India Privacy Policy

India Privacy Policy

Effective October 29, 2014

Purpose

St. Jude Medical India Private Limited (SJM) is committed to protecting and respecting the privacy of individuals. The purpose of this policy is to set forth how St. Jude Medical India Private Limited complies with the Information Technology Act, 2000, enacted the 9th of June, 2000 and the Information Technology Rules, 2011, (“Privacy Rules”) enacted the 11th of April, 2011. This policy sets out how and why we collect, use, store, and disclose Personal or Sensitive information, whether in oral, electronic or written form, of individuals who interact with St. Jude Medical India Private Limited. It also explains how we safeguard the information you provide to us directly.

Definitions

Access – The process of gaining entry into, instructing or communicating with the Personal or Sensitive Personal Data found in a computer, computer system or computer network.

Data – A representation of information, knowledge, facts, concepts or instructions which are prepared to be processed or have been processed in a computer system or network, and is stored internally in the memory of the computer.

Data Controller – A legal person or private legal entity responsible for determining the means and the purposes of collecting and processing Personal and Sensitive Personal Data. In other words, Data Controller is the one who initiates, conceives and decides the purpose and project for which the Personal and Sensitive Personal Data shall be collected and processed.

Data Owner – The individual to whom Personal and Sensitive Personal Information relates.

Employee - An individual employed by St. Jude Medical India Private Limited.

Intermediary or Third Party – Any legal person or entity who receives, stores, or transmits Personal or Sensitive Personal Information on behalf of SJM or provides any service with respect to that data.

Personal Data or Information - Any information that relates to a natural person, which either directly or indirectly in combination with other information available is capable of identifying such person. Personal information does not include information that is encoded or anonymized and is not subject to re-identification, or publicly available information that has not been combined with non-public Personal Information.

Processing – Retrieval, use, disclosure, or storage of Personal or Sensitive Personal Data by any means. Use covers any action of access, management, transfer, or disposal of Personal or Sensitive Personal Data.

Sensitive Personal Data or Information - Personal Data which consists of information relating to:

  • Password;
  • Financial information;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information, including technologies that measure and analyse human body characteristics, such as fingerprints, DNA, and voice and facial patterns; and
  • Any detail relating to the above categories.

SJM must protect Personal and Sensitive Personal Data according to industry standards.

St. Jude Medical or SJM - St. Jude Medical India Private Limited.

Privacy Principles 

The following privacy principles are based on the Information Technology Act, 2000 and the Information Technology Rules, 2011, (“Privacy Rules”). The principles establish the laws SJM must follow when handling Personal and Sensitive Personal Data with respect to collection, use, storage and disclosure of such data, whether in electronic, paper or verbal format and explain how SJM is compliant. 

Purpose
SJM collects, uses, stores, and discloses data owners’ Personal and Sensitive information (as applicable) to fulfill treatment purposes, as stated in the consent form, and as required by law. SJM is required to register and track patients who have certain SJM devices implanted in accordance with the U.S. Federal Food, Drug and Cosmetic Act and various US Federal Drug Administration regulations. 

SJM may only collect Sensitive Personal Data if the information collected is for a lawful purpose and the collection is necessary to fulfill the purpose. SJM will only use and disclose the information for the purposes that we have disclosed to you, except as otherwise permitted by law. 

Choice
SJM and any intermediary will obtain the data owner’s consent in writing through letter or any form of electronic communication prior to collecting Personal and Sensitive Information. If you decide to withhold particular information or if you withdraw the consent that you provided previously, it may limit or restrict SJM’s ability to provide you with the services or products you requested. 

If for any reason your information is used or disclosed for a materially different purpose, we will obtain your consent before we proceed. 

Transfers to Third Parties
In cases of transfers to third parties domestically or internationally, SJM will obtain consent from the data owner prior to the transfer, unless the disclosure is necessary for compliance of a legal obligation. SJM requires third party business partners to safeguard information and agree to contractual requirements that are consistent with our privacy and security policies. SJM requires that third party business partners are prohibited from using Personal or Sensitive Personal Information except for the specific purpose for which we supply it to them and to comply with applicable legal requirements. Where SJM has knowledge that a third party business partner is using or disclosing Personal or Sensitive Personal Information in a manner contrary to the company policy, SJM will take reasonable steps to prevent or stop the use or disclosure. 

There are some situations where we are legally permitted to disclose Personal or Sensitive Personal Information such as employing reasonable and legal methods to enforce our rights or to investigate suspicion of illegal activities. 

Security
SJM will take reasonable precautions and utilize security safeguards, including maintaining physical, electronic, and procedural safeguards in compliance with industry standards and applicable laws to protect Personal and Sensitive Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. SJM has implemented strong standards of security to protect Personal and Sensitive Personal Information, including conformance with the Code of Practice for Information Security Management by the International Organization for Standardization, known as “ISO/IEC 27001”. SJM is responsible for Personal and Sensitive Information in our possession or custody, including information that we may transfer to third parties for processing and storage. 

Data Integrity
SJM will use Personal and Sensitive Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the data owner. The Personal Information or Sensitive Personal Information collected by us shall be limited to those details necessary for the purposes identified to you. SJM will take reasonable steps to ensure that Personal Information and Sensitive Personal Information is relevant to its intended use, accurate, complete, and current. SJM will not retain Personal Information or Sensitive Personal Information for longer than is required to fulfill the purposes for which it was collected or as required by law. 

Access
Upon request, SJM will grant data owners reasonable access to Personal and Sensitive Information that we collected from them to ensure any inaccurate or deficient information shall be corrected or amended as feasible. Contact the SJM Chief Privacy Officer at privacy@sjm.com for access requests. There may be circumstances where SJM is unable to provide access to your Personal or Sensitive Information. SJM may deny or restrict access for legally permissible reasons, such as situations where the information contains references to other individuals and is not reasonably severable, or where it cannot be disclosed for legal, security, or commercial proprietary reasons. We will advise the data owner of any reason for denying or restricting an access request. 

Enforcement and Dispute Resolution
Complaints or concerns on data collection and processing practices should be addressed to the Chief Privacy Officer. Any employee that SJM determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. 

Limitation on Scope of Principles 

Adherence by SJM to this policy may be limited to the extent required to meet legal, governmental or national security obligations, including requirements to cooperate with law enforcement. 

Changes to This Policy 

This policy may be amended from time to time, consistent with the requirements of the Information Technology Act, 2000 and the Information Technology Rules, 2011. The revisions will take effect on the date of publication of the amended policy, as stated. Your continued association with St. Jude Medical India Private Limited in any capacity will signify your consent to any changes which we carry out to the Privacy Policy.

Contact Information 

Complaints, questions, or comments on SJM’s India Privacy Policy, data collection and processing practices? Send your inquiries to: 

Chief Privacy Officer
Rolando Galvez
St. Jude Medical, Inc.
One St. Jude Medical Drive
St. Paul, MN 55117 USA
651-756-2000
800-328-9634
privacy@sjm.com 

India Confidential Compliance Hotline
#000-800-100-1071
#000-800-001-6112