Information on Data Protection for Customers, Suppliers and other Data Subjects
LivaNova takes the privacy of your information seriously. We are committed to ensuring that information relating to you and from which you can be identified (known as “personal data”) is protected in accordance with our legal obligations under the EU General Data Protection Regulation (“GDPR”) and other applicable national data protection laws. With this Privacy Notice, we would like to give you an overview of the processing of your personal data by us and your rights under data protection law. Which data exactly are processed and the manner in which they are used is principally determined by the services requested or agreed. Therefore, not every element of this information may be applicable to you.
1. Who is responsible for data processing?
Responsibility lies with LivaNova PLC (4th Floor, 20 Eastbourne Terrace, London W2 6LG, United Kingdom) and/or one of its subsidiaries listed in the Appendix attached at the end of this document (“LivaNova”). The individual responsibility depends on which of the LivaNova entities listed in the Appendix processes your personal data as a controller (Art. 4 no. 7 GDPR). For further information on the controller role please contact: firstname.lastname@example.org
2. How can I contact the European Data Protection Officer?
You can contact the European Data Protection Officer under: LivaNova Deutschland GmbH Data Protection Lindberghstr. 25 80939 Munich Germany email@example.com
3. What kind of personal data do we hold?
We may have received personal data directly from you, from our business partners (such as the legal entity for whom you work), other third parties (such as health care facilities) or reliable public sources (such as university or congress websites). We collect different kinds of personal data on you, for example:
Name and contact details (e.g. name, sex, email address and/or postal address, telephone number(s))
Function (e.g. title, position, name of company, as well as for health care professionals field(s) of expertise, education, publications, congress activities, participation in clinical studies and organizations)
Payment details (e.g. bank details, credit card details, VAT no. or other tax ID)
Information on your preferences, including communication channels and frequency
Data provided to us e.g. by filling out forms, during events in which you participate or by answering questions of a survey
Data relating to our products or services
Information on a scientific and medical cooperation with us
If you would like to provide personal data on other persons (e.g. colleagues of yours) to us you are obliged to provide such persons with a copy of this Privacy Notice either directly or via your employer.
4. For which purpose do we process your personal data and why is this justified?
We process personal data in accordance with the provisions of the GDPR and other applicable national data protection laws.
4.1 As a result of your consent, Art. 6 (1) (a) GDPR
To the extent you have consented to the processing of personal data by us for certain purposes (such as marketing, mailing newsletters, clinical studies, device tracking), such processing is legitimate based on your consent. Consent once given may be revoked at any time. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.
4.2 In order to comply with contractual obligations, Art. 6 (1) (b) GDPR
Personal data are processed for the purpose of providing services in connection with the performance of our agreements with our customers or for performing pre-contractual measures as a result of queries. The purposes of data processing are primarily determined by the specific agreements regarding services or products (such as purchase of medical devices, repair or maintenance services, participation in events) and may, among other things, include administration of contracts. For further details on the purposes of data processing, please refer to the respective contractual documents.
4.3 Within the scope of the balancing of interests, Art. 6 (1) (f) GDPR
To the extent necessary, we will process your personal data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples:
Tracking of side effects (pharmacovigilance purposes)
Improvement of our products and services
Commercialisation of products
Advertising or marketing and opinion research unless you have objected to the use of your data
Lodging of legal claims and defence in case of legal disputes
Ensuring IT security and IT operations
Prevention and investigation of criminal acts
Measures for securing buildings and systems (such as admission control)
Measures to protect our domiciliary right
Measures for business management and advanced development of services and products.
4.4 On the basis of statutory regulations, Art. 6 (1) (c) GDPR
Moreover, we, as a medical device manufacturer, are subject to various legal obligations, i.e. statutory requirements (such as the EU Medical Device Regulation) which require us to process your personal data in certain cases.
5. Who will receive my data?
Within LivaNova, those departments will be granted access to your data which require them in order to comply with our contractual and statutory obligations. Further, we may transfer personal data within the LivaNova group. Regulatory authorities responsible for medical device approval and product safety may receive personal data from us. Service providers and agents appointed by us may receive the data for these purposes. These are companies in the categories of IT services, logistics, printing services, telecommunication, consultation as well as sales and marketing. Your personal data may also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court.
In any case, personal data will only be transferred to recipients outside LivaNova if this is required by law, you have given your consent or we have entered into data processing agreements, if applicable.
6. Will the data be transferred to a third country or an international organization?
Data transfers to bodies in states outside the European Union (so-called third countries) will take place to the extent
you have given your consent, and/or
we ensure that appropriate safeguards are implemented to provide an adequate level of data protection such as standard contractual clauses approved by the European Commission or adequacy decision by the European Commission.
7. For how long will my data be stored?
We process and store your personal data as long as this is required to meet our contractual and statutory obligations. If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes:
Compliance with obligations of retention under commercial or tax law. In general, the time limit specified for respective retention or documentation is two to 15 years.
Preservation of evidence under the statutory regulations regarding the statute of limitations. These statutes of limitations may be up to 30 years, the regular statute of limitation being three years.
8. What are my rights under to data protection law?
Every data subject has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object pursuant to Art. 21 GDPR and the right to data portability pursuant to Art. 20 GDPR. Moreover, there is a right to appeal to a competent data protection supervisory authority (Art. 77 GDPR).
Your consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies for the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.
9. Am I obliged to provide data?
Within the scope of our business relationship, you are obliged to provide such personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.
Information about your right to object pursuant to Art. 21 GDPR
Right to object based on individual cases
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) (f) GDPR (data-processing on the basis of the balancing of interests). If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.
Right to object to processing for the purpose of direct marketing
In individual cases, we will process your personal data for the purpose of direct marketing. You have the right to object at any time against the processing of your personal data for the purposes of such marketing; this also applies for profiling to the extent it is connected to such direct marketing. If you do object to processing for the purposes of direct marketing, we will refrain from using your personal data for such purposes in the future.
Recipient of an objection
Any objection may be submitted informally under the heading "objection" indicating your name, your address and your date of birth and should be addressed to: