Effective January 1, 2009

St. Jude Medical (SJM) respects and protects personally identifiable information that we collect or maintain. As part of our commitment, SJM is certified to the US-EU Safe Harbor Agreement regarding human resources personal information. This page describes the principles we follow with respect to transfers of personal information of our employees, whether in electronic, paper or verbal format, between countries in the European Economic Area (EEA) and the United States.

Safe Harbor

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the Safe Harbor Principles) to enable U.S. companies to satisfy EU law requirements for adequate protection of personal information transferred from the EU to the United States. Consistent with our commitment to protect personal privacy, we adhere to the safe harbor principles.

Definitions

Agent - Any third party that processes personal information under the instructions of, and solely for, SJM or to which SJM discloses personal information for use on St. Jude Medical’s behalf.

Personal information - Any information or set of information that identifies or could be used by or on behalf of SJM to identify an employee. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

Sensitive personal information - Personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life.

Employee - An individual employed by a SJM affiliate located in a country of the EEA.

St. Jude Medical - St. Jude Medical, Inc., including any wholly-owned subsidiaries that are incorporated in any state or territory in the United States.

Privacy Principles

The following privacy principles are based on the safe harbor principles.

Notice

Where SJM collects personal information directly from employees, we will inform them about the purposes for which we collect and use personal information about the employee, the types of non-agent third parties to which SJM discloses that information, and the choices and means, if any, SJM offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as practicable thereafter, and in any event before SJM uses the information for a purpose other than that for which it was originally collected.

Choice

Where SJM collects personal information directly from employees in the EEA, we will offer the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. SJM will provide individuals with reasonable mechanisms to exercise their choices.

For sensitive personal information, SJM will give employees the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of the information to a non-agent third-party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the employee.

Onward Transfers to Third Parties

SJM will obtain assurances from third party business partners (agents) that they will safeguard personal information consistent with our policies. Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating the third party to provide at least the same level of protection as is required by the relevant safe harbor principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the third party, or being subject to another European Commission adequacy finding. Where SJM has knowledge that a third party business partner is using or disclosing personal information in a manner contrary to the company policy, SJM will take reasonable steps to prevent or stop the use or disclosure.

Security

SJM will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity

SJM will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the employee. SJM will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.

Access

Upon request, SJM will grant employees reasonable access to personal information that it holds about them. In addition, SJM will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete.

Enforcement and Dispute Resolution

SJM will conduct compliance audits of its relevant privacy practices to verify adherence to this policy. Any employee that SJM determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Complaints or concerns that can't be resolved internally will be referred to the Data Protection Panel comprised on EU data protection regulators. SJM commits to following the determination and advice of this body.

Limitation on Scope of Principles

Adherence by SJM to this policy may be limited to the extent required to meet legal, governmental or national security obligations.

Changes to This Policy

This policy may be amended from time to time, consistent with the requirements of the safe harbor principles. SJM will provide appropriate notice about such amendments.

Contact Information

Questions or comments? Send your inquiries to safeharbor@sjm.com.