myMerlinPulse App Privacy Notice

alt

Version Date: October 2023

 

Abbott provides the myMerlinPulse™ App (“App”) for an implantable heart device obtained from us including, where available, the Avant™, Neutrino™, Gallant™, and Entrant™ implantable heart device (“Device”) which transmits data to the Merlin.net™ Patient Care Network (“Merlin.net”) (together the “Services”) so that your doctor or clinic can remotely monitor and program your heart device and provide you with medical treatment. Pacesetter, Inc. (an Abbott company) provides Merlin.net.

We are committed to protecting your personal information. This Privacy Notice (“Privacy Notice”) explains how we handle your personal information for the Services and what we do to keep your personal information secure. We understand that a lot of information is included in this Privacy Notice. We want to provide you with a short and easily accessible summary of how we handle, protect, retain, store and disclose your personal information. For more information, see +About the Services and +Security of Personal Information in the full Privacy Notice below.

THIS SUMMARY IS NOT COMPREHENSIVE. YOU WILL NEED TO READ THE RELEVANT SECTIONS OF THE PRIVACY NOTICE BELOW TO FULLY UNDERSTAND HOW WE PROCESS YOUR PERSONAL INFORMATION.

We use personal information when you set up the App, which includes your date of birth and device serial number. We use your email address or telephone number for authentication purposes during pairings of your heart device. This App transmits information from your device to us, and if you contact our customer services, we will keep a separate record relating to your request for technical support. We also use personal information entered by your healthcare provider into Merlin.net. For more information, see +Collection and Processing of Your Personal Information and +Country Specific Provisions in the full Privacy Notice below.

We use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies. For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, +Retention of Personal Information in the full Privacy Notice below.

We strictly limit who we share your personal information with and will never sell the information to third parties for our commercial benefit. We do share personal information with our affiliated companies to help support and provide technical assistance for the Services, for compliance purposes, to conduct research, or to perform troubleshooting/ diagnostics and broader analysis to detect systemic issues. For more information, see +Disclosure of Personal Information by Us and +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider in the full Privacy Notice below.

Where your location grants you certain rights in relation to your personal information, we will respond to such requests. For more information, see +How Individual Users Can Access and Correct Personal Information and Your Rights in the full Privacy Notice below.

Personal information relating to the Services is stored either on servers in the United States of America or in a regional deployment in Europe, depending on your country of residence. For more information, see +Data Storage and +Cross-Border Transfers of Personal Information in the full Privacy Notice at the link below. We also recommend that you check +COUNTRY SPECIFIC PROVISIONS, as there may be additional provisions that apply depending on your country of residence.

Please contact and direct all enquiries regarding the Services to your clinic in the first instance. Your clinic is the ‘controller’ of your personal data when they provide you with medical care. We are the ‘processor’ of your personal information on their behalf to provide you and your clinic with the Services. If you have any questions or comments relating to privacy, you can contact us by emailing us at privacy@abbott.com. If you are located in the European Economic Area, you may contact our European Version Date: October 2023 Page 2 of 30 data protection officer or contact your local data protection authority. The contact details for Abbott’s European data protection officer, as well as other useful contact information, are available at www.EU-DPO.abbott.com. For more information, see +Contact Us in the full Privacy Notice below.

If we update this Privacy Notice with material changes, we will alert you by email or the App when you next use the App. For more information, see +Changes to this Privacy Notice in the full Privacy Notice below.

 

To access the full Privacy Notice, click on the link for your region:

US: https://www.cardiovascular.abbott/us/en/policies/mymerlinpulse-app-privacy.html

Outside US: https://www.cardiovascular.abbott/int/en/policies/mymerlinpulse-app-privacy.htm

 

™ Indicates a trademark of the Abbott group of companies.

© 2023 Abbott. All rights reserved

Version Date: June 2023

 

Pacesetter, Inc. (an Abbott company) provides the Merlin.net™ Patient Care Network (“Merlin.net”). Abbott provides the myMerlinPulse™ mobile application (“App”) (together, Merlin.net and the App are referred to as the “Services”). Throughout this Privacy Notice, references to “Abbott,” “we,” “us,” and “our,” mean the group of Abbott companies, headquartered in Abbott Park, Illinois, United States of America

Mobile Application Privacy Notice

 Abbott provides the myMerlinPulse™ App (“App”) for an implantable heart device obtained from us including, where available, the Avant™, Neutrino™, Gallant™, and Entrant™ implantable heart device (“Device”) which transmits data to the Merlin.net™ Patient Care Network (“Merlin.net”) (together the “Services”) so that your doctor or clinic can remotely monitor and program your heart device and provide you with medical treatment. Pacesetter, Inc. (an Abbott company) provides Merlin.net.

We are committed to protecting your personal information. This Privacy Notice (“Privacy Notice”) explains how we handle your personal information for the Services and what we do to keep your personal information secure. We understand that a lot of information is included in this Privacy Notice. We want to provide you with a short and easily accessible summary of how we handle, protect, retain, store and disclose your personal information. For more information, see +About the Services and +Security of Personal Information in the full Privacy Notice below.

THIS SUMMARY IS NOT COMPREHENSIVE. YOU WILL NEED TO READ THE RELEVANT SECTIONS OF THE PRIVACY NOTICE BELOW TO FULLY UNDERSTAND HOW WE PROCESS YOUR PERSONAL INFORMATION.

We use personal information when you set up the App, which includes your date of birth and device serial number. We use your email address or telephone number for authentication purposes during pairings of your heart device. This App transmits information from your device to us, and if you contact our customer services, we will keep a separate record relating to your request for technical support. We also use personal information entered by your healthcare provider into Merlin.net. For more information, see +Collection and Processing of Your Personal Information and +Country Specific Provisions in the full Privacy Notice below.

We use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies. For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, +Retention of Personal Information in the full Privacy Notice below.

We strictly limit who we share your personal information with and will never sell the information to third parties for our commercial benefit. We do share personal information with our affiliated companies to help support and provide technical assistance for the Services, for compliance purposes, to conduct research, or to perform troubleshooting/ diagnostics and broader analysis to detect systemic issues. For more information, see +Disclosure of Personal Information by Us and +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider in the full Privacy Notice below.

 Where your location grants you certain rights in relation to your personal information, we will respond to such requests. For more information, see +How Individual Users Can Access and Correct Personal Information and Your Rights in the full Privacy Notice below.

Personal information relating to the Services is stored either on servers in the United States of America or in a regional deployment in Europe, depending on your country of residence. For more information, see +Data Storage and +Cross-Border Transfers of Personal Information in the full Privacy Notice at the link below. We also recommend that you check +COUNTRY SPECIFIC PROVISIONS, as there may be additional provisions that apply depending on your country of residence.

Please contact and direct all enquiries regarding the Services to your clinic in the first instance. Your clinic is the ‘controller’ of your personal data when they provide you with medical care. We are the ‘processor’ of your personal information on their behalf to provide you and your clinic with the Services. If you have any questions or comments relating to privacy, you can contact us by emailing us at privacy@abbott.com. If you are located in the European Economic Area, you may contact our European data protection officer or contact your local data protection authority. The contact details for Abbott’s European data protection officer, as well as other useful contact information, are available at www.EU-DPO.abbott.com

If we update this Privacy Notice with material changes, we will alert you by email or the App when you next use the App. For more information, see +Changes to this Privacy Notice in the full Privacy Notice below.

To access the full Privacy Notice, click on the link for your region:

US: https://www.cardiovascular.abbott/us/en/policies/mymerlinpulse-app-privacy.html

Outside US: https://www.cardiovascular.abbott/int/en/policies/mymerlinpulse-app-privacy.html

 

Mobile Application Privacy Notice
Version Date: June 2023

Pacesetter, Inc. (an Abbott company) provides the Merlin.net™ Patient Care Network (“Merlin.net”). Abbott provides the myMerlinPulse™ mobile application (“App”) (together, Merlin.net and the App are referred to as the “Services”). Throughout this Privacy Notice, references to “Abbott,” “we,” “us,” and “our,” mean the group of Abbott companies, headquartered in Abbott Park, Illinois, United States of America.

We recognize the importance of data protection and privacy and are committed to protecting personal information, including health-related information. This Privacy Notice describes how your personal information is collected and used by Abbott when you use the Services.

Please read this Privacy Notice carefully before registering to use this App as it applies to the processing, transfer and storage of your personal information, including health-related data by Abbott and certain affiliated companies as described below. It also applies to the processing of your personal information by our affiliated companies and by our processors if required to address a customer service issue related to the Services.

This Privacy Notice does not apply to personal information processed or collected by other Abbott affiliates or subsidiaries or via other methods, such as other Abbott websites, other Abbott customer call centers. Your doctor’s use of Merlin.net and other privacy policies may apply to the personal information processed or collected through these methods.

By registering and using this App, you accept this Privacy Notice and you:

  • affirm that you are of legal age to accept this Privacy Notice; and
  • that you are agreeing either on your own behalf or on behalf of another individual for whom you have actual authority to legally accept this Privacy Notice.

BY ACCEPTING OR AGREEING TO THIS PRIVACY NOTICE, YOU EXPLICITLY ACKNOWLEDGE THAT YOUR USE OF THIS APP AND THE SERVICES ARE SUBJECT TO THIS PRIVACY NOTICE AND TO THE PROCESSING AND TRANSFER OF PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, AS DESCRIBED IN THIS PRIVACY NOTICE. (THIS PARAGRAPH DOES NOT APPLY TO USERS IN THE EUROPEAN ECONOMIC AREA (“EEA”), UNITED KINGDOM (“UK”) AND SWITZERLAND. FOR MORE INFORMATION, SEE REGIONAL SECTIONS BELOW).

WHERE REQUIRED BY THE LAW OF YOUR COUNTRY OF RESIDENCE, CLICKING “ACCEPT” OR “AGREE” MEANS THAT YOU ARE PROVIDING EXPLICIT CONSENT TO THE PROCESSING OF YOUR PERSONAL INFORMATION INCLUDING HEALTH-RELATED INFORMATION AND TO TRANSFER YOUR PERSONAL INFORMATION TO ABBOTT’S SERVERS LOCATED IN THE UNITED STATES OF AMERICA.

YOUR CONSENT IS GRANTED AT YOUR FREE WILL AND YOU ACKNOWLEDGE THAT YOU ARE NOT UNDER ANY LEGAL OBLIGATION TO PROVIDE PERSONAL INFORMATION TO ABBOTT.

+About Us

Abbott is the manufacturer of the App and the implantable heart device, including, where available, the Avant™, Neutrino™, Gallant™, and Entrant™ implantable heart device (“Device”).

Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories) of 15900 Valley View Court, Sylmar, California 91342, United States of America, is the provider of Merlin.net.

Your healthcare provider is a controller of your personal data for the purposes of providing your medical care. Your healthcare provider is responsible for how such data is processed and for ensuring that information transmitted through the Services complies with applicable privacy and data protection laws. The reference to ‘controller’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in other countries data protection and privacy laws in which you reside.

Abbott is a controller of personal information when we use personal information to: (1) provide you with the Services; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research relating to the Services once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized. For further information see +Abbott’s Own Use of Your Personal Information.

+About the Services

Merlin.net is a remote care system that holds information transmitted from your Device through this App.

The Services enable the automated transmission of information collected from your Device and uploaded via the App to a secure database. Through Merlin.net, your healthcare provider can receive regular updates on the performance and status of your Device and its effect on your health so as to monitor your condition remotely. The Services will help your healthcare provider to monitor your heart condition and modify your treatment without the need for you to visit a clinic in person as frequently.

Before you can use the App, your healthcare provider must register you on Merlin.net and you must have a mobile device that meets minimum system requirements. Once you have entered your date of birth and the serial number of your Device in the App on your mobile device, you must pair the App to your Device. If you need to re-pair your Device with another App after the first-time registration, you must also obtain an activation code. You can elect to have the activation code sent to the email address or telephone number that you provided to your healthcare. Once you have entered this activation code in the App, you must pair your Device to the App. The App will inform you once set up is complete. The App sends transmissions from your Device to Merlin.net, so that your healthcare provider can remotely monitor your Device.

Depending on your location, our call center agents may contact you following the implant of your Device to assist you with your use of the App, including answering any queries you may have on using the App on your mobile device, pairing the App to your mobile device and basic troubleshooting of the App on your mobile device.

+Collection and Processing of Your Personal Information

The following categories of your personal information are processed when you use the App:

  • your Device serial number and your date of birth;
  • your email address and/or phone number so that we can send you an activation code
  • day, month and time information is sent from your Device to Merlin.net;
  • information about the name and model number of your Device;
  • information relating to the settings, parameters, and diagnostics from your Device for the purpose of transmitting to Merlin.net for your healthcare provider to review.
  • periodic reports which indicate how your Device interacts with the App and how the App interacts with Abbott’s servers since the last report;
  •  information about the App performance, including crash reports; and
  •  periodic log reports which record App activity since the last maintenance report.

The App links with and transmits data from your Device to Merlin.net. The Services relating to Merlin.net use additional personal information, including health-related data that your healthcare provider inputs when creating a Merlin.net patient profile for you. That personal information may include your phone number or email, Device model and serial number, and other optional fields including gender, race, preferred language, clinical comments and the functioning of your Device, dates of treatment and transmissions, information about your condition, a clinic assigned patient number or other patient identifier. Your healthcare provider may also input the information of an emergency contact for you, including their name, phone number, and address. You may choose whether or not to provide an emergency contact and to do so, you must have received your emergency contact’s authorization to provide their information for the purpose of being your emergency contact. Abbott may need to access this personal information to support and maintain the Services.

+Your Healthcare Provider’s Use of Your Information

Your healthcare provider will collect your personal information as part of your medical treatment and will input your information into Merlin.net. Your healthcare provider uses the Services to help monitor your Device and your heart rhythm. This provides your healthcare provider with the type of information that may result in them adjusting your Device or asking you to come in for an appointment.

Your healthcare provider or clinic processes your personal information for the following purposes:

  • to provide medical care, including on-going medical treatment by monitoring and adjusting your Device and your heart rhythm to assist them to provide you with medical care;
  • to grant Abbott access to your personal information to provide technical support for the Services, including to receive technical and clinical support, such as assistance with debugging, upgrading or troubleshooting the Services or interpreting data; and
  • where otherwise required by applicable law.

+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider
We process your personal information as a processor on behalf of your healthcare provider or clinic. Such processing is on the instructions of your healthcare provider or clinic and relates to the following purposes:

  • provide the Services for your healthcare provider to monitor your Device and your heart’s rhythm;
  • provide your healthcare provider with technical and clinical support, such as assistance with debugging, upgrading or troubleshooting; or
  • where authorized by your healthcare provider, obtain access to your health information to assist them with interpreting data transmitted from your Device.

Depending on your location, we may provide support services to your healthcare provider or clinic from locations in: Sweden; other European locations, particularly if we have operations in your country of residence; or our other support centers located in the United States of America, Costa Rica and/or Malaysia. We may also use other third parties to provide technical or clinical support to your healthcare provider or clinic. Where we use any third party to help us provide support Services to your healthcare provider or clinic, we put in place adequate measures to safeguard the confidentiality, integrity and security of your personal information.

The reference to ‘processor’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in other countries data protection and privacy laws in which you reside.

+Abbott’s Use of Your Personal Information

Abbott processes your personal information, including your health-related personal information, as a controller for the following purposes:

  • to provide you with the Services in accordance with the App End User License Agreement;
  • to keep a record of your contact with Abbott when you contact Abbott directly regarding the Services;
  • to provide your healthcare provider or clinic with the Services, including customer support relating to your Device;
  • where required by applicable laws governing the use and classification of medical devices, including for the purposes of medical device post-market surveillance, quality management, including product development and improvement, safety, performance, and vigilance;
  • where necessary to establish, exercise or defend legal claims; and
  • as otherwise required by applicable law.

When your healthcare provider creates a patient profile in Merlin.net for you, and where required by applicable law, you provided your explicit consent for Abbott to de-identify, pseudonymize, aggregate, and/or anonymize your personal information to conduct research. For more information, see the +Research section.

Apart from the above processing, Abbott may only use your data for other purposes if you have consented for Abbott to do so. Please see the Merlin Data Use Consent form relating to these purposes.

The reference to ‘controller’ is based on its definition in the data protection laws of the EEA, the UK and Switzerland and, where applicable, has the equivalent meaning of similar terms in other countries data protection and privacy laws in which you reside.

+Data Storage

We receive data transmitted by the App and Device before it is then stored. Personal information is stored either on premises in the United States of America or in a regional deployment in the Europe, depending on the location of your healthcare provider. If your healthcare provider is located in the United States of America or in countries outside of the EEA, the UK or Switzerland, personal information will be stored on servers in the United States of America. For the EEA, the UK and Switzerland personal information will be stored either in a regional deployment in the EU (if your healthcare provider has agreed to store information in this deployment) or on servers in the United States of America.

From the third quarter of 2023 for healthcare providers in the EEA, the UK and Switzerland who have elected to store personal data in the EU regional deployment, Abbott uses Microsoft Azure to host information transmitted from your Device through this App, and, if your healthcare provider is located in a member country of the EEA, Switzerland or the UK, the App will transmit your personal information to servers within the territory of the EU. For French users, Microsoft Azure is certified by the French agency for digital health, the Agence du Numérique Santé to host health-related information. Personal information transmitted to Merlin.net may be hosted in the country closest to your healthcare provider’s country location or otherwise in accordance with the data storage and privacy requirements of your healthcare provider’s location.

When your personal information is transmitted and hosted on Merlin.net servers in a country other than the country location of your healthcare provider or your country of residence, it may become subject to the laws of the host country, which may not be equivalent to the laws of the country of your healthcare provider or your country of residence. Abbott has implemented appropriate security measures and controls to protect your personal information. For more information about our global server locations and on which servers your personal information, including health-related information, is stored, please contact your healthcare provider.

See also +Security of Personal Information and +Cross-Border Transfers of Personal Information.

+Medical Devices and other Legal Requirements

Abbott may use personal information where legally required and where possible we will de-identify, pseudonymize, aggregate and/or anonymize information to comply with our legal obligations as a medical device manufacturer. This information is securely held by Abbott and will not be used to identify you individually by your name or email address, except where we are under a legal obligation to include this information. Where such use of personal information is subject to legal requirements, we do not require consent.

The legal requirements for which Abbott will use this information are:

  • to ensure the ongoing safety of an Device and any future development;
  • to monitor and improve the quality, security and effectiveness of medical devices and systems;
  • to validate upgrades, and to keep Merlin.net and/or related mobile applications safe and secure;
  • to perform broader analysis to detect systemic issues for public interest in the area of public health.
  • to research, develop and test medical devices, including new and existing features and functionality and to test and improve Merlin.net and/or related mobile applications for product development; and
  • where otherwise required by law, including to respond to any competent regulatory, law enforcement body, governmental authorities, to address national security or epidemics, judicial proceeding, court order, government request or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Abbott or others, and to exercise, establish or defend Abbott’s legal rights or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved.

We use the terms ‘de-identify’ and ‘pseudonymize’ interchangeably. US health insurance portability law (HIPAA) describes de-identified information as information where ‘there is no reasonable basis to believe that the information can be used to identify an individual’. The EU General Data Protection Regulation (2016/679) (GDPR) defines ‘pseudonymization’ as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information’. Anonymized data is information that does not relate to a person and from which a person cannot be identified, and this kind of data usually falls outside data protection and privacy laws.

For more information about GDPR, please see +EEA, UK, Cayman Islands, Switzerland and Thailand below.

+Research

Where required by applicable law, Abbott requests your explicit consent to allow us to de-identify or pseudonymize, aggregate, and/or anonymize your personal information to conduct research for limited purposes.

If a data set used for research purposes, the data will not include your name, address, phone number, or email address. We take steps to ensure that there is no reasonable basis from which the de-identified or pseudonymized data can be used to identify you individually. Data used in research may include Device model and serial number, intervals between implant date and subsequent visit dates, implant date, and demographics such as place of residence and age.

We conduct research using this de-identified or pseudonymized data, or aggregated, statistical and/or anonymized data for the following purposes:

  • to improve the quality, security and effectiveness of our heart and medical devices and systems and to allow for the development of innovative and effective treatment of heart-related conditions in the interests of public health;
  • to conduct research, for statistical purposes and analysis and to disclose to third party researchers, health care entities or professionals, or public health authorities;
  • to evaluate the effectiveness of the Services and how they are provided and used;
  • to validate the Services’ functionality and upgrades, including monitoring and improving the safety and security of such services;
  • to research, develop and test medical devices, including new and existing features and functionality and to test and improve the Services and our medical devices for product development, data analysis, statistical and survey purposes; and
  • for public interest in the area of public health, including where the Services and medical devices are eligible for medical reimbursement or are otherwise entitled to social security, insurance or public funding.

Where you have been asked to consent to the processing of your personal information, you can withdraw consent at any time by contacting us. Any withdrawal of consent will not affect the lawfulness of the processing based on your consent before the withdrawal. Please also note that where you withdraw consent, Abbott will only stop processing your personal information that relates to the withdrawal of consent. Abbott will still process personal information where it is under a contractual obligation to do so with your healthcare provider or other legal obligation to do so, such as described in +Medical Devices and other Legal Requirements.

If you are ever asked to participate in a clinical trial, and where required by applicable law, you will be asked to provide a separate informed consent to the research site prior to taking place in any such trial and your participation is completely voluntary. The research is this section does not relate to participation in a clinical trial. For more information about HIPAA, please see +USA below for further information. For more information about GDPR, please see +EEA, UK, Cayman Islands, Switzerland and Thailand below.

+Retention of Personal Information

Information collected from your Device will be retained for a maximum period of seven (7) years from the date of your most recent transmission (that is, the date you last use your Device and/or the App), except as may be required by law.

The section +Deleting Your Information from Merlin.net explains how you can arrange to have your healthcare provider or clinic delete your information from the Merlin.net Patient Care Network.

+Disclosure of Personal Information by Us

We may share your personal information as follows:

  • We share personal information with third-party suppliers solely to provide, maintain, host, and support the Services. Depending on the location of your health care provider, Abbott may use Microsoft Azure to receive data transmissions from your Device when using the Services. Where we provide your personal information to third-party suppliers to assist us with the provision of the Services, they are required to keep your personal information confidential and secure and to use your personal information to the minimum extent necessary.
  • Where possible, Abbott uses third party service providers to report system errors so that we can support and improve the Services and in such instances the information sent to such third parties will not involve the use of your personal information.
  • Android requires location services permissions to be granted in order to connect apps with Bluetooth®1 devices. Google’s location services include features that collect a user’s precise location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. This information will be collected by Google if a user grants access to his or her location. For more information on Google’s privacy practices regarding this data, please see Android’s support website. We will not use your personal information derived from Google’s location services.
  • We will not sell or license your personal information to third parties except in connection with the sale, merger, or transfer of a product line or division, so that the buyer can continue to provide you with the Services. For the avoidance of doubt, we will never sell your personal information to third parties for commercial purposes.
  • We may share de-identified, pseudonymized, aggregated, and/or anonymized information with our affiliates, your healthcare provider or clinic, third party researchers and national health authorities or insurers to demonstrate the effectiveness of the Services or as required for medical reimbursement. This information will not be used to identify you individually.
  • We reserve the right to disclose your personal information to respond to authorized information requests from government authorities, to address national security situations, or when otherwise required by law. Furthermore, where permitted or required by law, we may also disclose the information we collect from you where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved. Your personal information may be subject to foreign laws and may be accessible by foreign governments, courts, law enforcement, and regulatory agencies.

+Security of Personal Information

Abbott has implemented appropriate security controls within the Services to protect your personal information from accidental or unlawful destruction or accidental loss, alteration, disclosure, or access.

Information received from your Device is encrypted before transmission to ensure that it will remain secure and confidential. The Services include various security measures to enhance the security of your patient profile and to prevent unauthorized access to, or disclosure of, your personal information. Only those authorized by your healthcare provider or clinic, including their authorised staff, will have access to your patient profile and only through unique IDs and passwords. Abbott has implemented various security and access controls to ensure that only authorized persons within Abbott may access pseudonymized, aggregated and de-identified data.

We use Bluetooth®1 4.0 wireless technology or higher to transmit different sets of personal information between medical devices and iOS or Android devices. Any information relating to measurements taken from your Device is transmitted through Bluetooth technology.

Please be aware that the Services may be unavailable during periods of routine maintenance.

+Cross-Border Transfers of Personal Information

Depending on the location of your clinic, information collected via the Services may be transferred to and stored in the United States of America. The data protection laws of the USA may not offer protections for personal information equivalent to those of the EEA, the UK, Switzerland or your country of residence. If you are located in the EEA, the UK or Switzerland, and your data is stored in the USA, your healthcare provider and Abbott will have entered into the European Commission approved standard contractual clauses, and for the UK, the UK Addendum for international transfers. You are requested to explicitly consent to the transfer of your personal information to Abbott’s servers in the United States of America.

If you contact us directly and request technical support, your personal information (including health-related data) may be accessible by our remote care teams in the USA, Sweden (or other European locations), Costa Rica and/or Malaysia. Abbott intracompany data transfers are governed by a data transfer agreement providing adequate safeguards to protect personal information.

We also refer you to +COUNTRY SPECIFIC PROVISIONS, for additional provisions that apply to international transfers of personal information depending on your country of residence.

BY USING THIS APP AND BY ACKNOWLEDGING THIS PRIVACY NOTICE AND CONSENT, WE ARE INFORMING YOU OF THESE TRANSFERS OF YOUR PERSONAL INFORMATION TO THE UNITED STATES OF AMERICA, SWEDEN (OR OTHER EUROPEAN LOCATIONS), COSTA RICA AND/OR MALAYSIA AND TO THE ACCESS OF YOUR PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, WHICH MAY BE REQUIRED IN EXCEPTIONAL CIRCUMSTANCES TO RESPOND TO ANY SUPPORT REQUESTS YOU OR YOUR DOCTOR REQUESTS. THESE COUNTRIES MAY NOT OFFER AN EQUIVALENT LEVEL OF PROTECTION FOR YOUR PERSONAL INFORMATION WHEN COMPARED WITH DATA PROTECTION OR PRIVACY LAWS IN WHICH YOU RESIDE.

+How Abbott Sends Marketing and Other Material

We will not knowingly send you advertising or marketing-related information, unless you have opted into receiving these types of communications from us in relation to our other products and services.

Neither Abbott nor its affiliates or licensors will knowingly send advertising or marketing-related information to children.

We do not sell your personal information to third parties for direct marketing.

Please note that we may send you non-marketing related information about necessary App and service updates or issues relating to product safety.

+How Abbott Protects Children’s Privacy

Children can be enrolled in Merlin.net by a healthcare provider or clinic. At any time, a parent/guardian may stop the collection of a child’s personal information, including health-related information, by contacting the healthcare provider or clinic and requesting that the account be deleted. This action will delete the Merlin.net account associated with the child, but we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

+How Individual Users Can Access and Correct Personal Information and Your Rights

To exercise any data protection or privacy rights, you should contact your healthcare provider or clinic in the first instance. We are not able to correct or amend any readings from your Device that have been uploaded.

Depending on your place of residence, you may have the right to: (a) access the personal information we hold about you; (b) request we correct any inaccurate personal information we hold about you; (c) delete any personal information we hold about you; (d) restrict the processing of personal information we hold about you; (e) object to the processing of personal information we hold about you; and/or (f) receive any personal information you have provided to us on the basis of your consent in a structured and commonly used machine-readable format or have such personal information transmitted to another company. Please note that Abbott is not required by law to adopt or maintain systems that are technically compatible with other companies. It may not be possible for Abbott to directly transmit your personal information to another company.

Children may also have the right to access the personal information held about them. Where we receive a request for access for a child’s personal information from the child’s parent/guardian, we may respond directly to the child’s parent/guardian or recommend that they contact their child’s doctor or clinic. We will always seek to verify the identity of person seeking access to a child’s information, whether it is from the child him/herself or from a parent or guardian.

To request the exercise of these rights, please contact your healthcare provider or clinic in the first instance as the controller of your personal information for the purpose of providing you medical care. You may contact us where we are the controller of your personal information using any of the methods set out in the section entitled +Contact Us.

+Deleting Your Information from Merlin.net

If you have been implantable with a Device, the only way your healthcare provider can monitor you is via Merlin.net. Therefore, if you elect not to be enrolled in Merlin.net it will affect your healthcare provider’s ability to monitor your condition and adjust the settings on your Device and may affect their ability to treat you.

If you would like to have your information deleted from Merlin.net, you may do so by contacting your healthcare provider or clinic. If you request deletion of your information from Merlin.net and still have your Device, your healthcare provider will not be able to remotely monitor your heart’s rhythm. Please be aware that if your healthcare provider or clinic deletes your information in Merlin.net, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. 

+Contact Us 

If you have questions, concerns or complaints about the processing of your personal information for the purpose of your medical care or wish to exercise your data protection rights, please contact your healthcare provider or clinic directly. 

If you have questions, comments, or complaints about our privacy practices, please contact us by clicking on the “Contact Us” link in one of our websites or emailing us at privacy@abbott.com. Alternatively, you may write to us at: 

Attn: Privacy Officer, Abbott, One St. Jude Medical Drive, St. Paul, MN 55117, USA 

For EEA, UK and Switzerland users, see also below under your regional section for additional contact details. 

For Users in Brazil: If you have questions, comments, or complaints about our privacy practices, or if you would like to exercise any of your rights set out in the +How Individual Users can Access and Correct Personal Information and Your Rights section, please contact us by clicking on the “Contact Us” link in one of our websites or emailing our local DPO, Juliana Ruggiero, at privacybrasil@abbott.com. Alternatively, you may write to us at: 

Attn: Juliana Ruggiero Privacy Officer 
Laboratórios do Brasil Ltda. 
Rua Michigan 735, São Paulo/SP 
CEP: 04566-905 

In all communications to us, please include the email address used to register for this App and a detailed explanation of your request. 

+Changes to this Privacy Notice

This Privacy Notice is kept under regular review. If we make material changes to our privacy practices, an updated version of this Privacy Notice will reflect those changes. You will be alerted to updates to this Privacy Notice by email or the App when you next use the App.

Without prejudice to your rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes and good business practices to the extent that it does not change the privacy practices as set out in this Privacy Notice.

+COUNTRY SPECIFIC PROVISIONS

+Algeria, Armenia, Chile, Dominican Republic, Colombia, Libya, Morocco, Pakistan, Panama, Paraguay, Saudi Arabia, Trinidad & Tobago, and Tunisia

Your consent is required for Abbott to process your personal information generally. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider or clinic. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment.

+Argentina

The Public Information Access Agency, in its capacity as supervisory body of Act No. 25.326, has jurisdiction over all accusations and complaints made by those affected in their rights for infringements to regulations in force referred to the protection of personal information.

+Australia

If you wish to make a complaint about a breach of the Privacy Act, the Australian Privacy Principle (“APPs”) or a privacy code that applies to us, or if you have any queries or concerns about our Privacy Notice or the way we handle your personal information, please contact us using the details above and we will take reasonable steps to investigate and respond to you.

If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner. See http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.

We are not likely to disclose your personal information overseas, except as permitted by the Privacy Act 1988 (Cth), unless we otherwise advise you in writing. We may transfer your personal information to the United States. You consent to that disclosure and agree that by giving that consent, Australian Privacy Principle 8.1 no longer applies, and we are not required to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.

+ Azerbaijan

BY CLICKING “ACCEPT” OR “AGREE” YOU ARE PROVIDING YOUR CONSENT TO THE CROSS-BORDER TRANSFER OF YOUR PERSONAL INFORMATION INCLUDING YOUR HEALTH-RELATED INFORMATION (AS SPECIAL CATEGORY PERSONAL INFORMATION) FOR THE PURPOSES DESCRIBED IN THIS PRIVACY NOTICE.

For users under the age of 18, the consent must be given by one of their parents or guardians.

After expiry of the retention period determined in +Retention of Personal Information, your personal information will either be deleted or archived in accordance with and in the manner established by applicable data protection laws.

In addition to your rights described in +How Individual Users Can Access and Correct Personal Information and Your Rights, you may also withdraw your consent any time or serve a written objection as to processing of your personal information by contacting your healthcare provider. If you withdraw your consent or serve a written objection, collection and processing of your personal data will be stopped and Abbott will retain de-identified/pseudonymized information. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment.

+Belarus

Clicking “accept” or “agree” means that you are providing explicit consent to collecting, processing, using, storing and transferring to third parties (or making available in another way, including cross-border transfer) of your personal information, including health-related information.

+ Bosnia and Herzegovina and Montenegro

The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. Abbott conducts research to understand how our products and services are used, to measure their performance and effectiveness, to improve future products, and in connection with real-world evidence studies.

+Brazil

In case of updates to this Privacy Notice that require new collection of consent, you will be notified through the contacts you have provided us.

Consent: To process personal information concerning your health, you must provide Abbott affirmative consent to use the Apps. You may withdraw your consent at any time by contacting us at privacy@abbott.com.

Legal basis for the processing of your personal information: Abbott processes your information based on the following legal basis as set out in the Lei Geral de Proteção de Dados (LGPD):

  • Consent to process health-related information when you create an App account to store information relating to the Services;
  • Consent to process health-related information when you contact our customer support line, if necessary, for us to respond to your questions or to your request for support, such as troubleshooting any performance issues or when necessary to share your information with our third-party processors to resolve service issues.
  • Consent when you share your diagnostics/troubleshooting data (including health-related data) with us from your mobile device through the App, if necessary, for us to respond to your request for support, such as diagnostics and troubleshooting of any performance issues.
  • Consent when you share your personal information, including health-related information, with our third-party partners.
  • Abbott’s legitimate business interests and consent when we de-identify, pseudonymize, aggregate and/or anonymize data to better understand how you interact with and use the Services.

Your rights: If you would like to exercise any of your rights set out in the section titled +How Individual Users can Access and Correct Personal Information and Your Rights and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”, or other right as applicable, in the subject line of the email.) We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirements. You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information.

+Canada

BY ACCESSING OR USING THE APP AND SERVICES, YOU SIGNIFY THAT YOU HAVE READ, UNDERSTOOD AND CONSENT TO OUR COLLECTION, STORAGE, USE AND DISCLOSURE OF YOUR PERSONAL INFORMATION, INCLUDING PERSONAL HEALTH INFORMATION, AS DESCRIBED IN THIS PRIVACY NOTICE.

You acknowledge and understand that many of our service providers, business partners and affiliates operate from outside of Canada. By using the App and Services, you consent that your personal information, including personal health information, may be stored, processed, or transferred to other countries (including the United States where we are headquartered) which may not guarantee the same level of protection of personal information as the jurisdiction in which you reside. Your personal information will be subject to the local laws of the jurisdiction where it is transferred and in certain circumstances, other foreign governments, courts, law enforcement agencies or regulatory agencies may be entitled to access your personal information.

We have in place appropriate physical, technological, and organizational safeguards including access controls to protect personal information against loss, theft, and unauthorized access, use and disclosure. Notwithstanding the safeguards we employ and our commitment to protecting personal information, we cannot guarantee the security or error-free transmission or storage of personal information. There are risks inherent in the use of electronic means to transmit and hold information in electronic format. Any transmission of information is at your own risk.

We may retain your personal information for as long as necessary to fulfill the purposes for which it has been collected, as outlined in this Privacy Notice, or any longer retention period required by law.

Please note that if you exercise certain of your rights set out in the section titled +How Individual Users Can Access and Correct Personal Information and Your Rights, including withdrawing your consent, this may limit our ability to provide you with certain Services.

Any changes that we make to this Privacy Notice will become effective when we make a modified version of the Privacy Notice available on the App. Your continued use of the App and/or the Services following any such change constitutes your agreement to follow and be bound by the most recent version of this Privacy Notice.

+EEA, UK, Cayman Islands, Switzerland and Thailand

We process your personal information as a processor when providing our services to your doctor or clinic and may have access to your health data to provide your doctor or clinic with technical and customer support.

Legal basis for the processing of your personal information: Abbott processes your personal information, including your health-related personal information, as a controller on the following legal bases as set out in the GDPR:

  • as necessary to assist your healthcare provider with medical diagnosis pursuant to our contract with them and as necessary for the performance of a contract to provide you with the App in accordance with the End User License Agreement;
  • your consent and as necessary for the performance of a contract (the End User License Agreement) to keep a record of your contact with Abbott when you contact Abbott directly; and
  • as necessary to provide your healthcare provider with the Services pursuant to our contract with them, including customer support;
  • as necessary to provide your healthcare provider with the Services pursuant to our contract with them and for reasons of public interest in the area of public health where required by the EU or national laws governing the use and classification of medical devices, including for the purposes of medical device post-market surveillance, quality management, including product development and improvement, safety, performance, and vigilance;
  • as necessary to establish, exercise or defend legal claims; and
  • as otherwise necessary for substantial public interest required by applicable law.

When your healthcare provider created a patient profile in Merlin.net for you, you provided your explicit consent for Abbott to de-identify, pseudonymize, aggregate, and/or anonymize your personal information, including its transfer to Abbott in the USA, to conduct research. We conduct research using this de-identified or pseudonymized data, or aggregated, statistical and/or anonymized data for the following purposes:

  • for public interest in the area of public health to improve the quality, security and effectiveness of our Devices and systems and to allow for the development of innovative and effective treatment of heart-related conditions ;
  • to conduct research, for statistical purposes and analysis and to disclose to third party researchers, health care entities or professionals, or public health authorities;
  • for Abbott’s legitimate business interests to evaluate the effectiveness of the Services and how they are provided and used;
  • for Abbott’s legitimate business interests to validate the Services’ functionality and upgrades, including monitoring and improving the safety and security of such services;
  • to research, develop and test Devices, including new and existing features and functionality and to test and improve the Services and Devices for product development, data analysis, statistical and survey purposes; and
  • for public interest in the area of public health, including where the Services and Devices are eligible for medical reimbursement or are otherwise entitled to social security, insurance or public funding.

For more information, see the +Research section.

We also process your personal information as a processor and do so on behalf of your healthcare provider. Your healthcare provider processes your personal information on the following legal bases under European Union or national law:

  • to provide medical care, including on-going medical treatment by monitoring your Device and your condition to make it easier for them to provide you with medical care;
  • to grant Abbott access to your personal information to provide technical support for the Services, including to receive technical and clinical support, such as assistance with debugging, upgrading or troubleshooting the Services or interpreting data; and
  • where otherwise required by European Union or national law.

GDPR” refers to the General Data Protection Regulation (2016/679) as to EU Member State implementing legislation, and for the UK, it refers to the UK Data Protection Act 2018, each as may be amended from time to time. Where we have included a country above that it outside the European Union, it has been done because such countries contain substantially similar or near equivalent laws to the GDPR.

Data transfers: Information collected via the Services will be transferred to and stored in the United States of America. If you request technical support your personal information (including health-related data) will be accessible by our remote care teams in the USA or Sweden only. Your personal data will be transferred on the basis of EU Standard Contractual Clauses.

If you are located in the EEA, Switzerland or UK, your healthcare provider and Abbott will have entered into the European Commission approved Standard Contractual Clauses, and for the UK, the UK Addendum for international transfers.

If you contact us directly and request technical support, your personal information (including health-related data) may be accessible by our remote care teams in the USA, and the EU. Abbott international intracompany data transfers are governed by a data transfer agreement incorporating the European Commission approved Standard Contractual Clauses providing adequate safeguards to protect personal information transferred outside the EEA, Switzerland, and the UK. See + Data Storage

Abbott also transfers your personal information, as a “controller”, as necessary for Abbott to comply with its legal requirements, such as those related to the quality and safety of medical devices or reimbursement or payment of medical costs, as described in +Medical Devices and other Legal Requirements, or, where required by law subject to your explicit consent, such as conducting research, as described in +Research.

The references to “controller” and “processor” are based on their respective definitions in the GDPR, the UK Data Protection Act 2018 and the Swiss Federal Act of Data Protection 1992, each as may be amended from time to time.

Data Protection Officer: The contact details of our European data protection officer along with other useful contact information are available at www.eu-dpo@abbott.com.

Your rights: If you would like to exercise any of your rights set out in the section +How Individual Users can Access and Correct Personal Information and Your Rights and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”, or other right as applicable, in the subject line of the email.) We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirement. You have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information.

+EEA Representatives 

Pacesetter, Inc. has appointed the following companies as its country representatives: 

CountryRepresentative NameRepresentative Address
Austria, RomaniaAbbott Medical Austria Ges.m.b.H.Perfektastraße 84A 1230 Wien, Austria
Belgium, LuxembourgAbbott Medical BelgiumThe Corporate Village, Building Figueras, DaVinci Iaan, 11 Box F1, Zaventem, Belgium
Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Iceland, Latvia, Malta, Slovakia, SloveniaSt. Jude Medical Coordination CenterThe Corporate Village, Building Figueras, DaVinci Iaan, 11 Box F1, Zaventem, Belgium
DenmarkAbbott Medical Danmark A/SProduktionsvej 14, 2600 Glostrup, Denmark
EstoniaAbbott Medical Estonia OÜ.Mõisa 4/Vabaõhumuuseumi tee 3, 13522, Tallinn, Estonia
FinlandAbbott Medical Finland OyVantaankoskentie 14, FI-01670 Vantaa, Finland
FranceAbbott Medical France SAS.1-3, esplanade du Foncet, CS 90087, 92442 Issy les Moulineaux Cedex, France
GermanyAbbott Medical GmbHHelfmann-Park 7, 65760 Eschborn, Germany
GreeceAbbott Medical Hellas Limited Liability Trading Company (trade name: Abbott Medical Hellas Ltd.) In Greek: Άμποτ Ιατρικά Ελλάς Εμπορική Εταιρεία Περιορισμένης Ευθύνης and trading name of Άμποτ Ιατρικά Ελλάς Ε.Π.ΕIroos Matsi & Archaeou Theatrou Str., 17456 Alimos-Athens, Greece
HungaryAbbott Medical Korlátolt Felelősségű Társaság (Abbreviated Name: Abbott Medical Kft.).Tóth Lőrinc utca 41. II. em., Budapest, 1126, Hungary
IrelandAbbott Medical Ireland LimitedRiverside One, Sir John Rogerson's Quay, Dublin 2 D02X576, Ireland
ItalyAbbott Medical Italia S.p.A.Sesto San Giovanni, Milano, Viale Thomas Alva, Edison 110 CAP 20099, Italy
LithuaniaUAB Abbott Medical LithuaniaSeimyniskiu str. 3, LT-09312 Vilnius, Lithuania
NetherlandsAbbott Medical Nederland B.V.Standaardruiter 13, 3905 PT Veenendaal, Netherlands
NorwayAbbott Medical Norway ASGullhaugveien 7, Oslo, 0484, Norway
PolandAbbott Medical spółka z ograniczoną odpowiedzialnością.ul. Postepu 21B, 02-676, Warsaw, Poland
PortugalAbbott Medical Austria Ges.m.b.H.Perfektastraße 84A 1230 Wien, Austria
Belgium, LuxembourgAbbott Medical (Portugal) – Distribuicao de Produtos Medicos, Lda.Estrada de Alfragide 67, Alfragide Edifico D, Amadora, Portugal
SpainAbbott Medical España, S.A.Francisca Delgado No. 11, Núcleo 3 – 3º Arroyo de la Vega, Alcobendas 28108, Spain
SwedenAbbott Medical Sweden ABIsafjordsgatan 15, 164 07 Kista, Sweden (Business Office) Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office)

 

+Egypt

You have the right to receive notification of any data breaches of your personal data within three business days of us notifying the Data Protection Authority of such breach. You have the right to exercise your rights in accordance with the Data Protection Law by written notice to us, and we are obliged to respond to your request within six business days. In case of a failure to protect your personal data or in case of our refusal to respect your legal rights with respect to your personal data or in case you are dissatisfied with our response to any request by you, you have the right to file a complaint with the Data Protection Authority.

+France

Pacesetter, Inc. is certified with the ASIP Santé to host personal health data, including the following activities:

  1. the provision and maintenance in operational condition of the physical sites enabling the physical infrastructure of the information system used to process health data to be housed;
  2. the provision and maintenance in operational condition of the physical infrastructure of the information system used for the processing of health data;
  3. the provision and maintenance in operational condition of the platform for hosting applications of the information system;
  4. the provision and operational maintenance of the virtual infrastructure of the information system used for processing health data;
  5. administration and operation of the information system containing health data;
  6. saving of health data.

The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, their effectiveness and for real-world evidence studies. For more information, see +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research, and +Retention of Personal Information. Our local representative is Abbott Medical France SAS., 1-3, esplanade du Foncet, CS 90087, 92442 Issy les Moulineaux Cedex, France.

+Hong Kong

We are committed to protecting the privacy, confidentiality and security of the personal information we hold by complying with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (“PDPO”) with respect to the management of personal information.

Children and mentally incapacitated persons can be enrolled in Merlin.net by a healthcare provider. At any time, a parent/guardian may stop the collection of a child or mentally incapacitated person’s personal information, including health-related information, by contacting the healthcare provider and requesting that the account be deleted. This action will delete the Merlin.net account associated with the child or mentally incapacitated person concerned, but we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

Children and mentally incapacitated persons may also have the right to access the personal information held about them. Where we receive a request for access for a child or mentally incapacitated person’s personal information from his or her parent/guardian, subject to the applicable law we may respond directly to the parent/guardian or recommend that they contact the child or mentally incapacitated person’s doctor or clinic. We will seek to verify the identity of person seeking access to a child or mentally incapacitated person’s information, whether it is from the child or mentally incapacitated person himself/herself or from a parent or guardian.

Where we conduct research purposes as set out in this Privacy Notice, and have de-identified, pseudonymized, aggregated and/or anonymized data from your personal data on Merlin.net, we will not attempt to re-identify any individuals from anonymized data or use the information of any individuals even if re-identification is possible.

You agree that we may share, disclose and transfer your personal data to such third parties as stated in, and in accordance with the provisions of, this Privacy Notice. Except as provided in this Privacy Notice, your personal data will not be disclosed to other parties without your voluntary and express consent. Where we intend to use your personal data for direct marketing purposes, we will comply with the notification requirements under the PDPO and obtain the consent or an indication of no objection from you before using your personal data for such purposes. You have the choice to have your personal data held by us erased and express your choice not to have the personal data shared or transferred.

You have the right to request access to (at a fee where appropriate) and correction of your personal data held by us. If you wish to do so, please contact our Privacy Officer in accordance with the section entitled +Contact Us herein.

You also have the right to lodge a complaint about any act or practice done or engaged in relating to your personal data with the Office of the Privacy Commissioner for Personal Data.

Nothing herein constitutes your registration for the Electronic Health Record Sharing System (“EHRSS”) and we shall not be liable under the Electronic Health Record Sharing System Ordinance (Cap. 625 of the Laws of Hong Kong) or otherwise in relation to the EHRSS.

+India

Abbott has implemented reasonable security practices commensurate to the standards required under applicable law.

Your consent is required for Abbott to collect, process, use and store your sensitive personal information, including physical, health condition) and to transfer your sensitive personal data to any third party. Abbott may share your sensitive personal information with third parties such as your health data. Additionally, we will ensure that such third party will afford the same or better level of data protection to your sensitive personal data. By accepting or agreeing to this Privacy Notice, you hereby provide your consent to the processing of your personal information, including sensitive personal data, as described herein. You may withdraw your consent any time by contacting our grievance redressal officer at privacy@abbott.com.

Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law. You have the right to review information provided by you to ensure that it is not inaccurate or deficient. Your sensitive personal information would only be collected if it is necessary to achieve the purposes expressly mentioned in this Privacy Notice.

+Japan

Abbott complies with the Act on the Protection of Personal Information (“APPI”) in handling personal information.

References in this Privacy Policy to "children" also include "persons with limited legal capacity”.

The terms “Pseudonymized (de-identified) information" and "anonymized information" in this Privacy Notice are different from such terms as defined and protected under the APPI. However, we will keep both types of data secure and will not process them without a legal obligation or your consent.

With respect to +Disclosure of Personal Information by Us, if we disclose personal information to a third party, we will supervise that third party to ensure that the personal information is appropriately secured.

Your consent is required for Abbott to handle your “special care-required personal data” (referred to in this Privacy Notice as your health-related information) and to transfer your personal information, including health-related information, to any third party outside of Japan (excluding the EU, which is designated by the Personal Information Protection Commission Japan (“PPC”) as a country with a protection system of the same level as that of Japan.). By accepting or agreeing to this Privacy Notice, you are deemed to have consented to the processing of your personal information, including health-related information, as described herein. You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

You have the right to lodge a complaint with the PPC regarding the handling of your personal data.

The information collected via the Services is provided to and stored by Abbott located in the United States. The U.S. data protection laws may not provide the same level of protection for personal information as the country in which the user is located. Information on U.S. data protection laws can be found below.

The Survey of U.S. Laws by Personal Information Protection Commission (PPC) page

(https://www.ppc.go.jp/files/pdf/USA_report.pdf)

Abbott, to whom your personal information is provided, has taken measures to protect these personal information by complying with U.S. data protection laws that apply to the company.

+Jordan

Your written consent is required for Abbott to process your personal information except where we do so for us to comply with a legal obligation as described in +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. No actions taken by Abbott will violate any applicable legislations in Jordan. All actions will be in conformity with the Telecommunication Law No (13) of the year 1995, the Personal Data Protection Law, as soon as it is passed as a law and become enforceable, and any relevant regulations and/or instructions that the Telecommunications Regulatory Commission (TRC), or any other competent authority have issued in the past or will issue in the future.

+ Kazakhstan

CLICKING “ACCEPT” OR “AGREE” MEANS THAT YOU ARE PROVIDING EXPLICIT CONSENT TO THE COLLECTING, PROCESSING, CROSS-BORDER TRANSFER OF YOUR PERSONAL INFORMATION INCLUDING HEALTH-RELATED INFORMATION, TO THE USA, SWEDEN (OR OTHER EUROPEAN LOCATIONS), COSTA RICA, AND/OR MALAYSIA AND TO THE ACCESS OF YOUR PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, WHICH MAY BE REQUIRED IN EXCEPTIONAL CIRCUMSTANCES TO RESPOND TO ANY SUPPORT REQUESTS YOU OR YOUR DOCTOR REQUESTS. THESE COUNTRIES MAY NOT OFFER AN EQUIVALENT LEVEL OF PROTECTION FOR YOUR PERSONAL INFORMATION WHEN COMPARED WITH DATA PROTECTION OR PRIVACY LAWS IN WHICH YOU RESIDE.

Please note that the collection, processing of your personal data may be without your consent in cases established by the law of the Republic of Kazakhstan including in cases of implementation of international treaties ratified by the Republic of Kazakhstan.

+Malaysia

General: In the event the Malaysian Personal Data Protection Act 2010 and/or all regulations, codes, standards and/or legal requirements made pursuant to or issued under the Malaysian Personal Data Protection Act 2010 (“Malaysian Data Protection Laws”) apply, this section shall apply to the processing of your personal information by Abbott.

Consent. This Privacy Notice serves to inform you that your personal information is being processed by Abbott or on Abbott’s behalf and you hereby give your consent to the processing of your personal information in accordance with this Privacy Notice, including the transfer your personal information to a place outside of Malaysia. By clicking on the “accept” or “agree” button or ticking on the “accept” or “agree” check box, you are providing explicit consent to the processing of your personal information including health-related information for the purposes stated in this Privacy Notice and as supplemented by this section to the extent the Malaysian Data Protection Laws apply.

Data access and correction requests. You have the right to request access to and to request correction of your personal information subject to the following and subject to provisions of the Malaysian Data Protection Laws: (a) you may, upon payment of a prescribed fee (if any), make a data access request or a data correction request in writing to us; and (b) we may refuse to comply with your data access request or a data correction request and shall, by notice in writing, inform you of our refusal and the reasons of our refusal.

Limiting the Processing of Personal Information. You may, by providing us with a notice in writing, limit the processing of your personal information (including to request us to cease or not begin processing your personal information for purposes of direct marketing). You have the right to withdraw your consent previously given to us (in full or in part) by providing us with a notice in writing and upon receiving such notice, we will cease the processing of the personal data. If you limit the processing or withdraw your consent to any or all use of your personal information, we may not be in a position to continue to administer any arrangement or contractual relationship in place, which in turn may result in: (i) us being unable to (continue to) process your personal data for any of the purposes stipulated in this Privacy Notice or provide you with any of our services/products; (ii) unable to (continue to) perform our contractual obligations owed to you (if any); and/or (iii) the termination of any arrangements/agreements/contracts you have with us, without any liability on our part. It will also affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment.

Versions and Conflict. In the event of any inconsistency between the English version and the Bahasa Malaysia version of this Notice, the English version shall prevail over the Bahasa Malaysia version.

In respect of the +Medical Devices and other Legal Requirements section above, consent will not be required only to the extent permitted by the Malaysian Data Protection Laws.

In respect of the +Changes to this Privacy Notice section above, to the extent that any changes will trigger the requirement to obtain fresh consent under the Malaysian Data Protection Laws (i.e., addition to the purposes in which we may process your personal information for or an addition of a class of third parties in which we may disclose your personal information to), we will procure consent from you in respect of such changes.

+Mauritius

You have the right to lodge a complaint with the Data Protection Commissioner regarding the processing of your personal data, by sending an e-mail at dpo@govmu.org.

+Mongolia

For users under the age of 18, Consent must be given by their parent or guardian.

By accepting or agreeing to this Privacy Notice, you are providing your consent to collecting, processing, using, storing and transferring to third parties (including cross-border transfer) of your personal information, including health-related information.

+New Zealand

If you wish to make a complaint about a breach of the Privacy Act 2020 (including the codes issued under the Privacy Act 2020 such as the Health Information Privacy Code 2020), or if you have any queries or concerns about our Privacy Notice or the way we handle your personal information, please contact us using the details above. We will take reasonable steps to investigate and respond to you. 

If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Privacy Commissioner. See https://www.privacy.org.nz/your-rights/making-a-complaint/to obtain the relevant complaint forms and contact details of the Office of the Privacy Commissioner. In addition to your rights to requires correction of your personal information held by us, you also have the right to provide Abbott with a statement of the correction sought to your personal information (“Statement of Correction”), and request that Abbott attach the Statement of Correction to your personal information if we do not make the correction you have sought.

+North Macedonia

YOUR CONSENT IS GRANTED AT YOUR FREE WILL AND YOU ACKNOWLEDGE THAT YOU ARE NOT UNDER ANY LEGAL OBLIGATION TO PROVIDE PERSONAL INFORMATION TO ABBOTT.

Medical Devices and other Legal Requirements and Research: With regard to the term ‘pseudonymize’ used in the +Medical Devices and other Legal Requirements section and the +Research section, please note that the Law on Personal Data Protection of the Republic of North Macedonia (published in Official Gazette of the Republic of North Macedonia No. 42/20) (”MK DP Law”) defines ‘pseudonymization’ as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.

Legal basis for the processing of your personal information: Abbott processes your personal information, including your health-related personal information under the MK DP Law as those set out above in the section +EEA, Switzerland and UK, and Cayman Islands.

Data transfers:

For transfers of personal information from North Macedonia by your healthcare provider to Abbott, as “processor”, appropriate safeguards will be applied in accordance with the MK DP Law such as data transfer agreements providing adequate safeguards equivalent to the protections afforded under the MK DP Law. You can obtain a copy of the appropriate safeguards by contacting us on: privacy@abbott.com 

The references to “controller” and “processor” are based on their respective definitions in the MK DP Law, as may be amended from time to time.

Authorized representative: Pacesetter, Inc. has appointed the following entity as its authorized representative in North Macedonia: DTPU Synergy Medical doo of Vasil Stefanovski no. 1a/3, 1000 Skopje, North Macedonia.

+Palestine

Your prior consent is required for Abbott to process your personal information as required by Cabinet Resolution No. (3)/ 2019 and in conformity with the Basic Law as amended in 2005, except where we do so for us to comply with a legal obligation as described in Decree by Law No. (31) / 2018 Concerning Medical and Health Protection and Safety, Decree by Law No. (10)/2018 Concerning Cybercrimes and +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you withdraw your consent, you understand that the information that has already been collected in Merlin.net will continue to be processed as described herein and in the Patient Consent Form. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider.

Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. 

+Philippines 

BY CLICKING “ACCEPT” OR “AGREE” YOU ARE PROVIDING EXPLICIT CONSENT TO THE PROCESSING OF YOUR PERSONAL INFORMATION INCLUDING HEALTH-RELATED INFORMATION FOR THE PURPOSES STATED IN THIS AGREEMENT AND AS SUPPLEMENTED BY THIS SECTION FOR PHILIPPINE USERS. YOU UNDERSTAND THAT BY CLICKING “ACCEPT” OR “AGREE”, YOU ARE ALSO PROVIDING EXPLICIT CONSENT TO EACH SEPARATE AND ADDITIONAL CONSENT FOR THE PROCESSING OF PERSONAL INFORMATION, INCLUDING HEALTH RELATED INFORMATION, AS SET OUT IN THIS SECTION ENTITLED “PHILIPPINES” AND WE WILL PROCESS PERSONAL INFORMATION PURSUANT TO SUCH CONSENT. 

Your personal information will be processed in accordance with the requirements of Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”), its implementing rules and regulations (“IRR”), and the relevant rules and regulations issued by the National Privacy Commission of the Philippines (“NPC”). 

You may request access to your personal information, to have it rectified or erased if there are grounds, to object to its processing or to restrict access to it, and, where possible, obtain a copy of the personal information held about you and to have any inaccurate or incomplete information relating to you corrected or updated. You are entitled to object to the processing of your personal information, on legitimate grounds, and to request the anonymization and/or deletion of such information. You also have the right to lodge a complaint about how your personal information is processed with your local data protection regulator. You are also entitled to all rights granted to you as a data subject under the DPA, its IRR, and the relevant rules and regulations issued by the NPC. 

To the extent that Abbott uses your personal information for its own purpose, you will be asked to signify your consent under the Merlin.net Consent form. 

You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott may retain aggregated and de-identified information and may need to retain certain personal information as required by law. 

If you have enquires related to this privacy policy or how your personal data is processed, please contact: 

Abbott Laboratories
Attention: Office of Ethics and Compliance
Venice Corporate Center
No. 8 Turin Street, Mckinley Town Center
Fort Bonifacio, Taguig City, 1634 Philippines
+63287028622; +639176328959
Email: privacy@abbott.com

+ Republic of Moldova

In accordance with Personal Data Protection Law No. 133 from 08.07.2011 (hereinafter the “Law 133/2011”), your electronic acceptance serves as evidence of your consent to the processing and transfer of your personal information as set out in this privacy EULA and privacy notice, except where we process your personal data to comply with a legal obligation as described in +Medical Devices and other Legal Requirements, or where we use the data for our legitimate interests, provided that this interest does not prejudice your interests or the fundamental rights and freedoms. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law. In relation to us processing your personal information, apart from the rights outlined in +How Individual Users Can Access and Correct Personal Information and Your Rights:

− you have the right to obtain from Abbott as a controller, upon request, in up to 15 days, without delay and free of charge, access to your personal data. Please note that Abbott is a controller for limited purposes and you may need to exercise your right of access by contacting your healthcare provider.

− you have the right to oppose at any time, free of charge and without any justification, to the data concerning you being processed for commercial prospecting; and

− you have the right to lodge a complaint about how your personal information is processed with your local data protection authority – the National Personal Data Protection Centre.

Abbott will also notify your local data protection authority – the National Personal Data Protection Centre – of any processing of your personal information, where national law requires them to do so.

Retention of personal information. We never retain your personal data longer than needed for achieving the data processing purposes. At the end of the personal data processing operations, if you will not give us your consent for another destination or for a further processing, your personal data will be: a) destroyed; or b) transferred to another operator, provided that the initial operator guarantees that subsequent processing has purposes similar to those in which the initial processing was performed; c) transformed into anonymous data and stored exclusively for statistical, historical or scientific research purposes, except as may be required by law.

In addition, Abbott as a controller has issued a personal data security policy in compliance with the Requirements regarding the security of personal data when processing them within the personal data information systems approved by Government Resolution No. 1123 dated 14.12.2010, namely has performed and provided, (1) the designation of the person responsible for the security policy; (2) the security measures; (3) the mechanism for implementing security measures; (4) the nominal list of users, authorized to access personal data; (5) the configuration of the personal data information system and of the network; (6) the detailed description of the criteria, according to which the personal data processed in the manually kept register are accessible; (7) the technical documentation regarding security controls; (8) the schedule of security checks; (9) measures for detecting cases of access and / or unauthorized processing of personal data; (10) the reports of security incidents.

If you have inquiries related to this privacy policy or how your personal data is processed, please contact the responsible person for personal data processing at privacy@abbott.com.

+Russia

This Mobile Application Privacy Notice constitutes the Privacy Policy of Pacesetter, Inc. Cross-border Transfers of Personal Information. We ensure recording, systemization, accumulation, storage, clarification (update, change) and extraction of personal information of Russian Federation citizens with the use of databases located in the territory of the Russian Federation when collecting this personal information in any manner including via the Internet. Retention of personal information. We never retain your personal data longer than needed for achieving the data processing purposes. When the purposes are achieved, we delete your personal data within 30 days. Security of Personal Information. We uninterruptedly improve our personal data protection system and take all necessary administrative, legal and technical measures with a view to international standards. We fulfil a number of data security requirements to protection of personal data processed via information systems according to article 19 of the Russian Federal Law On Personal Data No.152-ФЗ dated 27 July 2006, and other enactments. In particular, we fulfil the following requirements depending on the security level of information systems chosen by us: ensure security of premises accommodating the personal data information systems equipment in a way that prevents any person without appropriate access rights from uncontrolled intrusion or stay in these premises; ensure safety of all personal data media; adopt by the general manager’s decision a document determining list of employees whose work duties require access to the personal data processed in the information system; use information security tools, of which compliance with the requirements of the information security laws of the Russian Federation is duly assessed and confirmed, when such tools are necessary for the neutralization of actual risks; appoint an employee responsible for the security of the personal data in the information system or impose this responsibility on an appropriate division; ensure that all changes of access rights with regard to the personal data in the information system are automatically recorded in the electronic messages log; and provide access to the electronic messages log only to those employees or other authorized persons who need this access for the discharge of their work duties.

+ Serbia

The controller of your personal data for the purposes of medical treatment is your doctor/clinic. Pacesetter, Inc. (a St. Jude Medical, LLC affiliate and wholly owned subsidiary of Abbott Laboratories, Inc.) of 15900 Valley View Court, Sylmar, California 91342, United States of America is the controller of personal data to (1) provide you with this App; (2) comply with legal obligations, including those related to medical device safety, quality and improvement; and (3) conduct research once the personal information has been de-identified, pseudonymized, aggregated and/or anonymized, so that it does not identify you by name. We conduct research to understand how our products and services are used, to measure their performance and effectiveness, to improve future products, and in connection with real-world evidence studies.

Pacesetter, Inc. has appointed Abbott Laboratories S.A., Bulevar Mihajla Pupina 115d, 11000 Belgrade, Serbia as its country representative.

Legal basis for the processing of your personal information: The relevant part from COUNTRY SPECIFIC PROVISIONS for EEA, Switzerland, UK, and Cayman Islands in this Privacy Policy applies, with the reference to "the GDPR" and "European Union or national law" to be substituted by "Serbian Data Protection Act (2018)".

Data transfers: Abbott is subject to the Serbian Data Protection Act (2018) and information collected via the Services will be transferred to and stored in the USA as described in the section entitled +Cross-Border Transfers of Personal Information. While the privacy laws of the USA are not equivalent to those of Serbia, as Abbott is directly subject to the Serbian Data Protection Act (2018) for the purposes set out in the section entitled +Abbott’s Own Use of Your Personal Information, your personal information remains protected in compliance with it. Where Abbott processes data as a “processor” on behalf of your healthcare provider, Abbott processes such personal data under the instructions of your healthcare provider and subject to our contract with them.

Your rights: In addition to the rights set out in the section entitled +How Individual Users Can Access and Correct Personal Information and Your Rights, you have the right to lodge a complaint with your local data protection authority if you have concerns with Abbott’s processing of your personal information.

+Singapore

By accepting or agreeing to this Privacy Notice, you are deemed to have been informed of and have explicitly consented to all of the contents herein. For users under the age of 13, Consent must be given by their parent or guardian. If you would like to delete your Merlin.net account, you may do so by contacting your healthcare provider. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

This Privacy Notice sets out information on the collection, use, disclosure to third parties, outsourcing of the processing, and cross-border transfer of your personal information, including health-related information, by Pacesetter, Inc., in connection with the provision of the App and the Services. All of the following categories of processing of personal information, including health-related information, are necessary for the provision of the App and the Services.

You may provide your consent collectively to all of the following consent categories by accepting or agreeing to this Privacy Notice:

  • Consent for the collection and use of personal information, including health-related information, as described in +Collection and Processing of Your Personal Information, +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider, +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research
  • Consent for the collection and use of health-related information, as described in +Collection and Processing of Your Personal Information, +Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider, +Abbott’s Own Use of Your Personal Information, +Medical Devices and other Legal Requirements, +Research
  • Consent for the cross-border transfer and provision of health data (sensitive data) to third parties, as described in +Data Storage, +Disclosure of Personal Information by Us, +Cross-Border Transfers of Personal Information.

You may withdraw your consent any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

Note that National Identification Card (NRIC) and other national identification numbers such as birth certificate numbers, foreign identification numbers, work permit numbers and passport numbers will only be collected, used or disclosed by us if (a) the collection, use or disclosure is required by the law; or (b) it is necessary to establish or verify an individual’s identity to a high degree of accuracy.

In the event of a security incident related to your personal information, we will take all steps required under Singapore data protection laws to deal with the incident and we may report such incident and the remediation actions to the Personal Data Protection Commission as required.

Data transfers: Information collected via the Services will be transferred to and stored in the United States of America. If you request technical support, your personal information (including health-related data) will be accessible by our remote care teams in the USA, Sweden or Malaysia. Abbott intends to use data transfer agreements providing adequate safeguards, such as Standard Contractual Clauses in relation to such cross-border data transfers.

If you have enquires related to this privacy policy or how your personal data is processed, please contact: Data Privacy Officer at privacy@abbott.com.

+South Africa

You have the right to lodge a complaint to the Information Regulator regarding the processing of your personal information, by writing to: The Information Regulator, SALU Building, 316 Thabo Sehume Street, PRETORIA, Tel: 012 406 4818, Fax: 086 500 3351, inforeg@justice.gov.za.

+South Korea

BY CLICKING “ACCEPT” OR “AGREE” YOU ARE PROVIDING EXPLICIT CONSENT TO THE PROCESSING OF YOUR PERSONAL INFORMATION INCLUDING HEALTH-RELATED INFORMATION FOR THE PURPOSES STATED IN THIS NOTICE AND AS SUPPLEMENTED BY THIS SECTION FOR SOUTH KOREAN USERS. YOU UNDERSTAND THAT BY CLICKING “ACCEPT” OR “AGREE”, YOU ARE ALSO PROVIDING EXPLICIT CONSENT TO EACH SEPARATE AND ADDITIONAL CONSENT FOR THE PROCESSING OF PERSONAL INFORMATION, INCLUDING HEALTH RELATED INFORMATION, AS SET OUT IN THIS SECTION ENTITLED “SOUTH KOREA” AND WE WILL PROCESS PERSONAL INFORMATION PURSUANT TO SUCH CONSENT.

For users under the age of 14, consent must be given by their guardian.

To the extent permitted under applicable law, you may exercise your rights to make requests to Pacesetter, Inc. for the perusal, correction, deletion, and suspension of the processing of your personal information by writing, email, and any other methods prescribed under Article 41(1) of the Enforcement Decree of the Personal Information Protection Act and Pacesetter, Inc. will promptly respond to any such requests from you. You may also exercise the foregoing rights to your personal information through a duly appointed legal representative. Pacesetter, Inc. will verify whether any such requests are actually being made by you or your duly appointed legal representative. Provided, however, that in cases where your health care provider is responsible for processing your personal information, you should direct requests for the exercise of rights to your personal information to such health care provider.

The following provision “To exercise your data protection or privacy rights, you should contact your healthcare provider or clinic in the first instance. You may correct your profile information by contacting your healthcare provider. We are not able to correct or amend any readings from your Device that have been uploaded” in +How Individual Users Can Access and Correct Personal Information and Your Rights is not applicable to users in South Korea.

You may withdraw your consent any time by contacting your healthcare provider or using any of the methods set out in the section entitled +Contact Us. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and anonymized information and may need to retain certain personal information as required by law.

Provision of Personal Information to Third Parties

RecipientsPurposes of Use of RecipientsItems of Personal Information to be ProvidedPeriods of Retention/Use of Recipients
The healthcare provider of each patient/userPurposes indicated in the “+Your Healthcare Provider’s Use of Your Information” sectionItems of personal information indicated in the “+Collection and Processing of Your Personal Information” sectionUntil purposes of processing have been completed

Pacesetter, Inc.,
15900 Valley View Court,
Sylmar, California 91342

Purposes indicated in the “+Abbott’s Own Use of Your Personal Information” sectionItems of personal information indicated in the “+Collection and Processing of Your Personal Information” sectionFor the period during which Pacesetter Inc. acts as an outsourced processor
 

Complaints and adverse incidents

Name of reporter, information about complaint or incident

As required by laws related to medical devices

Abbott Medical (Malaysia) Sdn. Bhd. At 35, 1st Floor, Jalan Kelisa Emas 1, Tama Kelisa Emas, 13700 Seberang Java, Penang, Malaysia

Second and/or third level technical support

Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information.

For the period during which Pacesetter Inc. acts as an outsourced processor

Abbott Medical Sweden AB
Isafjordsgatan 15, 164 07 Kista, Sweden (Business Office)
Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office)

Second and/or third level technical support

Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more information

For the period during which Pacesetter Inc. acts as an outsourced processor

Abbott Medical Costa Rica
Abbott
Coyol Free Zone, Bldg #44B
Alajuela, Costa Rica

Second and/or third level technical support

Those items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more informationFor the period during which Pacesetter Inc. acts as an outsourced processor
St. Jude Medical,
LLC, 1 St. Jude
Medical Dr.,
St. Paul, MN 55117, USA
Scientific and/or clinical researchAggregated, De-identified/pseudonymized personal data. See “+Research” section for more informationIndefinite

 

(Cross-border) Outsourcing of the Processing of Personal Information to Third Parties

RecipientsOutsourced TasksItems of Personal Information to be TransferredCountries Where Personal Information is TransferredDate/Time of TransferMethod of TransferRecipients’ Purposes of Use and Periods of Retention/Use
Abbott Medical (Malaysia)
Sdn. Bhd. At 35, 1st Floor,
Jalan Kelisa Emas 1,
Tama Kelisa Emas,
13700 Seberang Java,
Penang, Malaysia
Second and/or third level technical supportThose items listed in “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more informationMalaysiaAs required to resolve a technical support issueSecure VPNUntil outsourced tasks have been completed and the outsourced contract has concluded
Abbott Medical Sweden AB,
Isafjordsgatan 15, 164 07 Kista, Sweden (Business Office)
Jarfalla, PO Box 7051, 164 07 Kista, Stockholm, Sweden (Registered Office)
Second and/or third level technical supportThose items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more informationSwedenAs required to resolve a technical support issueSecure VPNUntil outsourced tasks have been completed and the outsourced contract has concluded
Abbott Medical Costa Rica
Abbott Coyol Free Zone, Bldg #44B
Alajuela, Costa Rica
Second and/or third level technical supportThose items listed in the “+Collection and Processing of Your Personal Information” section as necessary to resolve the technical support issue. See “+Abbott’s Access to Personal Information When Providing Services to Your Healthcare Provider” section for more informationCosta RicaAs required to resolve a technical support issueSecure VPNUntil outsourced tasks have been completed and the outsourced contract has concluded
St. Jude Medical, LLC
1 St. Jude Medical Dr.,
St. Paul, MN 55117, USA
Scientific and/or clinical researchAggregated, De-identified/pseudonymized personal data. See “+Research” section for more informationUSAAs required for scientific and/or clinical researchSecure VPNIndefinite

 

After the retention period, we destroy your personal information as set out below:

Destruction Process: We select the personal information to be destroyed and destroy the personal information with the approval of the Data Protection Officer (“DPO”).

Destruction Method: We destroy personal information recorded and stored in the form of electronic files by using a technical method (e.g., low level format) ensuring that the records cannot be reproduced, while personal information and stored in the form of paper documents shall be shredded or incinerated.

Domestic Representative

We have designated a domestic representative to handle questions and complaints related to the processing of the personal information of users in Korea. The domestic representative may be contacted by using the following information:

  • Domestic Representative: Abbott Korea Ltd.
  • Address: Samtan Bldg., 5th Floor, 421 YoungDong-Daero, Kangnam-Ku, Seoul 135-846 Korea
  • Email: privacy@abbott.com

Additional Consents for the Collection, Use, and Provision of Personal Information for South Korea

  1. I understand that Pacesetter, Inc. will collect and use my personal information indicated in +Collection and Processing of Your Personal Information for the purposes indicated in +Abbott’s Own Use of Your Personal Information for a period necessary to achieve each such purpose but no longer than 7 years (unless a longer period of retention and use is otherwise required by law). I understand that I will be unable to receive the App and the Services if I choose not to consent to the processing of my personal information as described above.
  2. I understand that Pacesetter, Inc. will collect and use my sensitive information related to health, race, medications, hospitalizations, diagnoses, dates of treatment and transmissions, and heart condition for the purposes indicated in +Abbott’s Own Use of Your Personal Information for a period necessary to achieve each such purpose but no longer than 7 years (unless a longer period of retention and use is otherwise required by law). I understand that I will be unable to receive the App and the Services if I choose not to consent to the processing of my sensitive information as described above.
  3. I understand that Pacesetter, Inc. will collect and use my personal information indicated in +Collection and Processing of Your Personal Information for the purposes indicated in +Abbott’s Own Use of Your Personal Information and a supplemented by the table entitled “Provision of Personal Information to Third Parties” above. I understand that I will be unable to receive the App and the Services if I choose not to consent to the processing of my personal information as described above.
  4. I understand that Pacesetter, Inc. will collect and use information about my Device information and information about how the Device is performing and provide my Personal Information to Third Parties as set out in the table above entitled “Provision of Personal Information to Third Parties” above. I understand that I will be unable to receive the App and the Services if I choose not to consent to the processing of my sensitive information as described above.
  5. I understand that Pacesetter, Inc. will collect and use my sensitive information related to health, race, medications, hospitalizations, diagnoses, dates of treatment and transmissions, and heart condition and provide my Personal Information to Third Parties as set out in the table above entitled “Provision of Personal Information to Third Parties” above. I understand that I will be unable to receive the App and the Services if I choose not to consent to the processing of my sensitive information as described above.

+Taiwan

If you do not consent or choose not to provide your personal information, we may not be able to provide you with Services or only with limited Services.

+Thailand

PDPA” refers to the Personal Data Protection Act B.E. 2562 (A.D. 2019), as amended from time to time, and related rules, regulations, and directives and governmental requirements. 

Children’s Privacy: Children can be enrolled in Merlin.net by a healthcare provider, providing that for consent from a parent or legal guardian of a child whose age is below 10 years old must be duly obtained, and for a child whose age is more than 10 years old but less than 20 years old, unless such child is legally married or permitted under the applicable laws, consent from both the child and his/her parent or legal guardian must be duly obtained.

Cross-border Transfer: To legitimise the export of Personal Data originating from Thailand under applicable Data Protection Laws, Abbott has taken reasonable steps to enter into an appropriate data transfer agreement with your healthcare provider.

Your Rights: Pursuant to the PDPA and subject to its effectiveness, you are entitled to various rights in relation to your Personal Information which are: (i) to request access to or obtain a copy of the personal information held about you, or to request the disclosure of the source of your personal information which you did not consent to; (ii) to obtain your personal information in a format which is usable and readable by automatic tools or equipment, if any, or to request that your personal information in such format be transmitted to another controller; (iii) to object to the processing of your personal information; (iv) to have your personal information erased, destructed, or de-identified; (v) to request that the processing of your personal information be suspended; (vi) to have any inaccurate or incomplete information relating to you corrected or updated; (vii) where the processing of your personal information relies on consent as a legal basis, you have the right to withdraw your consent at any time; and (viii) to lodge a complaint about how your personal information is processed with your local data protection authority the Personal Data Protection Commission.

Your request to exercise any of the rights to your personal data described above is subject to the limitations and conditions of the PDPA. 

If you do not provide us with your personal data, we may not be able to provide you with our Services or perform our obligations under the agreement between you and us.

Contact Us: For any inquiries or concerns regarding this Privacy Notice, or if you would like to exercise any of your rights to your personal data, please contact us using the contact details above. Our data protection officer and our local representative can be contacted at privacy@abbott.com.

+Ukraine 

Your consent is required for Abbott to process your personal information except where we do so for us to comply with a legal obligation as described in +Medical Devices and other Legal Requirements. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. If you would like to have your information deleted from Merlin.net, you may do so by contacting your healthcare provider or clinic. Please be aware that if you ask your healthcare provider or clinic to delete your information from Merlin.net, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

+United Kingdom 

Our local representative is Abbott Medical U.K. Limited, Elder, Central Boulevard, Blythe Valley Park, Solihull, B90 8AJ, UK.

+USA 

Abbott operates as a business associate to your healthcare provider in making this App available to you in compliance with the Health Insurance Portability and Accountability Act and its implementing regulations (collectively “HIPAA”). As a result, personal information, including health-related information, that is collected via this App is governed by HIPAA, and we may use and disclose your personal information consistent with our business associate obligations and as outlined in this Privacy Notice and Consent.

+California 

California Civil Code Section 1798.83 permits residents of the State of California to request from certain businesses with whom the California resident has an established business relationship a list of all third parties to which the business, during the immediately preceding calendar year, has disclosed certain personally identifiable information for direct marketing purposes. Abbott is required to respond to a customer request only once during any calendar year. To make such a request you should send a letter to Privacy Officer, Abbott, One St. Jude Medical Drive, St. Paul, MN 55117. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California Privacy Rights requirements and only information sharing that is covered will be included in our response.

If you have any questions regarding Abbott’s compliance with the California Consumer Privacy Act (CCPA) and your rights under CCPA, please visit https://www.abbott.com/privacy-policy.html. 

+Vietnam 

By accepting or agreeing to this Privacy Notice, you are deemed to have been informed of and have explicitly consented to all of the contents herein. For users under the age of 7, Consent must be given by their parent or guardian. For users from the age of 7 to 15, Consent must be given by both users and their parent or guardian. 

You may withdraw your consent at any time by contacting your healthcare provider. Please be aware that if you withdraw consent, it will affect your healthcare provider’s ability to remotely monitor your device and may affect your treatment. If you withdraw your consent, Abbott will retain aggregated and de-identified information and may need to retain certain personal information as required by law. 

MAT-2403673 v1.0