Edwards Lifesciences Data Privacy Notice

1. Overview
Edwards Lifesciences Corporation and its subsidiaries and affiliates (collectively "Edwards Lifesciences") issue this Data Privacy Notice for Service Providers ("Service Providers") to describe how we handle the personal data we hold about you and your employees, which you provide to us in the course of performing the Agreement between you and Edwards Lifesciences.
Edwards Lifesciences respects the privacy rights of individuals and is committed to handling personal data responsibly and in accordance with Applicable Data Protection Laws, including but not limited to the EU General Data Protection Regulation (Regulation 2016/679) (GDPR), UK GDPR, Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). Note that in relation to your data, the Data Controller will be the Edwards Lifesciences group company named in your Agreement.

2. Types of personal data we collect
In the course of contracting and providing services, we may process personal data about you and your employees whose personal data has been provided to us. The nature and extent of the personal data you provide to us will vary, depending on the nature of the Services you are providing and the sensitivity of the Edwards Personal Data to which you are exposed, as well as whether or not you will be present at Edwards’ facilities to provide Services and whether you will have access to Edwards’ information technology systems.
The types of personal data we process include, but are not limited to:
1. Identification data and contact details – such as your name, address, telephone/email address, phone number.
2. Background information – such as academic/professional qualifications, education, CV/resume, languages, information obtained through references (to assess your qualifications to perform the Services described in the Agreement).
3. National identifiers – such as national ID, immigration status, driver's license, social security numbers (if pertinent to the Services you will provide).
4. Financial information – such as bank account details (in order to make payments under the Agreement), tax information (to make government-mandated reports of payments made to you).
5. Information you have made publicly available, such as social media (e.g., Facebook, Instagram, Twitter, LinkedIn, and the like) profiles and posts, unless prohibited by law.
In some circumstances we may request on a voluntary disclosure basis, some sensitive personal data relating to you, including your racial or ethnic origin (for purposes of assuring fairness in provider selection), or trade union membership (where pertinent to the Services) ("Sensitive Personal Data").

3. Sources of personal data
Usually you will have provided the information we hold about you and your employees but there may be situations where we collect personal data or Sensitive Personal Data from other sources. For example, we may collect certain background information during “due diligence” in the Service Provider selection process, including information on your performance, conduct or other information relevant to formal internal procedures, from customers or other organisations you work with or have worked with.

4. Purposes for processing personal data
We collect and process this personal data primarily for the purpose of evaluating potential Service Providers prior to contracting, and then to perform our obligations to you under the Agreement.
We may also collect and use personal data when it is necessary for other legitimate purposes, such as:
• to help us conduct our business – for example, for accounting purposes, or financial planning;
• if you are a Healthcare Provider, for purposes of required transparency reporting and to ensure compliance with requirements for appropriate HCP interactions;
• if your Services involve access to our IT systems or software, to operate, administer and update IT and communications systems including for security purposes, to enable communication between colleagues and with third parties;
• to investigate violations of law or breaches of our own internal policies – whether by you or your employees;
• where necessary to comply with laws and regulations, under judicial authorisation, or to exercise or defend the legal rights of Edwards Lifesciences.

5. Who we share your personal data with.
Edwards Lifesciences takes care to allow access to personal data about our Service Providers only to those who require such access to perform their tasks and duties, and who have a legitimate purpose for accessing it. Whenever we permit access to personal data, we will implement appropriate measures to ensure the data is used in a manner consistent with this Notice. In particular, we will require that the confidentiality and integrity of the information is maintained, including through appropriate technical and organizational security measures.
(i) Transfers to other group companies
We will share your personal data within Edwards Lifesciences around the world as necessary for legitimate business purposes (such as tax & accounting purposes, general business management).
(ii) Transfers to Service Providers or other third parties
We will transfer your personal data to others where legally required to carry out our obligations under the Agreement (for example, to tax authorities). In addition, we make certain personal data available to other Service Providers. We do so on a "need to know basis" and in accordance with applicable data privacy law.
For example, (i) Service Providers who perform “due diligence” on certain Service Providers (with your knowledge); (ii) if your Services involve access to our IT systems, Service Providers who provide, support and maintain our IT and communications infrastructure (including for data storage purposes), and/or provide business continuity services, e.g. Amazon Web Services; and (iii) auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under a contractual prohibition of using the personal data for any other purpose.
In other instances, you may use Edwards Lifesciences third-party software services to record actions you take in the performance of the Services, and interaction with these systems is logged as evidence that the required steps were taken.
(iii) Other transfers
We may also disclose personal data on other lawful grounds, including (i) to comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process, or to meet national security or law enforcement requests, including, but not limited to, a subpoena or search warrant; (ii) with your consent; (iii) as necessary to establish, exercise or defend against potential, threatened or actual litigation; (iv) where necessary to protect your vital interests or those of another person; or (v) in connection with the sale, assignment or other transfer of all or part of our business.

6. Legal bases for processing personal data.
Our legal bases for collecting and using the personal data (and, where applicable, Sensitive Personal Data) described in this Notice will depend on the information concerned and the specific context in which we collect it. Some of the bases we rely on are set out above.
In summary, we will normally collect personal data from you only where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, where we need the personal data to perform a contract with you, where the processing is necessary to comply with a legal obligation or where we have your consent to do so. In some cases, we may also need the personal data to protect your vital interests or those of another person.
Where we request personal data and Sensitive Personal Data from you, you can choose not to provide it to us. However, unless otherwise indicated, the personal data we request from you is normally required in order to enter into our contract with you or comply with our legal obligations. Failure to provide it may prevent us from effectively administering our contractual relationship with you, which may mean we are unable to continue the engagement.

7. Transfers of data across borders.
Edwards Lifesciences is a global group of companies headquartered in Irvine, California in the United States. Many of our IT and other functions are administered centrally by Edwards Lifesciences LLC in the United States, and your personal data is stored and processed by Edwards Lifesciences on servers in the US. Edwards Lifesciences Corporation, the US-based parent of all Edwards Lifesciences companies, may also receive personal data.
As Edwards Lifesciences operates at a global level, we may also need to transfer personal data to other non-European countries where we operate. In respect of those inter-company transfers, we have entered into inter-company agreements which implement the European Commission's Standard Contractual Clauses (pursuant to the European Commission’s decision CID (EU) 2021/914). As for transfers to third parties, we ensure compliance with requirements regarding cross-border transfers through the Standard Contractual Clauses and through consent, where applicable.

8. Your data privacy rights
Under applicable law, you may have a right (i) to request access and obtain a copy of your personal data, (ii) to request updates, rectification or erasure, including if your personal data is inaccurate or no longer necessary in relation to the purposes for which it was collected; (iii) to restrict the processing of your personal data; (iv) if applicable, to request portability of your data; and (v) if applicable, to request that your personal data not be sold. In certain circumstances, you may also have the right to object to the processing of your personal data.
Any such request can be made to the Privacy office at [email protected] by filling out the data subject request form on Edwards.com here: https://www.edwards.com/legal/privacyrequest.
If you have concerns that your data are being processed improperly, you have the right to lodge a complaint free of charge with the data protection authority in your country or state of residence.
If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of processing that took place before consent was withdrawn, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

9. Monitoring of Edwards’ premises and equipment
If your Services involve access to Edwards’ premises or to Edwards’ IT or other systems, all Edwards assets should be used only for legitimate business purposes. This includes office facilities, equipment, supplies, products, information and other assets.
Edwards Lifesciences will carry out automated monitoring of its IT and communications systems and devices including through automated tools such as anti-malware software, website filtering and spam filtering. It will also carry out monitoring of its physical premises, such as by way of CCTV and badge scans. We may also carry out certain manual or partly automatic monitoring activities including, for example, email and other communications reviews, logging of browsing and activity data, remote access and wiping of devices and recording of information relating to the physical location of Edwards’ devices.
The primary purpose of this monitoring is to protect Edwards Lifesciences, its employees, customers and business partners, for example (i) for system and network security, including in particular the security of Edwards Lifesciences' IT system and assets, and the safety of its employees and other third parties; (ii) for proof of business transactions and archiving; (iii) for the protection of confidential information and intellectual property – including by tracking and/or remote wiping of stolen devices or property; (iv) for investigating breaches of internal policies, fraud or other unlawful activity; (v) for other legitimate business purposes as permitted under applicable law (including, for example, for complying with data subject rights).
Monitoring activities are likely to be continuous and ongoing. However, they will always be proportionate, for legitimate purposes, and as required or permitted by applicable law. Before undertaking any monitoring activities, we will consider reasonable expectations of privacy and assess whether there are any less invasive options. Users of our IT systems should be aware that any message, files, data, document, facsimile, telephone conversations, social media post or instant message communications, or any other types of information transmitted to or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets are presumed to be business-related and may be monitored by us in accordance with applicable law.

10. Data retention periods
The guiding principle adopted by Edwards Lifesciences is that your personal data will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this Notice or as otherwise required by contractual agreements with third parties, law or other Edwards Lifesciences policies.
We will generally keep your personal data for at least as long as your Service Agreement remains active. After the agreement expires, how long we keep the data will depend on the nature of the information and the purpose for which it was collected. The first criterion used to determine retention times is whether the law requires us to keep it, and for how long. Otherwise, we will generally retain information where necessary in connection with a purpose under this Notice.

11. Automated Decision-Making.
Edwards Lifesciences does not engage in automated decision-making as it relates to the processing of your personal data.

12. Updates to this Notice
This Notice may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, the updated version will be made available and will indicate at the top of the Notice when it was most recently updated.

13. Questions and Concerns
You can address any questions or concerns relating to this Notice and our privacy practices to the contact details further below. As noted above, you also have a right to lodge a complaint free of charge with your local data protection authority (DPA).
We will cooperate with the relevant DPA in investigations and resolutions of complaints relating to this Notice. We commit to cooperate and comply in good faith with the advice of these authorities.
Of course, we value the opportunity to deal with any concerns directly before they are shared externally and would encourage you to raise them using the contact details below as a first step.

14. Contact details
Questions, concerns or requests relating to your data, or to data protection generally, may be addressed to the Privacy Office, Edwards Lifesciences, One Edwards Way, Irvine, CA 92614, by telephone without charge to +1 (888) 570-4014 or by email to [email protected].