myMerlin App Privacy Notice and Consent | Abbott

Version Date: April 2021

 

Summary

Abbott provides the myMerlin™ App (“App”) which transmits data to the Merlin.net™ Patient Care Network (“Merlin.net”) (together the “Services”) so that your doctor or clinic can remotely monitor your cardiac monitor and provide you with medical treatment.  Pacesetter, Inc. (an Abbott company) provides Merlin.net.

We are committed to protecting your personal information. This Privacy Notice and Consent (“Privacy Notice”) explains how we handle your personal information for the Services and what we do to keep your personal information secure.  We understand that a lot of information is included in this Privacy Notice.  We want to provide you with a short and easily accessible summary of how we handle, protect, retain, store and disclose your personal information. For more information, see +About the Services and +Security of Personal Information below.

 

THIS SUMMARY IS NOT COMPREHENSIVE. YOU WILL NEED TO READ THE RELEVANT SECTIONS OF THE PRIVACY NOTICE BELOW TO FULLY UNDERSTAND HOW WE PROCESS YOUR PERSONAL INFORMATION.

We use personal information when you set up the App, which includes your date of birth and device serial number. We use your email address or telephone number for authentication purposes during pairings of your cardiac monitor. This App transmits information from your device to us, and if you contact our customer services, we will keep a separate record relating to your request for technical support. We also use personal information entered by your healthcare provider into Merlin.net. For more information, see +Collection and Processing of Your Personal Information and +Country Specific Provisions below.

We use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymised, aggregated and/or anonymized, so that it does not identify you by name.  We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies.  For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, +Retention of Personal Information below.

 

We strictly limit who we share your personal information with and will never sell the information to third parties for our commercial benefit. We do share personal information with our affiliated companies to help support and provide technical assistance for the Services, for compliance purposes, to conduct research, or to perform troubleshooting/diagnostics and broader analysis to detect systemic issues. For more information, see +Disclosure of Personal Information by Us and +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider below.

Where your location grants you certain rights in relation to your personal information, we will respond to such requests.  For more information, see +How Individual Users Can Access and Correct Personal Information and Your Rights below.

 

We store personal information relating to the Services on servers in the United States of America. For more information, see +Data Storage and +Cross-Border Transfers of Personal Information below. We also recommend that you check +COUNTRY SPECIFIC PROVISIONS, as there may be additional provisions that apply depending on your country of residence.

 

Please contact and direct all enquiries regarding the Services to your clinic in the first instance.  Your clinic is the ‘controller’ of your personal data when they provide you with medical care.  We are the ‘processor’ of your personal information on their behalf to provide you and your clinic with the Services.  If you have any questions or comments relating to privacy, you can contact us by emailing us at privacy@abbott.com. If you are located in the European Economic Area, you may contact our European data protection officer or contact your local data protection authority. The contact details for Abbott’s European data protection officer, as well as other useful contact information, are available at www.EU-DPO.abbott.com. For more information, see +Contact Us below.

 

If we update this Privacy Notice with material changes, we will alert you by email or the App when you next use the App.  For more information, see +Changes to this Privacy Notice below.

Privacy Notice and Consent

Pacesetter, Inc. (an Abbott company) provides the Merlin.net™ Patient Care Network (“Merlin.net”).  Abbott provides the myMerlin™ mobile application (“App”) (together, Merlin.net and the App are referred to as the “Services”).  Throughout this Privacy Notice, references to “Abbott,” “we,” “us,” and “our,” mean the group of Abbott companies, headquartered in Abbott Park, Illinois, United States of America.

We recognize the importance of data protection and privacy and are committed to protecting personal information, including health-related information. This Privacy Notice describes how your personal information is collected and used by Abbott when you use the Services.

Please read this Privacy Notice carefully before registering to use this App as it applies to the processing, transfer and storage of your personal information, including health-related data by Abbott and certain affiliated companies as described below. It also applies to the processing of your personal information by our affiliated companies and by our processors if required to resolve a customer service issue related to the Services.

This Privacy Notice does not apply to personal information processed or collected by other Abbott affiliates or subsidiaries or via other methods, such as other Abbott websites or other Abbott customer call centers. Your doctor’s use of Merlin.net and other privacy policies may apply to the personal information processed or collected through these methods.

By registering and using this App, you accept this Privacy Notice and you:

  • affirm that you are of legal age to accept this Privacy Notice; and
  • affirm that you are agreeing either on your own behalf or on behalf of another individual for whom you have actual authority to legally accept this Privacy Notice.

BY ACCEPTING OR AGREEING TO THIS PRIVACY NOTICE AND CONSENT, YOU EXPLICITLY ACKNOWLEDGE THAT YOUR USE OF THIS APP AND THE SERVICES IS SUBJECT TO THIS PRIVACY NOTICE AND TO THE PROCESSING AND TRANSFER OF PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, AS DESCRIBED IN THIS PRIVACY NOTICE.

WHERE REQUIRED BY THE LAW OF YOUR COUNTRY OF RESIDENCE, CLICKING “ACCEPT” OR “AGREE” MEANS THAT YOU ARE PROVIDING EXPLICIT CONSENT TO THE PROCESSING OF YOUR PERSONAL INFORMATION INCLUDING HEALTH-RELATED INFORMATION AND TO TRANSFER YOUR PERSONAL INFORMATION TO ABBOTT’S SERVERS LOCATED IN THE UNITED STATES OF AMERICA.

YOUR CONSENT IS GRANTED AT YOUR FREE WILL AND YOU ACKNOWLEDGE THAT YOU ARE NOT UNDER ANY LEGAL OBLIGATION TO PROVIDE PERSONAL INFORMATION TO ABBOTT.

About Us

Abbott is the manufacturer of the App, Confirm Rx™ Insertable Cardiac Monitor (“ICM”) and Jot Dx™ ICM.

Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories) of 15900 Valley View Court, Sylmar, California 91342, United States of America, is the provider of Merlin.net.

Your healthcare provider is a controller of your personal data for the purposes of providing your medical care. Your healthcare provider is responsible for how such data is processed and for ensuring that information transmitted through the Services complies with applicable privacy and data protection laws. The reference to ‘controller’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in the data protection and privacy laws of other countries in which you reside.

Abbott is a controller of personal information when we use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research relating to the Services. For further information see +Abbott’s Own Use of Your Personal Information.

About the Services

Merlin.net is a remote care system that holds information transmitted from your ICM through the Services.

The Services enable the prompt, automated transmission of information collected from your ICM and uploaded via the App to Abbott’s private and secure database. Through Merlin.net, your healthcare provider can see when your heart starts beating differently.  The App sends your heart data to your clinic based on the settings set by your healthcare provider.  The Services help your healthcare provider to monitor your heart’s rhythm and modify your treatment without the need for you to visit a clinic in person.

You must keep your mobile device connected to WiFi or to cellular/mobile data, and you must use the App so that your heart data can be remotely monitored by your healthcare provider. Before you can use the Services, your healthcare provider must register you on Merlin.net. Once you have entered your date of birth and the serial number of your ICM in the App, you may need to obtain an activation code, which you can elect to have sent to you. Once you have entered this activation code in the App, you must ensure that Bluetooth® wireless technology is maintained “ON” in order to pair your ICM to the App. Please keep “Notifications” “ON” to receive status updates and reminders. The App will inform you once set up is complete.

At regular intervals, the App will connect to your ICM and transmit information about how the ICM is performing.  The App will also transfer information about your heart’s rhythm to your healthcare provider, who will be able to receive alerts and updates, as well as log into Merlin.net to monitor your heart’s rhythm.

Collection and Processing of Your Personal Information

The following categories of your personal information are processed when you use the App:

  • your ICM serial number and your date of birth;
  • your email address and/or phone number so that we can send you an activation code;
  • day, month and time information sent from your ICM to Merlin.net;
  • information about the name and model number of your ICM;
  • periodic reports which indicate how your ICM interacts with the App and how the App interacts with Abbott’s servers since the last report;
  • information about the App performance, including crash reports; and
  • periodic log reports which record App activity since the last maintenance report.

The App links with and transmits data from your ICM to Merlin.net. The Services relating to Merlin.net use additional personal information, including health-related data that your healthcare provider inputs when creating a Merlin.net patient profile for you. That personal information may include your phone number or email, ICM model and serial number, and other optional fields including gender, race, preferred language, clinical comments and the functioning of your ICM, dates of treatment and transmissions, information about your condition, a clinic assigned patient number or other patient identifier. Your healthcare provider may also input the information of an emergency contact for you. Abbott may need to access this personal information to support and maintain the Services.

Your Healthcare Provider’s Use of Your Information

Your healthcare provider will collect your personal information as part of your medical treatment and will input your information into Merlin.net. Your healthcare provider uses the Services to help monitor your ICM and your heart rhythm.

 

Your healthcare provider or clinic processes your personal information for the following purposes:

  • to provide medical care, including on-going medical treatment by monitoring your ICM and your heart rhythm to assist them to provide you with medical care;
  • to grant Abbott access to your personal information to provide technical support for the Services, including to receive technical and clinical support, such as assistance with debugging, upgrading or troubleshooting the Services or interpreting data; and
  • where otherwise required by applicable law.

Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider

We process your personal information as a processor on behalf of your healthcare provider or clinic.  Such processing is on the instructions of your healthcare provider or clinic and relates to the following purposes:

  • provide the Services for your healthcare provider to monitor your ICM and your heart’s rhythm and your symptoms;
  • provide your healthcare provider with technical and clinical support, such as assistance with debugging, upgrading or troubleshooting; or
  • where authorised by your healthcare provider, obtain access to your health information to assist them with interpreting data transmitted from your ICM.

Depending on your location, we may provide support services to your healthcare provider or clinic from locations in: Sweden; other European locations, particularly if we have operations in your country of residence; or our other support centers located in the United States of America and Malaysia. We may also use other third parties to provide technical or clinical support to your healthcare provider or clinic.  Where we use any third party to help us provide support Services to your healthcare provider or clinic, we put in place adequate measures to safeguard the confidentiality, integrity and security of your personal information.

The reference to ‘processor’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in the data protection and privacy laws of other countries in which you reside.

Abbott’s Use of Your Personal Information

Abbott processes your personal information, including your health-related personal information, as a controller for the following purposes:

  • to provide you with the Services in accordance with the App End User License Agreement;
  • to keep a record of your contact with Abbott when you contact Abbott directly regarding the Services;
  • to provide your healthcare provider or clinic with the Services, including customer support relating to your ICM;
  • where required by applicable laws governing the use and classification of medical devices, including for the purposes of medical device post-market surveillance, quality management, including product development and improvement, safety, performance, and vigilance;
  • where necessary to establish, exercise or defend legal claims; and
  • as otherwise required by applicable law.

When your healthcare provider creates a patient profile in Merlin.net for you, and where required by applicable law, you provided your explicit consent for Abbott to de-identify, pseudonymise, aggregate, and/or anonymise your personal information to conduct research. For more information, see the +Research section.

The reference to ‘controller’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in the data protection and privacy laws of other countries in which you reside.

Data Storage

We receive data transmitted by the App and ICM before it is then stored in the Merlin.net servers, which are located in the United States of America. When your personal information is hosted in a country other than your country of residence, it may also become subject to the laws of the host country, which may not be equivalent to the laws of your country of residence. We have implemented appropriate security measures and controls to protect your personal information. While the United States has laws governing patient health information, those laws may not be equivalent to privacy or data protection laws in your country of residence.

See also +Security of Personal Information and +Cross-Border Transfers of Personal Information.

Medical Devices and other Legal Requirements

Abbott may use personal information where legally required and where possible we will de-identify, pseudonymize, aggregate and/or anonymize information to comply with our legal obligations as a medical device manufacturer. This information is securely held by Abbott and will not be used to identify you individually by your name or email address, except where we are under a legal obligation to include this information. Where such use of personal information is subject to legal requirements, we do not require consent.

The legal requirements for which Abbott will use this information are:

  • to ensure the ongoing safety of an ICM and any future development;
  • to monitor and improve the quality, security and effectiveness of medical devices and systems;
  • to validate upgrades, and to keep Merlin.net and/or related mobile applications safe and secure;
  • to perform broader analysis to detect systemic issues for public interest in the area of public health;
  • to research, develop and test medical devices, including new and existing features and functionality and to test and improve Merlin.net and/or related mobile applications for product development; and
  • where otherwise required by law, including to respond to any competent regulatory, law enforcement body, governmental authorities, to address national security or epidemics, judicial proceeding, court order, government request or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Abbott or others, and to exercise, establish or defend Abbott’s legal rights or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved.

We use the terms ‘de-identify’ and ‘pseudonymize’ interchangeably. US health insurance portability law (HIPAA) describes de-identified information as information where ‘there is no reasonable basis to believe that the information can be used to identify an individual’. The EU General Data Protection Regulation (2016/679) (GDPR) defines ‘pseudonymization’ as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information’. Anonymized data is information that does not relate to a person and from which a person cannot be identified, and this kind of data usually falls outside data protection and privacy laws.

For more information about GDPR, please see +European Economic Area, UK, Cayman Islands, Switzerland and Thailand below.

Research

Where required by applicable law, your healthcare provider will have obtained your explicit consent to allow us to de-identify or pseudonymise, aggregate, and/or anonymise your personal information to conduct research for limited purposes.

If a data set is used for research purposes, the data will not include your name, address, phone number, or email address. We take steps to ensure that there is no reasonable basis from which the de-identified or pseudonymised data can be used to identify you individually. Data used in research may include ICM model and serial number, intervals between implant date and subsequent visit dates, implant date, and demographics such as place of residence and age.

We conduct research using this de-identified or pseudonymised data, or aggregated, statistical and/or anonymised data for the following purposes:

  • to improve the quality, security and effectiveness of our cardiac and medical devices and systems and to allow for the development of innovative and effective treatment of heart-related conditions in the interests of public health;
  • to conduct research, for statistical purposes and analysis and to disclose to third party researchers, health care entities or professionals, or public health authorities;
  • to evaluate the effectiveness of the Services and how they are provided and used;
  • to validate the Services’ functionality and upgrades, including monitoring and improving the safety and security of such services;
  • to research, develop and test medical devices, including new and existing features and functionality and to test and improve the Services and our medical devices for product development, data analysis, statistical and survey purposes; and
  • for public interest in the area of public health, including where the Services and medical devices are eligible for medical reimbursement or are otherwise entitled to social security, insurance or public funding.

If you are ever asked to participate in a clinical trial, and where required by applicable law, you will be asked to provide a separate informed consent to the research site prior to taking part in any such trial and your participation is completely voluntary. The research in this section does not relate to participation in a clinical trial.

For more information about GDPR, please see +European Economic Area, UK, Cayman Islands, Switzerland and Thailand below.

Retention of Personal Information

Information collected from your ICM will be retained for a maximum period of seven (7) years from the date of your most recent transmission (that is, the date you last use your ICM and/or the App), except as may be required by law.

The section +Deleting Your Information from Merlin.net explains how you can arrange to have your healthcare provider or clinic delete your information from the Merlin.net Patient Care Network.

Disclosure of Personal Information by Us

We may share your personal information as follows:

  • We share personal information with third-party suppliers solely to provide, maintain, host, and support the Services. For example, where we provide your personal information to third-party suppliers to assist us with the provision of the Services, they are required to keep your personal information confidential and secure and to use your personal information to the minimum extent necessary.
  • Where possible, Abbott uses third party service providers to report system errors so that we can support and improve the Services and in such instances the information sent to such third parties will not involve the use of your personal information.
  • Android requires location services permissions to be granted in order to connect apps with Bluetooth® devices. Google’s location services include features that collect a user’s precise location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. This information will be collected by Google if a user grants access to his or her location. For more information on Google’s privacy practices regarding this data, please see Android’s support website. We will not use your personal information derived from Google’s location services.
  • We will not sell or license your personal information to third parties except in connection with the sale, merger, or transfer of a product line or division, so that the buyer can continue to provide you with the Services. For the avoidance of doubt, we will never sell your personal information to third parties for commercial purposes.
  • We may share de-identified, pseudonymised, aggregated, and/or anonymised information with our affiliates, your healthcare provider or clinic, third party researchers and national health authorities or insurers to demonstrate the effectiveness of the Services or as required for medical reimbursement. This information will not be used to identify you individually.
  • We reserve the right to disclose your personal information to respond to authorised information requests from government authorities, to address national security situations, or when otherwise required by law. Furthermore, where permitted or required by law, we may also disclose the information we collect from you where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved. Your personal information may be subject to foreign laws and may be accessible by foreign governments, courts, law enforcement, and regulatory agencies.

Security of Personal Information

Abbott has implemented appropriate security controls within the Services to protect your personal information from accidental or unlawful destruction or accidental loss, alteration, disclosure, or access.

Information received from your ICM is encrypted before transmission to ensure that it will remain secure and confidential. The Services include various security measures to enhance the security of your patient profile and to prevent unauthorised access to, or disclosure of, your personal information. Only those authorised by your healthcare provider or clinic, including their authorised staff, will have access to your patient profile and only through unique IDs and passwords. Abbott has implemented various security and access controls to ensure that only authorised persons within Abbott may access pseudonymised, aggregated and de-identified data.

We use Bluetooth® 4.0 wireless technology or higher to transmit different sets of personal information between medical devices and iOS or Android devices. Any information relating to measurements taken from your ICM is transmitted through Bluetooth technology.

Please be aware that the Services may be unavailable during periods of routine maintenance.

Cross-Border Transfers of Personal Information

Information collected via the Services will be transferred to and stored in the United States of America. The data protection laws of the USA may not offer protections for personal information equivalent to those of the European Union, the UK, Switzerland or your country of residence.  Your personal data will be transferred on the basis of EU and Swiss approved Standard Contractual Clauses.  You also explicitly consent to the transfer of your personal information to Abbott’s servers in the United States of America.

If you contact us directly and request technical support, your personal information (including health-related data) may be accessible by our remote care teams in the USA, the European Union or Malaysia (transfers to Malaysia do not apply to residents of the European Union, the UK or Switzerland).  Abbott intracompany data transfers are governed by a data transfer agreement providing adequate safeguards.

BY USING THIS APP AND BY ACKNOWLEDGING THIS PRIVACY NOTICE AND CONSENT, WE ARE INFORMING YOU OF THESE TRANSFERS OF YOUR PERSONAL INFORMATION TO THE UNITED STATES OF AMERICA, SWEDEN AND/OR MALAYSIA (TRANSFERS TO MALAYSIA DO NOT APPLY TO RESIDENTS OF THE EUROPEAN UNION, THE UK OR SWITZERLAND) AND TO THE ACCESS OF YOUR PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, WHICH MAY BE REQUIRED IN EXCEPTIONAL CIRCUMSTANCES TO RESPOND TO ANY SUPPORT REQUESTS YOU OR YOUR DOCTOR MAKE. THESE COUNTRIES MAY NOT OFFER AN EQUIVALENT LEVEL OF PROTECTION FOR YOUR PERSONAL INFORMATION WHEN COMPARED WITH DATA PROTECTION OR PRIVACY LAWS OF THE COUNTRY IN WHICH YOU RESIDE.

How Abbott Sends Marketing and Other Material

We will not knowingly send you advertising or marketing-related information, unless you have opted into receiving these types of communications from us in relation to our other products and services.

Neither Abbott nor its affiliates or licensors will knowingly send advertising or marketing-related information to children.

We do not sell your personal information to third parties for direct marketing.

Please note that we may send you non-marketing related information about necessary App and service updates or issues relating to product safety.

How Abbott Protects Children’s Privacy

Children can be enrolled in Merlin.net by a healthcare provider or clinic. At any time, a parent/guardian may stop the collection of a child’s personal information, including health-related information, by contacting the healthcare provider or clinic and requesting that the account be deleted. This action will delete the Merlin.net account associated with the child, but we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

How Individual Users Can Access and Correct Personal Information and Your Rights

To exercise any data protection or privacy rights, you should contact your healthcare provider or clinic in the first instance. We are not able to correct or amend any readings from your ICM that have been uploaded.

Depending on your place of residence, you may have the right to: (a) access the personal information we hold about you; (b) request we correct any inaccurate personal information we hold about you; (c) delete any personal information we hold about you; (d) restrict the processing of personal information we hold about you; (e) object to the processing of personal information we hold about you; and/or (f) receive any personal information you have provided to us on the basis of your consent in a structured and commonly used machine-readable format or have such personal information transmitted to another company. Please note that Abbott is not required by law to adopt or maintain systems that are technically compatible with other companies. It may not be possible for Abbott to directly transmit your personal information to another company.

Children may also have the right to access the personal information held about them. Where we receive a request for access for a child’s personal information from the child’s parent/guardian, we may respond directly to the child’s parent/guardian or recommend that they contact their child’s doctor or clinic. We will always seek to verify the identity of the person seeking access to a child’s information, whether it is from the child him/herself or from a parent or guardian.

To request the exercise of these rights, please contact your healthcare provider or clinic in the first instance as the controller of your personal information for the purpose of providing you medical care. You may contact us where we are the controller of your personal information using any of the methods set out in the section entitled +Contact Us.

Deleting Your Information from Merlin.net

If you have been implanted with an ICM, the only way your healthcare provider can monitor you is via Merlin.net. Therefore, if you elect not to be enrolled in Merlin.net it will affect your healthcare provider’s ability to monitor your condition and may affect their ability to treat you.

If you would like to have your information deleted from Merlin.net, you may do so by contacting your healthcare provider or clinic. If you request deletion of your information from Merlin.net and still have your ICM, your healthcare provider will not be able to remotely monitor your heart’s rhythm. Please be aware that if your healthcare provider or clinic deletes your information in Merlin.net, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

Contact Us

If you have questions, concerns or complaints about the processing of your personal information for the purpose of your medical care or wish to exercise your data protection rights, please contact your healthcare provider or clinic directly. 

If you have questions, comments, or complaints about our privacy practices, please contact us by clicking on the “Contact Us” link in one of our websites or emailing us at cnprivacy@abbott.com. Alternatively, you may write to us at:

Attn:  Privacy Officer, Abbott, One St. Jude Medical Drive, St. Paul, MN 55117, USA

For EEA, UK and Switzerland users, see also below under your regional section for additional contact details.

For Users in Brazil: If you have questions, comments, or complaints about our privacy practices, or if you would like to exercise any of your rights set out in the +How Individual Users can Access and Correct Personal Information and Your Rights section, please contact us by clicking on the “Contact Us” link in one of our websites or emailing our local DPO, Juliana Ruggiero, at privacybrasil@abbott.com. Alternatively, you may write to us at:

Attn: Juliana Ruggiero Privacy Officer
Laboratórios do Brasil Ltda.
Rua Michigan 735, São Paulo/SP
CEP: 04566-905

In all communications to us, please include the email address used to register for this App and a detailed explanation of your request.

Changes to this Privacy Notice

This Privacy Notice is kept under regular review. If we make material changes to our privacy practices, an updated version of this Privacy Notice will reflect those changes. You will be alerted to updates to this Privacy Notice by email or the App when you next use the App.

Without prejudice to your rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes and good business practices to the extent that it does not change the privacy practices as set out in this Privacy Notice.

Country Specific Provisions

USA

Abbott operates as a business associate to your healthcare provider in making this App available to you in compliance with the Health Insurance Portability and Accountability Act and its implementing regulations (collectively “HIPAA”). As a result, personal information, including health-related information, that is collected via this App is governed by HIPAA, and we may use and disclose your personal information consistent with our business associate obligations and as outlined in this Privacy Notice and Consent.

California

California Civil Code Section 1798.83 permits residents of the State of California to request from certain businesses with whom the California resident has an established business relationship a list of all third parties to which the business, during the immediately preceding calendar year, has disclosed certain personally identifiable information for direct marketing purposes. Abbott is required to respond to a customer request only once during any calendar year. To make such a request you should send a letter to Privacy Officer, Abbott, One St. Jude Medical Drive, St. Paul, MN 55117. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California Privacy Rights requirements and only information sharing that is covered will be included in our response.

If you have any questions regarding Abbott’s compliance with the California Consumer Privacy Act (CCPA) and your rights under CCPA, please visit https://www.abbott.com/privacy-policy.html.

Argentina

The Public Information Access Agency, in its capacity as supervisory body of Act No. 25.326, has jurisdiction over all accusations and complaints made by those affected in their rights for infringements to regulations in force referred to the protection of personal information.

Australia

If you wish to make a complaint about a breach of the Privacy Act, the Australian Privacy Principles (“APPs”) or a privacy code that applies to us, or if you have any queries or concerns about our Privacy Notice or the way we handle your personal information, please contact us using the details above and we will take reasonable steps to investigate and respond to you.

If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner. See https://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office. We are not likely to disclose your personal information overseas, except as permitted by the Privacy Act 1988 (Cth), unless we otherwise advise you in writing. We may transfer your personal information to the United States. You consent to that disclosure and agree that by giving that consent, Australian Privacy Principle 8.1 no longer applies, and we are not required to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.

Brazil

In case of updates to this Privacy Notice that require new collection of consent, you will be notified through the contacts you have provided us.

Consent: To process personal information concerning your health, you must provide Abbott affirmative consent to use the Apps. You may withdraw your consent at any time by contacting us at privacy@abbott.com.

Legal basis for the processing of your personal information: Abbott processes your information based on the following legal bases as set out in the Lei Geral de Proteção de Dados (LGPD):

  • Consent to process health-related information when you create an App account to store information relating to the Services;
  • Consent to process health-related information when you contact our customer support line, if necessary, for us to respond to your questions or to your request for support, such as troubleshooting any performance issues or when necessary to share your information with our third-party processors to resolve service issues.
  • Consent when you share your diagnostics/troubleshooting data (including health-related data) with us from your mobile device through the App, if necessary, for us to respond to your request for support, such as diagnostics and troubleshooting of any performance issues.
  • Consent when you share your personal information, including health-related information, with our third-party partners.
  • Abbott’s legitimate business interests and consent when we de-identify, pseudonymize, aggregate and/or anonymize data to better understand how you interact with and use the Services.

Your rights: If you would like to exercise any of your rights set out in the section titled + How Individual Users can Access and Correct Personal Information and Your Rights and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”, or other right as applicable, in the subject line of the email.) We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirements. You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information.

China (excluding Hong Kong, Macau and Taiwan)

By accepting or agreeing to this Privacy Notice, you are deemed to have been informed of and have explicitly consented to the collection of your personal information, including personal identification number and health-related information and use of personal information in respect of all of the contents herein. For users under the age of 14, consent must be given by their guardian. If we discover that personal information of any minor under the age of 14 has been collected without the consent of his/her guardian, we will try to delete the relevant data as soon as possible. You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

We are not legally required to obtain consent to collect or use your personal information, including health-related information, under certain circumstances if the collection or use of your personal information, including health-related information is:

  • related to the fulfilment of obligations imposed by laws and regulations;
  • directly related to national security or national defense;
  • directly related to public safety, public health, or significant public interests;
  • directly related to a criminal investigation, prosecution or trial, or the enforcement of a judgment, etc.;
  • required to safeguard the basic rights and interests of individuals (such as the right to life and property) where obtaining consent would be impracticable;
  • of personal data that you or your patients or their guardians (for children under the age of 14) have made publicly available;
  • of personal data that was obtained from legitimate public sources, such as legitimate news reports or open government information;
  • necessary for signing and performing a contract as requested by you, your patient, or your patient’s guardian if the patient is under the age of 14; or
  • necessary for maintaining the safe and stable operation of the products or services provided, such as discovering and resolving technical issues of the products or services.

In addition to other rights you have under this Privacy Notice, you have the following additional rights:

  • The right to object to a decision which is based solely on automated processing. You have the right in certain circumstances not to be subject to a decision which is based solely on automated processing without human intervention.

If you have questions or would like to exercise any of these rights in respect of your personal information, including health-related information, please contact your healthcare provider in the first instance. If you contact us, we will work with your healthcare provider and do our best to respond to all reasonable requests in a timely manner in accordance with applicable legal requirements. We may charge a reasonable administrative fee for repeated requests within 3 months. If there is any material change to this Privacy Notice, we may publish the amendments in the form of a public announcement.

Requests to exercise your rights directed to us may not be processed if they are unreasonable or repetitive. We will not be able to process your request if:

  • your request relates to our obligations under applicable laws and regulations;
  • your request directly relates to national security or national defense security;
  • your request directly relates to public safety, public health, major public interests;
  • your request directly relates to criminal investigation, prosecution, adjudication, and enforcement;
  • sufficient evidence proves that you make the request in bad faith or abuse your right;
  • responding to your request would severely damage the lawful interests of you or other persons or organizations; or
  • your request touches upon our trade secrets.

Unless deletion is legally required or pursuant to your request, Abbott may retain any personal information, including health-related information, that you provide to us for the purpose of improving treatment guidance for patients using this App and Abbott’s cardiac-related products.

Personal information, including health-related information, generated and collected by us in China (excluding Hong Kong, Macau and Taiwan) is stored in China (excluding Hong Kong, Macau and Taiwan). Given that Abbott operates globally, your personal information may be transferred to and accessed by entities located outside of China (excluding Hong Kong, Macau and Taiwan).

We have in place a comprehensive security program that complies in all respects with applicable law and industry practices to protect your personal information, including health-related information. We will take all the commercially reasonable actions to ensure not to collect any personal information including health-related information irrelevant to the purposes as set out in this Privacy Notice, and will only retain your personal information, including health-related information, within the retention period hereunder or a longer period as required by applicable laws. We will update and publish information about security risk, and a personal information security impact assessment as required by applicable laws.

In the event of a security incident related to your personal information, including health-related information, we will inform you in a timely manner as required by applicable laws by email, or other available contact methods with general information about the incident and its possible impact, the remediation actions we have taken and will take, and with advice to you on actions to mitigate any risks and to remediate the impact. We may report such incident and the remediation actions to the regulatory agency as required.

European Economic Area, UK, Cayman Islands, Switzerland and Thailand

We process your personal information as a processor when providing our services to your doctor or clinic and may have access to your health data to provide your doctor or clinic with technical and customer support.

Legal basis for the processing of your personal information: Abbott processes your personal information, including your health-related personal information, as a controller on the following legal bases as set out in the GDPR:

  • as necessary to assist your healthcare provider with medical diagnosis pursuant to our contract with them and as necessary for the performance of a contract to provide you with the App in accordance with the End User License Agreement;
  • your consent and as necessary for the performance of a contract (the End User License Agreement) to keep a record of your contact with Abbott when you contact Abbott directly;
  • as necessary to provide your healthcare provider with the Services pursuant to our contract with them, including customer support;
  • as necessary to provide your healthcare provider with the Services pursuant to our contract with them and for reasons of public interest in the area of public health where required by the EU or national laws governing the use and classification of medical devices, including for the purposes of medical device post-market surveillance, quality management, including product development and improvement, safety, performance, and vigilance;
  • as necessary to establish, exercise or defend legal claims; and
  • as otherwise necessary for substantial public interest required by applicable law.

When your healthcare provider created a patient profile in Merlin.net for you, you provided your explicit consent for Abbott to de-identify, pseudonymise, aggregate, and/or anonymise your personal information to conduct research. We conduct research using this de-identified or pseudonymised data, or aggregated, statistical and/or anonymised data for the following purposes:

  • for public interest in the area of public health to improve the quality, security and effectiveness of our Devices and systems and to allow for the development of innovative and effective treatment of heart-related conditions;
  • to conduct research, for statistical purposes and analysis and to disclose to third party researchers, health care entities or professionals, or public health authorities;
  • for Abbott’s legitimate business interests to evaluate the effectiveness of the Services and how they are provided and used;
  • for Abbott’s legitimate business interests to validate the Services’ functionality and upgrades, including monitoring and improving the safety and security of such services;
  • to research, develop and test Devices, including new and existing features and functionality and to test and improve the Services and Devices for product development, data analysis, statistical and survey purposes; and
  • for public interest in the area of public health, including where the Services and Devices are eligible for medical reimbursement or are otherwise entitled to social security, insurance or public funding.

For more information, see the +Research section.

We also process your personal information as a processor and do so on behalf of your healthcare provider. Your healthcare provider processes your personal information on the following legal bases under European Union or national law:

  • to provide medical care, including on-going medical treatment by monitoring your Device and your condition to make it easier for them to provide you with medical care;
  • to grant Abbott access to your personal information to provide technical support for the Services, including to receive technical and clinical support, such as assistance with debugging, upgrading or troubleshooting the Services or interpreting data; and
  • where otherwise required by European Union or national law.

“GDPR” refers to the General Data Protection Regulation (2016/679) as to EU Member State implementing legislation, and for the UK, it refers to the UK Data Protection Act 2018, each as may be amended from time to time. Where we have included a country above that is outside the European Union, it has been done because such countries contain substantially similar or near equivalent laws to the GDPR.

Data transfers: Information collected via the Services will be transferred to and stored in the United States of America. If you request technical support your personal information (including health-related data) will be accessible by our remote care teams in the USA or Sweden only. Your personal data will be transferred on the basis of EU Standard Contractual Clauses.

Data Protection Officer: The contact details of our European data protection officer along with other useful contact information are available at www.eu-dpo@abbott.com.

Your rights: If you would like to exercise any of your rights set out in the section entitled + How Individual Users can Access and Correct Personal Information and Your Rights and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”, or other right as applicable, in the subject line of the email.) We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirement. You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information.

EU Representatives

Pacesetter, Inc. has appointed the following companies as its country representatives:

| Country | Representative Name | Representative Address |
| --- | --- | --- |
| Austria, Romania | Abbott Medical Austria Ges.m.b.H. | Perfektastraße 84A 1230 Wien, Austria |
| Belgium, Luxembourg | Abbott Medical Belgium | The Corporate Village, Building Figueras, Da Vinci laan, 11 Box F1, Zaventem, Belgium |
| Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Iceland, Latvia, Malta, Slovakia, Slovenia | St. Jude Medical Coordination Center | The Corporate Village, Building Figueras, Da Vinci laan, 11 Box F1, Zaventem, Belgium |
| Denmark | Abbott Medical Danmark A/S | Produktionsvej 14, 2600 Glostrup, Denmark |
| Estonia | Abbott Medical Estonia OÜ | Mõisa 4/Vabaõhumuuseumi tee 3, 13522, Tallinn, Estonia |
| Finland | Abbott Medical Finland Oy | Vantaankoskentie 14, FI-01670 Vantaa, Finland |
| France | Abbott Medical France SAS | 1-3, esplanade du Foncet, CS 90087, 92442 Issy les Moulineaux Cedex, France |
| Germany | Abbott Medical GmbH | Helfmann-Park 7, 65760 Eschborn, Germany |
| Greece | Abbott Medical Hellas Limited Liability Trading Company (trade name: Abbott Medical Hellas Ltd.) In Greek: Άμποτ Ιατρικά Ελλάς Εμπορική Εταιρεία Περιορισμένης Ευθύνης and trading name of Άμποτ Ιατρικά Ελλάς Ε.Π.Ε | Iroos Matsi & Archaeou Theatrou Str., 17456 Alimos-Athens, Greece |
| Hungary | Abbott Medical Korlátolt Felelősségű Társaság (Abbreviated Name: Abbott Medical Kft.) | Tóth Lőrinc utca 41. II. em., Budapest, 1126, Hungary |
| Ireland | Abbott Medical Ireland Limited | Riverside One, Sir John Rogerson's Quay, Dublin 2 D02X576, Ireland |
| Italy | Abbott Medical Italia S.p.A. | Sesto San Giovanni, Milano, Viale Thomas Alva, Edison 110 CAP 20099, Italy |
| Lithuania | UAB Abbott Medical Lithuania | Seimyniskiu str. 3, LT-09312 Vilnius, Lithuania |
| Netherlands | Abbott Medical Nederland B.V. | Standaardruiter 13, 3905 PT Veenendaal, Netherlands |
| Norway | Abbott Medical Norway AS | Gullhaugveien 7, Oslo, 0484, Norway |
| Poland | Abbott Medical spółka z ograniczoną odpowiedzialnością. | ul. Postepu 21B, 02-676, Warsaw, Poland |
| Portugal | Abbott Medical (Portugal) – Distribuicao de Produtos Medicos, Lda. | Estrada de Alfragide 67, Alfragide Edifico D, Amadora, Portugal |
| Spain | Abbott Medical España, S.A. | Francisca Delgado No. 11, Núcleo 3 – 3º Arroyo de la Vega, Alcobendas 28108, Spain |
| Sweden | Abbott Medical Sweden AB | Isafjordsgatan 15, 164 07 Kista, Sweden (Business Office) Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office) |

 

United Kingdom

Under the European Union Withdrawal Act 2020, European Union law will continue to apply in the United Kingdom until 31 December 2020. We will put appropriate measures in place to protect your personal information when we transfer it to the United States. Our local representative is Abbott Medical U.K. Limited, Elder, Central Boulevard, Blythe Valley Park, Solihull, B90 8AJ, UK.

Algeria, Chile, Colombia, Morocco, Pakistan, Panama, Paraguay, Saudi Arabia, Trinidad & Tobago, and Tunisia

Your consent is required for Abbott to process your personal information generally. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider or clinic. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

France

Pacesetter, Inc. is certified with the ASIP Santé to host personal health data, including the following activities:

  1. the provision and maintenance in operational condition of the physical sites enabling the physical infrastructure of the information system used to process health data to be housed;
  2. the provision and maintenance in operational condition of the physical infrastructure of the information system used for the processing of health data;
  3. the provision and maintenance in operational condition of the platform for hosting applications of the information system;
  4. the provision and operational maintenance of the virtual infrastructure of the information system used for processing health data;
  5. administration and operation of the information system containing health data;
  6. saving of health data.

The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymised, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies. For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, and +Retention of Personal Information. Our local representative is Abbott Medical France SAS., 1-3, esplanade du Foncet, CS 90087, 92442 Issy les Moulineaux Cedex, France.

Japan

Your consent is required for Abbott to handle your “special care-required personal data” (referred to in this Privacy Notice as your health-related information) and to transfer your personal information, including health-related information, to any third party outside of Japan (except for transfers to the EU, for which an adequacy decision has been issued by the Japanese government). By accepting or agreeing to this Privacy Notice, you are deemed to have consented to the processing of your personal information, including health-related information, as described herein. You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

South Africa

You have the right to lodge a complaint to the Information Regulator regarding the processing of your personal information, by writing to: The Information Regulator, SALU Building, 316 Thabo Sehume Street, PRETORIA, Tel: 012 406 4818, Fax: 086 500 3351, inforeg@justice.gov.za.

South Korea

By accepting or agreeing to this Privacy Notice, you are deemed to have been informed of and have explicitly consented to all of the contents herein. For users under the age of 14, consent must be given by their guardian. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

This Privacy Notice sets out information on the collection, use, provision to third parties, outsourcing of the processing, and cross-border transfer of your personal information, including health-related information, by Pacesetter, Inc., in connection with the provision of the App and the Services. All of the following categories of processing of personal information, including health-related information, are necessary for the provision of the App and the Services. Therefore, you will be unable to receive this App and the Services if you choose not to consent to such processing.

You may provide your consent collectively to all of the following consent categories by accepting or agreeing to this Privacy Notice:

  • (Necessary) Consent for the collection and use of personal information, including health-related information, as described in +Collection and Processing of Your Personal Information, +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider, +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research
  • (Necessary) Consent for the collection and use of health-related information, as described in +Collection and Processing of Your Personal Information, +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider, +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research
  • (Necessary) Consent for the cross-border transfer and provision of health data (sensitive data) to third parties, as described in +Data Storage, +Disclosure of Personal Information by Us, +Cross-Border Transfers of Personal Information

You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

Ukraine

Your consent is required for Abbott to process your personal information except where we do so for us to comply with a legal obligation as described in +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to have your information deleted from Merlin.net, you may do so by contacting your healthcare provider or clinic. Please be aware that if you ask your healthcare provider or clinic to delete your information from Merlin.net, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

MAT-2107840 v1.0

© 2021 Abbott. All Rights Reserved. Please read the Legal Notice for further details.

Unless otherwise specified, all product and service names appearing in this Internet site are trademarks owned by or licensed to Abbott, its subsidiaries or affiliates. No use of any Abbott trademark, trade name, or trade dress in this site may be made without the prior written authorization of Abbott, except to identify the product or services of the company.
