For healthcare professionals and other customers
Effective October 2021
This Data Protection Notice is provided by Cook Medical Holdings LLC and its subsidiaries and affiliates, including its worldwide subsidiaries and affiliates (collectively, “Cook”). It is intended to inform healthcare professionals and other customers with whom we interact about how we collect, process, safeguard, share, and store their Personal Data, as well as their rights in relation to that Personal Data. “Personal Data” means any data that can directly or indirectly lead to the identification of a specific individual.
As a world leader in medical devices, Cook collects certain types of Personal Data in connection with our sales and marketing activities with healthcare professionals and other customers, through Cook’s website(s) and in other interactions. Generally, this Personal Data is collected directly from healthcare professionals and customers but in certain circumstances, we may also collect this information directly from a patient or another third party (e.g., as part of the reporting of an adverse event) or from publicly available sources and industry databases (e.g., hospital websites, journals, industry publications, and publicly available social media posts) that contain healthcare professionals’ contact details (e.g., as part of our efforts to ensure the information we hold is accurate and up to date and/or to identify subject matters experts in relation to certain events which we may organize and/or as part of our legitimate brand management activities). Depending upon the interaction, and in accordance with applicable laws and business obligations, the information that we collect (which may not always constitute Personal Data) may include, without limitation, the following:
- Business contact details (if and when applicable): name of healthcare organization and healthcare professional(s) interacting with us; job titles/medical specialty; years of experience; business address; address of invoicing if different; telephone numbers; fax number; business email addresses; internal identification number of the customer; tax identification number (if warranted); the names of individuals to contact at the organization; after hours/emergency contact information (such as for any urgent patient needs); and preferences for how to contact them.
- Data related to the performance of the commercial contract and/or the commercial relationship (if and when applicable): information about the healthcare organization and its business; commencement of the business relationship; devices/products of interest; purchase history; frequency and overall amount purchased; contact history (sales calls, inquiries, etc.); website and other program enrollments and cancellations; Cook employees who interact with the customer; correspondence and service interactions; information gathered through satisfaction survey participation, customer feedback requests and/or product evaluations; any marketing preferences that have been requested by the healthcare professional/organization; feedback from the healthcare professional/organization about their preferences to best meet their needs (i.e., would like devices shipped on first of the month, wants to be contacted about new products, etc.).
- Data for Cook Events: If you are a presenter at one of our events, we may collect your resume and other credential information about you to determine if you are an appropriate speaker, your photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. We may also make and store a recording of your voice and likeness in certain instances and with your consent. If you are an attendee at one of our events, we may collect data from you to register and facilitate the event and your attendance at it, including as necessary to manage any follow-up actions, such as reimbursement of expenses and collection of post-event feedback. We may also collect some personal data of individuals attending live events for contact tracing purposes to comply with local law.
- Data related to the customer’s orders and payments (if and when applicable): specific order deliveries (including address and depending on the nature of the device, limited patient information as determined by the treating HCP/instruction, such as imaging and sizing information necessary for the planning, manufacturing, and delivery of the device); delivery conditions; billing and payment terms and conditions; discounts, account status, returns, creditworthiness reviews, and credit approvals (to extend credit on purchases); bank details for incoming or outgoing wire payments; and redacted credit card numbers.
- Data collected for patient safety-related purposes (if and when applicable): information and training on proper use (sizing, placement, etc.) of medical devices and their component parts; collection, follow-up, and reporting of any adverse experiences; feedback about favorable patient experiences; recommendations or insights about ways in which Cook can further improve its devices or the information about their use; and information about new labeling or other safety related updates pertaining to Cook’s products.
- Data collected for legal and compliance purposes (if and when applicable): import and export information, collection or creditworthiness checks, tax and regulatory obligations, information required for any regulatory inspections, inquiries, or audits; reporting of any payments to healthcare professionals under the laws of certain countries (including the Sunshine Act laws—see below) and other information of a legal nature. For certain customers (such as those outside of the United States) and consistent with applicable laws, Cook may also collect information to comply with customs and trade laws, as well as anti-terrorism requirements.
- Data related to regulatory disclosure fulfillments (if and when applicable): information relating to contracts (agreements) with healthcare professionals (other than those for the purchase of goods or services), including, for example, those relating to sponsorships, education or consultant work for Cook; and information relating to the provision by or on behalf of Cook of any other items of monetary value, such as lunches or any tangible items. Under the laws of certain countries, this information must be provided to national authorities and some of it is publicly available, including the name of the recipient and the surrounding details.
Where the healthcare professional or other customer is an organization and the information above constitutes Personal Data about its employees, workers, or contractors, you should bring this notice to their attention.
Cook limits the Personal Data that it collects to that which is relevant and proportionate for the intended purpose. We also take reasonable steps to ensure that the Personal Data collected from healthcare professionals and other customers is accurate, complete, and where necessary, up-to-date in accordance with the purposes for which it was collected. As part of this undertaking, we encourage healthcare professionals and other individuals to keep their Personal Data on file with us updated or let us know to correct your information if it changes or if you believe the information that we have collected is inaccurate, so that we can continue to provide optimal service to you.
Cook uses the Personal Data collected from healthcare professionals and other customers only for the purposes for which it was collected, and any compatible purposes permitted by law. We use your Personal Data:
- To provide the information and products you request and fulfill your orders;
- To track and respond to safety and product quality concerns, including product recalls;
- For security, credit, or fraud prevention purposes;
- To contact you with special offers and other information we believe will be of interest to you (in accordance with any privacy preferences you have expressed to us);
- To invite you to participate in surveys and provide feedback to us (in accordance with any privacy preferences you have expressed to us);
- To invite you to participate in educational events, including roundtable speaking events;
- To administer any grants and/or sponsorships which we may provide;
- To better understand your needs and interests;
- To improve our products and services;
- To protect patients and improve safety;
- For the provision of customer services;
- To manage our relationship with customers and healthcare professionals;
- To improve our marketing and promotional efforts;
- To comply with our legal and regulatory obligations;
- For internal business administration and management purposes (for example, in connection with the payment of invoices, billing, reconciliation, or other financial or accounting functions and maintaining records); and
- For any other purpose identified in an applicable privacy notice, click-through agreement, or other agreement between you and us.
Where relevant under applicable data protection laws, our grounds for processing the Personal Data above include:
- Where we need to perform the contract we are about to enter into or have entered into with you; or
- Where we need to comply with a legal or regulatory obligation; or
- Where it is necessary for our legitimate interests (i.e., we have a business or commercial reason for using your information), and your interests and your fundamental rights do not override those interests. Our legitimate interests include being efficient about how we fulfill our legal and contractual duties; complying with laws or regulations that apply to us; communicating with you; supporting our customers; managing our relationship with you; providing excellent customer service; improving safety and protecting patients; improving our marketing efforts; preventing fraud or misuse of our products or services; ensuring the security of our IT systems, architecture, and networks; selling any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and meeting our corporate and social responsibility objectives. Or
- Where affirmative consent has been provided. Where we rely on your consent, you may withdraw your consent at any time.
Where we need to collect Personal Data by law or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter with you. In some circumstances, Cook may anonymize your Personal Data so that it can no longer be associated with you, in which case we may use and disclose such information without further notice to you.
If we need to use your Personal Data for an unrelated purpose than that for which it was collected and the further processing is incompatible with that initial purpose, we will notify you and explain the legal basis which allows us to do so. Cook may process your Personal Data without your knowledge or consent, where this is required or permitted by law.
Cook limits access to Personal Data collected from healthcare professionals and other customers on a need-to-know basis in connection with the performance of our professional activities. Within our organization, personnel are only given access in accordance with their job responsibilities, subject to appropriate confidentiality obligations. On a limited basis, we share Personal Data with:
- Other companies within the Cook group, as available here;
- Third-party vendors and advisers who provide us with services, for example, marketing and promotional services, order fulfillment services, customer relationship management (CRM) system services on which healthcare professional and customer Personal Data is processed, and/or legal, tax, and consultancy advice;
- Third parties in respect of business transactions, such as in the event of a transfer of ownership of our business;
- Third parties as permitted or required by law, including in connection with regulatory or legal matters or where this is required for safety and security (for example, regulatory, governmental, court, and law enforcement authorities).
When we share this information, we limit the transfer to the information that is relevant under the circumstances and comply with all legal requirements in respect of the transfer. To the extent possible, we require the recipient to uphold an equivalent level of protection for the Personal Data consistent with this notice and applicable law.
International data transfers
As a global organization, Cook stores data in secure, centralized systems and uses service providers based globally. Accordingly, Personal Data may be stored in, or accessible to authorized, limited persons located in the US and/or countries other than your country of residence. In accordance with applicable data protection laws, Cook has put in place appropriate measures to ensure an adequate level of protection for Personal Data and applies those measures irrespective of where the data is processed or stored.
When we transfer Personal Data out of the European Economic Area (EEA) or the UK, we ensure an adequate level of protection by implementing one of the following safeguards:
- Only transferring the Personal Data to a country or territory deemed to provide an adequate level of data protection by the European Commission and/or the UK supervisory authority.
- In respect of transfers to the US, pursuant to Cook’s certification under the Privacy Shield Framework, which requires Cook and third-party recipients to provide similar protection to Personal Data shared between Europe and the US. (Although the Privacy Shield Framework was invalidated in July of 2020 by the Court of Justice of the European Union in the Schrems II decision, Cook continues to maintain its Privacy Shield certification in accordance with the U.S. Department of Commerce advice and as a way of demonstrating our continued commitment to privacy.)
- By using specific data transfer contracts approved by the European Commission and/or the UK supervisory authority which give Personal Data the equivalent protection it has in Europe, i.e., Standard Contractual Clauses.
- When we transfer Personal Data out of other regions, Cook complies with the applicable regulatory requirements of cross-border transfer.
Cook has put in place appropriate technical, physical, and administrative security measures to help prevent unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration, or damage to the Personal Data that it collects. These measures are intended to ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the data to be protected and are applied in a manner consistent with applicable laws and regulations. Cook evaluates these measures on a continuing basis to help minimize risks from new security threats as they become known.
You may have rights to request amendment (rectification), access, transfer (data portability), or erasure (deletion) of your Personal Data or to object to or restrict the processing of your Personal Data.
Data subjects can contact their region’s Cook office as listed below, in relation to any questions about their Personal Data or to exercise any applicable rights or to object to our use of your Personal Data. To protect privacy, we require individuals to authenticate their identity and sign a form to obtain a copy of their Personal Data. Data subjects will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Individuals may also have the right to make a complaint at any time to their relevant supervisory authority for data protection issues. Cook would, however, appreciate the chance to deal with your concerns before you approach the relevant authority, so please contact us in the first instance.
In relation to marketing communications, we will provide you with an “opt in” or “opt out” mechanism depending on where you are located when we collect your Personal Data. An “opt in” mechanism will provide you the opportunity to positively indicate that you would like or do not object to our sending you such further communications, and we will not send you any unless you have “opted in.” An “opt out” mechanism (e.g., “unsubscribe”) will provide you the opportunity to indicate that you do not want us to send you such further communications, and if you “opt out,” we will not send you any. Either way, opting in or opting out will be up to you.
Where you provided your consent to receiving marketing communications, you may withdraw your consent at any time. Similarly, you may change previously expressed preferences regarding how we use your Personal Data. To withdraw your consent or be removed from our mailing or marketing lists, please contact us using the details set out below.
Cook retains Personal Data consistent with applicable data protection laws and regulations in order to meet its reasonable business needs. Cook disposes of Personal Data when it is no longer relevant and, in any case, upon expiration of the maximum storage term as set forth by applicable law, unless the Personal Data is required for a longer period, such as in the case of a claim, lawsuit, or other regulatory investigation.
When assessing the data retention period, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Changes to this notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your Personal Data.
For additional information about Cook’s privacy and security practices or to exercise your rights, kindly contact us at Privacy@CookGroup.com. Alternatively, you may email, call, or write to us at:
|United States or Other Locations||