Global data protection notice for suppliers


Effective January 2024

This Data Protection Notice is provided by Cook Medical Holdings LLC and its subsidiaries and affiliates, including its worldwide subsidiaries and affiliates (collectively, “Cook”). It is intended to inform suppliers and their personnel about how we collect, process, safeguard, share, and store their Personal Data, as well as their rights in relation to that Personal Data. “Personal Data” means any data that can directly or indirectly lead to the identification of a specific individual.

Data collection

The information we collect from our suppliers may either be directly provided by our suppliers or service providers or provided directly by their employees, contractors, or workers (“Supplier Personal Data”). Where the Personal Data relates to your employees, workers, or contractors, you should bring this notice to their attention.

We may collect several types of Supplier Personal Data, depending on the nature of our relationship with a supplier, including without limitation:

  • General contact and identification information (e.g., name, first name, last name, gender, email and/or postal address, and/or mobile phone);
  • Function (e.g., title, position, and name of employer);
  • Electronic identification data where required for the purpose of delivering products or services to our company (e.g., badge number and picture, logs, access, and closed-circuit television [CCTV] footage); and
  • For natural persons acting as suppliers or service providers, in addition to the Personal Data listed above, financial information (e.g., bank account details).

Where you provide us with Personal Data about individuals (e.g., your colleagues), you should ensure that you have an appropriate legal basis for doing so. Cook takes reasonable steps to keep Personal Data accurate, complete, and up-to-date in accordance with the purposes for which it was collected. We rely on you to provide accurate information to us, and to amend or update that information if you later determine that it is incomplete or inaccurate.

For additional information pertaining to California residents about our collection of Supplier Personal Data, please refer to our California Privacy Statement for Suppliers.

Data processing

Cook uses Supplier Personal Data only for the purposes for which the data was collected and any compatible purposes as permitted by law. In particular, we use Supplier Personal Data:

  • To manage our suppliers and service providers throughout the supply chain;
  • To organize tenders, implement tasks in preparation of or to perform existing contracts;
  • To manage our IT resources, including infrastructure management and business continuity;
  • For billing and invoicing; and
  • For any other purposes imposed by law and/or orders or requests from regulatory and court authorities.

Where relevant under applicable data protection laws, our grounds for processing Supplier Personal Data include:

  • Where we need to perform the contract we are about to enter into or have entered into with you; or
  • Where we need to comply with a legal or regulatory obligation; or
  • Where it is necessary for our legitimate interests (i.e., we have a business or commercial reason for using your information), and your interests and your fundamental rights do not override those interests. Our legitimate interests include using certain platforms offered by our vendors to process data to provide more cost-effective services; being efficient about how we fulfill our legal and contractual duties; complying with laws or regulations that apply to us; communicating with you; supporting our customers; preventing fraud or misuse of our products or services; ensuring the security of our IT systems, architecture, and networks; selling any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and meeting our corporate and social responsibility objectives. Or
  • Where affirmative consent has been provided. Where we rely on your consent, you may withdraw your consent at any time.

Where we need to collect Personal Data by law or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter with you. In some circumstances, Cook may anonymize your Personal Data so that it can no longer be associated with you, in which case we may use and disclose such information without further notice to you.

If we need to use your Personal Data for a purpose unrelated to that for which it was collected, we will notify you, where required by law, and explain the legal basis which allows us to do so. Cook may process your Personal Data without your knowledge or consent, where this is required or permitted by law.

For additional information pertaining to California residents about our collection of Supplier Personal Data, please refer to our California Privacy Statement for Suppliers.

Information disclosed

Cook limits access to Supplier Personal Data on a need-to-know basis in connection with the performance of our professional activities. Within our organization, personnel are only given access in accordance with their job responsibilities, subject to appropriate confidentiality obligations. We disclose Supplier Personal Data to:

  • Other companies within the Cook group, as available here;
  • Third-party vendors and advisers who provide us with services; for example, platforms offered by vendors to process data on our behalf, and/or legal, tax, and consultancy advice;
  • Third parties in respect of business transactions, such as in the event of a transfer of ownership of our business;
  • Third parties as permitted or required by law, including in connection with regulatory or legal matters or where this is required for safety and security (for example, regulatory, governmental, court, and law enforcement authorities).

We do not sell Supplier Personal Data. When we disclose Supplier Personal Data, we limit the transfer to the information that is relevant under the circumstances and comply with all legal requirements in respect of the transfer. To the extent possible, we require the recipient to uphold an equivalent level of protection for the Supplier Personal Data consistent with this notice and applicable law.

For additional information pertaining to California residents about our collection of Supplier Personal Data, please refer to our California Privacy Statement for Suppliers.

International data transfers

As a global organization, Cook stores data in secure, centralized systems and uses service providers based globally. Accordingly, Supplier Personal Data may be stored in, or accessible to authorized, limited persons located in the US and/or countries other than your country of residence. In accordance with applicable data protection laws, Cook has put in place appropriate measures to ensure an adequate level of protection for Supplier Personal Data and applies those measures irrespective of where the data is processed or stored.

When we transfer Supplier Personal Data out of the European Economic Area (EEA) or the UK, we ensure an adequate level of protection by implementing one of the following safeguards:

  • Only transferring the Supplier Personal Data to a country or territory deemed to provide an adequate level of data protection by the European Commission and/or the UK supervisory authority;
  • By using specific data transfer contracts approved by the European Commission and/or the UK supervisory authority, which give Personal Data the equivalent protection it has in Europe, i.e., Standard Contractual Clauses; or
  • When we transfer Personal Data out of other regions, Cook complies with the applicable regulatory requirements of cross-border transfer.

Further, although the Privacy Shield Framework was recently invalidated by the EU in the Schrems II decision, Cook continues to maintain our Privacy Shield certification in accordance with the U.S. Department of Commerce’s advice and as a way of demonstrating our continued commitment to privacy.

Data security

Cook has put in place appropriate technical, physical, and administrative security measures to help prevent unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration, or damage to Supplier Personal Data that it collects. These measures are intended to ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the data to be protected and are applied in a manner consistent with applicable laws and regulations. Cook evaluates these measures on a continuing basis to help minimize risks from new security threats as they become known.

Individual rights

Depending on your place of residence, you may have rights to request amendment (rectification), access, transfer (data portability), or erasure (deletion) of your Personal Data or to object to or restrict the processing or sharing of your Personal Data.

Data subjects can contact their region’s Cook office as listed below, in relation to any questions about their Personal Data or to exercise any applicable rights or to object to our use of their Personal Data. To protect privacy, we require individuals to authenticate their identity and sign a form to obtain a copy of their Personal Data. Data subjects will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if a request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Individuals may also have the right to make a complaint at any time to their relevant supervisory authority for data protection issues. Cook would, however, appreciate the chance to deal with your concerns before you approach the relevant authority, so please contact us in the first instance.

For additional information pertaining to California residents, please refer to our California Privacy Statement for Suppliers.

Retention

Cook retains Supplier Personal Data consistent with applicable data protection laws and regulations in order to meet our reasonable business needs. Cook disposes of Supplier Personal Data when it is no longer relevant and, in any case, upon expiration of the maximum storage term as set forth by applicable law, unless the Supplier Personal Data is required for a longer period, such as in the case of a claim, lawsuit, or other regulatory investigation.

When assessing the data retention period, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the Supplier Personal Data, the purposes for which we process the Supplier Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Changes to this notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your Personal Data.

Contact us

For additional information about Cook’s privacy and security practices or to exercise your rights, kindly contact us at Privacy@CookGroup.com. Alternatively, you may email or write to us at:

Europe
Email: DataProtectionEurope@CookMedical.com
Europe Mail Address:
Cook Ireland Ltd.
Attn: European Data Protection Officer
O’Halloran Road
National Technological Park
Castletroy, Limerick, Ireland

Asia-Pacific
Email: DataProtectionAPAC@CookMedical.com
APAC Mail Address:
Cook Medical China
Room 1503, Ascendas Plaza
No. 333 Tianyaoqiao Road
Shanghai (200030), China

United States or Other Locations
Email: Privacy@CookGroup.com
US Mail Address:
Cook Group Incorporated
Attn: Chief Privacy Officer
P.O. Box 1608
Bloomington, Indiana 47402-1608 USA