Merlin.net™ PCN Privacy Notice

Effective Date: July 2023

This Privacy Policy applies to the Merlin.net Patient Care Network (“Merlin.net”), including use of the Merlin.net website.

If you are a Clinician, please see +Privacy Policy For Users Of Merlin.net Patient Care Network for information about how your personal information is processed within the Merlin.net Patient Care Network, and see +Information For Clinics To Provide To Patients About The Merlin.net Patient Care Network for information about how patient personal information is processed within the Merlin.net Patient Care Network.

+Privacy Policy For Users Of Merlin.net Patient Care Network

About Us

“Abbott” in this Privacy Policy means the local Abbott affiliated company that supports Your Clinic’s principal location and the Clinic’s associated Users. Please see +Local Abbott Companies (https://www.cardiovascular.abbott/int/en/hcp/products/cardiac-rhythm-management/affiliates.html) for the Abbott affiliated company in each country in which Merlin.net operates.

“Abbott Laboratories” in this Privacy Policy means Abbott Laboratories, the details for which are set out in +Contact Abbott.

Merlin.net is provided by Abbott. Abbott recognises the importance of data protection and privacy and is committed to protecting personal information transmitted to and stored in Merlin.net. The purpose of this Privacy Policy is to provide healthcare practitioners and other authorised users of Merlin.net (“Users”) with information about how Users’ personal information is processed in connection with their use of Merlin.net. In most cases Abbott processes personal information on behalf of a User’s associated Clinic. This is referred to in some jurisdictions as Abbott being a ‘processor’ of a User’s associated Clinic. Abbott also processes personal information for its own limited purposes as described under +Abbott’s Own Use of Users’ Personal Information (Abbott as a ‘controller’).


The Clinic that provides Users with a login to use Merlin.net is responsible for Users’ personal information in connection with their use of Merlin.net and that Clinic is an independent controller from Abbott. In the first instance, Users should contact their Clinic for more information about the processing of their personal information in connection with Merlin.net. The Clinic has entered into an agreement with Abbott to provide Merlin.net to Users.

References in this Privacy Policy to the terms “controller” and “processor” have the meanings given to them in the data protection laws of the EEA, the UK and Switzerland. If these terms are not used in the privacy or data protection laws of the country in which a User is primarily located, those terms should be treated as having the equivalent meaning of similar terms under such laws.

+Background to Merlin.net

Merlin.net is a remote follow-up system designed to assist healthcare practitioners in monitoring and managing aspects of their patient’s condition where the patient has been implanted with a cardiac device manufactured by Abbott Laboratories, such as a pacemaker, implantable cardioverter defibrillator (ICD), insertable cardiac monitor (ICM), or an arterial pressure monitor, such as CardioMEMS™ HF System. Merlin.net enables the prompt, automated transmission of information collected from a patient’s implanted medical device to a private and secure database that can be interrogated by Users as part of the patient’s medical team. Using Merlin.net allows Users to review information on the status of their patient’s device and condition, without requiring the patient to visit the Clinic in person, unless a patient’s healthcare provider determines otherwise as part of their treatment.

+Cookies and Similar Technologies on Merlin.net website (Abbott Laboratories as a “controller”)

Abbott Laboratories uses cookies on the Merlin.net website to collect technical information from Users. Cookies are text files containing small amounts of data that are downloaded to Users’ computers when they visit a website. On each subsequent visit to the website, Users’ web browsers (such as Microsoft Edge or Chrome) send some or all of the information in these text files back to the website that is requesting the information. This allows Abbott to recognize each User. These cookies can only be read by the server that sent them to the Users’ browser in the first instance. Merlin.net does not recognize Do Not Track (DNT) headers or similar mechanisms from some or all browsers.

The cookies and similar technologies used on the Merlin.net website allow Abbott Laboratories to collect the following technical information: domain name, the date and time of the User’s website visit, the web address from which the User accessed the website, the number of visitors to the website, the pages viewed, and the length of time on the website, browser type and operating system and IP address. An IP address is a number that is automatically assigned to the User’s computer when the User uses the internet.

Abbott Laboratories uses the personal information collected from cookies and similar technologies on Merlin.net for the following purposes:

  • Authentication and security: Abbott Laboratories uses certain cookies to help identify Users so that when logged in, they can use the Merlin.net services and various functionalities, and to help Abbott Laboratories manage a User’s password expiration.
  • Performance and Functionality of the Merlin.net website: Abbott Laboratories needs to use certain cookies and local storage devices temporarily for session management to ensure that Users can access the Merlin.net website and use the services, such as assisting with navigation of the Merlin.net website, ensuring that pages load quickly and to ensure general functionality.

Abbott Laboratories may combine this automatically collected information with other information it has about Users, subject to obtaining Users’ consent to do so (where legally required).

There are various ways that Users can control and manage their cookies. Please remember that if a User changes any browser settings, the change will not affect only the cookies used by the Merlin.net website; it may apply to all websites visited (unless the User chooses to block cookies from particular sites). To find out more about cookies visit https://www.allaboutcookies.org.

+Abbott’s Use of Users’ Personal Information When Providing Services to Clinics (Abbott as a “Processor”)

Once a Clinic has entered into a separate written agreement with Abbott for the use of Merlin.net, Abbott will issue the Clinic with a Clinic account, and the administrator for the Clinic account will set up individual user accounts for Users.

To set up Users with a Merlin.net user account, a User’s Clinic administrator will input a User’s name, email address, telephone number, Clinic name and address into Merlin.net. Once a User has been set up with a Merlin.net account, the User can enter account preferences, including for the DirectAlert® features. Abbott collects, processes and hosts Users’ personal information, including their name, email address, telephone number, Clinic name and address, as a processor on behalf of the Clinic so that Users can access Merlin.net.

As part of providing Merlin.net services to the Clinic under a written agreement, Abbott provides technical and customer support in connection with Clinics’ (and their Users’) use of Merlin.net and will process Users’ personal information to provide this support. As part of providing the support, Abbott may have access to details that have been added to Merlin.net about Users, and/or may collect details about the User reporting a technical issue, to monitor the support request. Abbott processes personal information for this purpose on behalf of the Clinic so that Abbott can provide the Clinic with technical and customer support services as required under the agreement between the Clinic and Abbott. For specific details about the processors and subprocessors used to provide Merlin.net, please see the Merlin.net Data Processing Agreement.

+Abbott’s Own Use of Users’ Personal Information (Abbott as a “Controller”)

Abbott and Abbott Laboratories process personal information about Users when Users contact them to report an adverse incident or a complaint about Merlin.net or an implanted cardiac device. Abbott and Abbott Laboratories record this information because they are under a legal obligation to do so pursuant to medical device regulations. The specific categories of personal information Abbott and Abbott Laboratories collect about Users for this purpose may vary between countries but in each case will be provided by the User as part of their report.

Abbott also collects and uses Users’ personal information in the following ways:

  • to develop internal company reports;
  • as described at +Cookies and Similar Technologies on Merlin.net website;
  • to learn about Abbott's customers and markets; and
  • to contact Users about Abbott's products or services that may be of interest to them, subject to obtaining Users’ prior consent to do so where Abbott is legally required.

+Abbott’s Lawful Basis for Processing Users’ Personal Information as a Controller

Under certain countries’ privacy or data protection laws, Abbott and Abbott Laboratories are required to have a lawful basis for processing personal information as a “controller.” As this information varies depending on the country in which the User is located, please see the relevant country section at the end of this Privacy Policy for Users.

+Retention of Users’ Personal Information (Abbott as a “Controller”)

As controllers, Abbott and Abbott Laboratories store Users’ personal information for as long as they require it to respond to queries and concerns or in accordance with any legal requirements, such as to ensure medical device quality, safety and vigilance by operating an adverse incident report process.

Generally, personal information stored in Merlin.net shall continue to be retained during the time that the information is being transmitted. Following a period of inactivity that reaches Abbott’s Data Retention Limit (generally 7 to 10 years, depending on your location), the personal information shall be deleted from the system. These time periods may vary depending on the law of the relevant country in which a User is located. For further information, please contact Abbott using the details below.

+Disclosure of Users’ Personal Information by Abbott

Abbott will not share Users’ personal information collected through Merlin.net with unrelated third parties, except as provided in this Privacy Policy.

Abbott may disclose Users’ personal information to its affiliates for the purpose of operating and maintaining Merlin.net and/or providing customer support. These companies will act as Abbott’s processors and are not authorized to keep or use the User’s personal information for any other purpose. See the Merlin.net Data Processing Agreement for more information.

Abbott may disclose Users’ personal information to companies that it hires to perform services for them, such as technical support, mailing and data processing, where disclosing personal information is necessary to perform the service. These companies will act as Abbott’s processors and are not authorized to keep or use the User’s personal information for any other purpose. See the Merlin.net Data Processing Agreement for more information.

Depending on local requirements, Abbott may disclose certain personal information with other affiliates, the User’s Clinic, and national health authorities or insurers as required for medical reimbursement, or as may be required in relation to a corporate sale, merger, reorganization, acquisition, dissolution, or similar event. Abbott may also need to share the User’s personal information to comply with legal requirements and/or pursuant to a warrant, subpoena or court order, or where necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Policy, or as evidence in litigation in which Abbott is involved.

Abbott will never rent or sell Users’ personal information to third parties for marketing or other commercial purposes.

+International Transfers of Users’ Personal Information and Data Storage

Abbott is currently in the process of migrating its Merlin.net servers to the Microsoft Azure cloud so that the servers are local to a geographic region. During this transition period, the country in which the User’s Clinic is located and the product will determine where personal information is stored. For example, if the User’s Clinic is located in a member state of the EEA, personal information will be stored on servers located in the Republic of Ireland. The personal information the User uploads to Merlin.net will be stored in the country closest to the country in which the User’s Clinic is located or otherwise in accordance with the data storage and privacy requirements of such country. When the User’s personal information is hosted in a country other than the country in which their Clinic is located, it may become subject to the laws of the host country, which may not be equivalent to the laws of the country in which the User’s Clinic is located. For a current list of products and storage locations relating to Merlin, please see www.Cardiovascular.Abbott/MerlinCloudEU.

Depending on the User’s location and product, personal information may be transferred directly from the User to, and stored in, the United States of America (USA), except where local exceptions apply. As part of Abbott’s provision of support services to the Clinics, Users’ personal information may be accessed from the country in which the User resides, Sweden or another EU location, or its other support centres located in Malaysia and the USA. The privacy laws of the USA and Malaysia may not offer protections for personal information equivalent to those in the User’s country of residence, including the EEA, Switzerland or UK.

Where legally required, Abbott has incorporated safeguards within its contracts with Clinics designed to protect Users’ personal information to a standard essentially equivalent to that which it receives in the User’s country of residence. Such safeguards include, for personal information originating from the EEA, incorporating the European Commission approved controller to processor Standard Contractual Clauses (SCCs) (which the EU Court of Justice upheld as a valid legal mechanism to transfer personal information to countries located outside the EEA) and, for personal information originating from the UK, the UK Information Commissioner’s Office-approved SCCs. By including such safeguards in its contracts, Abbott is able to receive Users’ personal information lawfully in the USA as a processor so that it can perform its contracts with Clinics. In addition to the incorporation of such safeguards, Abbott has implemented strong security measures to protect personal information.

+Users’ Rights in their Personal Information

Clinic Users may correct their profile information (name, email address and password) through Merlin.net account settings, which can be accessed through the website.

In respect of personal information for which Abbott is a controller, depending on the location of the User, Users may make a request to Abbott to (a) access the personal information Abbott holds about them; (b) request that Abbott corrects any inaccurate personal information it holds about them; (c) delete any personal information Abbott holds about them; (d) restrict or cease the processing of personal information Abbott holds about them; (e) object to the processing of personal information Abbott holds about them; and/or (f) receive any personal information they have provided to Abbott in a structured and commonly used machine-readable format or have such personal information transmitted to another company. Users may also have the right to lodge a complaint with their national data protection supervisory authority.

Please note that Abbott is generally not required by law to adopt or maintain systems that are technically compatible with systems offered by other companies, unless required by local law (see +For Users in France below). It may not be possible for Abbott to directly transmit the User’s personal information to another company.

For more information about the rights Users have in respect of their personal information, please see the relevant country section at the end of this Privacy Policy.

Much of the personal information Abbott holds about Users as a controller, such as patient personal information, it also holds as a processor on behalf of the Users’ Clinic. If a User would like to exercise any of their rights in relation to the personal information held about them in Merlin.net, please contact the Clinic in the first instance.

Where Abbott has obtained a User’s consent to the processing of their personal information, they can withdraw consent at any time by contacting Abbott. Any withdrawal of consent will not affect the lawfulness of the processing based on their consent before the withdrawal. Please also note that if a User withdraws consent, Abbott will only stop processing the personal information that relates to the withdrawal of consent. Abbott will still process personal information where it has an alternative legal basis to do so, such as to comply with its regulatory requirements for manufacturing medical devices.

+Deleting User Accounts in Merlin.net

Users can delete their Merlin.net account at any time by contacting the Clinic’s Merlin.net administrator.

+Security

Abbott has implemented appropriate, industry standard security measures to protect personal information from accidental loss or damage, unauthorized access and misuse. Access to the Merlin.net website is only available over a secure socket layer (“https”). Please keep in mind that no Internet transmission is 100% secure and some transmissions sent to or from Merlin.net may not be secure. Abbott has also implemented local security and interoperability requirements that may be required by law in the User’s country.

+Children’s Privacy

Abbott does not intentionally collect personal information from children. If a User thinks that a child has provided Abbott with personal information, please contact Abbott at the details below. Abbott will use reasonable efforts to delete this information.

+Contact Abbott

If a User has questions, concerns or complaints in relation to Abbott’s processing of personal information or wishes to exercise any data protection rights, please contact the User’s Clinic in the first instance. Otherwise, please contact Abbott at:

Privacy Officer, Abbott, 036X, AP06A-2, 100 Abbott Park Rd, Abbott Park, IL 60064, USA

or via e-mail at privacy@abbott.com

If the User is based in the EEA or UK, they can also contact Abbott’s data protection officer, details for whom are available at www.eu-dpo.abbott.com.

+Changes to this Privacy Policy

If Abbott makes changes to its privacy practices, an updated version of this Privacy Policy will reflect those changes. Users will be alerted to updates to this Privacy Policy by email or when they next log into Merlin.net. Users will be notified if there is a new version of this Privacy Policy and will be prompted to read and, if appropriate, acknowledge it (and, if required by law, agree to it) so that they can continue to access and use their Merlin.net account via the Merlin.net website.

Without prejudice to any applicable law, Abbott reserves the right to update and amend this Privacy Policy without prior notice to reflect technological advancements, legal and regulatory changes, and good business practices to the extent that it does not change the privacy practices as set out in this Privacy Policy.

+For Users in Canada

For the purposes of this section, “you” and “your” refer to the “User”.

BY ACCESSING OR USING MERLIN.NET, YOU SIGNIFY THAT YOU HAVE READ, UNDERSTOOD AND CONSENT TO THE COLLECTION, STORAGE, USE AND DISCLOSURE OF YOUR PERSONAL INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY.

If a User is located in Canada, then the terms “controller” and “processor” are treated as analogous to “the organization [that] collects, uses or discloses [personal information] in the course of commercial activities”, where a controller would be the organization involved in the primary collection, use and disclosure, and a processor would be considered a subcontractor of that organization that also collects, uses and in turn discloses personal information.

You acknowledge and understand that many of Abbott’s service providers and affiliates operate from outside of Canada. By using Merlin.net, you consent that your personal information may be stored, processed, or transferred to other provinces, territories and countries (including the United States of America) which may not guarantee the same level of protection of personal information as the jurisdiction in which you reside. Your personal information will be subject to the local laws of the jurisdiction where it is transferred and in certain circumstances, other foreign governments, courts, law enforcement agencies or regulatory agencies may be entitled to access your personal information.

Abbott may retain your personal information for as long as necessary to fulfil the purposes for which it has been collected, as outlined in this Privacy Policy, or any longer retention period required by law.

Except in limited circumstances, you may request access to your personal information that Abbott holds about you. You may also request correction of your personal information that Abbott holds about you where you believe it to be out of date or otherwise inaccurate. You may also withdraw your consent to Abbott’s collection, storage, use and disclosure of your personal information, subject to legal or contractual restrictions, by contacting Abbott at the contact details set out in the +Contact Abbott section of this Privacy Policy. Please note that if you exercise certain of your rights, including withdrawing your consent, this may limit Abbott’s ability to provide your Clinic with certain services.

Any changes that Abbott makes to this Privacy Policy will become effective when a modified version of the Privacy Policy becomes available on Merlin.net. Your continued access and use of Merlin.net following any such change constitutes your agreement to follow and be bound by the most recent version of this Privacy Policy.

+For Users in the EEA, Switzerland and UK

As part of Abbott’s provision of support services to the Clinics, Users’ personal information may be accessed from the country in which the User resides, or its support center in Sweden or another EU location or the USA.

Lawful basis

In the table below, Users can see what personal information about them is processed by Abbott as a controller and as a processor. Where Abbott is a controller, the table includes Abbott’s lawful basis for processing the personal information for the listed purpose.

| Purpose | Categories of Personal Information | Abbott as a Controller | Abbott as a Processor | Abbott's Lawful Basis |
| Authentication and security, and performance and functionality | Personal information collected via cookies: domain name, the date and time of the User’s website visit, the web address from which the User accessed the website, the number of visitors to the website, the pages viewed, the length of time on the website, browser type, operating system and IP address | Yes | No | Legitimate interest (the cookies are strictly necessary to operate the Merlin.net website) |
| Setting up a User’s account | Name, email address, telephone number, Clinic name and address | No | Yes | Not applicable |
| Providing Merlin.net to Clinic | Name, email address, telephone number, Clinic name and address, account preferences | No | Yes | Not applicable |
| Providing Merlin.net to individual User (rare occasion) | Name, email address, telephone number, Clinic name and address, account preferences | Yes | No | Necessary for the performance of a contract to which the User is a party |
| Providing support services to Clinic | Dependent on the support required, but may be any of the personal information stored in Merlin.net and details about the issue needing support | No | Yes | Not applicable |
| Adverse event reporting | Varies depending on the issue being reported but likely to be name, email address, telephone number, Clinic name and address | Yes | No | Legal obligations under medical device regulation, e.g., the Medical Devices Regulation (EU) |
| Research | User name, phone number, email address, clinic name, and clinic country. Additional information, if provided by the clinic, includes job title or role and clinic ID. | Yes | No | User consent |
| Learn about customers and markets | User name, phone number, email address, clinic name, and clinic country. Additional information, if provided by the clinic, includes job title or role and clinic ID. | Yes | No | User consent |
| Contacting Users about products and services of interest to them | Name, email | Yes | No | User consent |

International transfers

Abbott receives Users’ personal information lawfully in the USA as a controller on the following basis:

  • the processing is necessary for important reasons of public interest where Abbott processes Users’ personal information when they report an adverse incident in relation to an Abbott implanted device;
  • the processing is necessary to perform a contract concluded in the interests of the User where Abbott processes Users’ personal information in order to provide services to Clinics under its agreements with them; and
  • the User’s explicit consent, where Abbott processes Users’ personal information in connection with Users’ use of the Merlin.net website and the information collected by cookies.
Users’ Rights in their Personal Information

Under the conditions set out under applicable law (i.e., the GDPR or FADP or UK GDPR), Users have the following rights:

  • Right of access: Users have the right to obtain from Abbott confirmation as to whether or not personal information concerning them is being processed, and, where that is the case, to request access to the personal information. The access information includes – inter alia – the purposes of the processing, the categories of personal information concerned, and the recipients or categories of recipients to whom the personal information has been or will be disclosed. Users have the right to obtain a copy of the personal information undergoing processing. For additional copies requested by Users, Abbott may charge a reasonable fee based on administrative costs.
  • Right to rectification: Users have the right to obtain from Abbott the rectification of inaccurate personal information concerning them. Depending on the purposes of the processing, Users have the right to have incomplete personal information completed, including by means of providing a supplementary statement.
  • Right to erasure (right to be forgotten): Users have the right to ask Abbott to erase their personal information.
  • Right to restriction of processing: Users have the right to request the restriction of processing their personal information. In this case, the respective data will be marked and may only be processed by Abbott for certain purposes.
  • Right to data portability: Users have the right to receive the personal information concerning them which they have provided to Abbott in a structured, commonly used and machine-readable format and the right to transmit that personal information to another entity without hindrance from Abbott.
  • Right to object: Users have the right to object, on grounds relating to their particular situation, at any time to the processing of their personal information by Abbott. If Users have a right to object, and they exercise this right, their personal information will no longer be processed for such purposes by Abbott. Such a right to object may not exist, in particular, if the processing of their personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.

Please note that the aforementioned rights might be limited under the applicable national data protection law.

Users can exercise their rights by using any of the methods described in the section entitled +Contact Abbott.

In case of complaints, Users also have the right to lodge a complaint with the competent supervisory authority, in particular in the EEA Member State of their habitual residence or alleged infringement of the GDPR, or if the User is in the United Kingdom, the Information Commissioner’s Office.

Users may find the contact details of the competent supervisory authority for each EEA Member State at https://edpb.europa.eu/about-edpb/about-edpb/members_en and, for the UK, at https://ico.org.uk/.

+For Users in France

In addition to the provisions contained in the section “For Users in the EEA, Switzerland and UK,” specific requirements apply for France.

  • Health data hosting: French Users’ personal information will only be hosted on secure servers of Microsoft Azure located in the Republic of Ireland, a member state of the EU, and will not be transferred to the United States of America, unless absolutely necessary. These servers hold the health data hosting (“HDS”) certification in accordance with the provisions of the French public health Code.
  • Interoperability & security: Abbott is committed to complying with the interoperability and security requirements adopted by the French Digital Health Agency (“ANS”), as amended from time to time. This involves the following measures:
    • Pro Santé Connect: Merlin.net is eligible for Pro Santé Connect, a digital service designed to secure the identification and authentication of French health professionals registered under the RPPS list. Pro Santé Connect is in the process of being implemented into Merlin.net. Abbott has also implemented several requirements relating to the renewal of electronic identification means, access restriction and password complexity. For more information about Abbott’s use of Pro Santé Connect or these security measures, please consult the Merlin.net Terms of Use.
    • Health Directory: Abbott is in the process of implementing the Health Directory (“Annuaire Santé”), which is intended to bring together identification data of healthcare professionals from various repositories.

+For Users in Japan

The term "controller" herein refers to a business handling personal information who should be responsible for the processing of personal information under the Act on the Protection of Personal Information (the “APPI”).

Users have the rights listed in “Users’ Rights in their Personal Information” described in +For Users in the EEA, Switzerland and UK to the extent permitted by the APPI. If Abbott denies a User’s request, Abbott will notify the User to that effect and give the reason.

For more information about a User’s rights and how to exercise them, please contact Abbott at the contact information listed under +Contact Abbott.

In case of complaints, Users also have the right to lodge a complaint with the competent supervisory authority, the Personal Information Protection Commission (the “PPC”) in Japan.

Contact details of the PPC are available at https://www.ppc.go.jp/index.html.

+Information For Clinics To Provide To Patients About The Merlin.net™ Patient Care Network

Except as otherwise provided in the following sections, Clinics are controllers of the personal information, including health-related information, of the patients they have enrolled in Merlin.net to monitor those patients’ device and heart condition. Clinics must provide all patients with all of the information below and must obtain consent from their patients in relation to Abbott’s processing of their personal information as a controller, if legally required.

Below is the information a Clinic must provide to its patients about Merlin.net. We recommend that Users print it and present it to their patients and obtain their patients’ consent (where required) before uploading their personal information into Merlin.net.

By uploading a patient’s personal information into Merlin.net, the User warrants and represents that the User has provided the information below to that patient and obtained their consent for Abbott to process their personal information (where legally required).

Privacy Policy for Patients Enrolled in the Merlin.net™ Patient Care Network

+Overview

This Clinic (“we,” “us” or “our”) has arranged for Abbott to make the Merlin.net™ Patient Care Network (“Merlin.net”) available to us so that we can monitor your device and heart condition. We are a controller of your personal information for the purposes of providing your medical care, and we are responsible for how it is processed and for ensuring that information transmitted via Merlin.net complies with applicable data protection laws.

This Privacy Policy describes how your personal information will be handled in connection with Merlin.net, including how it is used by Abbott. Abbott is the provider of Merlin.net and primarily acts as our processor but is also a controller of your personal information when processing it as necessary for purposes related to medical device safety, security and quality. Abbott recognises the importance of data protection and privacy and is committed to protecting personal information, including health-related information. This Privacy Policy should be read in conjunction with the patient guides explaining how Merlin.net operates.

References to the terms “controller” and “processor” in this Privacy Policy have the meanings given to them in the data protection laws of the EEA, the UK and Switzerland. If these terms are not used in the privacy or data protection laws of the country in which you reside, then, where applicable, those terms will have the equivalent meaning of similar terms under the privacy or data protection laws in the country in which you reside.

+About Abbott and Controller Information

Abbott Laboratories is the manufacturer of your implanted cardiac device. This Clinic has entered into an agreement with Abbott to provide it with Merlin.net which holds information about your cardiac device and heart condition. The local Abbott affiliated company for your associated Clinic’s principal location is referred to as “Abbott” in this Privacy Policy and is the provider of Merlin.net to your Clinic. Abbott and its affiliates also provide technical and customer support to this Clinic. Abbott will have access to and will process your personal information on our behalf. This is referred to, in some jurisdictions, as Abbott being a “processor,” for these purposes.

“Abbott Laboratories” in this Privacy Policy means Abbott Laboratories, the details for which are set out in +Contact Us or Abbott.

Abbott and Abbott Laboratories are controllers of your personal information for specified and limited processing purposes as described in the +Abbott’s Use Of Your Information section of this Privacy Policy. Should you have questions, concerns or complaints about the use of your personal information by Abbott or Abbott Laboratories as a controller, as well as any requests to exercise your data protection rights, please contact Abbott at +Contact Us or Abbott.

+About Merlin.net

Abbott Laboratories’ implanted cardiac devices, such as a pacemaker, implantable cardioverter defibrillator (ICD), insertable cardiac monitor (ICM), or an arterial pressure monitor such as the CardioMEMS™ HF System, are each supported by Merlin.net. Merlin.net enables the prompt, automated transmission of information collected from your implanted cardiac device to a private and secure database. Through Merlin.net, we can receive regular updates on the performance and status of your device and its effect on your health so as to monitor your condition remotely. One of the benefits of Merlin.net is that it will help us to monitor your heart condition and modify your treatment without the need for you to visit this Clinic in person as frequently.

Where you have been given a home transmitter, that transmitter will be linked to your Abbott Laboratories implanted cardiac device. It cannot be used to transmit data from any other device or other person. Your implanted cardiac device may also be monitored should you need urgent or long-term care and do not have access to your home transmitter where a hospital, clinic, care home or other similar facility has been equipped with a Merlin.net monitor. Where you are receiving such care, both that facility and this Clinic will receive reports about how your device is operating.

You may decline to use a monitor if your implanted device is a pacemaker/defibrillator. Where you elect not to use a monitor, you do not have to give a reason for your decision, and it will not affect your regular treatment. Please be aware we will not receive or be able to monitor information about your heart condition if you elect not to be enrolled in Merlin.net. If you no longer use a monitor with your pacemaker/defibrillator, we will no longer be able to collect information about you through Merlin.net, although information already collected will continue to be processed by us to provide you with medical care.

If you have been implanted with a CardioMEMS™ device to monitor pulmonary arterial pressure or an insertable cardiac monitor, the only way we can monitor you is via Merlin.net. Therefore, if you elect not to be enrolled in Merlin.net, it will affect our ability to monitor your condition and may affect our ability to treat you.

+Our Use of Your Information

We will collect your information as part of your medical treatment, and we will input your information into Merlin.net. Our use of Merlin.net helps us to monitor your device and your heart condition so that you need not visit us as frequently, but also provides us with the type of information that may result in us asking you to come in for an appointment. Our use of Merlin.net makes it easier for us to provide you with medical care.

+Merlin.net and Your Information

Your information on Merlin.net, processed by us and Abbott, includes your first name, surname, address, phone number, email, device model and serial number, birthdate, place of birth, gender, preferred language, medications, hospitalisations, information about your condition, diagnoses and the functioning of your implanted device, dates of treatment and transmissions, and may include a Clinic assigned patient number or other patient identifier such as a healthcare-related personal identification number. We may also input the information of an emergency contact for you, including their name, phone number, and address. You may choose whether or not to provide an emergency contact; to do so, you must have received your emergency contact’s authorisation to provide their information for the purpose of being your emergency contact. If you live in the United States of America (USA), Merlin.net may also include information about your race. If you live in France, Merlin.net may collect and use your national health identifier (“INS”) in accordance with local law requirements.

The Merlin.net information and transmission reports summarise information collected from your device and enable us to determine its effect on your health. We may also receive automated notifications regarding any device-related issues, which help us to ensure that scheduled remote follow-ups are maintained. The information received will be incorporated into your Merlin.net patient profile, which could contain device and in-Clinic follow-up data, remote follow-up data and a follow-up schedule. Your Merlin.net patient profile will be updated as information is received via the system to maintain an accurate record of the operation of your implanted device and your medical condition.

+Our Lawful Basis for Processing Your Information

Under data protection laws in some countries, we are required to have a lawful basis for processing personal information as a controller. As this information varies depending on the country in which you are located, please see the relevant country section at the end of this Privacy Policy.

+Abbott’s Collection and Use of Your Information as a “Processor”

As well as providing Merlin.net to us to monitor your device and condition, Abbott will also provide us with technical and clinical support pursuant to our contract with them. In addition to Abbott processing your personal information to provide the Merlin.net services, we may authorise Abbott staff to access your information where necessary, and in compliance with applicable privacy requirements, for us to receive technical and clinical support, such as assistance with debugging, upgrading or troubleshooting Merlin.net or interpreting data transmitted from your Abbott device. When Abbott undertakes this processing on our behalf or at our request, they do so as a processor.

Abbott may provide such support to us from your country of residence (particularly if it has operations there), from Sweden or another EU location, or from its other support centres located in Malaysia and the USA. Abbott may also use other third parties to provide technical or clinical support to us and, where it does so, Abbott is required to use measures to safeguard the confidentiality, integrity and security of your personal information. Abbott processes your personal information as a processor on our behalf for such purposes.

Following your enrolment into Merlin.net, we may engage Abbott to provide support services to you. You may be contacted directly by Abbott, on our behalf, to provide you with help in downloading and installing the accompanying Merlin.net app, help with app set up, pairing your implanted cardiac device to the app, informing you about app operations and use as well as help to troubleshoot any issues with the app. Where you are unable to use the app, you may be provided with a separate Merlin.net transmitter which will be shipped to your address. Where we engage Abbott to provide these services to you, they do so as part of their contract with us.

+Automated Phone Messages

Merlin.net can be programmed by us to send you automated pre-recorded messages, subject to your prior consent (where such consent is required by local law). This DirectCall® message feature can be used to:

  • remind you of an upcoming scheduled remote follow-up;
  • inform you of a missed scheduled remote follow-up;
  • notify you that your transmission has been received and all looks normal, or ask you to call your Clinic to discuss the results of the remote follow-up; or
  • send you a message asking you to transmit your remote follow-up data if it has not been received by your physician for a certain number of days.

These automated phone messages will usually be made during times agreed to between you and us and may be sent via an SMS text message to a mobile phone instead of a voice call, if you prefer. Please note that these automated phone messages may be affected by phone signal and functionality. These calls are for the purpose of medical care only and you may tell us that you do not wish to use the DirectCall® message feature. Automated phone messages are provided free of charge, though please note that you may incur charges by your mobile phone carrier for receiving such messages.

In addition, we may receive a DirectAlert® notification if a remote follow-up or remote monitoring reveals information about you of which we would like to be informed.

+Abbott’s Collection and Use of Your Information as a “Controller”

Abbott and/or Abbott Laboratories process your personal information as a controller for the following purposes:

  • to ensure the ongoing safety of Abbott’s implanted cardiac devices and any future development;
  • to monitor and improve the quality, security and effectiveness of medical devices and systems;
  • to validate upgrades, and to keep Merlin.net safe and secure;
  • to perform broader analysis to detect systemic issues for public interest in the area of public health;
  • to research, develop and test medical devices, including new and existing features and functionality and to test and improve Merlin.net for product development; and
  • where otherwise required by law, including to respond to any competent regulatory, law enforcement body, governmental authorities, to address national security or epidemics, judicial proceeding, court order, government request or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Abbott or others, and to exercise, establish or defend Abbott’s legal rights or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved.

In addition, Abbott Laboratories may use de-identified or pseudonymized data for research purposes, subject to your consent (where consent is required under local law). If a data set is used for research purposes, the data will not include your name, address, phone number, or email address. Abbott Laboratories takes steps to ensure that there is no reasonable basis from which the de-identified or pseudonymized data can be used to identify you individually. Data used in research may include device model and serial number, intervals between implant date and subsequent visit dates, implant date, and demographics such as place of residence and age. Abbott Laboratories conducts such research using this de-identified or pseudonymized data, or aggregated, statistical and/or anonymized data, for the following purposes:

  • to improve the quality, security and effectiveness of our cardiac and medical devices and systems and to allow for the development of innovative and effective treatment of heart-related conditions in the interests of public health;
  • to conduct research, for statistical purposes and analysis and to disclose to third party researchers, health care entities or professionals, or public health authorities;
  • to evaluate the effectiveness of the Services and how they are provided and used;
  • to validate the Services’ functionality and upgrades, including monitoring and improving the safety and security of such services;
  • to research, develop and test medical devices, including new and existing features and functionality and to test and improve the services and our medical devices for product development, data analysis, statistical and survey purposes; and
  • for public interest in the area of public health, including where the services and medical devices are eligible for medical reimbursement or are otherwise entitled to social security, insurance or public funding.

Where you have been asked to consent to the processing of your personal information, you can withdraw consent at any time by contacting us. Any withdrawal of consent will not affect the lawfulness of the processing based on your consent before the withdrawal. Please also note that where you withdraw consent, Abbott or Abbott Laboratories will only stop processing your personal information that relates to the withdrawal of consent. Abbott and/or Abbott Laboratories will still process personal information where it is under a contractual obligation to do so with your healthcare provider or other legal obligation or basis to do so.

If you are asked to participate in a clinical trial, and where required by applicable law, you will be asked to provide a separate informed consent to the research site prior to taking part in any such trial, and your participation is completely voluntary. The research in this section does not relate to participation in a clinical trial.

Under data protection laws in some countries, Abbott and Abbott Laboratories are required to have a lawful basis for processing personal information as a controller. As this information varies depending on the country in which you are located, please see the relevant country section at the end of this Privacy Policy.

Apart from the above processing, Abbott and Abbott Laboratories may only use your data for other purposes if you have consented for Abbott to do so.

+Disclosure of Users’ Personal Information by Abbott

Depending on local requirements, Abbott may disclose certain data to affiliates, this Clinic, third party researchers and national health authorities or insurers to demonstrate the effectiveness of Merlin.net as required for medical reimbursement.

Abbott may disclose your personal information to companies that Abbott hires to perform services for it, such as technical support, IT services and data processing, where disclosing personal information is necessary to perform the service.

Abbott may also disclose your personal information as may be required in relation to a corporate sale, merger, reorganization, acquisition, dissolution, or similar event. Abbott may also need to disclose your personal information to comply with legal requirements.

+International Transfers of Users’ Personal Information and Data Storage

Abbott is currently in the process of migrating its Merlin.net servers to the Microsoft Azure cloud so that the servers are local to a geographic region. During this transition period, the country in which the User’s Clinic is located, and the product, will determine where personal information is stored. For example, if the User’s Clinic is located in a member state of the EEA, personal information will be stored on servers located in the Republic of Ireland. The personal information the User uploads to Merlin.net will be stored in the country closest to the country in which the User’s Clinic is located or otherwise in accordance with the data storage and privacy requirements of such country. When the User’s personal information is hosted in a country other than the country in which their Clinic is located, it may become subject to the laws of the host country, which may not be equivalent to the laws of the country in which the User’s Clinic is located. For a current list of products and storage locations relating to Merlin, please see www.Cardiovascular.Abbott/MerlinCloudEU.

Depending on your location and product, personal information may be transferred to and stored in the United States of America (USA). The privacy laws of the USA may not offer protections for your information equivalent to those in your country of residence, including the EEA, Switzerland or the UK.

Where legally required, we have incorporated safeguards within our contracts with Abbott designed to protect your information to a standard essentially equivalent to that which it receives in your country of residence. Such safeguards include, for personal information originating from the EEA, incorporating the European Commission approved controller to processor Standard Contractual Clauses (SCCs), which the EU Court of Justice upheld as a valid legal mechanism to transfer personal information to countries outside the EU and EEA, and, for personal information originating from the UK, the UK Information Commissioner’s Office approved SCCs. By including such safeguards in our contracts, we are able to transfer your information lawfully to Abbott in the USA so that they can perform their contract with us. We have also implemented strict supplemental security measures in order to secure any data transfers to the USA.

+Data Security and Retention

Merlin.net is maintained by Abbott’s authorised staff on behalf of this Clinic, and Abbott has implemented security controls to protect your personal information from accidental or unlawful destruction or accidental loss, alteration, disclosure, or access. Information received from your device is encrypted before transmission to ensure that it will remain secure and confidential. Merlin.net has various security measures to enhance the security of your patient profile and to prevent unauthorised access to, or disclosure of, your personal information. Only those authorised by your physician, including authorised staff of this Clinic, will have access to your Merlin.net patient profile and only via unique IDs and passwords.

Personal Information stored in Merlin.net shall continue to be retained during the time that the information is being transmitted. Following a period of inactivity, with the inactivity reaching Abbott’s Data Retention Limit (generally 7 to 10 years, depending on your location), the personal information shall be deleted from the system.

+Your Rights

Depending on your location, you may request access to your personal information, to have it rectified or erased, to object to its processing or to restrict access to it, and, where possible, obtain a copy of the personal information held about you and to have any inaccurate or incomplete information relating to you corrected or updated. You may be entitled to object to the processing of your personal information, on legitimate grounds, and to request the anonymisation and/or deletion of such information. You may also have the right to lodge a complaint with your local data protection authority about how your personal information is processed.

Where you have been asked to consent to the processing of your personal information, you can withdraw consent at any time, such as by contacting us. Any withdrawal of consent will not affect the lawfulness of the processing based on your consent before the withdrawal. Please also note that where you withdraw consent for Abbott to process your personal information, Abbott will only stop processing your personal information that relates to the withdrawal of consent. Abbott will still process personal information where it is under a contractual or other legal obligation to do so, such as to comply with the EU regulatory framework for medical devices.

We may still need to process personal information where we respond to a medical situation or we are required to do so by law.

Please note that if you visit another Clinic that has a Merlin.net monitor, that facility may collect information about your device where, in their sole discretion, the information is needed for your medical care. If you have any concerns or complaints about the collection of your information in such a setting, you will need to contact that facility directly.

+Contact Us or Abbott

Should you have questions, concerns or complaints about this Clinic’s processing of your personal information or wish to exercise your data protection rights, please contact us using the details we have provided you.

Should you have questions, concerns or complaints about Abbott’s processing of your personal information or wish to exercise your data protection rights, please contact Abbott at:

Privacy Officer, Abbott, 036X, AP06A-2, 100 Abbott Park Rd, Abbott Park, IL 60064, USA

or via e-mail at privacy@abbott.com

If you are based in the EEA or UK, you can also contact Abbott’s data protection officer, details for whom are available at www.eu-dpo.abbott.com.

+Canada

By enrolling in, accessing or using Merlin.net and the Services, you signify that you have read, understood and consent to the collection, storage, use and disclosure of your personal information, including personal health information, as described in this privacy policy.

If a User is located in Canada, then the terms “controller” and “processor” are treated as analogous to “the organization [that] collects, uses or discloses [personal information] in the course of commercial activities”, where a controller would be the organization involved in the primary collection, use and disclosure, and a processor would be considered a subcontractor of that organization that also collects, uses and in turn discloses personal information.

You acknowledge and understand that many of Abbott’s service providers and affiliates operate from outside of Canada. By using Merlin.net and the Services, you consent that your personal information, including personal health information, may be stored, processed, or transferred to other provinces, territories and countries (including the United States) which may not guarantee the same level of protection of personal information as the jurisdiction in which you reside. Your personal information will be subject to the local laws of the jurisdiction where it is transferred and in certain circumstances, other foreign governments, courts, law enforcement agencies or regulatory agencies may be entitled to access your personal information.

You consent to Abbott creating de-identified and/or aggregated data from your personal information and using such data for research purposes.

Notwithstanding the security safeguards that Abbott employs and its commitment to protecting personal information, Abbott cannot guarantee the security or error-free transmission or storage of personal information. There are risks inherent in the use of electronic means to transmit and hold information in electronic format. Any transmission of information is at your own risk.

Abbott may retain your personal information for as long as necessary to fulfil the purposes for which it has been collected, as outlined in this Privacy Policy, or any longer retention period required by law.

Except in limited circumstances, you may request access to your personal information that Abbott holds about you. You may also request correction of your personal information that Abbott holds about you where you believe it to be out of date or otherwise inaccurate. You may also withdraw your consent to Abbott’s collection, storage, use and disclosure of your personal information, subject to legal or contractual restrictions, by contacting us at the contact details set out in the +Contact Us or Abbott section of this Privacy Policy. Please note that if you exercise certain of your rights, including withdrawing your consent, this may limit Abbott’s ability to provide you with certain services.

We reserve the right to amend this Privacy Policy at any time. Any changes made to this Privacy Policy will become effective when we provide you with a modified version of the Privacy Notice. Your continued access and use of Merlin.net and the Services following any such change constitutes your agreement to follow and be bound by the most recent version of this Privacy Policy.

+For Patients in the EEA, Switzerland and UK

As part of Abbott’s provision of support services to the Clinics, Users’ personal information may be accessed from the country in which the User resides, or its support center in Sweden or another EU location or the USA.

Lawful basis

We process your personal information for the following purposes:

  • to provide medical care, including on-going medical treatment by monitoring your device and your condition to make it easier for us to provide you with medical care;
  • to allow Abbott to gain access to your personal information to provide technical support for Merlin.net, including to receive technical and clinical support, such as assistance with debugging, upgrading or troubleshooting Merlin.net or interpreting data; and
  • where otherwise required by European or national law.

As set out in this Privacy Notice, Abbott processes personal data both as a “processor” and as a “controller.” The tables below set out the different processing activities; where Abbott is a controller, the relevant table also gives Abbott’s lawful basis for each purpose for which personal data is processed.

Abbott processing of personal data as a “Processor.”

Purpose: Providing Merlin.net to Clinic or User
Categories of personal information: First name, surname, address, phone number, email, device model and serial number, birthdate, place of birth, gender, preferred language, medications, hospitalisations, information about your condition, diagnoses and the functioning of your implanted device, dates of treatment and transmissions, and may include a Clinic assigned patient number or other patient identifier such as a healthcare-related personal identification number, device and in-Clinic follow-up data, remote follow-up data and a follow-up schedule
Abbott’s lawful basis: Not applicable. Processing is on behalf of the Clinic or User and is subject to contract between the Clinic or User and Abbott.

Purpose: Providing support services to patient or Clinic
Categories of personal information: Dependent on the support required, but may be any of the personal information stored in Merlin.net and details about the issue needing support
Abbott’s lawful basis: Not applicable. Processing is on behalf of the Clinic or User and is subject to contract between the Clinic or User and Abbott.


Abbott processing of personal data as a “Controller.”

PurposeCategories of personal informationAbbott’s Lawful Basis
Ongoing safety of Abbott’s implanted cardiac devices and any future developmentRequired patient data fields include date of birth, serial number of the implanted device, and information relating to the functioning of the implanted device. The patient’s first name and last name may be required depending on whether a Patient ID is provided by the clinic. Depending on the implanted device, a patient’s primary phone, email, and/or implant date may be required. Additional patient data, if provided by the clinic, includes gender, preferred language, a clinic assigned patient number or other patient identifier, and an emergency contact for the patient, including their name, phone number, and address.GDPR Articles 6(1)(c) and 9(2)(i)
Purpose: Monitor and improve the quality, security and effectiveness of medical devices and systems
Personal information: Required patient data fields include date of birth, serial number of the implanted device, and information relating to the functioning of the implanted device. The patient’s first name and last name may be required depending on whether a Patient ID is provided by the clinic. Depending on the implanted device, a patient’s primary phone, email, and/or implant date may be required. Additional patient data, if provided by the clinic, includes gender, preferred language, a clinic-assigned patient number or other patient identifier, and an emergency contact for the patient, including their name, phone number, and address.
Legal basis: GDPR Articles 6(1)(c) and 9(2)(i)

Purpose: Validate upgrades to Merlin.net and keep it safe and secure
Personal information: Required patient data fields include date of birth, serial number of the implanted device, and information relating to the functioning of the implanted device. The patient’s first name and last name may be required depending on whether a Patient ID is provided by the clinic. Depending on the implanted device, a patient’s primary phone, email, and/or implant date may be required. Additional patient data, if provided by the clinic, includes gender, preferred language, a clinic-assigned patient number or other patient identifier, and an emergency contact for the patient, including their name, phone number, and address.
Legal basis: GDPR Articles 6(1)(c) and 9(2)(i)

Purpose: Perform broader analysis to detect systemic issues in the public interest in the area of public health
Personal information: Required patient data fields include date of birth, serial number of the implanted device, and information relating to the functioning of the implanted device. The patient’s first name and last name may be required depending on whether a Patient ID is provided by the clinic. Depending on the implanted device, a patient’s primary phone, email, and/or implant date may be required. Additional patient data, if provided by the clinic, includes gender, preferred language, a clinic-assigned patient number or other patient identifier, and an emergency contact for the patient, including their name, phone number, and address.
Legal basis: GDPR Articles 6(1)(f) and 9(2)(i)

Purpose: Research, develop and test medical devices, including new and existing features and functionality, and test and improve Merlin.net and/or related mobile applications for product development
Personal information: Required patient data fields include date of birth, serial number of the implanted device, and information relating to the functioning of the implanted device. The patient’s first name and last name may be required depending on whether a Patient ID is provided by the clinic. Depending on the implanted device, a patient’s primary phone, email, and/or implant date may be required. Additional patient data, if provided by the clinic, includes gender, preferred language, a clinic-assigned patient number or other patient identifier, and an emergency contact for the patient, including their name, phone number, and address.
Legal basis: GDPR Articles 6(1)(f) and 9(2)(j)
Purpose: Where required by law, such as the EU Medical Devices Regulation (EU) 2017/745: medical device post-market surveillance and quality management, including product development and improvement, safety, performance, and vigilance
Personal information: EUDAMED and other EU Member State vigilance reports require the following personal data:
  i. age or date of birth of the concerned subject;
  ii. patient gender;
  iii. description of events, including the nature of the observed symptoms; duration and severity of the symptoms; date of onset of the first signs of the event; medical background of the patient; medical care of the patient.

Pseudonymised personal data necessary for clinical evaluations and investigations concerning the safety and performance of Abbott’s medical devices. This data is generated from use of the device and is sourced from clinical investigations, post-market surveillance and post-market clinical follow-up, which collect and evaluate data from the use in or on humans of a CE-marked medical device in order to confirm its safety and performance throughout the expected lifetime of the device and to identify and detect risks by analysing real-world evidence derived from real-world data.

Required patient data fields include date of birth, serial number of the implanted device, and information relating to the functioning of the implanted device. The patient’s first name and last name may be required depending on whether a Patient ID is provided by the clinic. Depending on the implanted device, a patient’s primary phone, email, and/or implant date may be required. Additional patient data, if provided by the clinic, includes gender, preferred language, a clinic-assigned patient number or other patient identifier, and an emergency contact for the patient, including their name, phone number, and address.
Legal basis: GDPR Articles 6(1)(c) and 9(2)(i)
Purpose: To establish, exercise or defend legal claims, or where required by applicable law and/or pursuant to a warrant, subpoena or court order
Personal information: As required, dependent on the claim
Legal basis: GDPR Articles 6(1)(c) or 6(1)(f) and 9(2)(f)
Purpose: Pseudonymised data for research or statistical purposes to:
  • improve the quality, security and effectiveness of cardiac and medical devices and systems and to allow for the development of innovative and effective treatment of heart-related conditions;
  • analyse and disclose to third-party researchers, health care entities or professionals, or public health authorities;
  • evaluate the effectiveness of the services and how they are provided and used;
  • validate the services’ functionality and upgrades, including monitoring and improving the safety and security of such services;
  • develop and test medical devices, including new and existing features and functionality, and test and improve the services and our medical devices for product development, data analysis, statistical and survey purposes; and
  • facilitate public health, including where the services and medical devices are eligible for medical reimbursement or are otherwise entitled to social security, insurance or public funding.
Personal information: Device model and serial number, intervals between implant date and subsequent visit dates, implant date, and demographics such as place of residence and age.
Legal basis: GDPR Articles 6(1)(f) and 9(2)(j) or, where otherwise required, Articles 6(1)(a) and 9(2)(a)

Your Rights in Your Personal Information

Under the conditions set out under applicable law (i.e., the GDPR or UK GDPR or FADP), you have the following rights which you can exercise by contacting this Clinic directly when the Clinic is processing your personal information as a controller. In the specified and limited processing purposes where Abbott processes your data as a controller as described in the +Abbott’s Use Of Your Information section of this Privacy Policy, please contact Abbott directly.

Your rights:

  • Right of access: You have the right to obtain from us confirmation as to whether or not personal information concerning you is being processed and, where that is the case, to request access to the personal information. The access information includes, inter alia, the purposes of the processing, the categories of personal information concerned, and the recipients or categories of recipients to whom the personal information has been or will be disclosed. You have the right to obtain a copy of the personal information undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on administrative costs.
  • Right to rectification: You have the right to obtain from us the rectification of inaccurate personal information concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal information completed, including by means of providing a supplementary statement.
  • Right to erasure (right to be forgotten): You have the right to ask us to erase your personal information.
  • Right to restriction of processing: You have the right to request the restriction of processing your personal information. In this case, the respective information will be marked and may only be processed by us for certain purposes.
  • Right to data portability: You have the right to receive the personal information concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit such personal information to another entity without hindrance from us.
  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal information by us. If you have a right to object, and you exercise this right, your personal information will no longer be processed for such purposes by us. Exercising this right will not incur any costs. Such a right to object may not exist, in particular, if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.


Please note that the aforementioned rights might be limited under the applicable national data protection law. You can exercise your rights by using any of the methods described in the section entitled +Contact Us or Abbott.

In case of complaints, you also have the right to lodge a complaint with the competent supervisory authority, in particular in the EEA Member State of your habitual residence or of the alleged infringement of the GDPR, or, if you are in the United Kingdom, with the Information Commissioner’s Office.

You may find the contact details of the competent supervisory authority for EEA Member States with the associated contact details under the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en or for the UK: https://ico.org.uk.

+France

In addition to the provisions contained in the section +For Patients in the EEA, Switzerland and UK, the following specific requirements apply for France.

  • Health data hosting: your personal information will only be hosted on secure servers located in the Republic of Ireland, an EU Member State, and will not be transferred to the United States of America unless absolutely necessary. These servers hold the health data hosting (“HDS”) certification in accordance with the provisions of the French Public Health Code.
  • Interoperability and security: Abbott is committed to complying with the interoperability and security requirements adopted by the French Digital Health Agency (“ANS”), as amended from time to time. This includes compliance with national health identity requirements, so that your health data can be referenced with your national health identifier (“INS”) on Merlin.net; for this purpose we may collect INS information such as your gender and place of birth if you are based in France. It also includes compliance with data portability requirements, so that Merlin.net allows the export of your health data.

+Japan

You have the rights listed under “Your Rights” in the section +For Patients in the EEA, Switzerland and UK, to the extent permitted by the APPI. If we deny your request, we will notify you of that decision and the reason for it.

For more information about your rights and how to exercise them, please contact us. In the specified and limited processing purposes where Abbott processes your data as a controller as described in the section +Abbott’s Use of Your Information of this Privacy Policy, please contact Abbott directly.

In case of complaints, you also have the right to lodge a complaint with the competent supervisory authority in Japan, the Personal Information Protection Commission (the “PPC”).

You may find the contact details of the PPC at https://www.ppc.go.jp/index.html

+Sweden

In addition to the provisions contained in the section +For Patients in the EEA, Switzerland and UK, specific requirements apply for Sweden. We will process patient data in accordance with applicable privacy laws in Sweden, including the Swedish Patient Data Act (2008:355) (Sw. Patientdatalag). Please see our general privacy information regarding this processing.

+USA

Abbott operates as a business associate to us, your Clinic, in compliance with the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”). As a result, personal information, including health-related information, that is collected via Merlin.net is governed by HIPAA, and we may use and disclose your personal information consistent with our business associate obligations and as outlined in this Privacy Notice.

MAT-2307935 v1.0