Privacy Statement

Effective: December 22, 2022
Most recently revised on 1 November 2023.

1. INTRODUCTION

This Privacy Statement applies to the use of the website https://meritlegacy.decort.co.

2. DATA CONTROLLER

The responsible data controller for any personal data collected and processed in connection with the use of the website https://meritlegacy.decort.co is Merit Medical Systems, Inc., 1600 West Merit Parkway, South Jordan, UT 84095. (“Merit Medical™”, “we” or “us”).

3. CONTACT DETAILS

If you have any questions about or in connection with this Privacy Statement, would like to submit a complaint about our handling of your personal data or exercise any of your rights (see 9. below), please contact us by using the following contact details:

Privacy Council, Merit Medical EMEA, Amerikalaan 42, 6199 AE Maastricht Airport, The Netherlands

Email address: [email protected]

4. DATA SUBJECTS

This Privacy Statement applies to the collection and processing of personal data of users of the website https://meritlegacy.decort.co.

5. CATEGORIES OF DATA, PURPOSES OF THE PROCESSING AND LEGAL BASIS

5.1    We collect and process your personal data only for the following purposes:

5.2    The Appendix Website Data and Cookies contains detailed information on:

• the categories of personal data we collect from you or from third parties (e.g., public authorities or public resources) in addition to other personal data that you actively provide to us (e.g., when you send an e-mail to us);
• the purposes for which we process these personal data; and
• the legal basis for the collection and processing of your personal data (unless otherwise provided, e.g., at the time we collect the data from you) we collect and process your personal data.

Please note that we process your personal data for other purposes only if we are obligated to do so on the basis of legal requirements (e.g., transfer to courts or criminal prosecution authorities), if you have consented to the respective processing or if the processing is otherwise lawful under applicable law. If processing for another purpose takes place, we may provide you with additional information.

6. RECIPIENTS AND CATEGORIES OF RECIPIENTS

6.1    Any access to your personal data by us is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.

We may transfer your personal data for the respective purposes to the recipients and categories of recipients listed below — more details regarding the recipients and categories of recipients mentioned under 6.1 and 6.2 below can be found in https://meritlegacy.decort.co/cookie-declaration/.

6.2 Categories of recipients:

• Private third parties — Affiliated or unaffiliated private bodies other than us.
• Data processors — Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data on behalf of us under appropriate instructions as necessary for the respective processing purposes. The data processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.
• Governmental authorities, courts, external advisors, and similar third parties that are public bodies as required or permitted by applicable law.

7. CROSS-BORDER DATA TRANSFER

Some of the recipients of your personal data will be located or may have relevant operations outside of your country and the EU, such as in the United States of America, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and with regard to which an adequacy decision by the European Commission does not exist.

The countries which provide an adequate level of data protection from a European data protection law perspective include Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Jersey, New Zealand and the Eastern Republic of Uruguay.

With regard to data transfers to recipients outside of the EU we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g., Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC)) with the recipients or taking other measures to provide an adequate level of data protection. We will provide you with a copy of the respective measure we have taken upon request (for contact details see 3. above).

Details regarding cross-border data transfers, existence or absence of adequacy decisions and the appropriate safeguards taken with regard to cross-border data transfers can be found in https://meritlegacy.decort.co/cookie-declaration/.

8. STORAGE PERIOD

Your personal data is stored by us and/or our service providers, to the extent necessary for the performance of our obligations and for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When we no longer need to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject. E.g., personal data contained in contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 10 years. If applicable, any other personal data will in principle be deleted 5 years after the termination of the respective related contractual relationship between you and us, if applicable). For more detailed information regarding the actual storage periods please refer to https://meritlegacy.decort.co/cookie-declaration/.

9. YOUR RIGHTS

If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
Pursuant to applicable data protection law you may have the following rights:

You also have the right to lodge a complaint with the competent data protection supervisory authority. To exercise your rights please contact us (see 3. above).

10. COOKIES AND SIMILAR TECHNOLOGIES

10.1 Cookies. When you use our website, we may send one or more cookies – small text files containing a string of alphanumeric characters – to your device. We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits of our website. Your web browser may provide you with some options regarding cookies. Please note that if you delete, or choose not to accept, cookies, you may not be able to utilize the features of the services provided via our website to their fullest potential. We may use third party cookies in connection with the services provided via our website as well. For instance, we use Google Analytics to collect and process certain analytics data. We may not process or respond to web browsers’ “do not track” signals or other similar transmissions that indicate a request to disable online tracking of users who visit our website or use the services provided via our website.

10.2 Clear GIFs/Web Beacons. Clear GIFs (also known as Web Beacons) are typically transparent very small graphic images (usually 1 pixel x 1 pixel) that are placed on a website that may be included on our services provided via our website and typically work in conjunction with cookies to identify our users and user behavior.

10.3 How we use cookies and similar technologies, in particular, for profiling. We may use cookies and automatically collected information to: (i) personalize our website and the services provided via our website, such as remembering your information so that you will not have to re-enter it during your use of, or the next time you use, our website and the services provided via our website; (ii) provide customized advertisements, content, and information on the basis of profiling; (iii) monitor and analyze the effectiveness of our website and the services provided via our website and third-party marketing activities on the basis of profiling; (iv) monitor aggregate site usage metrics such as total number of visitors and pages viewed; and (v) track your entries, submissions, and status in any promotions or other activities offered through our website and the services provided via our website (profiling). Tracking technology (profiling) also helps us manage and improve the usability of the website, (i) detecting whether there has been any contact between your computer and us in the past and (ii) to identify the most popular sections of the website.

10.4 For detailed information regarding cookies and related data processing activities, please refer to https://meritlegacy.decort.co/cookie-declaration/.

11. CHANGES TO THE WEBSITE PRIVACY STATEMENT

This Privacy Statement may require an update from time to time – e.g. due to the implementation of new technologies or the introduction of new services. We reserve the right to change or supplement this Privacy Statement at any time. We will publish the changes on https://meritlegacy.decort.co and/or inform you accordingly (e.g., via email).

12. California-Specific Description of Consumers’ Privacy Rights

12.1 California Consumer Privacy Act.

Under the California Consumer Privacy Act (“CCPA”), California consumers have the right to request that we delete any personal information (as defined in the CCPA) we have about them, and that we explain how we have collected, used, sold, and disclosed personal information about them. Merit Medical may require that a request include information that enables us to verify who is making a request. This may depend on the type of request and the information we already have. If we cannot verify a requestor’s identity, we may ask for additional information. In any event, we will endeavor to respond to requests within 45 days and if we are unable to, we will let you know.

To make a request, email us at [email protected] or write to us at:

Attn: Beth French
Merit Medical Systems, Inc.
1600 West Merit Parkway, South Jordan
UT 84095

Merit Medical does not and will not sell personal information.

Updated: August 25, 2020.

_______________________________________________________________________________

Under the CCPA (Cal. Civil Code § 1798.140):

(o) (1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(2) “Personal information” does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

(3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.”

12.2 California Privacy Rights Act.

If you are a Merit employee or applicant, please take notice that Merit collects certain information about you. California’s California Consumer Privacy Act (“CCPA”) (outlined in Section 12.1 above) and California Privacy Rights Act (“CPRA”) (outlined in this Section 12.2) provide California applicants and employees with certain rights:

• Knowledge of information collected;
• Deletion of information collected;
• Opt-out of information collected;
• Opt-in of information collected;
• Correction of information collected;
• Go to court;
• Limit use of information collected;
• Not to be discriminated or retaliated against for exercising rights under the law.

 

Where We Get Your Information From. Merit collects information about you from the following sources: 1) you; 2) prior employers, references, recruiters, job-related social media platforms; 3) third-party sources of demographic information; 4) third-party companies, such as background check companies, drug testing facilities; and 5) claim administrators and investigators. Depending on Merit’s interactions with you, we may or may not collect all of the information identified about you.

The Personal and Sensitive Personal Information That We Are Collecting. We are collecting the following information:

• Identifiers, such as name, government-issued identifier (e.g., Social Security number), and unique identifiers (e.g., employee ID);
• Personal information, such as real name, signature, SSN, physical characteristics or description, address, telephone number, personal email address, passport number, driver’s license or state identification card number, federal identification authorizing work in the United States, access and/or passcodes, insurance policy number, education, employment, employment history, bank account number, other financial information, medical information, or health insurance information;
• Characteristics of protected classifications under California or federal law, such as age, marital status, gender, sex, race, color, disability, citizenship, primary language, immigration status, military/veteran status, disability, request for leave, and medical conditions;
• Commercial information, such as transaction information and purchase history (e.g., in connection with travel or other reimbursements);
• Internet or network activity information, such as browsing history and interactions with our online systems and websites and any personal information that you provide while accessing Merit’s computer systems, such as personal credit card information and passwords;
• Geolocation data, such as device location from usage of Merit’s devices;
• Biometric information related to access to Merit’s secured access points;
• Audio, electronic, visual, and similar information;
• Professional or employment-related information, such as work history and prior employer;
• Non-public education information;
• Inferences drawn from any of the Persona and Sensitive Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and
• Pictures of you, your vehicle make, vehicle license plate number.

 

How Your Personal and Sensitive Personal Information is Used. We may use Personal and Sensitive Personal Information:

• To operate, manage, and maintain our business;
• For hiring, retention, and employment purposes;
• To otherwise accomplish our business purposes and objectives, including, for example:
  • Emergency services;
  • Conducting research, analytics, and data analysis;
  • Maintaining our facilities and infrastructure;
  • Quality and safety assurance measures;
  • Conducting risk and security controls and monitoring;
  • Protecting confidential and trade secret information;
  • Detecting and preventing fraud;
  • Performing identity verification;
  • Performing accounting, audit, and other internal functions, such as internal investigations;
  • Complying with the law, legal process, and internal policies;
    • Maintaining records;
    • Claims processing;
    • Responding to legal requests for information and subpoenas; and
    • Exercising and defending legal claims.
  • Any other purposes authorized by the California Privacy Protection Agency, California or Federal law.

We may or may not have used Personal and Sensitive Personal Information about you for each of the above purposes.

Sharing of Personal Information. We only share your information with the following third-party entities:

• payroll systems;
• background vendors;
• drug testing vendors;
• healthcare systems;
• applicant tracking systems;
• court ordered entities;
• government entities in response to audits, subpoenas, court orders; and
• in response to mortgage, auto loans, employment verification, unemployment, Medicare/Medicaid, Department of Workforce Services.

Selling of Personal Information. Merit does not sell your personal information.

Data Retention. Merit retains the information it receives about you for varying periods of time depending on the nature or type of information, as set forth in the Data Retention set forth below, unless a shorter or longer period is required by California or Federal law.

Data Retention Schedule

Data will be maintained for 1) the amount of time required by law or 2) as shown in the below chart, whichever is longer.  These are minimum times and data may be retained for longer periods at Merit’s discretion.

Data Type	Minimum Retention Period
Applications, Resumes, offer letters, and pre-employment tests and tests results from rejected applicants	4 weeks from termination of the selection procedure or, subject to the applicant’s consent, 1 year from termination of the selection procedure
Background Checks on Employees	2 years after termination of employment contract
Benefits Description per Employee	5 years after termination of the employment contract
Collective Bargaining Agreements	Permanent, so long as current
EEO-1 Reports	Keep most recent annual filing
Employee Applications and Resumes	2 years from the termination date of the employment contract
Employee Benefit Plans Subject to ERISA (includes plans regarding health and dental insurance, 401(k), long-term disability, and Form 5500)	5 years after termination employment contract
Employee Offer Letters	4 years from employee termination
Employee Polygraph Test Records	2 years from termination date of the contract
Employee Records with Information on Pay Rate of Weekly Compensation; Merit Evaluations, Records Relating to Promotion, Demotion, Transfer, Discipline, Termination, or Selection for Training; Copies of Tests Given to Employees; Results of any Physical Examination Considered in Connection	5 years after termination of employment contract
Employee Tax Records	7 years from the date tax is due or paid
Employment Contracts; Employment and Termination Agreements	7 years from the termination date
Employment Eligibility and Verification (I-9 Forms)	2 years from termination date of the contract
Employment of Minors—Name, Address, and Date of Birth; Certificate of Age; Dates of Hire and Termination; Times of Daily Meal Period(s); Total Hours Worked in Each Day and Week; Output of Minor Employee if Paid Other Than on an Elapsed Time Basis; and Any Written Training Agreements	2 years from termination date of the contract
Employment of Student Learners—Employment Applications, Certificates Authorizing Employment and Notation of Occupation	2 years from termination date of the contract
Family and Medical Leave Documents	2 years from termination date of the contract
Handicapped Workers Paid at a Subminimum Wage	2 years from termination date of the contract
Injury and Illness Incident Reports (OHSA Form 301) and Related Annual Summaries (OHSA Form 300A); Logs of Work-Related Injuries and Illnesses (OSHA Form 300); Supplemental Record for Each Occupational Injury or Illness (OSHA Form 101); Log and Summary of Occupational Injuries and Illnesses (OSHA Form 200)	The latter of (i) 2 years from termination date of the contract or (ii) 5 years after event
Internal Complaints and Related Documents from Handicapped Workers, Termination of Disabled Veterans, and Veterans of the Vietnam Era; and All Documents Concerning Action(s) Taken in Response to Such Complaints	The latter of (i) 2 years from termination date of employment contract or (ii) 5 years after complaint
Job Descriptions, Performance Goals and Reviews; Garnishment Records	2 years from termination date of employment contract
Labor Agreements	7 years after termination
Medical Exams Required by Law	Duration of employment + 30 years
Material Safety Data Sheets or Safety Data Sheets (MSDS/SDS)	40 years after date substance was last received in the workplace or 40 years from date of last complaint, whichever is later
Personnel or employment records made or kept by a contractor or subcontractor with at least 150 employees or less than $150,000 in federal government contracts	2 years from termination date of employment contract
Pension Plan and Retirement Documents	5 years after expiration Permanent, if current
Receiving Sheets	1 year after production document
Requisitions	1 year after production document
Salary Schedules; Ranges for Each Job Description	2 years after expiration, permanent if current
Seniority or Merit Rating System	2 years from termination date of employment contract
Time Reports	2 years from termination date of employment contract
Training Agreements, Summaries of Applicants’ Qualifications, Job Criteria, Interview Records and Identification of Minority and Female Applicants	Duration of training + 4 years OR 4 weeks after closing application term without permission and 1 year after closing application term with permission General documents without personal data
Workers’ Compensation Records	40 years after termination employment agreement
Written Affirmative Action Program (AAP) and Supporting Documents	For immediately preceding AAP year, unless it was not then covered by the AAP year

–

For Inquiries and/or to Submit Requests for Information, Deletion or Correction. Please contact either: (1) Cheryll Ross, 801.253.1600,  [email protected], 1600 West Merit Parkway, South Jordan, Utah, 84095; or [email protected] for inquiries about Merit’s policy, or to submit your requests for information, deletion or correction.

Section 12 last edited December 23, 2022.