Data Privacy Policy - Ottobock India

Effective from: 1st Jan 2021


1. PURPOSE

1.1. This Data Privacy Policy (“Policy”) is developed and put forth by Otto Bock Health Care India Limited (“Company”) to maintain the privacy and protect the Personal or Sensitive Data of Patients, Employees, or any other Third Party of the Company and to ensure compliance with Data Protection laws and regulations applicable to the Company.

1.2. Compliance with privacy regulation and the protection of Personal and Sensitive Data of Patients, Employees and other Third Parties is of utmost priority for the Company, especially as a globally operating company. In many circumstances, the Ottobock Group is seen as a single corporate entity by its customers, patients and the general public. It is therefore in the common interest of the Company to contribute significantly to the corporate success by implementing this Policy and to underline the Company’s claim on “Quality for Life” for high-quality and technologically outstanding products and services in the field of medical technology.

1.3. By means of this Policy, the Company establishes a standardized level of data privacy in India and, according to its Global Data Privacy Policy, worldwide.

2. SCOPE

2.1. This Policy applies to all Patients, Employees and other Third Parties who may receive personal information, have access to personal information collected or processed, or who provide information to the Company, regardless of the geographic location.

2.2. All employees of the Company are expected to abide by the regulations of this Policy when they are processing Personal and Sensitive Data, or are involved in the process of maintaining or disposing of Personal and Sensitive Data.

2.3. All Third Parties working with or for the Company, and who have or may have access to Personal and Sensitive Data, will be expected to have read, understood and to comply with this Policy.

3. DEFINITIONS

3.1. “Employee” means a current or former employee of the Company and, for the purpose of this Policy, also trainees and interns.

3.2. “Patient” means any person receiving services from the Company.

3.3. “Personal Data” means any information that relates to an Individual, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. This shall include information such as Name, Address, Date of Birth etc.

3.4. “Processing” shall mean any operation or set of operations which is performed on Personal and Sensitive Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.5. “Sensitive Personal Data” means data such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation and critical data.

Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as Sensitive or Personal Data for the purpose of this Policy.

3.6. “Third Party” shall mean an individual or a legal entity, public authority, agency or body who, under the direct authority of the Company, is authorised to process Personal or Sensitive Data.

4. COLLECTION OF PERSONAL AND SENSITIVE DATA

4.1. Throughout the course of the relationship with its Patients, Employees and Third Parties, the Company needs to process Personal and Sensitive Data.

  • a. The type of information that may be required from its Patients includes but is not limited to the following:
    • Basic Information such as name, contact details, address, gender, date of birth, marital status, children, parents’ details, PAN Card, Aadhaar Card, insurance details, citizenship, visa, work permit details;
    • Information about the Patient’s medical condition and his/her health and sickness records, which includes information related to physical measurements, amputation and all other physical and medical conditions.

  • b. The type of information that may be required from its Employees includes but is not limited to the following:

    • Basic Information such as name, contact details, address, gender, date of birth, marital status, children, parents’ details, PAN Card, Aadhaar Card, insurance details, citizenship, visa, work permit details;
    • Information about the Employee’s medical condition and his/her health and sickness records;
    • Recruitment, engagement or training records including CVs, applications, references, qualifications, education records, test results;
    • The terms and conditions of employment contracts with previous employers;
    • Performance reviews and disciplinary records with the previous employer;
    • Information relating to the Employee’s membership with professional associations or trade unions;
    • Leave records (including annual leave, sick leave, casual leave and maternity leave);
    • Financial Information relating to compensation, bonus, pension and benefits, salary, travel expenses, tax rates, bank account and provident fund account details.

  • c. The type of information that may be required from its Third Parties includes but is not limited to the following:

    • Basic Information such as name, contact details, registered address, date of incorporation, PAN Card, Aadhaar Card, GST Number, insurance details.

5. PURPOSES OF PROCESSING OF PERSONAL AND SENSITIVE DATA

5.1. This Policy shall apply to all types of Personal or Sensitive Data processed within the Company, regardless of where the data is collected. Personal and Sensitive Data shall be processed within the Company for the following purposes in particular:

  • a. To manage and enable health protection and therapy as well as clinical science and research;
  • b. Compliance with legal requirements such as health and safety rules and other legal obligations;
  • c. To manage employee data such as payroll administration, medical or other insurance, payment of salary or invoices, taxation requirements under payment of salaries/ invoices, performance assessment and training;
  • d. To initiate, implement and process business and customer agreements, and to carry out advertising and market-research activities aimed at informing customers and interested Third Parties about products and services offered by the Company;
  • e. To initiate and implement agreements with the Company’s service providers as part of the provision of services for the Company;
  • f. To enable appropriate handling with Third Parties, in particular investors, partners or visitors, and to comply with a binding legal obligation.

5.2. Personal and Sensitive Data shall be processed in line with the current and future business purposes of the Company, which include the provision of products and services in the field of medical technology and digital services for patients and business customers, including physical and locomotor technical services, not limited to orthopaedics alone and including technical and orthopaedic advisory services.

6. TRANSPARENCY OF PROCESSING OF PERSONAL AND SENSITIVE DATA

6.1. Patients and Employees shall be informed about how their personal data is processed, in line with applicable laws and regulations. For this, the Company shall provide information on the identity of the Company and the respective contact details, the purposes and legal basis of processing activities, the data deletion periods, the recipient Third Parties and the scope and purposes of any data transfer (if applicable), and the rights in relation to the processing of data. This information shall be given in a clear and easily understandable manner.

7. CONDITIONS OF ADMISSIBILITY FOR THE PROCESSING OF PERSONAL AND SENSITIVE DATA

7.1. Personal and Sensitive Data shall only be processed if the conditions of admissibility have been satisfied in accordance with the following conditions:

  • a. It is legally permissible to process the Personal and Sensitive Data in the way intended.
  • b. The Patient or Employee has consented to the processing of data.
  • c. It is necessary to process the data in this way in order for the Company to fulfil its obligations under an agreement with the Patient, Employee or Third Party, including its contractual duties to inform and/or secondary duties, or in order for the Company to implement pre- or post-contractual measures for initiating or processing an agreement that has been requested.
  • d. The data must be processed to fulfil a legal obligation of the Company.
  • e. It is necessary to process the data to complete a task that is in the interest of the general public or that forms part of the exercise of public authority.
  • f. It is necessary to process the data in order to realize the legitimate interest of the Company.

8. LIMITED ACCESS TO PERSONAL AND SENSITIVE DATA

8.1. Only those Employees who “need-to-know” or require access to function in their role should have access to Personal and Sensitive Data.

8.2. The Company will not disclose Personal and Sensitive Data to any person outside the Company except for the agreed purposes or with the consent of the respective Patient or Employee, or with a legitimate interest or legal reason for doing so.

8.3. Every Employee of the Company, who deals with or comes into contact with Personal or Sensitive Data, shall have the responsibility to comply with the applicable law concerning data privacy and with the rules and regulations set out in this Policy and/or the Global Data Privacy Policy of the Group.

8.4. The Employee shall be diligent and extend caution while dealing with Personal and Sensitive Data of others, in the course of performance of his/her duties.

8.5. Every Employee shall, immediately on becoming aware, report and notify any vulnerabilities and privacy-related breaches or security breaches, including potential risks.

9. DISCLOSURE AND TRANSFER OF PERSONAL AND SENSITIVE DATA

9.1. The Company may, from time to time, disclose and/or transfer Personal and Sensitive Data to Third Parties. However, such data transfer is only justified on the basis that there is a “need-to-know” and it is reasonable and legitimate to allow the Company to operate effectively and competitively.

9.2. Personal and Sensitive Data is only transferred to another country in case of a transfer to another Group country for extraordinary reasons, and in particular only in so far as a reasonable level of data protection is assured in the recipient country.

9.3. When using external data processors or transferring Personal and Sensitive Data to Third Parties, the Company shall enter into agreements with appropriate contractual clauses for the protection of Personal and Sensitive Data and confidentiality, including requirements to process the data only in accordance with instructions given by the Company. Further, Third Parties shall be obliged to take appropriate technical and organisational measures to ensure that there is no unauthorised or unlawful processing or accidental loss, destruction or damage of the data.

10. DATA ACCURACY

10.1. Personal and Sensitive Data shall be correct and, where necessary, kept up-to-date (“data accuracy”).

10.2. In light of the purpose for which the data is being processed, appropriate measures shall be taken to ensure that any incorrect or incomplete information is erased, blocked or, if necessary, corrected.

11. RETENTION AND DELETION OF PERSONAL AND SENSITIVE DATA

11.1. All Personal and Sensitive Data of Patients or Employees may be retained for periods as prescribed under law or as per the Company’s policy. The Personal and Sensitive Data may be retained for a longer period if there is a subsisting reason that obliges the Company to do so, or the Personal and Sensitive Data is necessary for the Company to fulfil contractual or legal obligations.

11.2. Once the Company no longer requires the Personal and Sensitive Data, it is destroyed appropriately and securely or anonymized in accordance with the law.

12. SECURITY MEASURES

12.1. The Company shall take appropriate technical and organizational measures, such as IT systems and platforms, to process Personal and Sensitive Data safely and securely. These measures shall be evaluated regularly regarding their effectiveness.

12.2. Such measures shall include:

  • a. Confidentiality measures (admittance control, denial-of-use control, data access control, separation control, encryption control);
  • b. Integrity measures (data input control, data transmission control, contractor control);
  • c. Availability measures (backup procedures and business continuity management); and
  • d. Measures for continuous monitoring, assessment and evaluation.

13. GENERAL TERMS AND CONDITIONS

13.1. The Company shall define and document internal procedures in case of any privacy-related incidents and breaches. Any complaints related to data privacy shall be reviewed regularly to ensure that all complaints are resolved in a timely manner and that resolutions are documented and communicated to the respective individuals.

13.2. Patients or Third Parties with inquiries or complaints about the processing of their Personal and Sensitive Data shall bring the matter to the attention of the Company in writing.

13.3. Employees with inquiries or complaints about the processing of their Personal and Sensitive Data shall discuss the matter with their immediate supervisor or shall bring the matter to the attention of the Company in writing.

13.4. This Policy shall be examined and reviewed by the Company at regular intervals, but at least once a year, to verify its compliance with applicable legislation, and the Company shall make any necessary adjustments.

13.5. Any significant amendments to this Policy that become necessary, e.g. as a result of adjustments made to bring it in line with legal requirements, shall be agreed upon by the Board of Directors.