Select Your Country or Region

You are now at USA (English)
Home / About us / Legal / Privacy policy

Privacy Policy

Introduction

This is one Privacy Notice for Arjo, Inc., an integral part of the Arjo group of organisations focusing on our business interests in the United States of America. This Privacy Notice relates to the processing of personal data of representatives of customers suppliers, leads and Arjo Academy platform users. Arjo, Inc. provides information to the relevant stakeholders about the who, what, why, when, where and how of our data processing activities, as well as setting out what rights individuals have in relation to these processing activities.

 

Who is processing the personal data?

As indicated above, the data controller for the processing of your personal data is Arjo, Inc.. To make this notice easier to read, Arjo, Inc. is referred to as Arjo for the rest of this document. As the data controller, if you have any questions, comments or queries about your personal data, we can be contacted using the details below:

Arjo, Inc.

2349 West Lake Street Suite 250, Addison, IL 60101

dataprivacy@arjo.com.

Arjo aims to be compliant in everything we do. As such, we invite you to contact us whenever you feel it is necessary so we can partner with you in addressing any comments or concerns you might have. We have appointed a local Data Protection Lead who is also able to support you with any queries you may have. For Arjo, Inc., this is:

James Stone

Data Compliance Manager

dataprivacy@arjo.com.

 

What personal data are we processing?

The type of personal data we process about you depends on the type of data subject and the nature of our relationship with you. The processing of your personal data could include the following:

Customer representatives, supplier representatives, leads, prospects and contacts:

  • Identifiers –
    • Name
    • Job title
  • Contact data –
    • Phone number
    • Email address
  • Location data –
    • Address
    • IP address

Webinar platform users:

  • Identifiers –
    • Name
    • Job title
  • Contact data –
    • Email address
  • Location data –
    • Address
    • IP address
  • Audio / visual data –
    • Photos (only when provided by the platform user).

Please note, the contact, location and financial information processed relates to data used in a professional capacity and may come directly from you or from the facility you are working for.

 

Why are we processing personal data?

Arjo processes personal data for the reasons listed below.

Representatives of customers, contacts and suppliers

  • Managing the production and distribution of our products and equipment via our logistics supply chain.
  • To fulfil our customer orders and requests, as well as to provide support to customer representatives in the event of a complaint or issue or handling claims.
  • To manage our legal, regulatory and statutory obligations as well as to maintain accurate and reliable administrative and accounting records, which include managing queries, concerns and investigations.

Leads and prospects

  • The pursuit of our commercial interests through marketing activities.

No automated decision-making is undertaken, with the exception of monitoring the success of marketing activities and when using the MyArjo portal. This includes generating a profile based on the use of our online resources which performs an evaluation. This information is only used to better inform how Arjo can support you and manage the layout of the MyArjo portal. The information is only used for these purposes and no individual data protection or statutory rights are infringed in this process. Any evaluation is subject to human review. If you have any questions or concerns about the potential use of automated decision-making, please contact dataprivacy@arjo.com.

Please note, no personal data is sold in any circumstance.

 

Which lawful basis do we use for processing personal data?

Arjo only process personal data if there is a legal basis for the processing. For the processing described in this privacy notice, Arjo uses the following lawful basis for processing:

Lawful basis for processing

Processing activities

Your explicit consent.

You are able to withdraw your consent at any time. You can do this by contacting dataprivacy@arjo.com.

Marketing activities including direct marketing.

Your implicit consent to fulfil our legal obligation or if processing is in our legitimate interests.

Activities linked to our regulatory and statutory requirements.

Marketing activities including managing our relationship with you as a contact of Arjo. Processing of customer representatives’ personal data is necessary to manage and distribute products and equipment via our logistics supply chain and to fulfil our customer orders and requests.

 

Where we rely on a legal obligation to justify the processing of your personal data, this is to ensure that our regulatory and statutory requirements are fulfilled. This is important in order to maintain the quality of the service and products that many stakeholders rely on.

There may also be times when legitimate interest is the appropriate justification for processing your personal data. In this situation, we have undertaken a legitimate interests assessment where the needs, expectations, rights and freedoms of all parties have been considered. Before relying on legitimate interest, we have made sure that our interests are compelling enough and will not cause any unwarranted harm.

 

For how long do we process your personal data?

We save information for as long as the information is necessary to fulfil the purposes for which the information was collected. The information can be saved for a longer period of time if it is required by applicable law, such as when complying with the requirements of the Food and Drug Administration. Arjo have established routines to ensure that we do not store unnecessary information about you.

Information regarding representatives of customers and contacts

  • Most commercial, customer or financial information, relating to e.g. purchase, order and order history, is retained for five years.
  • As a global organisation in a highly regulated field, we need to retain information relating to production, distribution, quality, or performance of any of our products for 15 years in accordance with strict European and global regulatory obligations. The personal data contained to these records is usually limited to low risk personal data where there is any personal data at all.
  • Information relating to a customer service case is saved until the matter is resolved and retained in a de-identified format for 15 years.
  • Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.

Information regarding prospects and leads

  • Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.

 

Where are we processing personal data and who do we transfer personal data to?

We may on occasion transfer your personal data outside of the US through the use of a particular processor. Where this is relevant, we have undertaken privacy impact assessments and transfer impact assessments to identify appropriate additional measures to implement, prior to establishing data processing agreements including approved standard contractual clauses. In the event that the contractual and organisational measures are still inadequate, we will seek your consent to undertake the proposed processing.

We use different systems and platforms to manage the data we process, and a list of the key data processors are listed below:

  • Advanced Applications.
  • AWS.
  • CEVA.
  • Digital Space.
  • Lucidoc.
  • ON24.
  • Process Solutions.
  • Salesforce.
  • Tech Mahindra and BMC Remedy.
  • Other subsidiaries of the Arjo group as part of global functions.

Additionally, we use Microsoft Office storage and productivity tools to process personal data in the course of our commercial, production, logistical, operational, research and administrative activities.

We may also share personal data with partners and in line with our regulatory or statutory obligations. In all instances, data will only be shared in line with an appropriate lawful basis for processing. Data sharing is frequently undertaken following a privacy impact assessment and a transfer risk assessment to ensure the necessary safeguards and control measures are in place prior to any data sharing.

 

How are we processing personal data?

Arjo have adapted the following to enable secure and compliance towards handling and processing data:

  • Arjo have an IT policy, Information Security Directive, Data Privacy and Acceptable Use of IT devices Directive.
  • Access management based on least privilege with access reviews performed on a quarterly basis, additionally each user will have unique and individual usernames where none are shared.
  • Admin access only given to system and database owners who have the correct skills and training, normally senior IT staff.
  • Robust change management process.
  • All systems for which the hosting solution is determined by Arjo can only be accessed via our VPN solution. In all cases, all data and systems are encrypted at rest and in transit, and require a unique username and password to access the data each user is authorised to access.
  • All Third Parties that host or work on Arjo systems are subject to a Risk Assessment on a yearly basis.
  • Arjo also have an overall Incident management process which is run by our Service Management team.
  • Patch management; as part of our service management.
  • Pen testing and vulnerability management.
  • IT audits performed by a third party annually.

 

What are your rights in relation to this data processing?

If you are a resident of California, Virginia, Colorado, or certain other jurisdictions, you may have the following rights:

  • Your right of access – You have the right to ask us for copies of your personal information that we process about you. Through this copy, you will be able to understand which of your personal data we maintain and process. The right of access is applicable when a record contains information where an individual can be identified, and the information is about them. This means that records that are accessible to you will have the personal data about other people redacted where appropriate, in order to protect their right to privacy. Your personal data will be redacted if someone else requests access to a record containing your personal data. Legislation provides other exemptions that may be applicable such as records where legal privilege needs to be observed or there is an obligation of confidentiality in specific circumstances. Any exemption applied will have a relevant legal basis and will be explained to you where necessary.

 

  • Your right to be informed – You have the right to be informed of how we process your personal data. This Privacy Notice is an initial means of informing you about the processing of your personal data. Additional methods of keeping you informed include FAQs, contractual agreements and through discussions – if you have a question about how we are processing your personal data, you can contact us by writing to dataprivacy@arjo.com.

 

  • Your right to correction – You have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right applies in conjunction with one of the principles of data protection. Any request to correct your personal data will also be sent to and completed by any processor with whom your personal data has been shared. This process is managed by us and will not require any additional action from you for your right to be exercised in full.

 

  • Your right to deletion – You have the right to ask us to delete your personal information when the information is no longer necessary to fulfil the purpose of processing the information or keeping it or if you retract your consent. Arjo is obliged to keep extensive records in accordance with our legal obligations. As such, Arjo may not be able to delete every record that is processed about you; however, this will be explained where relevant. Any request to be forgotten will also be managed by Arjo with any processor that is processing your personal data on our behalf.

 

  • You would have the right to opt out of the sale of your data, but Arjo does not sell data.

 

  • Your right to non-discrimination – We cannot deny goods or services, charge a different price or provide a different level or quality of goods or services just because you exercised any of the rights listed above.

For more information about your data protection rights, please see the HIPAA webpages of the Department of Health and Human Services, in addition to the relevant data protection authority of the state in which you reside.

 

You are not required to pay any charge for exercising your rights in most instances. If you make a request, we have 90 days to respond to you.

Please contact us using any of the details below if you wish to make a request.

Arjo, Inc.

2349 West Lake Street Suite 250, Addison, IL 60101

dataprivacy@arjo.com.

Finally, you have the right to complain to a data protection authority. For Arjo, Inc., the relevant supervisory authority is the US Department for Health and Human Services Office of Civil Rights, and can be reached using the details below:

US Department of Health and Human Services Office of Civil Rights

1-800-368-1019

Using the online portal or by email at OCRMail@hhs.gov.

You may also contact your local data protection authority who will advise you how to proceed.