Abbott provides the myMerlin™ App (“App”) for insertable cardiac monitor devices obtained from us (including, where available, the Confirm Rx™, Jot Dx™ or Assert-IQ™ Insertable Cardiac Monitor (“ICM”) which transmits data to the Merlin.net™ Patient Care Network (“Merlin.net”) (together the “Services”) so that your doctor or clinic can remotely monitor and program your cardiac monitor and provide you with medical treatment. Pacesetter, Inc. (an Abbott company) provides Merlin.net.
We are committed to protecting your personal information. This Privacy Notice ("Privacy Notice") explains how we handle your personal information for the Services and what we do to keep your personal information secure. We understand that a lot of information is included in this Privacy Notice. We want to provide you with a short and easily accessible summary of how we handle, protect, retain, store and disclose your personal information. For more information. For more information, see +About the Services and +Security of Personal Information below.
This summary is not comprehensive. You will need to read the relevant sections of the privacy notice below to fully understand how we process your personal information.
We use personal information when you set up the App, which includes your date of birth and device serial number. We use your email address or telephone number for authentication purposes during pairings of your cardiac monitor. This App transmits information from your device to us, and if you contact our customer services, we will keep a separate record relating to your request for technical support. We also use personal information entered by your healthcare provider into Merlin.net. For more information, see +Collection and Processing of Your Personal Information and +Country Specific Provisions below.
We use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies. For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, +Retention of Personal Information below.
We strictly limit who we share your personal information with and will never sell the information to third parties for our commercial benefit. We do share personal information with our affiliated companies to help support and provide technical assistance for the Services, for compliance purposes, to conduct research, or to perform troubleshooting/ diagnostics and broader analysis to detect systemic issues. For more information, see +Disclosure of Personal Information by Us and +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider below.
Where your location grants you certain rights in relation to your personal information, we will respond to such requests. For more information, see +How Individual Users Can Access and Correct Personal Information and Your Rights below.
Personal information relating to the Services is stored either on servers in the United States of America or in a regional deployment in Europe, depending on your country of residence. For more information, see +Data Storage and+Cross-Border Transfers of Personal Information below. We also recommend that you check +COUNTRY SPECIFIC PROVISIONS, as there may be additional provisions that apply depending on your country of residence.
Please contact and direct all enquiries regarding the Services to your clinic in the first instance. Your clinic is the ‘controller’ of your personal data when they provide you with medical care. We are the ‘processor’ of your personal information on their behalf to provide you and your clinic with the Services. If you have any questions or comments relating to privacy, you can contact us by emailing us at privacy@abbott.com. If you are located in the European Economic Area, you may contact our European data protection officer or contact your local data protection authority. The contact details for Abbott’s European data protection officer, as well as other useful contact information, are available at www.EU-DPO.abbott.com. For more information, see +Contact Us below.
If we update this Privacy Notice with material changes, we will alert you by email or the App when you next use the App. For more information, see +Changes to this Privacy Notice below.
™ Indicates a trademark of the Abbott group of companies.
© 2022 Abbott. All rights reserved
Pacesetter, Inc. (an Abbott company) provides the Merlin.net™ Patient Care Network (“Merlin.net”). Abbott provides the myMerlin™ mobile application (“App”) (together, Merlin.net and the App are referred to as the “Services”). Throughout this Privacy Notice, references to “Abbott,” “we,” “us,” and “our,” mean the group of Abbott companies, headquartered in Abbott Park, Illinois, United States of America.
We recognize the importance of data protection and privacy and are committed to protecting personal information, including health-related information. This Privacy Notice describes how your personal information is collected and used by Abbott when you use the Services.
Please read this Privacy Notice carefully before registering to use this App as it applies to the processing, transfer and storage of your personal information, including health-related data by Abbott and certain affiliated companies as described below. It also applies to the processing of your personal information by our affiliated companies and by our processors if required to address a customer service issue related to the Services.
This Privacy Notice does not apply to personal information processed or collected by other Abbott affiliates or subsidiaries or via other methods, such as other Abbott websites, other Abbott customer call centers. Your doctor’s use of Merlin.net and other privacy policies may apply to the personal information processed or collected through these methods.
By registering and using this App, you accept this Privacy Notice and you:
By accepting or agreeing to this privacy notice, you explicitly acknowledge that your use of this app and the services are subject to this privacy notice and to the processing and transfer of personal information, including health-related information, as described in this privacy notice. (This paragraph does not apply to users in the European Economic Area (“EEA”), United Kingdom (“UK”) and Switzerland. For more information, see regional sections below).
Where required by the law of your country of residence, clicking “Accept” or “Agree” means that you are providing explicit consent to the processing of your personal information including health-related information and to transfer your personal information to Abbott’s servers located in the United States of America.
Your consent is granted at your free will and you acknowledge that you are not under any legal obligation to provide personal information to Abbott.
Abbott is the manufacturer of the App, Confirm Rx™, Jot Dx™ and Assert-IQ™ Insertable Cardiac Monitor Insertable Cardiac Monitor (“ICM”).
Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories) of 15900 Valley View Court, Sylmar, California 91342, United States of America, is the provider of Merlin.net.
Your healthcare provider is a controller of your personal data for the purposes of providing your medical care. Your healthcare provider is responsible for how such data is processed and for ensuring that information transmitted through the Services complies with applicable privacy and data protection laws. The reference to ‘controller’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in other countries data protection and privacy laws in which you reside.
Abbott is a controller of personal information when we use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research relating to the Services once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized. For further information see +Abbott’s Own Use of Your Personal Information.
Merlin.net is a remote care system that holds information transmitted from your ICM through the Services.
The Services enable the automated transmission of information collected from your ICM and uploaded via the App to Abbott’s private and secure database. Through Merlin.net, your healthcare provider can see when your heart starts beating differently and, depending on your ICM and location, can remotely adjust the settings on your ICM. The App sends your heart data to your clinic based on the settings set by your healthcare provider. The Services help your healthcare provider to monitor your heart’s rhythm and/or modify your treatment without the need for you to visit a clinic in person.
You must keep your mobile device connected to WiFi or to cellular/mobile data, and you must use the App so that your heart data can be remotely monitored by your healthcare provider. Before you can use the Services, your healthcare provider must register you on Merlin.net. Once you have entered your date of birth and the serial number of your ICM in the App, you may need to obtain an activation code, which you can elect to have sent to you in an email, SMS text message, or via phone call.
At regular intervals, the App will connect to your ICM and transmit information about how the ICM is performing. The App will also transfer information about your heart’s rhythm to your healthcare provider, who will be able to receive alerts and updates, as well as log into Merlin.net to monitor your heart’s rhythm and adjust the settings on your ICM.
The following categories of your personal information are processed when you use the App:
The App links with and transmits data from your ICM to Merlin.net. The Services relating to Merlin.net use additional personal information, including health-related data that your healthcare provider inputs when creating a Merlin.net patient profile for you. That personal information may include your phone number or email, ICM model and serial number, and other optional fields including gender, race, preferred language, clinical comments and the functioning of your ICM, dates of treatment and transmissions, information about your condition, a clinic assigned patient number or other patient identifier. Your healthcare provider may also input the information of an emergency contact for you, including their name, phone number, and address. You may choose whether or not to provide an emergency contact and to do so, you must have received your emergency contact’s authorization to provide their information for the purpose of being your emergency contact. Abbott may need to access this personal information to support and maintain the Services.
Your healthcare provider will collect your personal information as part of your medical treatment and will input your information into Merlin.net. Your healthcare provider uses the Services to help monitor your ICM and your heart rhythm. This provides your healthcare provider with the type of information that may result in them adjusting your ICM or asking you to come in for an appointment.
Your healthcare provider or clinic processes your personal information for the following purposes:
We process your personal information as a processor on behalf of your healthcare provider or clinic. Such processing is on the instructions of your healthcare provider or clinic and relates to the following purposes:
Depending on your location, we may provide support services to your healthcare provider or clinic from locations in: Sweden; other European locations, particularly if we have operations in your country of residence; or our other support centers located in the United States of America, Costa Rica and/or Malaysia. We may also use other third parties to provide technical or clinical support to your healthcare provider or clinic. Where we use any third party to help us provide support Services to your healthcare provider or clinic, we put in place adequate measures to safeguard the confidentiality, integrity and security of your personal information.
The reference to ‘processor’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in other countries data protection and privacy laws in which you reside.
Abbott processes your personal information, including your health-related personal information, as a controller for the following purposes:
When your healthcare provider creates a patient profile in Merlin.net for you, and where required by applicable law, you provided your explicit consent for Abbott to de-identify, pseudonymize, aggregate, and/or anonymize your personal information to conduct research. For more information, see the +Research section.
Apart from the above processing, Abbott may only use your data for other purposes if you have consented for Abbott to do so. Please see the Merlin Data Use Consent form relating to these purposes.
The reference to ‘controller’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in other countries data protection and privacy laws in which you reside.
We receive data transmitted by the App and ICM before it is then stored. Personal information is stored either on premises in the United States of America or in a regional deployment in the Europe, depending on the location of your healthcare provider. If your healthcare provider is located in the United States of America or in countries outside of the EEA, the UK or Switzerland, personal information will be stored on servers in the United States of America. For the EEA, the UK and Switzerland personal information will be stored either in a regional deployment in the EU (if your healthcare provider has agreed to store information in this deployment) or on servers in the United States of America.
From the third quarter of 2023 for healthcare providers in the EEA, the UK and Switzerland who have elected to store personal data in the EU regional deployment, Abbott uses Microsoft Azure to host information transmitted from your ICM through this App, and, if your healthcare provider is located in a member country of the EEA, Switzerland or the UK, the App will transmit your personal information to servers within the territory of the EU. For French users, Microsoft Azure is certified by the French agency for digital health, the Agence du Numérique Santé to host health-related information. Personal information transmitted to Merlin.net may be hosted in the country closest to your healthcare provider’s country location or otherwise in accordance with the data storage and privacy requirements of your healthcare provider’s location.
When your personal information is transmitted and hosted on Merlin.net serves in a country other than the country location of your healthcare provider or your country of residence, it may become subject to the laws of the host country, which may not be equivalent to the laws of the country of your healthcare provider or your country of residence. Abbott has implemented appropriate security measures and controls to protect your personal information. For more information about our global server locations and on which servers your personal information, including health-related information, is stored, please contact your healthcare provider.
See also +Security of Personal Information and +Cross-Border Transfers of Personal Information.
Abbott may use personal information where legally required and where possible we will de-identify, pseudonymize, aggregate and/or anonymize information to comply with our legal obligations as a medical device manufacturer. This information is securely held by Abbott and will not be used to identify you individually by your name or email address, except where we are under a legal obligation to include this information. Where such use of personal information is subject to legal requirements, we do not require consent.
The legal requirements for which Abbott will use this information are:
We use the terms ‘de-identify’ and ‘pseudonymize’ interchangeably. US health insurance portability law (HIPAA) describes de-identified information as information where ‘there is no reasonable basis to believe that the information can be used to identify an individual’. The EU General Data Protection Regulation (2016/679) (GDPR) defines ‘pseudonymization’ as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information’. Anonymized data is information that does not relate to a person and from which a person cannot be identified, and this kind of data usually falls outside data protection and privacy laws.
For more information about GDPR, please see +EEA, UK, Cayman Islands, Switzerland and Thailand below.
Where required by applicable law, Abbott requests your explicit consent to allow us to de-identify or pseudonymize, aggregate, and/or anonymize your personal information to conduct research for limited purposes.
If a data set used for research purposes, the data will not include your name, address, phone number, or email address. We take steps to ensure that there is no reasonable basis from which the de-identified or pseudonymized data can be used to identify you individually. Data used in research may include ICM model and serial number, intervals between implant date and subsequent visit dates, implant date, and demographics such as place of residence and age.
We conduct research using this de-identified or pseudonymized data, or aggregated, statistical and/or anonymized data for the following purposes:
Where you have been asked to consent to the processing of your personal information, you can withdraw consent at any time by contacting us. Any withdrawal of consent will not affect the lawfulness of the processing based on your consent before the withdrawal. Please also note that where you withdraw consent, Abbott will only stop processing your personal information that relates to the withdrawal of consent. Abbott will still process personal information where it is under a contractual obligation to do so with your healthcare provider or other legal obligation to do so, such as described in +Medical Devices and other Legal Requirements.
If you are ever asked to participate in a clinical trial, and where required by applicable law, you will be asked to provide a separate informed consent to the research site prior to taking place in any such trial and your participation is completely voluntary. The research is this section does not relate to participation in a clinical trial. For more information about HIPAA, please see +USA below for further information. For more information about GDPR, please see +EEA, UK, Cayman Islands, Switzerland and Thailand below.
Information collected from your ICM will be retained for a maximum period of seven (7) years from the date of your most recent transmission (that is, the date you last use your ICM and/or the App), except as may be required by law.
The section +Deleting Your Information from Merlin.net explains how you can arrange to have your healthcare provider or clinic delete your information from the Merlin.net Patient Care Network.
We may share your personal information as follows:
Abbott has implemented appropriate security controls within the Services to protect your personal information from accidental or unlawful destruction or accidental loss, alteration, disclosure, or access.
Information received from your ICM is encrypted before transmission to ensure that it will remain secure and confidential. The Services include various security measures to enhance the security of your patient profile and to prevent unauthorized access to, or disclosure of, your personal information. Only those authorized by your healthcare provider or clinic, including their authorised staff, will have access to your patient profile and only through unique IDs and passwords. Abbott has implemented various security and access controls to ensure that only authorized persons within Abbott may access pseudonymized, aggregated and de-identified data.
We use Bluetooth®1 4.0 wireless technology or higher to transmit different sets of personal information between medical devices and iOS or Android devices. Any information relating to measurements taken from your ICM is transmitted through Bluetooth technology.
Please be aware that the Services may be unavailable during periods of routine maintenance.
Depending on the location of your clinic, information collected via the Services may be transferred to and stored in the United States of America. The data protection laws of the USA may not offer protections for personal information equivalent to those of the EEA, the UK, Switzerland or your country of residence. If you are located in the EEA, the UK or Switzerland, and your data is stored in the USA, your healthcare provider and Abbott will have entered into the European Commission approved standard contractual clauses, and for the UK, the UK Addendum for international transfers. You are requested to explicitly consent to the transfer of your personal information to Abbott’s servers in the United States of America.
If you contact us directly and request technical support, your personal information (including health-related data) may be accessible by our remote care teams in the USA, Sweden (or other European locations), Costa Rica and/or Malaysia. Abbott intracompany data transfers are governed by a data transfer agreement providing adequate safeguards to protect personal information.
We also refer you to +Country Specific Provisions, for additional provisions that apply to international transfers of personal information depending on your country of residence.
By using this app and by acknowledging this privacy notice and consent, we are informing you of these transfers of your personal information to the United States of America, Sweden (or other European locations), Costa Rica and/or Malaysia and to the access of your personal information, including health-related information, which may be required in exceptional circumstances to respond to any support requests you or your doctor requests. These countries may not offer an equivalent level of protection for your personal information when compared with data protection or privacy laws in which you reside.
We will not knowingly send you advertising or marketing-related information, unless you have opted into receiving these types of communications from us in relation to our other products and services.
Neither Abbott nor its affiliates or licensors will knowingly send advertising or marketing-related information to children.
We do not sell your personal information to third parties for direct marketing.
Please note that we may send you non-marketing related information about necessary App and service updates or issues relating to product safety.
Children can be enrolled in Merlin.net by a healthcare provider or clinic. At any time, a parent/guardian may stop the collection of a child’s personal information, including health-related information, by contacting the healthcare provider or clinic and requesting that the account be deleted. This action will delete the Merlin.net account associated with the child, but we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
To exercise any data protection or privacy rights, you should contact your healthcare provider or clinic in the first instance. We are not able to correct or amend any readings from your ICM that have been uploaded.
Depending on your place of residence, you may have the right to: (a) access the personal information we hold about you; (b) request we correct any inaccurate personal information we hold about you; (c) delete any personal information we hold about you; (d) restrict the processing of personal information we hold about you; (e) object to the processing of personal information we hold about you; and/or (f) receive any personal information you have provided to us on the basis of your consent in a structured and commonly used machine-readable format or have such personal information transmitted to another company. Please note that Abbott is not required by law to adopt or maintain systems that are technically compatible with other companies. It may not be possible for Abbott to directly transmit your personal information to another company.
Children may also have the right to access the personal information held about them. Where we receive a request for access for a child’s personal information from the child’s parent/guardian, we may respond directly to the child’s parent/guardian or recommend that they contact their child’s doctor or clinic. We will always seek to verify the identity of person seeking access to a child’s information, whether it is from the child him/herself or from a parent or guardian.
To request the exercise of these rights, please contact your healthcare provider or clinic in the first instance as the controller of your personal information for the purpose of providing you medical care. You may contact us where we are the controller of your personal information using any of the methods set out in the section entitled +Contact Us.
If you have been implanted with an ICM, the only way your healthcare provider can monitor you is via Merlin.net. Therefore, if you elect not to be enrolled in Merlin.net it will affect your healthcare provider’s ability to monitor your condition and adjust the settings on your ICM and may affect their ability to treat you.
If you would like to have your information deleted from Merlin.net, you may do so by contacting your healthcare provider or clinic. If you request deletion of your information from Merlin.net and still have your ICM, your healthcare provider will not be able to remotely monitor your heart’s rhythm. Please be aware that if your healthcare provider or clinic deletes your information in Merlin.net, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
If you have questions, concerns or complaints about the processing of your personal information for the purpose of your medical care or wish to exercise your data protection rights, please contact your healthcare provider or clinic directly.
If you have questions, comments, or complaints about our privacy practices, please contact us by clicking on the “Contact Us” link in one of our websites or emailing us at privacy@abbott.com. Alternatively, you may write to us at:
Attn: Privacy Officer, Abbott, One St. Jude Medical Drive, St. Paul, MN 55117, USA
For EEA, UK and Switzerland users, see also below under your regional section for additional contact details.
For Users in Brazil: If you have questions, comments, or complaints about our privacy practices, or if you would like to exercise any of your rights set out in the +How Individual Users can Access and Correct Personal Information and Your Rights section, please contact us by clicking on the “Contact Us” link in one of our websites or emailing our local DPO, Juliana Ruggiero, at privacybrasil@abbott.com. Alternatively, you may write to us at:
Attn: Juliana Ruggiero Privacy Officer
Laboratórios do Brasil Ltda.
Rua Michigan 735, São Paulo/SP
CEP: 04566-905
In all communications to us, please include the email address used to register for this App and a detailed explanation of your request.
This Privacy Notice is kept under regular review. If we make material changes to our privacy practices, an updated version of this Privacy Notice will reflect those changes. You will be alerted to updates to this Privacy Notice by email or the App when you next use the App.
Without prejudice to your rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes and good business practices to the extent that it does not change the privacy practices as set out in this Privacy Notice.
Your consent is required for Abbott to process your personal information generally. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider or clinic. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment.
The Public Information Access Agency, in its capacity as supervisory body of Act No. 25.326, has jurisdiction over all accusations and complaints made by those affected in their rights for infringements to regulations in force referred to the protection of personal information.
If you wish to make a complaint about a breach of the Privacy Act, the Australian Privacy Principle (“APPs”) or a privacy code that applies to us, or if you have any queries or concerns about our Privacy Notice or the way we handle your personal information, please contact us using the details above and we will take reasonable steps to investigate and respond to you.
If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner. See http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.
We are not likely to disclose your personal information overseas, except as permitted by the Privacy Act 1988 (Cth), unless we otherwise advise you in writing. We may transfer your personal information to the United States. You consent to that disclosure and agree that by giving that consent, Australian Privacy Principle 8.1 no longer applies, and we are not required to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.
By clicking “accept” or “agree” you are providing your consent to the cross-border transfer of your personal information including your health-related information (as special category personal information) for the purposes described in this privacy notice.
For users under the age of 18, the consent must be given by one of their parents or guardians.
After expiry of the retention period determined in +Retention of Personal Information, your personal information will either be deleted or archived in accordance with and in the manner established by applicable data protection laws.
In addition to your rights described in +How Individual Users Can Access and Correct Personal Information and Your Rights, you may also withdraw your consent any time or serve a written objection as to processing of your personal information by contacting your healthcare provider. If you withdraw your consent or serve a written objection, collection and processing of your personal data will be stopped and Abbott will retain de-identified/pseudonymized information. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment.
Clicking “accept” or “agree” means that you are providing explicit consent to collecting, processing, using, storing and transferring to third parties (or making available in another way, including cross-border transfer) of your personal information, including health-related information.
The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. Abbott conducts research to understand how our products and services are used, to measure their performance and effectiveness, to improve future products, and in connection with real-world evidence studies.
In case of updates to this Privacy Notice that require new collection of consent, you will be notified through the contacts you have provided us.
Consent: To process personal information concerning your health, you must provide Abbott affirmative consent to use the Apps. You may withdraw your consent at any time by contacting us at privacy@abbott.com.
Legal basis for the processing of your personal information: Abbott processes your information based on the following legal basis as set out in the Lei Geral de Proteção de Dados (LGPD):
Your rights: If you would like to exercise any of your rights set out in the section titled +How Individual Users can Access and Correct Personal Information and Your Rights and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”, or other right as applicable, in the subject line of the email.) We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirements. You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information.
We process your personal information as a processor when providing our services to your doctor or clinic and may have access to your health data to provide your doctor or clinic with technical and customer support.
Legal basis for the processing of your personal information: Abbott processes your personal information, including your health-related personal information, as a controller on the following legal bases as set out in the GDPR:
When your healthcare provider created a patient profile in Merlin.net for you, you provided your explicit consent for Abbott to de-identify, pseudonymize, aggregate, and/or anonymize your personal information, including its transfer to Abbott in the USA, to conduct research. We conduct research using this de-identified or pseudonymized data, or aggregated, statistical and/or anonymized data for the following purposes:
For more information, see the +Research section.
We also process your personal information as a processor and do so on behalf of your healthcare provider. Your healthcare provider processes your personal information on the following legal bases under European Union or national law:
“GDPR” refers to the General Data Protection Regulation (2016/679) as to EU Member State implementing legislation, and for the UK, it refers to the UK Data Protection Act 2018, each as may be amended from time to time. Where we have included a country above that it outside the European Union, it has been done because such countries contain substantially similar or near equivalent laws to the GDPR.
Data transfers: Information collected via the Services will be transferred to and stored in the United States of America. If you request technical support your personal information (including health-related data) will be accessible by our remote care teams in the USA or Sweden only. Your personal data will be transferred on the basis of EU Standard Contractual Clauses.
If you are located in the EEA, Switzerland or UK, your healthcare provider and Abbott will have entered into the European Commission approved Standard Contractual Clauses, and for the UK, the UK Addendum for international transfers.
If you contact us directly and request technical support, your personal information (including health-related data) may be accessible by our remote care teams in the USA, and the EU. Abbott international intracompany data transfers are governed by a data transfer agreement incorporating the European Commission approved Standard Contractual Clauses providing adequate safeguards to protect personal information transferred outside the EEA, Switzerland, and the UK. See +Data Storage
Abbott also transfers your personal information, as a “controller”, as necessary for Abbott to comply with its legal requirements, such as those related to the quality and safety of medical devices or reimbursement or payment of medical costs, as described in +Medical Devices and other Legal Requirements, or, where required by law subject to your explicit consent, such as conducting research, as described in +Research.
The references to “controller” and “processor” are based on their respective definitions in the GDPR, the UK Data Protection Act 2018 and the Swiss Federal Act of Data Protection 1992, each as may be amended from time to time.
Data Protection Officer: The contact details of our European data protection officer along with other useful contact information are available at www.eu-dpo@abbott.com.
Your rights: If you would like to exercise any of your rights set out in the section entitled + How Individual Users can Access and Correct Personal Information and Your Rights. and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”, or other right as applicable, in the subject line of the email.) We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirement. You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information.
Pacesetter, Inc. has appointed the following companies as its country representatives:
| Country | Representative Name | Representative Address |
|---|---|---|
| Austria, Romania | Abbott Medical Austria Ges.m.b.H. | Perfektastraße 84A 1230 Wien, Austria |
| Belgium, Luxembourg | Abbott Medical Belgium | The Corporate Village, Building Figueras, Da Vinci laan, 11 Box F1, Zaventem, Belgium |
| Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Iceland, Latvia, Malta, Slovakia, Slovenia | St. Jude Medical Coordination Center | The Corporate Village, Building Figueras, Da Vinci laan, 11 Box F1, Zaventem, Belgium |
| Denmark | Abbott Medical Danmark A/S | Produktionsvej 14, 2600 Glostrup, Denmark |
| Estonia | Abbott Medical Estonia OÜ | Mõisa 4/Vabaõhumuuseumi tee 3, 13522, Tallinn, Estonia |
| Finland | Abbott Medical Finland Oy | Karvaamokuja 2, 00380 Helsinki, Finland |
| France | Abbott Medical France SAS | 1-3, esplanade du Foncet, CS 90087, 92442 Issy les Moulineaux Cedex, France |
| Germany | Abbott Medical GmbH | Helfmann-Park 7, 65760 Eschborn, Germany |
| Greece | Abbott Medical Hellas Limited Liability Trading Company (trade name: Abbott Medical Hellas Ltd.) In Greek: Άμποτ Ιατρικά Ελλάς Εμπορική Εταιρεία Περιορισμένης Ευθύνης and trading name of Άμποτ Ιατρικά Ελλάς Ε.Π.Ε | Iroos Matsi & Archaeou Theatrou Str., 17456 Alimos-Athens, Greece |
| Hungary | Abbott Medical Korlátolt Felelősségű Társaság (Abbreviated Name: Abbott Medical Kft.) | Tóth Lőrinc utca 41. II. em., Budapest, 1126, Hungary |
| Ireland | Abbott Medical Ireland Limited | Riverside One, Sir John Rogerson's Quay, Dublin 2 D02X576, Ireland |
| Italy | Abbott Medical Italia S.r.l. | Viale Thomas Alva Edison 110, 20099 CAP, Italy |
| Lithuania | UAB Abbott Medical Lithuania | Seimyniskiu str. 3, LT-09312 Vilnius, Lithuania |
| Netherlands | Abbott Medical Nederland B.V. | Standaardruiter 13, 3905 PT Veenendaal, Netherlands |
| Norway | Abbott Medical Norway AS | Gullhaugveien 7, Oslo, 0484, Norway |
| Poland | Abbott Medical spółka z ograniczoną odpowiedzialnością. | ul. Postepu 21B, 02-676, Warsaw, Poland |
| Portugal | Abbott Medical (Portugal) – Distribuicao de Produtos Medicos, Lda. | Estrada de Alfragide 67, Alfragide Edifico D, Amadora, Portugal |
| Spain | Abbott Medical España, S.A. | Francisca Delgado No. 11, Núcleo 3 – 3º Arroyo de la Vega, Alcobendas 28108, Spain |
| Sweden | Abbott Medical Sweden AB | Isafjordsgatan 15, 164 07 Kista, Sweden (Business Office) Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office) |
You have the right to receive notification of any data breaches of your personal data within three business days of us notifying the Data Protection Authority of such breach. You have the right to exercise your rights in accordance with the Data Protection Law by written notice to us, and we are obliged to respond to your request within six business days. In case of a failure to protect your personal data or in case of our refusal to respect your legal rights with respect to your personal data or in case you are dissatisfied with our response to any request by you, you have the right to file a complaint with the Data Protection Authority.
Pacesetter, Inc. is certified with the ASIP Santé to host personal health data, including the following activities:
The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies. For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, and +Retention of Personal Information. Our local representative is Abbott Medical France SAS., 1-3, esplanade du Foncet, CS 90087, 92442 Issy les Moulineaux Cedex, France.
We are committed to protecting the privacy, confidentiality and security of the personal information we hold by complying with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (“PDPO”) with respect to the management of personal information.
Children and mentally incapacitated persons can be enrolled in Merlin.net by a healthcare provider. At any time, a parent/guardian may stop the collection of a child or mentally incapacitated person’s personal information, including health-related information, by contacting the healthcare provider and requesting that the account be deleted. This action will delete the Merlin.net account associated with the child or mentally incapacitated person concerned, but we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
Children and mentally incapacitated persons may also have the right to access the personal information held about them. Where we receive a request for access for a child or mentally incapacitated person’s personal information from his or her parent/guardian, subject to the applicable law we may respond directly to the parent/guardian or recommend that they contact the child or mentally incapacitated person’s doctor or clinic. We will seek to verify the identity of person seeking access to a child or mentally incapacitated person’s information, whether it is from the child or mentally incapacitated person himself/herself or from a parent or guardian.
Where we conduct research purposes as set out in this Privacy Notice, and have de-identified, pseudonymized, aggregated and/or anonymized data from your personal data on Merlin.net, we will not attempt to re-identify any individuals from anonymized data or use the information of any individuals even if re-identification is possible.
You agree that we may share, disclose and transfer your personal data to such third parties as stated in, and in accordance with the provisions of, this Privacy Notice. Except as provided in this Privacy Notice, your personal data will not be disclosed to other parties without your voluntary and express consent. Where we intend to use your personal data for direct marketing purposes, we will comply with the notification requirements under the PDPO and obtain the consent or an indication of no objection from you before using your personal data for such purposes. You have the choice to have your personal data held by us erased and express your choice not to have the personal data shared or transferred.
You have the right to request access to (at a fee where appropriate) and correction of your personal data held by us. If you wish to do so, please contact our Privacy Officer in accordance with the section entitled +Contact Us herein.
You also have the right to lodge a complaint about any act or practice done or engaged in relating to your personal data with the Office of the Privacy Commissioner for Personal Data.
Nothing herein constitutes your registration for the Electronic Health Record Sharing System (“EHRSS”) and we shall not be liable under the Electronic Health Record Sharing System Ordinance (Cap. 625 of the Laws of Hong Kong) or otherwise in relation to the EHRSS.
Abbott has implemented reasonable security practices commensurate to the standards required under applicable law.
Your consent is required for Abbott to collect, process, use and store your sensitive personal information, including physical, health condition) and to transfer your sensitive personal data to any third party. Abbott may share your sensitive personal information with third parties such as your health data. Additionally, we will ensure that such third party will afford the same or better level of data protection to your sensitive personal data. By accepting or agreeing to this Privacy Notice, you hereby provide your consent to the processing of your personal information, including sensitive personal data, as described herein. You may withdraw your consent any time by contacting our grievance redressal officer at privacy@abbott.com.
Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law. You have the right to review information provided by you to ensure that it is not inaccurate or deficient. Your sensitive personal information would only be collected if it is necessary to achieve the purposes expressly mentioned in this Privacy Notice.
Your consent is required for Abbott to handle your “special care-required personal data” (referred to in this Privacy Notice as your health-related information) and to transfer your personal information, including health-related information, to any third party outside of Japan (except for transfers to the EU, for which an adequacy decision has been issued by the Japanese government). By accepting or agreeing to this Privacy Notice, you are deemed to have consented to the processing of your personal information, including health-related information, as described herein. You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
Your written consent is required for Abbott to process your personal information except where we do so for us to comply with a legal obligation as described in +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. No actions taken by Abbott will violate any applicable legislations in Jordan. All actions will be in conformity with the Telecommunication Law No (13) of the year 1995, the Personal Data Protection Law, as soon as it is passed as a law and become enforceable, and any relevant regulations and/or instructions that the Telecommunications Regulatory Commission (TRC), or any other competent authority have issued in the past or will issue in the future.
Clicking “accept” or “agree” means that you are providing explicit consent to the collecting, processing, cross-border transfer of your personal information including health-related information, to the USA, Sweden (or other European locations), Costa Rica, and/or Malaysia and to the access of your personal information, including health-related information, which may be required in exceptional circumstances to respond to any support requests you or your doctor requests. These countries may not offer an equivalent level of protection for your personal information when compared with data protection or privacy laws in which you reside.
Please note that the collection, processing of your personal data may be without your consent in cases established by the law of the Republic of Kazakhstan including in cases of implementation of international treaties ratified by the Republic of Kazakhstan.
General: In the event the Malaysian Personal Data Protection Act 2010 and/or all regulations, codes, standards and/or legal requirements made pursuant to or issued under the Malaysian Personal Data Protection Act 2010 (“Malaysian Data Protection Laws”) apply, this section shall apply to the processing of your personal information by Abbott.
Consent. This Privacy Notice serves to inform you that your personal information is being processed by Abbott or on Abbott’s behalf and you hereby give your consent to the processing of your personal information in accordance with this Privacy Notice, including the transfer your personal information to a place outside of Malaysia. By clicking on the “accept” or “agree” button or ticking on the “accept” or “agree” check box, you are providing explicit consent to the processing of your personal information including health-related information for the purposes stated in this Privacy Notice and as supplemented by this section to the extent the Malaysian Data Protection Laws apply.
Data access and correction requests. You have the right to request access to and to request correction of your personal information subject to the following and subject to provisions of the Malaysian Data Protection Laws: (a) you may, upon payment of a prescribed fee (if any), make a data access request or a data correction request in writing to us; and (b) we may refuse to comply with your data access request or a data correction request and shall, by notice in writing, inform you of our refusal and the reasons of our refusal.
Limiting the Processing of Personal Information. You may, by providing us with a notice in writing, limit the processing of your personal information (including to request us to cease or not begin processing your personal information for purposes of direct marketing). You have the right to withdraw your consent previously given to us (in full or in part) by providing us with a notice in writing and upon receiving such notice, we will cease the processing of the personal data. If you limit the processing or withdraw your consent to any or all use of your personal information, we may not be in a position to continue to administer any arrangement or contractual relationship in place, which in turn may result in: (i) us being unable to (continue to) process your personal data for any of the purposes stipulated in this Privacy Notice or provide you with any of our services/products; (ii) unable to (continue to) perform our contractual obligations owed to you (if any); and/or (iii) the termination of any arrangements/agreements/contracts you have with us, without any liability on our part. It will also affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment.
Versions and Conflict. In the event of any inconsistency between the English version and the Bahasa Malaysia version of this Notice, the English version shall prevail over the Bahasa Malaysia version.
In respect of the +Medical Devices and other Legal Requirements section above, consent will not be required only to the extent permitted by the Malaysian Data Protection Laws.
In respect of the +Changes to this Privacy Notice section above, to the extent that any changes will trigger the requirement to obtain fresh consent under the Malaysian Data Protection Laws (i.e., addition to the purposes in which we may process your personal information for or an addition of a class of third parties in which we may disclose your personal information to), we will procure consent from you in respect of such changes.
You have the right to lodge a complaint with the Data Protection Commissioner regarding the processing of your personal data, by sending an e-mail at dpo@govmu.org.
For users under the age of 18, Consent must be given by their parent or guardian.
By accepting or agreeing to this Privacy Notice, you are providing your consent to collecting, processing, using, storing and transferring to third parties (including cross-border transfer) of your personal information, including health-related information.
If you wish to make a complaint about a breach of the Privacy Act 2020 (including the codes issued under the Privacy Act 2020 such as the Health Information Privacy Code 2020), or if you have any queries or concerns about our Privacy Notice or the way we handle your personal information, please contact us using the details above. We will take reasonable steps to investigate and respond to you.
If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Privacy Commissioner. See https://www.privacy.org.nz/your-rights/making-a-complaint/to obtain the relevant complaint forms and contact details of the Office of the Privacy Commissioner. In addition to your rights to requires correction of your personal information held by us, you also have the right to provide Abbott with a statement of the correction sought to your personal information (“Statement of Correction”), and request that Abbott attach the Statement of Correction to your personal information if we do not make the correction you have sought.
Your consent is granted at your free will and you acknowledge that you are not under any legal obligation to provide personal information to Abbott.
Medical Devices and other Legal Requirements and Research: With regard to the term ‘pseudonymize’ used in the +Medical Devices and other Legal Requirements section and the +Research section, please note that the Law on Personal Data Protection of the Republic of North Macedonia (published in Official Gazette of the Republic of North Macedonia No. 42/20) (”MK DP Law”) defines ‘pseudonymization’ as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.
Legal basis for the processing of your personal information: Abbott processes your personal information, including your health-related personal information under the MK DP Law as those set out above in the section +EEA, Switzerland and UK, and Cayman Islands.
Data transfers:
For transfers of personal information from North Macedonia by your healthcare provider to Abbott, as “processor”, appropriate safeguards will be applied in accordance with the MK DP Law such as data transfer agreements providing adequate safeguards equivalent to the protections afforded under the MK DP Law. You can obtain a copy of the appropriate safeguards by contacting us on: privacy@abbott.com
The references to “controller” and “processor” are based on their respective definitions in the MK DP Law, as may be amended from time to time.
Authorized representative: Pacesetter, Inc. has appointed the following entity as its authorized representative in North Macedonia: DTPU Synergy Medical doo of Vasil Stefanovski no. 1a/3, 1000 Skopje, North Macedonia.
Your prior consent is required for Abbott to process your personal information as required by Cabinet Resolution No. (3)/ 2019 and in conformity with the Basic Law as amended in 2005, except where we do so for us to comply with a legal obligation as described in Decree by Law No. (31) / 2018 Concerning Medical and Health Protection and Safety, Decree by Law No. (10)/2018 Concerning Cybercrimes and +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you withdraw your consent, you understand that the information that has already been collected in Merlin.net will continue to be processed as described herein and in the Patient Consent Form. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
By clicking “accept” or “agree” you are providing explicit consent to the processing of your personal information including health-related information for the purposes stated in this agreement and as supplemented by this section for Philippine users. You understand that by clicking “accept” or “agree”, you are also providing explicit consent to each separate and additional consent for the processing of personal information, including health related information, as set out in this section entitled “Philippines” and we will process personal information pursuant to such consent.
Your personal information will be processed in accordance with the requirements of Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”), its implementing rules and regulations (“IRR”), and the relevant rules and regulations issued by the National Privacy Commission of the Philippines (“NPC”).
You may request access to your personal information, to have it rectified or erased if there are grounds, to object to its processing or to restrict access to it, and, where possible, obtain a copy of the personal information held about you and to have any inaccurate or incomplete information relating to you corrected or updated. You are entitled to object to the processing of your personal information, on legitimate grounds, and to request the anonymization and/or deletion of such information. You also have the right to lodge a complaint about how your personal information is processed with your local data protection regulator. You are also entitled to all rights granted to you as a data subject under the DPA, its IRR, and the relevant rules and regulations issued by the NPC.
To the extent that Abbott uses your personal information for its own purpose, you will be asked to signify your consent under the Merlin.net Consent form.
You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott may retain aggregated and de-identified information and may need to retain certain personal information as required by law.
If you have enquires related to this privacy policy or how your personal data is processed, please contact:
Abbott Laboratories
Attention: Office of Ethics and Compliance
Venice Corporate Center
No. 8 Turin Street, Mckinley Town Center,
Fort Bonifacio, Taguig City, 1634 Philippines
+63287028622; +639176328959
Email: privacy@abbott.com
In accordance with Personal Data Protection Law No. 133 from 08.07.2011 (hereinafter the “Law 133/2011”), your electronic acceptance serves as evidence of your consent to the processing and transfer of your personal information as set out in this privacy EULA and privacy notice, except where we process your personal data to comply with a legal obligation as described in +Medical Devices and other Legal Requirements, or where we use the data for our legitimate interests, provided that this interest does not prejudice your interests or the fundamental rights and freedoms. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. In relation to us processing your personal information, apart from the rights outlined in +How Individual Users Can Access and Correct Personal Information and Your Rights:
– you have the right to obtain from Abbott as a controller, upon request, in up to 15 days, without delay and free of charge, access to your personal data. Please note that Abbott is a controller for limited purposes and you may need to exercise your right of access by contacting your healthcare provider.
– you have the right to oppose at any time, free of charge and without any justification, to the data concerning you being processed for commercial prospecting; and
– you have the right to lodge a complaint about how your personal information is processed with your local data protection authority – the National Personal Data Protection Centre.
Abbott will also notify your local data protection authority – the National Personal Data Protection Centre – of any processing of your personal information, where national law requires them to do so.
Retention of personal information. We never retain your personal data longer than needed for achieving the data processing purposes. At the end of the personal data processing operations, if you will not give us your consent for another destination or for a further processing, your personal data will be: a) destroyed; or b) transferred to another operator, provided that the initial operator guarantees that subsequent processing has purposes similar to those in which the initial processing was performed; c) transformed into anonymous data and stored exclusively for statistical, historical or scientific research purposes, except as may be required by law.
In addition, Abbott as a controller has issued a personal data security policy in compliance with the Requirements regarding the security of personal data when processing them within the personal data information systems approved by Government Resolution No. 1123 dated 14.12.2010, namely has performed and provided, (1) the designation of the person responsible for the security policy; (2) the security measures; (3) the mechanism for implementing security measures; (4) the nominal list of users, authorized to access personal data; (5) the configuration of the personal data information system and of the network; (6) the detailed description of the criteria, according to which the personal data processed in the manually kept register are accessible; (7) the technical documentation regarding security controls; (8) the schedule of security checks; (9) measures for detecting cases of access and / or unauthorized processing of personal data; (10) the reports of security incidents.
If you have inquiries related to this privacy policy or how your personal data is processed, please contact the responsible person for personal data processing at privacy@abbott.com.
This Mobile Application Privacy Notice constitutes the Privacy Policy of Pacesetter, Inc. Cross-border Transfers of Personal Information. We ensure recording, systemization, accumulation, storage, clarification (update, change) and extraction of personal information of Russian Federation citizens with the use of databases located in the territory of the Russian Federation when collecting this personal information in any manner including via the Internet. Retention of personal information. We never retain your personal data longer than needed for achieving the data processing purposes. When the purposes are achieved, we delete your personal data within 30 days. Security of Personal Information. We uninterruptedly improve our personal data protection system and take all necessary administrative, legal and technical measures with a view to international standards. We fulfil a number of data security requirements to protection of personal data processed via information systems according to article 19 of the Russian Federal Law On Personal Data No.152-ФЗ dated 27 July 2006, and other enactments. In particular, we fulfil the following requirements depending on the security level of information systems chosen by us: ensure security of premises accommodating the personal data information systems equipment in a way that prevents any person without appropriate access rights from uncontrolled intrusion or stay in these premises; ensure safety of all personal data media; adopt by the general manager’s decision a document determining list of employees whose work duties require access to the personal data processed in the information system; use information security tools, of which compliance with the requirements of the information security laws of the Russian Federation is duly assessed and confirmed, when such tools are necessary for the neutralization of actual risks; appoint an employee responsible for the security of the personal data in the information system or impose this responsibility on an appropriate division; ensure that all changes of access rights with regard to the personal data in the information system are automatically recorded in the electronic messages log; and provide access to the electronic messages log only to those employees or other authorized persons who need this access for the discharge of their work duties.
The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, to measure their performance and effectiveness, to improve future products, and in connection with real-world evidence studies.
Pacesetter, Inc. has appointed Abbott Laboratories S.A., Bulevar Mihajla Pupina 115d, 11000 Belgrade, Serbia as its country representative.
Legal basis for the processing of your personal information: The relevant part from COUNTRY SPECIFIC PROVISIONS for EEA, Switzerland, UK, and Cayman Islands in this Privacy Policy applies, with the reference to "the GDPR" and "European Union or national law" to be substituted by "Serbian Data Protection Act (2018)".
Data transfers: Abbott is subject to the Serbian Data Protection Act (2018) and information collected via the Services will be transferred to and stored in the USA as described in the section entitled +Cross-Border Transfers of Personal Information. While the privacy laws of the USA are not equivalent to those of Serbia, as Abbott is directly subject to the Serbian Data Protection Act (2018) for the purposes set out in the section entitled +Abbott’s Own Use of Your Personal Information, your personal information remains protected in compliance with it. Where Abbott processes data as a “processor” on behalf of your healthcare provider, Abbott processes such personal data under the instructions of your healthcare provider and subject to our contract with them.
Your rights: In addition to the rights set out in the section entitled +How Individual Users Can Access and Correct Personal Information and Your Rights, you have the right to lodge a complaint with your local data protection authority if you have concerns with Abbott’s processing of your personal information.
By accepting or agreeing to this Privacy Notice, you are deemed to have been informed of and have explicitly consented to all of the contents herein. For users under the age of 13, Consent must be given by their parent or guardian. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
This Privacy Notice sets out information on the collection, use, disclosure to third parties, outsourcing of the processing, and cross-border transfer of your personal information, including health-related information, by Pacesetter, Inc., in connection with the provision of the App and the Services. All of the following categories of processing of personal information, including health-related information, are necessary for the provision of the App and the Services.
You may provide your consent collectively to all of the following consent categories by accepting or agreeing to this Privacy Notice:
You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
Note that National Identification Card (NRIC) and other national identification numbers such as birth certificate numbers, foreign identification numbers, work permit numbers and passport numbers will only be collected, used or disclosed by us if (a) the collection, use or disclosure is required by the law; or (b) it is necessary to establish or verify an individual’s identity to a high degree of accuracy.
In the event of a security incident related to your personal information, we will take all steps required under Singapore data protection laws to deal with the incident and we may report such incident and the remediation actions to the Personal Data Protection Commission as required.
Data transfers: Information collected via the Services will be transferred to and stored in the United States of America. If you request technical support, your personal information (including health-related data) will be accessible by our remote care teams in the USA, Sweden or Malaysia. Abbott intends to use data transfer agreements providing adequate safeguards, such as Standard Contractual Clauses in relation to such cross-border data transfers.
If you have enquires related to this privacy policy or how your personal data is processed, please contact: Data Privacy Officer at privacy@abbott.com.
You have the right to lodge a complaint to the Information Regulator regarding the processing of your personal information, by writing to: The Information Regulator, SALU Building, 316 Thabo Sehume Street, PRETORIA, Tel: 012 406 4818, Fax: 086 500 3351, inforeg@justice.gov.za.
By clicking “accept” or “agree” you are providing explicit consent to the processing of your personal information including health-related information for the purposes stated in this notice and as supplemented by this section for South Korean users. You understand that by clicking “accept” or “agree”, you are also providing explicit consent to each separate and additional consent for the processing of personal information, including health related information, as set out in this section entitled “South Korea” and we will process personal information pursuant to such consent.
For users under the age of 14, consent must be given by their guardian.
To the extent permitted under applicable law, you may exercise your rights to make requests to Pacesetter, Inc. for the perusal, correction, deletion, and suspension of the processing of your personal information by writing, email, and any other methods prescribed under Article 41(1) of the Enforcement Decree of the Personal Information Protection Act and Pacesetter, Inc. will promptly respond to any such requests from you. You may also exercise the foregoing rights to your personal information through a duly appointed legal representative. Pacesetter, Inc. will verify whether any such requests are actually being made by you or your duly appointed legal representative. Provided, however, that in cases where your health care provider is responsible for processing your personal information, you should direct requests for the exercise of rights to your personal information to such health care provider.
The following provision “To exercise your data protection or privacy rights, you should contact your healthcare provider or clinic in the first instance. You may correct your profile information by contacting your healthcare provider. We are not able to correct or amend any readings from your Device that have been uploaded” in +How Individual Users Can Access and Correct Personal Information and Your Rights is not applicable to users in South Korea.
You may withdraw your consent any time by contacting your healthcare provider or using any of the methods set out in the section entitled +Contact Us. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and anonymized information and may need to retain certain personal information as required by law.
Provision of Personal Information to Third Parties
| Recipients | Purposes of Use of Recipients | Items of Personal Information to be Provided | Periods of Retention/Use of Recipients |
|---|---|---|---|
| The healthcare provider of each patient/user | Purposes indicated in the “+Your Healthcare Provider’s Use of Your Information” section | Items of personal information indicated in the “+Collection and Processing of Your Personal Information” section | Until purposes of processing have been completed |
| Pacesetter, Inc., 15900 Valley View Court, Sylmar, California 91342 | Purposes indicated in the “+Abbott’s Own Use of Your Personal Information” section | Items of personal information indicated in the “+Collection and Processing of Your Personal Information” section | For the period during which Pacesetter Inc. acts as an outsourced processor |
| Complaints and adverse incidents | Name of reporter, information about complaint or incident | As required by laws related to medical devices | |
| Abbott Medical (Malaysia) Sdn. Bhd. At 35, 1st Floor, Jalan Kelisa Emas 1, Tama Kelisa Emas, 13700 Seberang Java, Penang, Malaysia | Second and/or third level technical support | Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information. | For the period during which Pacesetter Inc. acts as an outsourced processor |
| Abbott Medical Sweden AB Isafjordsgatan 15, 164 07 Kista, Sweden (Business Office) Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office) | Second and/or third level technical support | Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information | For the period during which Pacesetter Inc. acts as an outsourced processor |
| Abbott Medical Costa Rica Abbott Coyol Free Zone, Bldg #44B Alajuela, Costa Rica | Second and/or third level technical support | Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information | For the period during which Pacesetter Inc. acts as an outsourced processor |
| St. Jude Medical, LLC, 1 St. Jude Medical Dr., St. Paul, MN 55117, USA | Scientific and/or clinical research | Aggregated, De-identified/pseudonymized personal data. See “+Research” section for more information | Indefinite |
(Cross-border) Outsourcing of the Processing of Personal Information to Third Parties
| Recipients | Outsourced Tasks | Items of Personal Information to be Transferred | Countries Where Personal Information is Transferred | Date/Time of Transfer | Method of Transfer | Recipients’ Purposes of Use and Periods of Retention/Use |
|---|---|---|---|---|---|---|
| Abbott Medical (Malaysia) Sdn. Bhd. At 35, 1st Floor, Jalan Kelisa Emas 1, Tama Kelisa Emas, 13700 Seberang Java, Penang, Malaysia | Second and/or third level technical support | Those items listed in “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information | Malaysia | As required to resolve a technical support issue | Secure VPN | Until outsourced tasks have been completed and the outsourced contract has concluded |
| Abbott Medical Sweden AB, Isafjordsgatan 15, 164 07 Kista, Sweden (Business Office) Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office) | Second and/or third level technical support | Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information | Sweden | As required to resolve a technical support issue | Secure VPN | Until outsourced tasks have been completed and the outsourced contract has concluded |
| Abbott Medical Costa Rica Abbott Coyol Free Zone, Bldg #44B Alajuela, Costa Rica | Second and/or third level technical support | Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information | Costa Rica | As required to resolve a technical support issue | Secure VPN | Until outsourced tasks have been completed and the outsourced contract has concluded |
| St. Jude Medical, LLC 1 St. Jude Medical Dr., St. Paul, MN 55117, USA | Scientific and/or clinical research | Aggregated, De-identified/pseudonymized personal data. See “+Research” section for more information | USA | As required for scientific and/or clinical research | Secure VPN | Indefinite |
After the retention period, we destroy your personal information as set out below:
Destruction Process: We select the personal information to be destroyed and destroy the personal information with the approval of the Data Protection Officer (“DPO”).
Destruction Method: We destroy personal information recorded and stored in the form of electronic files by using a technical method (e.g., low level format) ensuring that the records cannot be reproduced, while personal information and stored in the form of paper documents shall be shredded or incinerated.
Domestic Representative
We have designated a domestic representative to handle questions and complaints related to the processing of the personal information of users in Korea. The domestic representative may be contacted by using the following information:
Additional Consents for the Collection, Use, and Provision of Personal Information for South Korea
If you do not consent or choose not to provide your personal information, we may not be able to provide you with Services or only with limited Services.
“PDPA” refers to the Personal Data Protection Act B.E. 2562 (A.D. 2019), as amended from time to time, and related rules, regulations, and directives and governmental requirements.
Children’s Privacy: Children can be enrolled in Merlin.net by a healthcare provider, providing that for consent from a parent or legal guardian of a child whose age is below 10 years old must be duly obtained, and for a child whose age is more than 10 years old but less than 20 years old, unless such child is legally married or permitted under the applicable laws, consent from both the child and his/her parent or legal guardian must be duly obtained.
Cross-border Transfer: To legitimise the export of Personal Data originating from Thailand under applicable Data Protection Laws, Abbott has taken reasonable steps to enter into an appropriate data transfer agreement with your healthcare provider.
Your Rights: Pursuant to the PDPA and subject to its effectiveness, you are entitled to various rights in relation to your Personal Information which are: (i) to request access to or obtain a copy of the personal information held about you, or to request the disclosure of the source of your personal information which you did not consent to; (ii) to obtain your personal information in a format which is usable and readable by automatic tools or equipment, if any, or to request that your personal information in such format be transmitted to another controller; (iii) to object to the processing of your personal information; (iv) to have your personal information erased, destructed, or de-identified; (v) to request that the processing of your personal information be suspended; (vi) to have any inaccurate or incomplete information relating to you corrected or updated; (vii) where the processing of your personal information relies on consent as a legal basis, you have the right to withdraw your consent at any time; and (viii) to lodge a complaint about how your personal information is processed with your local data protection authority the Personal Data Protection Commission.
Your request to exercise any of the rights to your personal data described above is subject to the limitations and conditions of the PDPA.
If you do not provide us with your personal data, we may not be able to provide you with our Services or perform our obligations under the agreement between you and us.
Contact Us: For any inquiries or concerns regarding this Privacy Notice, or if you would like to exercise any of your rights to your personal data, please contact us using the contact details above. Our data protection officer and our local representative can be contacted at privacy@abbott.com.
Your consent is required for Abbott to process your personal information except where we do so for us to comply with a legal obligation as described in +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to have your information deleted from Merlin.net, you may do so by contacting your healthcare provider or clinic. Please be aware that if you ask your healthcare provider or clinic to delete your information from Merlin.net, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
Our local representative is Abbott Medical U.K. Limited, Elder, Central Boulevard, Blythe Valley Park, Solihull, B90 8AJ, UK.
Abbott operates as a business associate to your healthcare provider in making this App available to you in compliance with the Health Insurance Portability and Accountability Act and its implementing regulations (collectively “HIPAA”). As a result, personal information, including health-related information, that is collected via this App is governed by HIPAA, and we may use and disclose your personal information consistent with our business associate obligations and as outlined in this Privacy Notice and Consent.
California Civil Code Section 1798.83 permits residents of the State of California to request from certain businesses with whom the California resident has an established business relationship a list of all third parties to which the business, during the immediately preceding calendar year, has disclosed certain personally identifiable information for direct marketing purposes. Abbott is required to respond to a customer request only once during any calendar year. To make such a request you should send a letter to Privacy Officer, Abbott, One St. Jude Medical Drive, St. Paul, MN 55117. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California Privacy Rights requirements and only information sharing that is covered will be included in our response.
If you have any questions regarding Abbott’s compliance with the California Consumer Privacy Act (CCPA) and your rights under CCPA, please visit https://www.abbott.com/privacy-policy.html.
By accepting or agreeing to this Privacy Notice, you are deemed to have been informed of and have explicitly consented to all of the contents herein. For users under the age of 7, Consent must be given by their parent or guardian. For users from the age of 7 to 15, Consent must be given by both users and their parent or guardian.
You may withdraw your consent at any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
MAT-2107840 v3.0