It is the policy of Cantel Medical Corp. and its subsidiaries (taken together, the “Cantel Companies”) to comply with the requirements of the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce (the “Privacy Shield”). The Cantel Companies have certified that they adhere to the privacy principles set forth by the Privacy Shield, including the supplemental principles, with respect to the transfer and protection of Personal Information (the “Privacy Shield Principles”), received within the scope of their Privacy Shield certification, from the EU to the U.S. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/. A list of Privacy Shield participants can be found at https://www.privacyshield.gov/list.
This Privacy Shield Policy (this “Policy”) applies to all Personal Information received by the Cantel Companies in the U.S. from the EU, in any format, including electronic, paper, or verbal. Adherence to the Privacy Shield Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that further requirements under the Privacy Shield Principles are met; or (c) as otherwise specified by the Privacy Shield. In the event of any conflict between the provisions of this Policy and the Privacy Shield, the Privacy Shield will govern.
The Cantel Companies are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Agent: a person or organization that is Processing Personal Information on behalf of and under the instructions of the Cantel Companies
Controller: a person or organization which, alone or jointly with others, determines the purposes and means of Processing Personal Information.
Personal Information: data about an identified or identifiable individual that is within the scope of Directive 95/46/EC, received by an organization in the U.S. from the EU, and recorded in any form. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity. Personal Information may include an individual’s name, postal address, email address, telephone number, Social Security number, license number, photograph, or other identifying characteristics or data.
Process: means any operation, or set of operations, which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction
Sensitive Information: Personal Information that reveals medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of an individual.
THE PRIVACY SHIELD PRINCIPLES
The following privacy principles have been developed based on the Privacy Shield Principles. These principles apply to the transfer, collection, use, or disclosure of Personal Information from the EU to the U.S.
The Cantel Companies are committed to compliance with the Privacy Shield Principles for all Personal Information that is received in the U.S. from the EU. In accordance with such principles, the Cantel Companies will inform individuals about the purpose and use of the Personal Information that is collected from them by the Cantel Companies, the types of nonAgent third parties to which the Cantel Companies will or may disclose the Personal Information to, and the choice and means, if any, for limiting the use and disclosure of Personal Information. Notice regarding the collection and use of Personal Information will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to the Cantel Companies, or as soon as practicable thereafter, but in any event before the Cantel Companies use such Personal Information for a purpose other than that for which it was originally collected or disclose Personal Information for the first time to a third party. If you have any questions regarding our practices relating to Personal Information or would like to limit the transfer, collection, use, or disclosure of any Personal Information within the control of the Cantel Companies, as appropriate, please contact firstname.lastname@example.org.
The Cantel Companies may directly collect, Process, and retain Personal Information about an individual if he or she contacts the Cantel Companies or provides it to the Cantel Companies during the course of a legitimate business interaction. Such Personal Information may include any identifying data that the individual chooses to provide to the Cantel Companies for the purpose of the communication, including name, email address, company information, street address, or telephone number. The Cantel Companies may use this information to respond to the communication or for other legitimate business purposes.
The Cantel Companies may indirectly collect, Process, and retain Personal Information through the use of network, internet, and email servers that are physically located in the U.S. or incidentally from other sources in the ordinary course of business. With respect to such information, the Cantel Companies will only use and retain Personal Information to the extent appropriate to meet the purposes for which it was provided and to advance the legitimate business purposes of the Cantel Companies (including, but not limited to, marketing, server maintenance, and security).
The Cantel Companies may obtain Personal Information from the employees of its EU affiliates for human resources purposes, which includes all information received in the context of the employment relationship. Such information may be obtained for the purposes of, but not limited to, career development, staffing, statistical analysis, consideration for appointment or promotion, performance review, internal investigations, ethics investigations, law enforcement inquiries, benefits processing, or acquisitions and divestitures. The Cantel Companies will not, without obtaining an employee’s prior consent, use such information for any purpose other than human resources purposes unless the employee has already consented to such use.
The Cantel Companies may engage third party Agents for the Processing of the Personal Information in their possession. Such Agents may include organizations that provide services related to human resources or those that support other legitimate business needs. The Cantel Companies will adhere to the Privacy Shield Principles, including the principle on Accountability for Onward Transfer, when transferring any Personal Information to a third party Agent or Controller
For Personal Information, the Cantel Companies will offer individuals the opportunity to choose (“opt-out”) whether their Personal Information will be disclosed to a non-Agent third party or used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual.
Unless otherwise provided for under the Privacy Shield Principles, for Sensitive Information, the Cantel Companies will give individuals the opportunity to affirmatively or explicitly (“opt-in”) consent if such Personal Information is to be disclosed to a third party or used for a purpose other than that for which it was originally collected or subsequently authorized by the individual through the exercise of opt-in choice.
The Cantel Companies will provide individuals with reasonable mechanisms to exercise choice per the requirements of the Privacy Shield. Questions regarding opt-in or opt-out procedures, or requests to opt-in or opt-out, should be directed to email@example.com. Employees of the Cantel Companies should consult the Human Resources Department or Cantel Compliance Department regarding opt-in and opt-out procedures.
ACCOUNTABILITY FOR ONWARD TRANSFERS
The Cantel Companies may share Personal Information with third parties for Processing purposes, subject to the requirements of Privacy Shield. Additionally, the Cantel Companies may disclose Personal Information to third parties for the purposes for which the Personal Information was collected and as required or permitted by law. The Cantel Companies will comply with the Accountability for Onward Transfer principle when transferring data to third party Agents and Controllers. Upon notice, the Cantel Companies will take reasonable and appropriate steps to stop and remediate any unauthorized Processing performed by its Agents.
The Cantel Companies have implemented reasonable and appropriate measures to protect the Personal Information that they transfer, collect, use, or disclose from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Since no transmission of information over the internet or electronic storage of information is ever completely secure, it is possible that Personal Information could be accessed, used, or disclosed without authorization, despite the efforts of the Cantel Companies. Accordingly, individuals should use caution in determining what Personal Information they elect to disclose via the internet.
DATA INTEGRITY AND PURPOSE LIMITATION
The Cantel Companies will only collect Personal Information that is relevant for the purposes of Processing. Such Personal Information will be used in a manner that is compatible with and relevant for the purposes for which it was collected or subsequently authorized by the individual. To the extent necessary for those purposes, the Cantel Companies will take reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current.
Upon request, the Cantel Companies will make a good faith effort to grant individuals reasonable access to collected Personal Information, as appropriate. Additionally, the Cantel Companies will take reasonable measures to allow such individuals to correct, amend, or delete Personal Information that is inaccurate, or that was Processed in violation of the Privacy Shield Principles, except where the burden or expense of providing such access would be disproportionate to the risks to the individual’s privacy in the case in question, where the rights of a third party would be violated, or as otherwise provided in the Privacy Shield.
Requests to access, correct, amend, or delete information should be made by email to firstname.lastname@example.org. The Cantel Companies will respond to such requests within a reasonable time period and in a reasonable manner, subject to the provisions of the Privacy Shield. When appropriate, the Cantel Companies may charge an individual a reasonable fee for providing access to his or her Personal Information.
With respect to the Personal Information of any EU employee of the Cantel Companies, the Cantel Companies will provide such employees with access to any Personal Information that is required by the local laws of such employee’s employment location, regardless of the location of data Processing and storage. Additionally, the Cantel Companies will comply with local laws relating to the use and transfer of Personal Information, as well as all other employment-related laws, in respect of such employees.
RECOURSE, ENFORCEMENT, AND LIABILITY
Any questions regarding the practices of the Cantel Companies concerning Personal Information should first be directed to email@example.com. The Cantel Companies will investigate and attempt to resolve complaints and disputes relating to the use and disclosure of Personal Information by reference to the principles contained in this Policy. In the event of any noncompliance with such principles, the Cantel Companies will take disciplinary, remedial, and/or corrective action, as appropriate. For matters that cannot be resolved between the Cantel Companies and the complainant, including unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship, the Cantel Companies utilize the dispute resolution procedures promulgated by the EU Data Protection Authorities. The Cantel Companies will cooperate with the EU Data Protection Authorities and abide by their information and advice, as provided in the Privacy Shield Principles. Please contact us to be directed to the relevant EU Data Protection Authority contacts. The services of the EU Data Protection Authorities are provided at no cost to you. Additionally, the Cantel Companies will adhere to the arbitration terms and practices outlined in the Privacy Shield, including the conditions for binding arbitration.
The Cantel Companies use a self-assessment approach to ensure compliance with this Policy and periodically verify that this Policy is accurate, accessible, comprehensive for the information intended to be covered, prominently displayed, and implemented in conformity with the Privacy Shield Principles.
In the context of onward transfer to third parties, the Cantel Companies remain responsible and liable under the Privacy Shield Principles if any Agents that are engaged for the Processing of Personal Information do so in a manner that is inconsistent with the Privacy Shield Principles, unless the Cantel Companies can prove that they are not responsible for the event giving rise to the damage, as appropriate.
The Cantel Companies are committed to following the Privacy Shield Principles regarding the transfer, collection, use, and disclosure of Personal Information. This Policy may be amended from time to time consistent with the requirements of such principles. Revisions will be posted on the Cantel Medical Corp. website.
September 28, 2016