Privacy Notice
Last updated: September 2024
1. Scope and information that this Online Privacy Notice covers
This Online Privacy Notice (this “Privacy Notice”) applies only to Personal Information (defined below) collected on our websites, mobile applications, or cloud-based services and communication platforms with a link to this Privacy Notice (collectively, the “Site”). This Privacy Notice includes information on how ICU Medical, Inc (“ICU Medical”, “we” or “our”) collect, use, disclose, and otherwise process Personal Information since this Privacy Notice was posted. References to “Personal Information” in this Privacy Notice means information that identifies or can reasonably identify users of the Site (“you”) personally. ICU Medical is the controller of Personal Information that we collect, use, disclose, and otherwise process as described in this Privacy Notice.
2. Collection of Information
Registration and other information provided
You are not required to create a personal account. For public areas of our Site, we generally collect and process only Personal Information you voluntarily provide to us. We don’t require you to give us Personal Information to access certain public areas of our Site. This is true unless you live in a jurisdiction that defines Personal Information to include network identifiers like your Internet Protocol addresses. For some secure areas of our Site, however, we require you to provide Personal Information, including your login credentials. We also collect your Personal Information on the Site to perform services on our Site, enhance the services we offer you, maintain and improve the Site, to secure you and our Site, comply with legal obligations, and inform you about other services and products that may be available through us, our affiliated companies, and our marketing partners.
If you choose not to provide us with the Personal Information that we legitimately require, we may be unable to provide you with the information or services you have requested. Public areas of our Sites ask for Personal Information from you when you engage in the following activities:
1. Register for an account with us;
2. Sign up for newsletters or general information about our programs and services;
3. Apply to join our team; and
4. Request customer or technical support.
Personal Information may include any or all of the following:
1. First name and surname;
2. Postal or billing address;
3. E-mail address;
4. Telephone or mobile number;
5. Location via IP address;
6. Previous login history with our Site; and
7. Other relevant data, including any information you provide when contacting us.
Even if you do not send us any Personal Information, we may collect certain non-personal information about how you use our Site. This non-personal information cannot reasonably identify you and is used for statistical purposes.
Information Collected Through Technology
We may also obtain information in other ways through technology. Some of this information may be linked to you personally. We process this information to help our Sites function correctly, and better understand the needs of our customers.
Device Information
Depending on the permissions you’ve granted and other factors, we may receive information about your location and your mobile device, including a unique identifier for your device. In particular, we collect the following information:
- Attributes such as the operating system, hardware version, device settings, battery and signal strength, and device identifiers.
- Certain device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals are gathered if you enabled the functionality within our product configuration.
- Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
- Gathering of IP addresses is used for our enhanced security.
Most mobile devices require you to provide your consent for location services, and allow you to turn off location services, and we encourage you to contact your device manufacturer for detailed instructions on how to do that.
3. Processing Your Information
Purpose of the processing
We do not disclose your Personal Information to unaffiliated third parties solely for their own direct marketing purposes. Whatever the purpose may be – whether we disclose the personal information to service providers or other external entities – we only process and disclose your Personal Information to the extent reasonably necessary to fulfill your requests and meet our legitimate business and legal objectives.
Providing the above registration information is necessary in order to create an account and also:
• to respond to and manage questions, complaints, reviews of our services, requests for information, and/or user feedback;
• to provide the services requested through the Site, including registration and subsequent updates and to manage the activities organized through the Site;
• to carry out statistical analysis and surveys;
• to manage sales activities; and
• to provide sales and after-sales services, such as administration, accounting, returns and guarantee management, fraud prevention, customer relationship management, including compliance with legal obligations, regulations and EU regulations (including anti-money laundering regulations) and to exercise rights in legal proceedings
Any refusal by you to provide this information would still allow you to use the Site but would prevent you from using some of our services reserved for registered users.
In addition, your Personal Information must be processed in order to fulfill the contractual relationship arising from the purchase of ICU Medical products. You are free to disclose your data to us or not, but in the absence of the requested data you will not be able to purchase ICU Medical products and it will not be possible to handle your requests.
Further purposes of the processing
If we receive your consent, we will use your Personal Information for other purposes such as commercial or advertising communications, direct sales, in-store sales support worldwide through email (newsletter), telephone, SMS/MMS, or other marketing related communications. You may, at any time, indicate your preferred means of contact from among those listed above and you may refuse the receipt of promotional communication by any or all of these means of contact.
With your consent, which is optional, ICU Medical collects information about your preferences, habits and lifestyle as well as details of purchases made in order to use these to create group and individual profiles (“profiling”) and to send you personalized communications. Personalized communication may be sent by email (newsletter), phone, SMS, MMS, chat, instant messaging, online ads shown on third-party websites including social networking platforms, and traditional mail. You may at any time indicate your preferred means of contact from among those listed above, and you may refuse the receipt of promotional communication by any or all of these means of contact. You may also opt out of receiving marketing emails from us by using the unsubscribe feature in any such email we send you and instruct us whether or not to use advertising cookies via our cookie consent tool accessible here.
Consent for the above marketing and profiling purposes is optional and refusal will not have any consequences. Data may be provided by you on registration at our points of sale by means of paper and/or electronic forms, acquired during visits to our stores belonging to the ICU Medical Group or through interaction with websites, internet applications and mobile applications belonging to the ICU Medical Group.
Legal grounds for the collection, use, disclosure and other processing of Personal Information
Certain jurisdictions require the identification of the legal grounds for the collection, use, disclosure, and other processing of Personal Information. We rely on the following legal grounds for the collection, use, disclosure, and processing of Personal Information as described in this Privacy Notice:
- Necessary to provide information or otherwise carry out the performance of a contract with you as an individual;
- Our legitimate interests, including:
- Performance of the contract with you;
- Implementation and operation of a group-wide matrix structure and group-wide information disclosures;
- Customer relationship management and other forms of marketing and analytics;
- Fraud prevention, misuse of company IT systems, or money laundering;
- Whistle-blower scheme operations;
- Physical, IT, and network perimeter security;
- Internal investigations; and
- Intended mergers and acquisitions;
- Compliance with legal obligations and/or defense against legal claims, including those in the areas of healthcare, labor, social security, data protection, tax, and corporate compliance laws.
- Protection of the vital interests of any individual;
- Performance of a task carried out in the public interest or in the exercise of official authority vested in us; and
- Consent, as permitted by applicable law.
Authorized Service Providers
We use other companies and individuals to perform certain functions on our behalf. Those functions include payment card processing, analyzing or hosting data on cloud-based servers, website support and design, and other companies that help us improve our products and services. We may disclose certain Personal Information to these companies and other individuals performing services in the United States or other locations where we conduct business.
Online Advertising Partners
If you consent to our use of marketing cookies, we disclose your IP address, cookie identifiers and information about your interactions with our Site to our online advertising partners, who track visitors across websites to display online ads to you. You may toggle your cookie settings here.
Sale of the Businesses
If we sell all or part of our business, Personal Information may be transferred to the purchaser in connection with that transaction. We will use reasonable efforts to include contractual provisions that require the purchaser to treat your Personal Information consistent with the terms of this Privacy Notice.
Other Disclosures
We may otherwise disclose Personal Information as permitted or required by law, when we believe in good faith it is necessary for safety purposes, required for legal reporting, or to protect our legal rights or enforce our Site’s terms and conditions or any applicable rules, or to protect the rights of others. We may also disclose Personal Information to our auditors, legal advisors, or to respond to a subpoena. We may also aggregate information that we gather about you (e.g., online sales, traffic patterns) and provide these statistics to others in aggregate form.
The recipients identified above may be located inside or outside the European Economic Area (“EEA”) or United Kingdom (“UK”). Recipients outside the EEA or UK might be located in countries that do not offer an adequate level of protection from an EEA or UK data protection law perspective. We will take all necessary measures to ensure that transfers out of the EEA or UK are adequately protected as required by applicable data protection law. With respect to transfers to countries not providing an adequate level of data protection, we may base the transfer on appropriate safeguards, such as the EU standard contractual clauses (or equivalent standard contractual clauses approved under UK data protection laws for transfers of personal data outside of the UK), approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can request a copy of the appropriate safeguards by contacting us as set out in the Questions section below.
Any access to your Personal Information is restricted to those individuals who have a need to receive or access this data in order to fulfill their job responsibilities. We may also disclose your Personal Information as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.
4. Use of Cookies
Cookies are small files sent by websites that you visit and that are stored on the device you use to access those websites. When users visit the same site again, your browser reads the cookies stored on your device and sends the information back to the site that originally created the cookies. Our Site also uses different types of cookies and other technologies to read and store information on the user’s device. We do not use cookies that are able to launch programs on your devices or send viruses to them, or that allow us to control your devices.
On the Site you may also find social buttons/widgets, in other words those distinctive “buttons” showing social network icons like Facebook, Instagram and Twitter. These buttons allow users who are browsing the Site to share and interact with social networks with a simple “click”.
Cookies for our Services generally fall into the following categories:
- Technical Cookies:
Technical cookies are necessary for the functioning of the Site, including the provision of the Services offered by the Site. This category of cookies includes session and functionality cookies, used by the owner to, for example, collect information, in aggregate form, about the number of users and how they use the Site or to save your browsing preferences, such as the language. This category of cookies does not require the user’s consent. - Analytics Cookies:
Analytics cookies are used to carry out statistical analyses by allowing us to recognize and count the number of users of our Site and see how those users navigate the Site. These cookies are collected anonymously and exclusively for statistical purposes. This helps to improve how our Site works, for example, by ensuring that users can find what they are looking for easily. - Our Own and Third Party Profiling and Advertising Cookies:
Our own and third party profiling cookies are designed to create user profiles and used to send and display advertising messages in line with the preferences expressed by users during their browsing. This category of cookies always requires the user’s optional consent.
The above cookies may be:
- temporary, when they are automatically deleted at the end of the connection;
- permanent, when they remain on the user’s hard drive, unless the user deletes them;
- first party, when they are issued and managed directly by the Site administrator;
- third party, when they are managed by a domain other than the one visited by the user.
While the use of technical cookies does not require the user’s consent, the use of profiling cookies always requires the user’s optional consent, and the user can choose which profiling cookies to consent to. Cookies can be managed and disabled using the browser settings (e.g., Internet Explorer, Google Chrome, Safari, Firefox). Once on the Site, the user will be able to access the “cookie selection” area and view the list of third party companies that place cookies on our Site; check the presence and activity status of the installed cookie (“Status”) and selectively manage your consent (“On/Off”). Expanding the entry (Info) for each company will provide more information about the company and will link to the specific privacy and cookie policy.
5. Cross-Border Data Transfers
Your Personal Information may be transferred outside of your home country to third party recipients established within the EU or the UK, and to third party countries, not belonging to the EU or outside of the UK, which do not guarantee the same level of data protection as the EU or UK (as applicable). If you are located in a jurisdiction that does not consider the outside country to provide an adequate level of protection as the EU or the UK, cross-border transfer of your information is necessary for the conclusion or performance of a transaction that you requested, and for the establishment, exercise, and defense of legal claims. However, you are advised that such transfer to third party countries will always be in accordance with the provisions of the Privacy Notice, i.e., by obtaining your consent, when necessary, or by adopting appropriate safeguards. For example, with respect to transfers to countries not providing an adequate level of data protection, we may base the transfer on appropriate safeguards, such as the EU standard contractual clauses (or equivalent standard contractual clauses approved under UK data protection laws for transfers of personal data outside of the UK), approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can request a copy of the appropriate safeguards by contacting us as set out in the Questions section below. To the extent permitted by local law, your use of this Site or provision of any Personal Information constitutes, where legally permitted, your consent to the cross-border transfer of Personal Information and other activities identified in this Privacy Notice.
6. Security of Information
Our security measures include contractual arrangements with any contractor (e.g., service providers) or other party intended to protect the security and confidentiality of your Personal Information, prevent unauthorized access or disclosure of Personal Information in our custody or control, and maintain data accuracy in accordance with the provisions of our Privacy Notice.
7. Data Retention
We store personal information as long as necessary to provide you with any products or services that you requested, and to fulfil the other purposes set forth in this Privacy Notice, as appropriate. Otherwise, we will only retain your personal information in accordance with storage periods as required or permitted by applicable laws and regulations (e.g., to account for statutory periods of limitation).
8. Children
The Site is not intended for persons under 16 years of age, and we do not knowingly solicit or collect personal information from or about children. Our products are intended for use by providers of healthcare, and we do not knowingly market our products or services to children.
9. User Rights
Certain jurisdictions maintain local data protection regulations that confer certain data protection rights on individuals. We will address those rights as required by applicable laws. If you wish to exercise any of these rights, please contact us as specified below. If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. This withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. To the extent you’ve provided your consent and wish to withdraw it, you can contact us as stated below.
Pursuant to applicable data protection law you may also have the right to: (1) request access to Personal Information; (2) request rectification of your Personal Information; (3) request erasure of your Personal Information; (4) request restriction of processing of your Personal Information; (5) request data portability of your Personal Information; and/or (6) object to the processing of your Personal Information. Please note that these rights might be limited under the applicable national data protection law.
Below is a general description of them and how to exercise them:
- Right of access:
You may have the right to obtain from us confirmation as to whether or not Personal Information concerning you is processed, and, to request access to the Personal Information. The access information includes, among other things, the purposes of the processing, the categories of Personal Information concerned, and the recipients or categories of recipient to whom the Personal Information has been or will be disclosed. This is not, however, an absolute right, and the interests of other individuals may restrict your right of access. You may have the right to obtain a copy of their Personal Information undergoing processing. - Right to rectification:
You may have the right to obtain from us the rectification of inaccurate Personal Information about you. Depending on the purposes of the processing, you may have the right to have incomplete Personal Information completed, including by means of providing a supplementary statement. - Right to erasure:
Under certain circumstances, you may have the right to obtain from us the erasure of Personal Information concerning you, and we may be obligated to erase that Personal Information, as long as it is not required for legal or regulatory purposes. - Right to restriction of processing:
Under certain circumstances, you may have the right to obtain from us restriction of processing your Personal Information. In that case, your data will be marked and may only be processed by us for certain limited purposes. - Right to data portability:
Under certain circumstances, you may have the right to receive the Personal Information about you, which you have provided to us, in a structured, commonly used and machine-readable format, and you may have the right to transmit that data to another entity without hindrance from us. - Right to object:
Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Information by us, and we can be required to no longer process your Personal Information. For example, where we process your Personal Information on the basis of our legitimate interests. However, as we process and use your Personal Information primarily for purposes of carrying out the contract for services and in furtherance of our relationship, we have a compelling legitimate interest for the processing which may override your objection request, unless the request relates to marketing activities.
To exercise your rights, please contact us at ethicsandcompliance@icumed.com.
You also have the right to lodge a complaint with a competent data protection supervisory authority.
A list of local data protection authorities in European countries is available here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
For the United Kingdom, you may contact the Information Commissioner’s Office at: https://ico.org.uk/
Phone: 0303 123 1113, Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For Argentina, you may contact La Agencia de Acceso a la Informacion Publica at https://www.argentina.gob.ar/aaip/datospersonales
For Colombia, you may contact the Superintendencia de Industria y Comercio at https://www.sic.gov.co/
The Mexican data protection authority is the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos (INAI)), and can be accessed here: https://gobierno.com.mx/ifai.html
For Peru, you may contact the Directorate for the Protection of personal data, which is part of the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (NDPA) at https://www.gob.pe/minjus.
10. California Notice Obligations
The additional disclosures in this section entitled "California Notice Obligations" apply only if you reside in California. This Notice does not reflect our processing of California residents’ personal information where an exception under California law applies. Please see Section 3 above for information about the categories of personal information that we collect from you when you use our Site. These categories correspond with the following categories under the CCPA's definition of "personal information":
- Identifiers, including name, address, phone number, e-mail address, account username, account password, information collected via cookies, and IP address;
- Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, address, and telephone number.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or Other Electronic Network Activity, including browser, time and date of access, operating system, application version, device ID, and pages shown.
- Geolocation data (but not precise geolocation data).
- Professional information.
- Audio, electronic, visual or similar information.
- Education or employment-related information if you submit a job application.
Please see Section 3 above for the purposes for which we process personal information, and Section 7 above for the criteria we use to determine how long to retain each category of personal information we collect. We do not sell or share for cross-context behavioral advertising any of the personal information that we collect about California residents. We do not collect sensitive personal information unless you voluntarily submit it to us, we do not use sensitive personal information to infer characteristics about users of the Site residing in California, and we only use sensitive personal information for purposes referred to under Subsection 1798.121(a) of the CCPA. For more information regarding the CCPA and California residents’ rights under the CCPA, please see ICU Medical’s CCPA Privacy Notice at https://www.icumed.com/about-us/corporate-policies-and-disclosures/ccpa/
11. Philippines Privacy Rights
If you are a Philippine (“PH”) citizen or resident, please note that the laws applicable to your personal data include Republic Act No. 10173, or the Philippine Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and the related issuances of the Philippine National Privacy Commission (NPC). In this regard and in addition to those matters contained in this Privacy Notice, please note the following information that specifically apply to you and the processing of your personal data:
- PH Personal Data
Consistent with the “Collection of Information” section above, we may collect personal information about you, such as your name, address, phone number, e-mail address, information collected via cookies, and IP address.
In the event that we will be collecting your sensitive personal information as defined under the DPA, we will only do so upon your express consent and only for the purposes it was provided, or in accordance with the applicable law.
- Processing of PH Personal Data
We process your personal information on the basis of your express consent (Section 12(a), DPA) whenever we deem appropriate or to the extent required by applicable law, such as when the transfer of personal data constitutes as data sharing under the DPA. Otherwise, we base our processing of your personal information on our legitimate interests (Section 12(f), DPA) or when required by the applicable law (Section 12(c), DPA).
In the event that we will be processing your sensitive personal information as defined under the DPA, we will only do so upon your express consent and only for the purposes it was provided, or in accordance with the applicable law.
- Rights of Data Subjects
As a PH citizen or resident, you acknowledge the existence of your rights as a data subject under the DPA, its Implementing Rules and Regulations, and the relevant issuances of the NPC.
12. Questions or Complaints
If you believe that your Personal Information has not been correctly processed, or if you would like to exercise any of your rights under applicable privacy or data protection laws, you may email us at ethicsandcompliance@icumed.com.
Access Notice in Alternative Formats.
Individuals who need assistance accessing this Privacy Notice in an alternative format can do so by contacting us toll-free at 1-800-824-7890.
13. Changes to this Notice
ICU Medical reserves the right to modify or update this Privacy Notice from time to time. The modified Privacy Notice will be published in visible places on our Site. Any changes will be effective immediately upon the posting of the revised Privacy Notice or as of the effective date shown in the Privacy Notice. Unless applicable laws require us to obtain your consent in another manner, your continued use of our Site after we publish on the Site a material modification to this Privacy Notice means that you consent to us processing your personal information as described in the revised Privacy Notice. ICU Medical encourages you to review periodically our Privacy Notice.
Last updated: September 2024