Privacy Statement

Document Title: Privacy Notice and Personal Data Protection
Document Number: COL-01
Effective Date: June 01, 2020

Policy for Colombia
Privacy Notice and Personal Data Protection

Purpose

To establish the privacy and protection principles of Stryker Colombia SAS (“Stryker”), with address at Calle 116 # 7-15, Office 1001 Bogotá, Colombia, telephone +57 1 743 8200, which will govern how we protect the Personal Data of our employees, patients, customers, business partners and suppliers.

Scope

This policy applies to all Stryker employees to the extent permitted by law, ordinance and regulation. In the event that any provision of this policy is not in compliance with local law, Stryker will modify this policy and/or implement a separate policy to comply with local law, understanding that the modified policy will include the principles of the present policy as much as possible. All provisions of this policy that are in compliance with Local Law shall remain in effect.

At Stryker we acknowledge that the Personal Data we receive and that are provided to Stryker are confidential. For this reason, we have adopted this policy to manage the collection, storage, processing, transfer and use of Personal Data. 

Stryker, in its capacity as Data Controller, is obliged to ensure and answer for the way in which it processes Personal Data under its control, custody and/or possession, including those data that Stryker forwards, transfers or communicates to third parties, including suppliers, business partners, contractors and/or affiliates and subsidiaries of Stryker.

Definitions

For purposes of this policy, Stryker uses the following definitions: 

Authorization: Prior express and informed consent of the Holder to carry out the Processing of Personal Data or Sensitive Personal Data. 

Databases: The organized set of Personal Data or Sensitive Personal Data that is the object of the Processing. 

Personal Data: Any information that is or may be associated with one or more specified or determinable natural persons. Data that is anonymous or that does not refer to a specific person for statistical evaluation or study purposes is not subject to this policy. Personal Data means any information that can be used to identify a natural person or any information that in combination with non-personal information reasonably identifies a natural person.

Sensitive Personal Data: Those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, trade union membership, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data related to health, sex life and biometric data. 

Public Data: It is the data that is not semi-private, private or sensitive. Data relating to the civil status of persons, their profession or occupation and their status as traders or public servants are considered public data, among others. By their nature, public data may be included, among others, in public records, public documents, gazettes and official journals and duly enforceable court rulings that are not subject to confidentiality. 

Responsible for processing: Natural or legal person, public or private, which by itself or in association with others, performs the Processing of personal data on behalf of Stryker. 

Holder: Natural person whose Personal Data or Sensitive Personal Data are subject to Processing. 

Local Law: The set of laws, decrees and regulations of the Republic of Colombia regarding privacy and protection of Personal Data.

Transfer: The transfer of data takes place when Stryker and/or Data Controller, located in Colombia, sends Personal Data or Sensitive Personal Data to a recipient, which in turn is located within or outside the country.

Processing: Any operation or set of operations on Personal Data or Sensitive Personal Data, such as collection, storage, use, circulation or suppression. 

Basic Policies

1. Privacy Notice about the types of information that Stryker obtains and the purposes of use: Stryker provides notice to individuals about the type of information that is obtained and the purpose of its use. The Privacy Notice is considered the verbal or written communication generated by Stryker and addressed to the Holder by means of which the Holder is informed about the existence of the information processing policies that will be applicable, the way to access them and the purposes of the processing that is intended to be given to the Personal Data. The Privacy Notice is available for review at our offices and on our website Stryker.com. 

2. We provide access to the Personal Data that we obtain: The Holder is given reasonable access to the Holder’s Personal Data, including the ability to review and correct the Holder's Personal Data, when applicable. 

3. We maintain the Personal Data in a complete, accurate and updated way: We make reasonable efforts to ensure that Personal Data is complete, accurate and up to date. We take reasonable measures to ensure that Holders who provide us with Personal Data will be treated with high quality standards. 

4. We protect the security and confidentiality of Personal Data: We are committed to protecting Personal Data against unauthorized use or disclosure. We take reasonable measures to limit access to Personal Data to those persons who have a legitimate need to have access to Personal Data in the performance of their job responsibilities. We make every effort to ensure that appropriate administrative, technical and physical safeguards are used to protect the confidentiality and security of Personal Data. 

5. We may share the Personal Data we obtain with third parties: We make reasonable efforts to ensure that we have provided clear notice and obtained the consent of the Holder to make Transfers, where required by Local Law. Personal Data may be processed outside the country of origin of the Holder. When Personal Data is shared outside of the Holder's country of origin, Stryker will ensure that the processing is adequately protected and in accordance with Local Law. We use model contract clauses as an approved means to comply with the adequacy and security requirements according to the Local Law for Cross-Border Data Transfer. We may also share Personal Data with our subsidiaries and affiliates. In such cases, we enter into agreements that bind us to the same standards of security and protection of Personal Data that we require from the Holder. 

6. We maintain an active program to ensure compliance with these principles: We offer awareness and training programs designed to educate Stryker employees about the meaning and requirements of these principles and applicable laws. Stryker employees are expected to report known violations to their manager, the Human Resources Department, a Compliance Officer or through the Ethics Channel. As far as possible, we will keep these reports confidential. We will also carry out internal assessments of our privacy practices and periodically commission outside experts to review our compliance with these privacy principles and Local Law. 

Obtaining and use of Confidential Personal Data

Stryker may obtain Confidential Personal Data such as name, address, age, telephone, religion, bank data, marital status, among others, provided that: (i) the Holder has given his/her explicit authorization to said Processing, except in cases in which the granting of said authorization is not required by law; (ii) the Processing is necessary to safeguard the vital interest of the Holder, the Holder is physically or legally incapacitated and his/her legal representative grants authorization; (iii) the Processing refers to Sensitive Personal Data that are necessary for the recognition, exercise or defense of a right in a judicial process; (iv) the Processing has a historical, statistical or scientific purpose and measures are adopted leading to the suppression of the identity of the Holders.

In addition to the above, Stryker will inform the Holder: 

(i) that, as it is Sensitive Personal Data, the Holder is not obliged to authorize its Processing;

(ii) which data object of the Processing are considered Sensitive Personal Data and the purpose of the Processing, and obtain the express consent of the Holder; and 

(iii) that Stryker will not condition any activity for the Holder to provide Sensitive Personal Data, unless there is some legal cause to do so. 

The Personal Data and Sensitive Personal Data that are indicated in the previous paragraphs, will be retained in the different Stryker databases, which may be electronic, physical, or in any other means that meets the security standards required by applicable laws. 

All information regarding Personal Data and Sensitive Personal Data will be stored and retained in accordance with national standards and as required by law. 

Rights of children and adolescents

Stryker will not obtain Personal Data from children and adolescents, except those that are public, in accordance with the provisions of the Local Law, or when the Processing complies with the following parameters and requirements:  

(a) that corresponds and respects the best interests of children and adolescents. 

(b) that ensures respect for their fundamental rights. 

Once the above requirements have been fulfilled, the legal representative of the child or adolescent will grant the authorization prior to the exercise of the minor's right to be heard, an opinion that will be valued taking into account the maturity, autonomy and ability to understand the matter. 

Legal principles of Processing

When Stryker processes Personal Data, it will observe the following principles at all times:

Legality: Personal Data shall be processed in accordance with the provisions of this policy and the Local Law. 

Purpose: Stryker shall ensure that it obeys a legitimate purpose for obtaining Personal Data in accordance with Local Law and that the purpose is informed to the Holder. 

Truthfulness or Quality: Any Personal Data shall be truthful, complete, accurate, updated, verifiable and understandable. The Processing of partial, incomplete, fractioned or misleading Personal Data is prohibited. 

Transparency: Guarantee to the Holder the right to obtain from Stryker or the Data Processor, information about the existence or not of Personal Data of the Holder. 

Access and Restricted Circulation: Subject the Processing to the limits derived from the nature of the Personal Data, from the provisions of the Local Law. 

Security: Perform the Processing with the technical, human and administrative measures that are necessary to obtain the security of Personal Data, avoiding its adulteration, loss, consultation, use or improper access. 

Confidentiality: Guarantee the confidentiality of Personal Data, even after the end of the relationship. Personal Data may only be provided or communicated when this corresponds to the development of the activities authorized in the Local Law and under its terms.

Procedure for the processing

Stryker will have a procedure for the Processing of Personal Data which includes: (i) access; (ii) update; (iii) rectification; and (iv) deletion of data, following the guidelines provided by the Local Law.

To carry out any of the points indicated in the previous paragraph, the Holder must contact Stryker, using the contact information included at the end of this policy. 

For access requests, Stryker will have 10 (ten) business days after the date of receipt of the request to respond to it. 

For requests for updating, rectification or deletion, the Holder must submit a letter addressed to Stryker, attaching identification of the Holder, including a description of the facts claimed and contact information. In the event that Stryker needs further information, it will be requested from the Holder within 5 (five) days following the receipt of the Holder’s request. Once Stryker receives the complete request, Stryker will have 15 (fifteen) business days to respond to the request.

Rights of the Holder

The Holder of the Personal Data will have the right to:

(i) know, update and rectify your Personal Data; 

(ii) request a proof of the authorization granted to Stryker, unless provided otherwise; 

(iii) be informed about the processing of your Personal Data;

(iv) make complaints for violations of the law and applicable regulations; 

(v) revoke the authorization and/or request the deletion of Personal Data if the processing of Personal Data does not respect the principles, rights and guarantees provided in the law and applicable regulations. 

(vi) have access, free of charge, to your Personal Data. 

Transfer of Personal Data to third countries

In cases where the development of any of Stryker's functions or activities involves the Transfer of Personal Data to third countries, Stryker shall monitor the Transfer, which shall be governed in accordance with the rules and conditions determined in the Local Law.

Such Transfer shall, at all times, maintain adequate levels of protection of Personal Data, and in the understanding that the third country complies with the standards set by the Local Law or by the corresponding authorities.

Information Security

Stryker shall be responsible for defining and establishing technical, physical and administrative security measures to protect Personal Data in Stryker's possession against damage, loss, alteration, destruction or unauthorized use, access or processing. 

Personal Data Controller

Stryker designates the Personal Data protection area, or the unit that takes its place, as the party responsible for the Processing of Personal Data. This area will receive, process and manage the different requests that Stryker receives and will send them to the respective unit responsible for the Processing. Once those units receive these communications and/or requests, they take on the function of protecting Personal Data and must process the requests of the Holders under the terms, deadlines and conditions established in the Local Law.

Stryker may be contacted through communication addressed to the Personal Data Protection Area of Stryker. Address: Calle 116# 7-15 Of.1001 Bogotá, Colombia or by e-mail: datospersonalescolombia@stryker.com

Availability; sanctions; effect

Availability: This notice and the privacy and protection policy will be available at the following website: www.stryker.com/co/es/legal/privacy.html and a copy will be available at Stryker’s offices at the following address: Calle 116# 7-15 Of.1001 Bogotá, Colombia. 

Updates: Stryker may modify the terms and conditions of this notice and the privacy and Personal Data protection policy, as part of our effort to comply with our obligations under applicable laws and regulations, in order to reflect any changes in our operations or duties. In the cases that this occurs, the new notice and / or new privacy policy and protection of Personal Data will be published on the website: www.stryker.com/co/es/legal/privacy.html

Sanctions: Stryker may conduct investigations related to non-compliance with this policy. Failure by any employee to comply with this policy may be considered a lack of probity and honesty and, therefore, may result in sanctions or disciplinary action, including, without limitation, as a cause for justified dismissal.

Effect: This Privacy and Policy Protection Notice shall become effective as of May 12, 2017 and shall remain in effect indefinitely. 

Historical Document Review

Version | Review Date | Reasons and Description of the Review
1 | May 12, 2017 | New Document.
1.1 | June 01, 2020 | Colombia Office Address Update



Introduction
Stryker recognises that the personal information it receives is held in a position of trust. Stryker seeks to fulfill that trust by adhering to general principles regarding the protection of personal information. This Privacy Statement explains how we collect, use, share and protect information in the course of operating our business.

Scope
This Privacy Statement (“Statement”) applies to the personal information of consumers that is collected or used by Stryker, its affiliates or subsidiaries (collectively, “Stryker”, “we”, “our”, “us”). This Statement applies to all the personal information that Stryker collects when consumers interact with us, such as when visiting our websites, using or purchasing our products or services, contacting customer service and when interacting with us as a business customer, supplier or business partner (collectively, the “Services”). 

This includes, without limitation, all online and offline collections of all types of personal information. However, some Stryker collections involve types of data with special requirements (for example, health information) which require a different privacy notice. Whenever that is the case, Stryker will make it clear that the privacy notice concerned is different from this Statement.

For those who reside in California, please see our Privacy Notice for California Residents for additional information regarding our practices.

Information collection 
Stryker may ask you to provide personal information for purposes including, but not limited to, the following:

  • Buying Stryker products and services;
  • Activating or registering certain products and services or enhancing functionality;
  • Receiving information about Stryker products and services;
  • Participating in Stryker online communities, including our social media channels/pages; 
  • Storing your preferences for future interactions and communications from Stryker; 
  • Helping us to develop products and services and create campaigns that are designed around you, optimise customer services and continuously improve our websites; 
  • Helping us to improve products and services, and allowing Stryker to keep you informed of, or involve you in the testing of, new products and services; 
  • Resolving consumer and/or product and services issues; 
  • Registering visitors of Stryker facilities or Stryker organised events and conferences; 
  • Contract or tender management; and 
  • Receiving personalised messages, special offers and advertisements that are relevant to your personal interests, based on the information you have shared with us and on the information we have collected through cookies or similar techniques regarding your use of the Stryker websites/social media/blogs. 

Stryker maintains physical, technical, and administrative safeguards to protect your personal information and only allows disclosures as permitted by law to assist in providing products or services. We may also collect product and service information and provide these statistics to others in an aggregate form where the information has been de-identified.  

Personal information collected may include:

  • Contact information, such as name, address, email, telephone number, fax number, organisation name, and/or job title;
  • Unique identifiers and preference information such as username, password, marketing preferences, internet protocol (IP) address, browser type, operating system, computer or mobile device, or navigation and clickstream behaviour for online interactions;
  • Resume or CV, including work history, professional qualifications, publications, awards, references, completed trainings, and signature;
  • Food restrictions, passport info for travel bookings or identification purposes, social security number (where required by law), bank account details, (emergency) contact persons, family information (where applicable and in accordance with local law);
  • Creditworthiness, VAT number, product, purchase information history, request documentation;
  • Pictures, video and audio recordings where you have provided your permission;
  • Sensitive personal information, such as health information or reports of an individual end-customer (e.g., concerning product claims and investigations, patient pre- and post-operative outcomes for research & statistical purposes, or criminal records for due diligence procedures in accordance with applicable law).

Stryker will retain and use the personal information collected for above mentioned processes and processing purposes in accordance with legal obligations. 

Legal Bases
The legal basis Stryker uses to process personal information will be dependent on the processing purposes and the jurisdictional legal requirements. Where the personal information collected is that of EU citizens, in general, we use the following bases:

  • Consent to use the personal information, e.g. where this involves (digital) direct marketing activities and where we would like to use a photo, video or audio recording with identifiable individuals for external publishing; 
  • Establishment or performance of a contract, e.g. where we enter into a contract with a party and we collect contact information and signatures, as well as potential bank account details that may be linked to a representative of a company we do business with; 
  • Compliance with a legal obligation, e.g. where we need to disclose consumer details for compliance with (local or industry) laws such as the Physician Payments Sunshine Act or for compliance with the Medical Device Regulation; 
  • Legitimate interest of Stryker, e.g. where Stryker collects contact information and preferences, details for lodging and travel for attendees of Stryker organised events & trainings or third party hosted events & trainings in collaboration with Stryker; 
  • Public interest or for the exercise of public authority in strictly limited cases, e.g. where we would be required to cooperate with the police or other government bodies in case of illegal conduct; 
  • For the establishment, exercise or defence of legal claims, e.g. for court cases; 
  • For scientific or research purposes, e.g. for clinical research studies with sufficient safeguards safeguarding confidentiality; 
  • For preventative and occupational medicine, medical diagnosis pursuant to contract with healthcare professionals; 
  • For public interest in the public health to ensure high standards of quality and safety of healthcare and products; and
  • Where the individual chooses to disclose the personal information publicly by its own initiative. 

If you choose not to provide the personal information we reasonably require, it may hinder Stryker’s ability to provide the information or services you have requested.

Cross-Border Transfers
To the extent personal information is transferred out of the country where the owner of that personal information lives, such as to Stryker affiliates or business partners in other countries, including in the United States, different standards may apply to how your data is used and protected in those countries. Stryker has appropriate safeguards in place in accordance with applicable legal requirements to ensure that data is adequately protected irrespective of the country. This includes obtaining written assurances from any third party given access to your data so as to require them to adopt standards that ensure an equivalent level of protection for data as that adopted by Stryker and standardized corporate safeguards and contractual measures (based on the European Commission Model Clauses) for internal data transfers to Stryker affiliates in third countries which are deemed to provide an inadequate level of data protection.

Privacy Statement for Children
Stryker will not collect personal information from anyone we know to be under the age of 16 without the prior, verifiable consent from his or her legal representative. Such legal representative has the right, upon request, to view the information provided by the child and/or to require that it be deleted. 

Retention of Information
Stryker will retain your personal information for as long as reasonably necessary to comply with legal obligations or for no longer than required for legitimate business purposes.

Disclosure of Information
Stryker may share personal information we have collected with companies or agents doing technological maintenance or working on our behalf to help fulfil business needs, including providing customer services and distributing marketing communications. Stryker may also share personal information with our subsidiaries and affiliates.

Other service providers that may be used to perform certain functions on our behalf and to whom personal information may be disclosed in order to perform their intended function include call-centre support, sending or processing postal or electronic mail or analysing or hosting information on cloud-based servers. 

Stryker does not share your personal information with unaffiliated third parties for their own direct marketing purposes.

Security
The security and confidentiality of your personal information matters to us. For this reason, Stryker has physical, technical and administrative controls in place to protect your personal information from unauthorised access, use and disclosure. Stryker evaluates these safeguards on an ongoing basis to help minimise risks from new security threats as they become known.

Rights
You may request details of personal information which we hold about you. If you believe that any personal information we are holding about you is incorrect or incomplete, please contact us as soon as possible, at the address below. We will promptly correct any personal information found to be incorrect.

You may always choose to object to the collection or use of your personal information or to have your information erased. If you would like a copy of the information held about you for your own use or to transfer to another party, or if you wish to exercise any other right, please contact us at globalprivacy@stryker.com.

Updates to Privacy Statement

This Statement may be amended at any time. If material changes are made in how personal information is collected, used, disclosed or otherwise processed, this Statement will be updated and notices will be provided when/where appropriate. Any material changes to this Statement will be effective at the time of our posting of the notice of the update. Where required to do so by law, Stryker may seek your prior consent to any material changes we make to this Privacy Statement.

The Statement was last updated on 23-04-2018.

Contact
If you have any questions, concerns or comments about this Statement, please contact us. Stryker will use reasonable efforts to respond to you as soon as possible.


Send mail to:
Stryker Corporation
Attn.: Data Privacy Director
2825 Airview Boulevard
Kalamazoo, MI 49002

Send email to:
globalprivacy@stryker.com

EU Data Protection Officer: europe.privacy@stryker.com

If we fail to respond to you within a reasonable period of receiving it in writing, or if you are dissatisfied with the response that you receive from us, you may lodge a complaint with the data protection authorities in your home country.