Privacy Policy

Sirtex Medical Limited ACN 078 116 122

August 2018

The information below is also available as a PDF document.

 

1 PURPOSE

The purpose of this Policy is to define how Sirtex collects, uses and discloses personal information.

2 SCOPE

This Policy applies to all personal information collected and used by Sirtex Medical Limited and all its subsidiary companies.

3 REFERENCES AND ASSOCIATED DOCUMENTS

Nil

4 DEFINITIONS / ABBREVIATIONS

GDPR: General Data Protection Regulation. The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Personal information: For the purposes of this Policy “personal information” (or “personal data”) means any information related to an identified or identifiable natural person. This includes, for example, your name, your address and your IP address.

5 RESPONSIBILITIES

All Sirtex personnel are responsible for reading, understanding and complying with all formal Sirtex policies, procedures and protocols, including those related to privacy and personal data.

6 TRAINING

All Sirtex personnel will be aware of this policy and suitably trained in their responsibilities under this policy.

7 POLICY

7.1 Introduction

Sirtex Medical Limited ACN 078 116 122, Level 33, 101 Miller St, North Sydney NSW 2060, Australia, and all of its subsidiaries are committed to protecting the privacy of information, and to handling personal information in a responsible manner in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles (“APPs”), relevant Australian State and Territory privacy legislation as well as appropriate legislation concerning privacy in other countries and regions in which Sirtex operates and/or where Sirtex products are distributed, including but not limited to the GDPR and US Health Insurance Portability and Accountability Act of 1996 (HIPAA), (collectively referred to as privacy legislation).

This Privacy Policy explains how Sirtex collects, uses and discloses personal information, how any person may access that information, and how any person may seek the correction of any information. It also explains how any person may make a complaint about a breach of privacy legislation.

EU residents may find specific information on the data processing, including the relevant legal bases and their rights regarding the processing, in Section 7.20 of this Policy.

By providing personal information to Sirtex, any person:

1. confirms that they understand that their personal information, including health information, will be collected and processed as described in this Privacy Policy, and in accordance with any other explanation they may be given at the time of providing the information; and
2. consents and agrees to such collection and processing.

In addition, if any person is providing personal information to Sirtex on behalf of someone else (for example, as their carer, parent or legal guardian), that person confirms that they have authority to consent to the use of the information as described in this Privacy Policy.

If any person does not consent to the collection, use and disclosure of their personal information (including health information) as set forth in this Privacy Policy, they should not provide personal information to Sirtex.

From time to time Sirtex may make changes to the policy, processes and systems in relation to how Sirtex handles personal information. Sirtex will update this Privacy Policy to reflect any changes, which will be available on the Sirtex website.

7.2 Types of Personal Information Sirtex collects

The type of personal information that may be collected will depend on Sirtex’s relationship with the person, and the circumstances of collection.

7.2.1 General Information

The information Sirtex collects from any person may include personal details, for example:

• name and gender;
• address;
• age, date of birth, weight and height;
• e-mail address;
• phone number(s) and fax number(s);
• other contact information;
• health information relating to the person (including details of medical history, diagnosis, treatment and prognosis); and/or
• details of relevant health care professional(s).

The information Sirtex collects from any person may also include:

• details of any specific products, services or clinical trials they want to learn about;
• photographs/images (where authorized); and
• information provided in “free text” fields when completing information sheets and forms, such as pre-treatment evaluation forms.

Information about health of persons is referred to in this Privacy Policy as "health information".

7.2.2 Contractors, Officers & Employees

For contractors, officers and persons seeking employment with Sirtex, Sirtex may collect the following information:

• name, gender and date of birth;
• residential address, email address, contact telephone numbers and emergency contact details;
• personal resumes which may contain details of education and work history, personal interests, details of referees and other information relevant to the individual;
• documents provided as evidence of skills, qualifications, training, work history, identity and legal right to work;
• bank account details, superannuation details and tax file number, employee records (including leave entitlements, salary details and performance review information);
  and
• doctors’ certificates in the case of sick leave.

7.2.3 Health Professionals

If the person is a healthcare professional interacting with Sirtex in their professional capacity, Sirtex may collect personal information about them including:

• medical specialty;
• clinical interests;
• details of the clinics worked at or owned;
• details of Sirtex products purchased;
• language; and
• details of education, qualifications and experience;

so as to better provide tailored information around Sirtex products and services.

7.3 From whom does Sirtex collect personal information?

Wherever practicable Sirtex will only collect information from any person personally. However, Sirtex may also need to collect information from other sources such as treating health care providers, carers and guardians. Where personal data is obtained from a third person other than the data subject, the data subject must be informed about the data processing after obtaining the information.

In the case of persons seeking employment with Sirtex, information in an applicant’s resume may be verified by contacting referees. Sirtex may also obtain information about an individual seeking employment from a recruiter.

Salary survey data may be collected from third parties which is used to assess and determine salaries to be paid to officers of Sirtex and staff.

Sirtex will only collect information from third parties when it is not reasonable and practical to collect the information from any person directly.

7.4 When does Sirtex collect Personal Information?

Information may be collected by medical and non-medical staff. Sirtex collects information about any person when they:

• request information about Sirtex products, services and/or clinical trials;
• telephone, email or write to Sirtex;
• use Sirtex website;
• apply to, and/or participate in a clinical trial;
• apply to, and/or participate in conducting clinical trials;
• attend Sirtex presentations or training sessions;
• complete Sirtex application forms or feedback forms;
• apply for work experience or employment with Sirtex;
• commence employment with Sirtex; and/or
• accept an offer of employment or enter into a contract with Sirt

Sirtex may also need to collect personal and sensitive information in order to comply with legal obligations.

7.5 How Sirtex stores information

Personal information is stored and held in a combination of hard copy and electronic files maintained by Sirtex, and on personal devices, including laptop computers.

Sirtex may combine information made available from a variety of sources. This enables Sirtex to analyse the data in order to gain useful insights which can be used for the purposes mentioned in Section 7 of this Privacy Policy.

7.6 How is Personal Information Used?

7.6.1 Use of Personal Information

Sirtex uses personal information that is reasonably necessary for one or more functions (the primary purpose), or for a related secondary purpose that would be reasonably expected by any person, or to which any person has consented.

Sirtex may use any person’s information for the following purposes:

• to establish their identity;
• to provide the products, information and/or services requested;
• to evaluate whether an individual is suitable to participate in a clinical trial;
• to evaluate whether an individual is suitable to conduct a clinical trial;
• to engage individuals to participate in clinical trials;
• to engage medical staff to conduct clinical trials;
• for medical research purposes;
• to comply with regulatory requirements, such as maintaining a record of medical queries, complaints, adverse events and recalls relating to Sirtex products;
• to contact any person to satisfy any of our legal or regulatory obligations;
• to create a profile from the interactions Sirtex has with any person to help Sirtex understand what information that person might be interested in receiving (subject to receiving any appropriate consent which may be required);
• to invite any person to participate in surveys and provide feedback to Sirtex (subject to receiving any appropriate consent which may be required);
• to deal with queries, requests or complaints;
• to provide a personalized experience when any person interfaces with Sirtex (subject to receiving any appropriate consent which may be required);
• to contact any person with information and notices related to their use of Sirtex websites (subject to receiving any appropriate consent which may be required);
• to improve the content, functionality and usability of Sirtex websites; and
• to manage the relationship between Sirtex and officers, contractors and employees (including making salary and superannuation payments, managing performance and managing a person’s career with Sirtex).

When collecting personal data Sirtex will inform the data subject as to which specific categories of personal data are being collected and for which purposes.

7.6.2 Job Applicants

Data provided by any person to support their job application is used for the purpose of managing the Sirtex recruitment process. Sirtex may keep a record of the application in order to contact that person about future job opportunities and send emails about job opportunities with Sirtex. Any person can request to have their applicant profile and personal information changed or deleted at any time by contacting Sirtex using the contact details provided for in Section 7.22 of this Privacy Policy.

7.7 Direct Marketing

Sirtex does not generally engage in direct marketing activities. However, on occasion Sirtex may communicate with individuals by email and other forms of communication. If any person does not want to receive emails and/or other communications from Sirtex, they can inform Sirtex at any time. Any person may opt out of electronic communications by contacting Sirtex using the contact details provided for in Section 7.22 of this Privacy Policy.

7.8 Sensitive Information

Sirtex only collects sensitive information reasonably necessary for one or more of the uses specified in Section 7.2 of this Privacy Policy, if Sirtex has the consent of the individual to whom the sensitive information relates, or if the collection is:

• necessary to lessen or prevent a serious threat to life, health or safety;
• necessary pursuant to a legal requirement;
• required for another permitted general situation (as defined in Section 16A of the Privacy Act 1988 (Cth) or other international privacy legislation)); or
• for a permitted health situation (as defined in Section 16B of the Privacy Act 1988 (Cth) (or other international privacy legislation)).

7.9 Disclosure

7.9.1 Subsidiaries and Related Bodies Corporate

Sirtex will treat personal information as strictly private and confidential. Sirtex may however on occasion exchange personal information with Subsidiaries and/or Related Bodies Corporate of Sirtex Medical Limited, and with Sirtex distributors who are required to comply with this Privacy Policy. These entities may use the personal information for the purposes specified in Section 7 of this Privacy Policy.

7.9.2 Third Parties

It may be necessary for Sirtex to disclose personal information to certain third parties in order to assist Sirtex with one or more functions or activities, or where permitted or required by law. Third parties may include:

• clinics or hospitals (where treatment is received, and/or clinical trials are performed);
• medical practitioners and related staff;
• health insurers and health service providers;
• those to whom Sirtex outsource certain functions, for example information technology support;
• auditors and insurers;
• government and law enforcement agencies and regulators; and
• entities established to help identify illegal activities and prevent fr

7.9.3 Sale of Business / Restructure

If all or any part of Sirtex business is sold, restructured or integrated with another group of companies, personal information may be transferred to another party. Those parties will be bound by the requirements of this Privacy Policy and will be required to use the personal information in the same ways as set out in this Privacy Policy.

7.9.4 Service Providers

Sirtex service providers are required by contract to protect the confidentiality of the personal information Sirtex shares with them, and to use it only to provide services on behalf of Sirtex.

7.9.5 When does Sirtex disclose Personal Information?

Sirtex may disclose personal information from time to time, only if one or more of the following apply:

• the person has consented;
• the person would reasonably expect Sirtex to use or disclose their personal information in that way;
• Sirtex is authorized or required to do so by law;
• disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety;
• where a permitted general situation applies (as defined in Section 16A of the Privacy Act 1988 (Cth) or other international privacy legislation) or a permitted health situation applies (as defined in Section 16B of the Privacy Act 1988 (Cth) or other international privacy legislation) or;
• disclosure is reasonably necessary for a law enforcement related activity or by a Government body or agency, or by a Court of

7.9.6 Officers, employees or contractors

Sirtex does not disclose personal information about officers, employees or contractors to any third parties (including overseas entities), unless prior consent is obtained from the relevant individual. Personal information about officers, employees or contractors may however be disclosed if required:

• pursuant to the Privacy Act 1988;
• pursuant to a legal requirement; or
• by an enforcement agency, Government body, or by a Court of

7.10 Overseas Recipients

7.10.1 Sirtex businesses worldwide

Sirtex Medical Limited has business operations in numerous locations worldwide. By sharing personal information with Sirtex, that personal information may be transferred to, or be accessible by businesses in other countries that form part of the Sirtex group.

The countries in which such recipients are likely to be located are Australia, Singapore, United States & Germany.

7.10.2 Service Providers located outside Australia

Information may be provided to service providers located outside Australia. The locations of the service providers may change from time to time.

The countries in which service providers are likely to be located are Australia, Singapore, United States & Germany.

7.10.3 Transfer of Personal Information to a Foreign Recipient

Sirtex may transfer personal information to a foreign recipient (including when an overseas entity accesses the information in Australia), only if:

• Sirtex reasonably believes that:
  • the recipient is subject to law, or a binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the APPs; and
  • there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
• the disclosure is required or authorized by or under an Australian law or a court/tribunal order; or
• the transfer is necessary for the performance of a contract / arrangement with the individual (from which the information was collected); or
• the transfer is for the benefit of the individual (and the other APP requirements are met); or
• the individual consents to the transf

7.10.4 Assessment of Foreign Privacy Laws

When disclosure is to be made to a known overseas entity, Sirtex will take reasonable steps to assess the privacy laws of the country where information will be disclosed to determine whether the overseas recipient is required to comply with privacy laws that are at least as stringent as the APP requirements in relation to information. Sirtex service providers are required to enter into a contract pursuant to which they agree to protect the confidentiality of the personal information Sirtex shares with them, and to use the information only to provide services on behalf of Sirtex.

7.11 Cookies used on our websites

Sirtex websites, like most websites on the Internet, use cookies. A cookie is a small text file that is placed on your computer or mobile device when you visit the website. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, for example so you don’t have to re-enter them whenever you come back to the website or browse from one page to another. Cookies can be “persistent” or “session” cookies. While persistent cookies remain on your computer when you go offline, session cookies will be deleted as soon as you close your web browser.

Sirtex makes use of Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"), which uses cookies to analyse how users use the website. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States, under a data processing agreement between Sirtex and Google. However, note that we have activated the IP anonymization function on our Sirtex websites. As a result, the users’ IP address is truncated by Google within member states of the European Union or other Contracting States to the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.

At the request of Sirtex, Google will use this information for the purpose of measuring any person’s activity on our website, compiling statistical reports on overall website activity for Sirtex on an anonymous basis and providing other services relating to website activity and internet usage. The IP address transmitted by Google Analytics as part of Google Analytics will not be merged with other Google data.

Any person may refuse the use of cookies by selecting the appropriate settings on their browser. Some browser manufacturers provide comprehensive help relating to cookie management in their products. Please see below for more information:

• Google chrome: https://support.google.com/chrome/answer/95647?hl=en-GB
• Internet Explorer: https://support.microsoft.com/en-us/help/260971/description-of-cookies
• Mozilla Firefox : https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
• Safari (Desktop) : https://support.apple.com/kb/PH5042?locale=en_US
• Safari (Mobile) : https://support.apple.com/en-us/HT201265
• Android Browser : https://support.google.com/nexus/answer/54068?visit_id=0-636612941590933601-131731679&hl=en&rd=1
• Opera : https://www.opera.com/help

In addition, any person can prevent the collection of the data generated by the cookie by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available from the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

7.12 Data Quality

Sirtex takes all reasonable steps to ensure the personal information Sirtex holds, uses and discloses is accurate, complete and up-to-date. These steps include ensuring that the personal information is accurate, complete and up-to-date at the time of collection, and when using or disclosing the personal information.

On an ongoing basis Sirtex maintains and updates personal information when Sirtex is advized by any person or when Sirtex becomes aware through other means that the personal information has changed.

Please contact Sirtex if any of the details provided to Sirtex change. Any person should also contact Sirtex if they believe that the personal information Sirtex has about them is not accurate, complete or up-to- date.

7.13 Security

Sirtex has put in place safeguards to protect the personal information Sirtex holds from misuse, interference, loss and unauthorized access, modification or disclosure by using industry standard software protection programs. Personal information is only accessible by officers and employees of Sirtex (strictly on a need to know basis), unless it is disclosed to another party in accordance with this Privacy Policy.

Employee personal information is retained in secure hard copy and electronic files, and is only accessible by human resources staff, accounts staff and directors on a need to know basis.

Whilst Sirtex endeavours to take all appropriate measures, Sirtex cannot guarantee the security of personal information sent online. Persons must bear this in mind when providing personal information online to Sirtex.

7.14 Information that is no longer required

If Sirtex no longer needs the personal information for any purpose for which it may use or disclose the information (for example when an employee has been terminated), and the information is not otherwise required to be kept under an Australian law or court order, Sirtex will take reasonable steps to destroy or permanently de-identify the information as appropriate.

7.15 Unsolicited Information

Sometimes Sirtex may be provided with personal information without having sought it through normal means of collection. Sirtex refers to this as “unsolicited information”. Where Sirtex collects unsolicited information Sirtex will only hold, use and or disclose that information if Sirtex could otherwise do so had Sirtex collected it by normal means. If that unsolicited information could not have been collected by normal means then Sirtex will destroy, permanently delete or de-identify the information as appropriate.

7.16 How to gain access to personal information Sirtex holds

Persons may request access to the personal information Sirtex holds about them, or request that Sirtex change and/or update the personal information Sirtex holds, by contacting Sirtex.

Upon request, Sirtex will give any person access to the personal information held about them, unless specific limitations apply (for example, if the request is frivolous or vexatious, or providing access would be unlawful).

Sirtex will respond to a request for access to personal information within a reasonable period after the request is made, and give access to the personal information in the manner requested, if it is reasonable and practicable to do so.

If Sirtex does not agree to provide any person with access, or to amend their personal information as requested, the person will be notified accordingly. Where appropriate Sirtex will provide the reason/s for the decision, and the mechanisms available to complain about the refusal. If the rejection relates to a request to change a person’s personal information, that person may make a statement about the requested change and Sirtex will attach this to their record.

Where the request to access personal information is made by or on behalf of a current or former employee, disclosure of such information shall be made in line with the prevailing privacy legislation in that jurisdiction.

7.17 Complaints

If any person has a complaint about the privacy of their personal information, Sirtex requests that they contact Sirtex in writing by email, letter, and facsimile or by personal delivery to any one of the Sirtex contact details as set out below. Any person may also make a complaint verbally. Upon receipt of a complaint Sirtex will consider the details and attempt to resolve the matter in accordance with Sirtex complaints handling procedures.

Sirtex will respond to the complaint within a reasonable time (usually no longer than 30 days), and Sirtex may seek further information from the person in order to provide that person with a full and complete response.

If any person is dissatisfied with Sirtex’s handling of a complaint or the outcome, they may make an application to the Office of the Australian Information Commissioner by calling them on 1300 363 992, contacting them online at www.oaic.gov.au, or by writing to the Office of the Australian Information Commissioner at GPO Box 5218 Sydney NSW 2001, or the Privacy Commissioner in your State or Territory.

7.18 Overseas Transfer of Data

If any person chooses to provide Sirtex with personal information, that person understands and consents to the transfer of their information to Sirtex locations and systems in Australia and around the world.

7.19 Links to other websites

Sirtex websites may contain links to other websites. Sirtex does not share personal information with those websites, and Sirtex is not responsible for their privacy practices. Sirtex is not responsible or liable for, and does not endorse, the data privacy practices or the content of any other linked sites.

7.20 Information for EU Residents

In the course of visiting our websites, contacting us, or applying for a job we may process the following personal information:

7.20.1 Contacting us

Any person can contact Sirtex using the contact form provided on the website, via e-mail or phone, e.g. for requesting information about Sirtex products, services or clinical trials. In this case Sirtex processes the details from the inquiry form, including the contact details (e.g. name, e-mail address, country of origin) the sender’s role, the topic of the request and any other information provided by the sender in the inquiry. Sirtex will use this information to respond to the communications, fulfil the requests, or provide other support. The legal basis is Art. 6 (1) 1 lit. b GDPR. The information will be deleted after the inquiry is concluded.

7.20.2 Visiting the Sirtex websites

If a person visits a Sirtex website without using the service offered by Sirtex and without providing Sirtex with personal data, Sirtex automatically collects information about the user in so-called server log files. This information includes the browser type and browser version, the operating system used, the referrer URL, the host name of the accessing computer, time of service request, and the IP address. The user’s browser automatically sends this information to Sirtex.

The legal basis for the processing of personal data is Art. 6 (1) 1 lit. b GDPR and Art. 6 (1) 1 lit. f GDPR. We have a legitimate interest in ensuring the security, stability and effective use of our website. We assume that the problem-free use of the website is in your interest as well.

Regarding the use of cookies on Sirtex websites please see Section 7.11 above.

7.20.3 Job applications

For persons seeking employment Sirtex collects the following personal data:

• applicant’s name, gender, date of birth, residential address, e-mail address, telephone number and marital status;
• personal resumes which may contain details of education and work history, personal interests, details of referees and other information relevant to the individual;
• documents provided as evidence of skills, qualifications, training, work history, identity and legal right to work.

Where the applicant is a health professional, this may additionally include the data listed in Section 7.2.3.

Personal data provided by any person to support their job application is used for the purpose of managing the Sirtex recruitment process. The legal basis is Art. 6 (1) 1 lit. b GDPR.

If the application process is completed without an offer for employment the personal data will be deleted six months after the conclusion of the recruitment process, unless the applicant agrees that Sirtex will keep a record of the application in order to contact that person about future job opportunities, and send emails about job opportunities with Sirtex. The legal basis is Art.6 (1) 1 lit. a GDPR. The consent is given freely and can be withdrawn any time with effect for the future.

If an employment contract is concluded Sirtex uses the above-mentioned personal as well the following additional to prepare and perform the employment contract:

• copy of passport, nationality, health insurance provider, social security number, start date of employment;
• bank account details, superannuation details and tax file number, employee records (including leave entitlements, salary details and performance review information); and
• doctors’ certificates in the case of sick leave.

The legal basis for processing is Article 6 (1) (1) (b) GDPR. The personal data will be stored for the duration of the employment. Legal retention obligations remain unaffected.

7.20.4 Application and/or participation in a clinical trial

If a person is interested in applying for and/or participating in a clinical trial, Sirtex will then provide more information on the intended data processing prior to the application, including with regard to health data where an explicit consent will generally be necessary. Sirtex may then process the data listed in Section 7.2.1. The data will be used by Sirtex to evaluate whether an individual is suitable to participate in a clinical trial. The details of the clinical trial, including the relevant data processing, will be outlined in the Patient Information Sheet & Consent Form that any person will be provided before participating in a clinical trial. The personal data, particularly the health data, will only be processed for the clinical trial after the person consented. The legal basis is Art. 6 (1) 1 lit. a GDPR.

7.20.5 Application and/or participation in conducting a clinical trial

If a person is interested in applying for and/or participating in the conduct of a clinical trial, Sirtex will then provide more information on the intended data processing prior to the application, including with regard to health data where an explicit consent will generally be necessary. Sirtex processes the personal data listed in Section 7.2.3 of health professionals for the purposes of applying to, and/or participating in conducting clinical trials. The legal basis is Art. 6 (1) 1 lit. b GDPR. The data will be deleted as soon it is not needed anymore for the above-mentioned purposes.

7.20.6 Attending Sirtex presentations or training sessions

If a person is interested in attending a Sirtex presentation or training session Sirtex will process the person’s name and contact details (address, e-mail-address). If the person is health professional, Sirtex may additionally use the personal data listed in Section 7.2.3.

7.20.7 Advertisement

Sirtex may use some of the personal information (e.g. in particular health information) to create a profile from the interactions Sirtex has with any person to help Sirtex understand what information that person might be interested in receiving, to invite any person to participate in surveys and provide feedback to Sirtex, to provide a personalized experience when any person interfaces with Sirtex and/or to contact any person with information and notices related to their use of Sirtex websites. In these instances an explicit consent is necessary.

The legal basis is Art. 6 (1) 1 lit. f GDPR. Sirtex has a legitimate interest to analyse our customers’ interests and provide direct marketing upon receipt of appropriate consent.

7.20.8 Automated decision making

Please note that we do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you.

7.20.9 Sharing of personal information

It may be necessary for Sirtex to disclose personal information to certain third parties in order to assist Sirtex with one or more functions or activities, or where permitted or required by law. Third parties may include the following categories of recipients:

• clinics or hospitals (where treatment is received and/or clinical trials are performed);
• medical practitioners and related staff;
• health insurers and health service providers;
• those to whom Sirtex outsource certain functions, for example information technology support;
• auditors and insurers;
• government and law enforcement agencies and regulators; and
• entities established to help identify illegal activities and prevent fraud.

Where Sirtex shares some of the above-mentioned personal information with third party agents that perform services on Sirtex’ behalf (e.g. technical service providers) Sirtex will conclude data processing agreements to ensure that service providers only use use the information shared with them for the specific tasks requested from them and consistent with this Privacy Policy, and for no other purposes. The legal basis for this data transfer and processing activity is Art. 28 GDPR in conjunction with the respective data processing agreement.

Where the transfer is necessary to fulfill a contract, the legal basis is Art. 6 (1) 1 lit. b GDPR. If Sirtex is required to transfer data by law the legal basis is Art. 6 (1) 1 lit. c GDPR.

Where the third party is located outside the European Union and/or the European Economic Area, particularly Australia, Singapore, USA. Sirtex will only transfer data to recipients in these countries if an adequate level of data protection at the location of the recipient is ensured, e.g. because the recipient (in the USA) is EU US Privacy Shield certified or the recipient and Sirtex concluded standard contractual clauses (for processors: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087, for controllers: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32004D0915).

7.20.10 Legal disclosure

Sirtex may use the personal information listed above to comply with regulatory requirements, such as maintaining a record of medical queries, complaints, adverse events and recalls relating to Sirtex products and/or to contact any person to satisfy any of our legal or regulatory obligations. This may also include disclosure of personal information if such disclosure may prevent the investigation of a crime, facilitate an investigation related to public safety, protect the security or integrity of our service, or enable us to take precautions against liability or to protect our rights. The legal basis for such disclosure is Article 6 (1) 1 lit. c (“compliance with legal obligation”) and lit. f (“legitimate interest”) GDPR. It is our legitimate interest to comply with the legal requirements of EU Member States and Australian law.

7.20.11 Subject data rights

Data subjects based in the European Union may be entitled to exercise some or all of the following rights:

• require (i) information whether his/her personal information is retained and (ii) access to and/or duplicates of his/her personal information retained, including the purposes of the processing, the categories of personal information concerned, and the data recipients as well as potential retention periods;
• request rectification, removal or restriction of his/her personal information, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn;
• refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw his/her consent to processing of their personal information at any time;
• object, on grounds relating to his/her particular situation, to processing of his/her personal information, in case such processing is either based on Sirtex’ or a third party’s legitimate interests or on a performance of a task carried out in the public interest. In this case, the data subject shall provide Sirtex with information about his/her particular situation. After the assessment of the facts presented by the data subject Sirtex will either stop processing his/her personal information or present him/her Sirtex’ compelling legitimate grounds for an ongoing processing; and/or
• object to the use of his/her personal data for direct marketing at any time;
• take legal actions in relation to any potential breach of his/her rights regarding the processing of his/her personal information, as well as to lodge complaints before the competent data protection regulators.
• require (i) to receive the personal information concerning him/her, which the data subject has provided to Sirtex, in a structured, commonly used and machine-readable format and (ii) to transmit those data to another controller without hindrance from Sirtex’ side; where technically feasible the data subject shall have the right to have the personal information transmitted directly from Sirtex to another controller.

You may (i) exercise the rights referred to above or (ii) pose any questions or (iii) make any complaints regarding our data processing by contacting us under the contact details set out above in Section 7.22.

7.21 Updates to this Privacy Policy

Sirtex may update or amend this Privacy Policy at any time by posting a revized version on the Sirtex website. Unless stated otherwise, this current Privacy Policy applies to all information that Sirtex has about any person.

7.22 Contact

Should any person wish to access their information, change their contact preferences, receive further information about this Privacy Policy, express concerns about how Sirtex handles their personal information, or wishes to revoke the consents they have given for the use of their personal information, they can contact Sirtex by:

• Post/Mail: Sirtex Medical Limited
  Level 33, 101 Miller St, North Sydney NSW 2060, Australia;
• Emailing: privacy@sirtex.com; or
• Calling: +61 2 9964 8400.

If practical, any person can contact Sirtex anonymously (i.e. without identifying themselves) or by using a pseudonym. However, if any person chooses not to identify themselves, Sirtex may not be able to give that person the information or provide the assistance they might otherwise receive if it is not practical to do so.

 

CHANGE HISTORY
CR#	DATE	CHANGE REASON
2084	Nov 2016	New CPOL
2416	Aug 2018	Updated to reflect requirements of GDPR and ensure HIPAA Compliance.