provider of medical devices with your valid written consent. In some cases, we are required to collect Sensitive Personal Information in order to comply with our obligations such as responding to safety concerns about our products.
Medtronic may collect Personal Information or Sensitive Personal Information about you through our interactions with you. Where Medtronic collects Sensitive Personal Information from or about you, we will inform you about the purpose and use of the collected information, the intended recipients of such information and, if it is collected by or transferred to third parties, the name and address of such third party collecting and retaining the information.
The Personal Information we collect may include:
▪ Your name
▪ Your address
▪ Your date of birth
▪ Your email address
▪ Your phone number
If you are a healthcare professional, additional Personal Information we may collect from you includes:
▪ Your medical specialty
▪ Your clinical interests
If you are a patient, additional Sensitive Personal Information we may collect includes:
▪ Details of your health care professional
▪ Your implantation details and history
▪ Product performance, service and reliability data
▪ Product data, such as model and usage of your device
▪ Credit related information, if applicable
Personal Information and/or Sensitive Personal Information may be collected by Medtronic in the course of:
▪ If you are a patient or healthcare professional, providing technical assistance about our products or services;
▪ Responding to product complaints; and
▪ Participation in Medtronic sponsored programs, including educational programs and research grants
Medtronic will, prior to collection of your Sensitive Personal Information, provide you an option to not provide the information sought to be collected. You will also have an option to withdraw your consent (in writing), which you may have earlier granted to Medtronic.
Medtronic will collect and use your Sensitive Personal Information, with your valid written consent, for the purpose for which it is collected, which inter alia may include the following:
▪ In the course of the sale, distribution or provision of medical devices that have been requested by health care providers;
▪ In the course of supporting healthcare professionals in ongoing care, if you are a patient;
▪ Administering training programs, clinical trials or other similar programs in which you agree to be involved; and
▪ Compliance with regulatory requirements, such as maintaining a record of medical queries, complaints, adverse events and recalls relating to our products.
We may also use your Personal Information or Sensitive Personal Information to:
▪ Provide healthcare providers with updated product or safety information with respect to Medtronic medical devices;
▪ Send healthcare providers materials on our activities and products or developments in medical technology that Medtronic believes may be of interest to them;
▪ Manage, plan and arrange meetings between the healthcare provider and Medtronic representatives; and
▪ Generate customer lists for the purposes of market research.
When dealing with Sensitive Personal Information, such as your health information, Medtronic will seek your written consent before using such Sensitive Personal Information. In only such circumstances where required by law to disclose information or in the event where the Government of India has requested such information for the purpose of verification of identity or for prevention, detection, and investigation of cyber incidents and the like, will we disclose your health information without your consent.
As part of a group of companies located in many different countries, we may disclose some Personal and Sensitive Personal Information to a Medtronic company or database overseas. The countries to which we are likely to disclose Personal and Sensitive Personal Information include the United States, Singapore, Italy, Switzerland, and the Netherlands. In disclosing data offshore, Medtronic ensures that the use and disclosure of the Personal and Sensitive Personal Information transferred is dealt with in accordance with this policy and the safeguards under India Privacy Laws.
Medtronic will not sell or publish your Sensitive Personal Information to any third party for any purpose. In the event Sensitive Personal Information is transferred to third parties in connection with our business operations or if it is necessary for the purpose of performance of a lawful contract, such transfer will only happen if you have consented to the transfer and only when such third parties have ensured that reasonable security procedures are in place for protection of such Sensitive Personal Information.
All such third parties are required by Medtronic to process the Sensitive Personal Information disclosed to them only for the purposes expressly authorized by Medtronic and are required by Medtronic to meet our standards of data protection and comply with the safeguards under India Privacy Laws.
Medtronic has put in place reasonable security procedures and safeguards to protect Sensitive Personal Information we hold from misuse, loss, unauthorized access, modification or disclosure. Medtronic holds the Personal and Sensitive Personal Information you provide to us in an electronic form on computer servers, which are password protected for limited access and are located in controlled facilities. However, Medtronic may also hold Personal and Sensitive Information in physical form, such as in paper hard copies. While Medtronic cannot guarantee against any loss, misuse or alteration to data, we take reasonable steps to prevent such occurrences.
Access to the Personal and Sensitive Information is restricted to those employees who need to use the data, who have been trained to handle such data properly and observe strict standards of confidentiality.
Medtronic destroys or permanently de-identifies Personal and Sensitive Information that we no longer need, where permitted.
You have the right, in most cases, to access your Personal and Sensitive Personal Information at any time. Medtronic takes reasonable steps to ensure that any information we hold about you is up-to-date, accurate and complete. If you wish to access or correct Personal Information we hold, or you have any questions about this Policy, please contact Medtronic’s Privacy Officer at privacyISC@medtronic.com, setting out a full description of the request.
If you have a complaint about how we have handled your personal information or consider that we may have breached our obligations under the APPs, please write to our Privacy Officer at privacyISC@medtronic.com or at:
India Medtronic Private Limited
1261, Solitaire Corporate Park,
Bldg No.12, 6th Floor, Andheri– G. Link Road,
Andheri East, Mumbai – 400 093
Attention: Data Privacy Officer
We will respond to your complaint within a reasonable period, usually within 30 days.
Medtronic will retain your Personal Information and Sensitive Personal Information no longer than it is required for the purposes for which the information may lawfully be used or is otherwise required under any law in force. In many cases Personal Information and Sensitive Personal Information must be kept for considerable periods of time in order to make it available as and when questions or disputes arise. Retention periods will be determined for each information that is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable opportunity.