Data Privacy Framework Statement

The Abbott DPF Entities (defined below) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. The Abbott DPF Entities have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework ­Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension (UK Extension) to the EU-U.S. DPF. The Abbott DPF Entities have certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website. You may find Data Privacy Framework participants here: https://www.dataprivacyframework.gov/list.  

As used in this statement, the terms “Abbott DPF Entities,” “we,” “us,” and “our” shall mean, collectively, the following U.S.-based entities:

• Abbott Molecular, Inc.
• Abbott Diabetes Care, Inc.
• Abbott Diagnostics Scarborough, Inc.
• Abbott International LLC
• Abbott Laboratories
• Abbott Laboratories, Inc.
• Abbott Laboratories International LLC
• Abbott Point of Care, Inc.
• Abbott Rapid Diagnostics Informatics, Inc.
• Abbott Rapid Dx North America, LLC
• Advanced Neuromodulation Systems, Inc.
• CardioMEMS LLC
• Irvine Biomedical, Inc.
• Lingo US, Inc.
• Pacesetter, Inc.
• St. Jude Medical, Atrial Fibrillation Division, Inc.
• St. Jude Medical, Cardiology Division, Inc.
• St. Jude Medical, LLC
• Standing Stone, LLC

PRIVACY PRINCIPLES

The Abbott DPF Entities adhere to the EU-U.S. DPF, the UK Extension and the Swiss-U.S. DPF published by the U.S. Department of Commerce (collectively, the “DPF Program”). These privacy principles have been compiled from the EU-U.S. Data Privacy Framework and have been integrated into the Abbott DPF Entities’ data privacy framework. These privacy principles are followed by the Abbott DPF Entities as part of our commitment to using best practices in transferring, processing, and protecting data.

NOTICE

We are committed to the following Data Privacy Framework Principles for all personal data within the scope of the DPF Program. We collect personal data from individuals only as permitted by the DPF Program.

We provide individuals notice regarding the personal data that we collect from them, how we use it, and how to contact us with privacy concerns through this statement and through other agreements or notices provided to the individuals and/or through our direct engagement with the individuals.

For customers, professionals, patients, users and website visitors of the Abbott DPF Entities, more information regarding (1) the types of personal data the applicable Abbott DPF Entities collect; (2) the purposes for which the applicable Abbott DPF Entities collect and use personal data; (3) the types or identities of third parties to which the applicable Abbott DPF Entities disclose personal data and the purposes for which the applicable Abbott DPF Entities do so, is available at the following links:

(a) MEDICAL DEVICE DATA: Abbott Laboratories and its US divisions, Abbott Diabetes Care, Inc., Advanced Neuromodulation Systems, Inc., St. Jude Medical, LLC, St. Jude Medical, Atrial Fibrillation Division, Inc., St. Jude Medical, Cardiology Division, Inc., Pacesetter, Inc. and CardioMEMS, LLC processes the personal data of patients and customers that use our medical devices related to cardiac rhythm, pulmonary arterial pressure, diabetes management, and neurostimulation at the direction of the hospitals and clinics acting as data controllers located in the European Economic Area, Switzerland, and the United Kingdom. Abbott Laboratories also acts as a controller for the data in relation to these devices for research purposes and for complying with medical device regulatory obligations. 

(i) CARDIOMEMS™ HEART FAILURE MONITORING SYSTEM: For information about data processed for patients and customers enrolled in the CardioMEMS™ Heart Failure Monitoring System, please see: https://www.abbott.com/privacy-policy.html, and https://www.abbott.com/privacy-policy/consumer-health-data.html. 

(ii) LIBRE: For information about data processed for patients and customers using the LibreView Data Management System through LibreView.com, the FreeStyle mobile application, the LibreLinkUp mobile application, and/or use of the Abbott FreeStyle customer care line, please see: https://www.libreview.com/files/documents/en-US/pat-PP_2024-01-10.html.

(iii) MERLIN.NET™ PATIENT CARE NETWORK: For more information related to how information is processed for patients and customers enrolled in the Merlin.Net™ Patient Care Network, please see: https://www.cardiovascular.abbott/us/en/policies/merlin-net/merlin-net-privacy-policy.html.

(iv) MYMERLIN™ MOBILE APP: For information about data processed for patients and customers using the MyMerlin™ mobile application, please see: https://www.cardiovascular.abbott/us/en/policies/mymerlin-app.html.

(v) For information about all other data processed for patients and customers that use our medical devices, please see: https://www.abbott.com/privacy-policy.html, and https://www.abbott.com/privacy-policy/consumer-health-data.html.

CLINICAL DATA: Abbott Laboratories and its US divisions, its Cardiac Rhythm Management Division, Pacesetter, Inc. d/b/a St. Jude Medical Cardiac Rhythm Management Division; St. Jude Medical Atrial Fibrillation Division, Inc.; Irvine Biomedical Inc.; St. Jude Medical, Cardiology Division, Inc., Advance Neuromodulation Systems, Inc. d/b/a St. Jude Medical Neuromodulation Division; and St. Jude Medical LLC through its International Division. process personal data of patients (patients enrolled or participating in clinical studies) from its affiliates, subsidiaries and agents and partners located in the European Economic Area, Switzerland, and the United Kingdom to support clinical research. For more information about data processed to support clinic research please see: https://www.abbott.com/privacy-policy.html, and https://www.abbott.com/privacy-policy/consumer-health-data.html. 

(b) DIAGNOSTIC DATA: Abbott Laboratories and its US divisions, Abbott Molecular Inc., Abbott Point of Care Inc., Abbott Diagnostics Scarborough, Inc., Abbott Rapid Dx North America, LLC, and Abbott Rapid Diagnostics Informatics, Inc. and Standing Stone, LLC process personal data of patients and customers using our diagnostic products and services and located in the European Economic Area, Switzerland, and the United Kingdom. For information about data processed for patients and customers that use our diagnostic products and services, please see: https://www.abbott.com/privacy-policy.html, and https://www.abbott.com/privacy-policy/consumer-health-data.html.

(c) USER DATA: Abbott Laboratories and its US divisions and Lingo US, Inc. processes the personal data of users/customers that use our Lingo biosensor and app located in the United Kingdom, or where available. For information about data processed for users/customers using Lingo products and services, such as the Lingo mobile application and the Lingo biosensor, please see: https://www.hellolingo.com/privacy-notice.

CHOICE

Consent for personal data to be collected, used, or disclosed in certain ways (such as, opt-in consent for sensitive data) may be required for an individual to obtain or use our services. The Abbott DPF Entities’ collect such consent, if necessary, in documents between the applicable Abbott DPF Entity and the individual. The Abbott DPF Entities provide individuals with clear, conspicuous, and readily available mechanisms to exercise the choices (e.g., opt-ins, opt-outs, etc.) set forth under the DPF Program. 

ACCOUNTABILITY FOR ONWARD TRANSFERS TO THIRD PARTIES

The Abbott DPF Entities are responsible for personal data in our possession or custody, including personal data that we may transfer to third parties for processing, including storage. In connection with the purposes described in the “Notice” Section above, the Abbott DPF Entities may transfer your personal data to other companies within the Abbott group of companies or to third parties such as external service providers. In cases of onward transfers to third parties, the Abbott DPF Entities will limit the personal data shared to the minimum amount necessary and will obtain assurances from third party business partners (agents) that they will safeguard personal data consistent with our policies. Examples of appropriate assurances that may be provided by third party business partners may include: standard contractual clauses as approved by the European Commission, certification under the DPF Program or being subject to a European Commission adequacy finding. Where the Abbott DPF Entities have knowledge that a third-party business partner is using or disclosing personal data in a manner contrary to our company policy, the Abbott DPF Entities will take reasonable steps to prevent or stop the use or disclosure. The Abbott DPF Entities remain responsible and liable under the DPF Program if a third-party business partner uses or discloses personal data in a manner inconsistent with the Program, unless the Abbott DPF Entities proves that we are not responsible for the event giving rise to the damage.

SECURITY

The Abbott DPF Entities take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destructions, taking into account the risks involved in the processing and nature of the personal data.

DATA INTEGRITY

The Abbott DPF Entities will use personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the relevant individual. The Abbott DPF Entities will take reasonable steps to ensure that personal data is accurate, complete, current, and relevant to its intended use.

ACCESS

Upon request and subject to certain exceptions, the Abbott DPF Entities will provide individuals reasonable access to personal data that it holds about them. In addition, the Abbott DPF Entities will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. If an individual wishes to access their personal data subject to DPF Program, they use the Abbott EU DPO site at https://www.abbott.com/eu-dpo.html or use the contact information included in the applicable Abbott DPF Entities’ respective privacy policy. To protect the individual’s privacy, we may take steps to verify the requestors’ identity and/or authority prior to acting on a request regarding personal data.

ENFORCEMENT AND DISPUTE RESOLUTION

The Abbott DPF Entities are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) regarding personal data received or transferred pursuant to the DPF Program.

In compliance with the DPF Program principles, the Abbott DPF Entities commit to resolving complaints about our collection or use of your personal data. We will endeavor to resolve your issue and respond no later than 45 days after receipt. EU, Swiss or UK individuals with inquiries or complaints regarding our Data Protection Framework Statement should first contact the Abbott DPF Entities by sending the inquiry or complaint to:

Abbott EU DPO site at https://www.abbott.com/eu-dpo.html or use the contact information included in the applicable Abbott DPF Entities’ respective privacy policies referenced above.

Any privacy or data use concerns that cannot be resolved internally will be referred to JAMS, a third-party alternative dispute provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit the JAMS complaint link here: https://www.jamsadr.com/dpf-dispute-resolution. The services of JAMS are provided at no cost to you.

If JAMS or the EU DPAs do not resolve the matter, you may be able to invoke binding arbitration when other dispute resolution procedures have been exhausted. For more information, please visit: https://www.dataprivacyframework.gov/Individuals-in-Europe.  

If you have any concerns regarding the use of your data by US intelligence agencies, you have the right to submit a complaint related to data processed after. For more information, please visit: https://www.edpb.europa.eu/our-work-tools/our-documents/other-guidance/rules-procedure-data-protection-framework-redress_en.

Any employee that an Abbott DPF Entity determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.

LIMITATION ON SCOPE OF PRINCIPLES

Adherence by the Abbott DPF Entities to this policy may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement.

CHANGES TO THIS POLICY

This policy may be amended from time to time, consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended policy, as stated. The Abbott DPF Entities will not amend this statement in a manner inconsistent with the EU-U.S. DPF Program.

You can download a copy of our Data Privacy Framework Statement.

CONTACT INFORMATION

Complaints, questions, comments, or concerns on this policy, data collection, or data processing practices should be sent to:

Chief Privacy Officer
Address: Abbott
100 Abbott Park Road, Building AP6A
Abbott Park, IL 60064

USA

Website:  https://www.abbott.com/eu-dpo.html

Email: privacy@abbott.com
Phone: +1 (224) 668 9400