Data Privacy Policy of Arthrex Ltd.

Protecting our employees' data is very important to us. In this data privacy policy, we, Arthrex Ltd. ("we") provide you with information about how we handle your personal data and what rights you have in connection with your personal data.

By means of this data privacy policy, we aim to satisfy our statutory duties to provide information in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR"). We therefore use important GDPR terminology in this data privacy policy. We will explain these and other terms used repeatedly in this data privacy policy below under Clause 2.

1.1. This data privacy policy describes the processing of data for which we are the controller under GDPR. You can find our contact information below:

Arthrex Ltd
Unit 1, Bessemer Park
Shepcote Lane
Sheffield
S9 1DZ
England
Tel.: + 44 114 23 291-80
Website: www.arthrex.com
Email: info@arthrex.co.uk

1.2. You can contact our data protection department at any time should you have any questions. This department can be reached as follows:

Email: dataprotection@arthrex.de

1.3. The data protection supervisory authority responsible for us is:

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow - Cheshire SK9 5AF
Tel. +44 1625 545 700
email: casework@ico.org.uk
Website: https://ico.org.uk

2. Definitions
In this data privacy policy, we use various terms that we have defined for you below:

Anonymise

is the changing of personal data such that it can no longer be traced to an identified or identifiable natural person, or could only be traced with an excessive amount of time, money and effort.

Processors

are other bodies that process personal data on our behalf.

Special categories of personal data

is data that indicates your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying you, data concerning health or data concerning sex life or sexual orientation.

Data subject

is you, i.e. a natural person to whom the personal data relates.

Direct marketing

is any advertising that we use to approach you directly, for example via post or (where permissible) via telephone, email or fax.

Third party

is anyone who is not a data subject, controller or processor.

GDPR

is Regulation (EU) 2016/679, also known as the General Data Protection Regulation. You can find the full text here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Restriction of processing

is the restriction of processing of stored personal data such that, with the exception of storage, it can only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another person or for reasons of important public interest, and with you being informed before this restriction is lifted.

Consent

is your freely given, specific, informed and unambiguous indication of your wishes, by which you signify agreement to specific processing. To clarify: where consent is required for processing, we will obtain it from you separately. Knowledge of this data privacy policy does not replace consent.

Recipients

are other bodies to which we disclose personal data, regardless of whether they are a third party.

Guarantee

includes standard data protection clauses that have been adopted by the Commission, codes of conduct that have been approved by the supervisory authorities, and in relation to the USA includes the Privacy Shield programme and all other measures that aim to guarantee an appropriate level of data protection.

Personal data

is all information that concerns an identified or identifiable data subject. Identifiable is any person who can be identified directly or indirectly, especially by means of assignment to an identification number or to one or more factors specific to such person.

Profiling

is any form of automated processing to evaluate certain personal aspects relating to you, e.g. to evaluate, analyse or predict aspects such as personal preferences or interests.

Pseudonymisation

is the processing of personal data in such a manner that it can no longer be attributed to you without the use of additional information, with such additional information being kept separately and such a connection being ruled out using technical and organisational measures.

Unsecure third country

is any country outside of the European Economic Area that the Commission has not determined to offer a sufficient level of data protection.

Group of undertakings

includes Arthrex, Inc. and all companies affiliated with it (of which we are one). Information on the companies belonging to the corporate group with which we regularly exchange information and thus have entered into special contractual agreements can be found in the Annex Arthrex Corporate Group.

Controller

is what we are, i.e. the body that decides alone or jointly with others about the purposes and means of processing personal data.

Processing

is any operation performed on personal data such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Processing Operations Within the Context of the Employment Relationship
In this section, we let you know how we handle personal data concerning you, which we collect in connection with the employment relationship (this also includes internships and professional training), and what rights you have in this respect.

3.1. Data Collection, Legal Basis and Processing Purposes (Including the Legitimate Interests We Are Pursuing)
3.1.1. We process the following personal data within the context of the employment relationship:
a) Master data (such as first and last names, name supplements, date of birth, personnel number and, where applicable, work permit/residence permit)
b) Contact data (such as private address, cellphone/telephone number, email address)
c) Salary data (tax identification number, social data, bank account details, social security number, pension insurance number)
d) Performance data (time tracking data, travel and route information for sales reps, overtime, appraisals, qualifications, other skill data)
e) Behavioral data (IT usage data – i.e. log data accrued through use of IT systems, admonitions, warnings and, where applicable, past convictions)
f) Vacations, periods of inability to work
g) Severe disability/equal opportunities, data resulting from a Corporate Integration Management (CIM) process

3.1.2. Your personal data relating to employment (hereafter "personal data") is generally directly collected from you within the context of the employment process or during the employment relationship. We may also receive personal data from other external and internal bodies, e.g. within the context of customer feedback, complaints, appraisals by supervisors, or within the context of exchanging information with official authorities (tax office) or social security bodies. All information pertaining to your person is generally gathered in a physical record and an account relating to you in our personal database (electronic personal records) (these physical and electronic personal records are hereafter referred to as "personal records").

3.1.3. Personal data is used in particular for the following purposes:

Purpose: Financial planning, personnel management and planning, promotions, transfers, skills management, quality assurance
Personal data: Performance data, behavioral data and, where applicable, severe disability and social data (e.g. for decisions on terminations)

Purpose: Salary and payroll accounting
Personal data: Master, contact and salary data and, where applicable, performance data (overtime), vacations and periods of inability to work

Purpose: Management of insurance policies (direct insurance, retirement provision, accident insurance, D&O insurance etc.)
Personal data: Insurance application data (including health data where applicable), information relating to insured events

Purpose: Planning and organization of continuing education and training, deployment planning, management of overtime
Personal data: Master and contact data, performance data

Purpose: Quality control and quality improvement
Personal data: Recording of telephone calls for controlling and improving quality

Purpose: General project and deployment planning
Personal data: Processing master and contact data and, where applicable, vacations in ticket systems and project management tools

Purpose: Sales rep and technology deployment planning
Personal data: Recording and analyzing deployment-related performance data in the Imaging & Resection department

Purpose: Travel management, booking business travel, fleet management
Personal data: Master, contact and salary data, verification of driver's licenses for managing company vehicles, information relating to accidents and traffic violations

Purpose: Administration in IT telecommunication (including mobile devices)
Personal data: Master data, IT usage data, data on company systems, computers and mobile devices

Purpose: Logging of IT use to ensure the security and integrity of systems, abuse control
Personal data: IT usage data

Purpose: Management of home office workstations
Personal data: Master and contact data

Purpose: Compliance checks, internal auditing, anti-terrorism and embargo checks, required security checks
Personal data: Master, contact, salary, performance and behavioral data

Purpose: Operational security
Personal data: Master data, photographs, surveillance camera recordings in the data center, data on key cards etc.

Purpose: Document management, archiving and destruction of documents
Personal data: All types of data

Purpose: External communication (reachability)
Personal data: Recording of contact data in directories etc.

Purpose: External communication (advertising and training documentation, digital asset management)
Personal data: Images or reports on participation in product presentations, trade fairs or congresses, testimonials

Purpose: Internal communication (intranet, corporate news)
Personal data: Images or reports on company events or company-related events, testimonials, birthday list for birthday gifts, welcome screen for new employees

Purpose: Managing deployment of trainees in the various departments in conformity with the framework curriculum
Personal data: Personal data of trainees

Purpose: Occupational safety, pre-employment and suitability checks, medical check-ups
Personal data: Information relating to pre-employment and suitability checks, medical check-ups; we do not receive diagnoses or information gathered by the physician but only the relevant result ("passed", "failed", disqualification from practicing an activity or similar)

Purpose: Internal and external communication (telephone directories, staffing and organizational plans)
Personal data: Occupational contact data

3.1.4. The legal basis for processing your personal data is first and foremost establishing, implementing and terminating the employment relationship (Art. 88 GDPR) as well as fulfilling our legal obligations as the employer (Art. 6 Para. 1 (c) GDPR), particularly within the area of tax and social security law.

3.1.5. If we exchange personal data with other companies in the corporate group, this is either for the purpose of implementing the employment relationship (e.g. if you report to supervisors in other companies of the corporate group within the context of a matrix structure, or if you are seconded to the same) (legal basis: Art. 88 GDPR) or for the purpose of safeguarding our legitimate interests within corporate management, internal communication or other administrative purposes (legal basis: Art. 6 Para. 1 (f) GDPR). You can find more detailed information in section 4 of this data privacy policy.

3.1.6. Should special categories of personal data be processed, this serves to exercise rights or to satisfy legal obligations arising from employment law, social security law and social protection (e.g. recording religious affiliation for tax purposes, notifying a health insurer of health data, recording of a severe disability for the purposes of additional vacation and determining disability contributions). This takes place on the basis of Art. 9 Para. 2 (b) GDPR. The processing of health data may also be necessary to appraise your ability to work (legal basis: Art. 9 Para. 2 (h) GDPR).

3.1.7. When establishing and during the employment relationship, we also store and process data concerning our employees in order to carry out screening and comparisons for transparency purposes in order to prevent corruption, money laundering, financing of terrorism, for export inspections and to carry out other compliance checks required by law or provided for in our corporate guideline. This is done to fulfill legal requirements (legal basis: Art. 6 Para. 1 (c) GDPR) as well as, where our corporate guidelines go beyond statutory requirements, to safeguard our legitimate interest to avoid contractual relationships that do not meet our ethical standards (legal basis: Art. 6 Para. 1 (f) GDPR).

3.1.8. Security-related areas in our company and business premises (currently: the data center) are monitored by video surveillance. Cameras are installed openly and with visible notices. Some cameras are linked to surveillance monitors which record footage, while some do not record footage. Recordings may be assessed by corporate security employees on a spot check basis or in the case of a specific suspected incident. Recordings are deleted after 72 hours if they are not related to a specific suspected incident. The performance, recording and assessment of video surveillance takes place to safeguard our legitimate interest to exercise our domiciliary rights, to prevent or follow up on misconduct and to document processes to assert, exercise or defend legal claims (legal basis: Art. 6 Para. 1 (f) GDPR). Video recordings are not used for any other purpose.

3.1.9. If there is not already a statutory legal basis, we may ask for your separate consent and process personal data on this basis (legal basis: Art. 6 Para. 1 (a) GDPR). If, for example, you use the company Internet access for private purposes within the context of the applicable guidelines, you consent to the logging, checks and accesses described in these guidelines and to the types of use described therein for data gathered in this way. You can revoke this consent at any time, but you will then no longer be entitled to use the company Internet access privately.

3.1.10. Our IT department offers remote support for mobile devices through use of the "Bomgar" tool. The tool allows employees of our IT department to log into mobile end devices and view the applications launched by the user as well as certain system files for the purposes of troubleshooting. Access only takes place with the knowledge of the user. The user must approve said access by entering a PIN they receive from the IT staff member wishing to establish access. The IT employee will initially only see a chat window. A screen transfer must in turn be explicitly launched by the user and cannot be initiated by the employee wishing to establish access. Access is only performed for technical troubleshooting and only with the approval of the respective user (the legal basis is user consent, Art. 6 Para. 1 (a) of the General Data Protection Regulation). All access attempts are visible to the user. Logging or otherwise storing the information accessed does not generally take place. We refer to our general data privacy policy in all other instances.

3.2. Recipients and Categories of Recipients

3.2.1. Within our company, only persons and bodies who require your personal data to fulfill their tasks will receive said data (e.g. HR department, supervisors, specialist department).

3.2.2. Your data will also be transmitted to other companies within our corporate group. You can find more detailed information in section 4 of this data privacy policy.

3.2.3. Outside of the company and the corporate group, we only pass on personal data insofar as this is necessary to implement the employment relationship (e.g. disclosure of contact data to customers, or salary data to your bank as part of payment processing), or to satisfy contractual and statutory obligations as the employer (e.g. disclosure to health insurers, pension providers, professional care facilities, social security bodies, financial authorities, courts etc.).

3.2.4. We also make use of various service providers who may gain access to your personal data as part of task fulfillment and to meet our contractual and statutory obligations (e.g. fleet management for company vehicles).

A list of the most important service providers to which we pass on personal data and the purposes for which this takes place can be found in the Service Providers Annex. Please be aware that this annex only contains external service providers. Information on the services rendered by other companies of the corporate group can be found in section 4 of this data privacy policy.

3.3. Transmissions to Unsecure Third Countries and Guarantees Regarding Such Transmissions

Other companies in the corporate group which receive your personal data may also be located in a third country. You can find more detailed information on this in section 4 of this data privacy policy.

3.4. Storage Duration and Erasure

3.4.1. We retain your personal records for the duration of the employment relationship as a matter of principle. After this time, they are generally held for up to 11 years. This retention period is calculated on the basis of the knowledge-independent statutory period of limitation, plus an additional safety margin, and serves our legitimate interest in asserting, exercising or defending legal claims in cases of dispute (legal basis: Art. 6 Para. 1 (f) GDPR).

3.4.2. Shorter retention periods apply to individual personal data. For example, IP logs are regularly deleted after just 200 days.

3.4.3. Your personal data is also stored in many other contexts as part of the employment relationship (e.g. as a contact person in our customer database, as a participant in logs, or as an author or signatory in document management). These databases, files or documents are then subject to deviating retention and erasure periods (see section 6).

3.4.4. We will – as a general principle – erase all personal data once it is no longer required for the above-mentioned purposes.

4. Exchanging of Data Within the Corporate Group

In this section, we let you know how we exchange personal data concerning you with other companies within our corporate group, and what rights you have in this respect.

4.1. Data Collection, Legal Basis and Processing Purposes (Including the Legitimate Interests We Are Pursuing)
We also disclose personal data to other companies in our corporate group within the context of intra-company collaboration.

We are currently negotiating an agreement on group-internal data exchange with the companies in our corporate group with which we regularly exchange personal data, in order to exercise our joint responsibility pursuant to Art. 26 GDPR and to ensure appropriate data protection ("data protection agreement").

The contractual parties of the data protection agreement can be found in the Arthrex Corporate Group Annex. These will hereafter be referred to as "Arthrex Subsidiary/Subsidiaries".

The essential content of the data protection agreement is

a) that any exchanging of personal data is subject to the conditions of the data protection agreement for which there are varying regulations for ensuring data protection depending on whether the receiving Arthrex subsidiary receives the data as a contractor from the disclosing Arthrex subsidiary, or whether this is under its own responsibility or joint responsibility,

b) that guarantees are agreed for data transmissions into an unsecure third country, and

c) that we, in the case of joint responsibility for your data, have the ultimate internal decision-making authority concerning the means and purposes of the data processing operation notwithstanding joint liability and obligation, and that we have taken it upon ourselves to fulfill all statutory transparency obligations with respect to you.

We can provide more detailed information on the data protection agreement upon request.

Data exchanging within the context of the data protection agreement primarily takes place in the following cases:
a) to implement the employment relationship (for example, if you report to supervisors in other companies of the corporate group within the context of a matrix structure, or if you are seconded to the same),

b) within the context of group management, internal communication and other administrative purposes,

c) within the context of joint database use, or

d) if an Arthrex subsidiary assumes responsibility for central service or administration-related tasks within the context of the corporate group (e.g. supplying IT, pay slips, disposal of records).

This encompasses the following:

4.1.1. Personal data is disclosed to group supervisors in other Arthrex subsidiaries to implement the employment relationship, as well as to assistants for the purpose of creating analyses or reports for group supervisors, or to provide them with administrative support. Group supervisors in this respect are not only supervisors to whom you report directly, but also those who may be responsible for departments, divisions or functions in which you are active. The information transmitted is intended to enable group supervisors to realize their management and planning responsibility within the context of the matrix structure, as well as to appraise your performance or the performance of your department or division, and compare it with other employees, departments or parts of the group. The data is thus also disclosed for these purposes to other employees in the group holding responsibility for other departments, divisions or functions for the purposes of comparing performance.

4.1.2. Within the context of group management, personal data is primarily transmitted to Arthrex, Inc. where it is used at a group level, e.g. for financial and personnel planning.

4.1.3. Joint databases are operated centrally by one Arthrex subsidiary for access by several Arthrex subsidiaries for the purposes stated in the annex concerning internal group data exchanging. However, this access is restricted through different permission levels in such a way that data can only be accessed by an Arthrex subsidiary, and by employees within that Arthrex subsidiary, insofar as it is necessary for those business purposes.

4.1.4. Personal data may ultimately be disclosed to other Arthrex subsidiaries insofar as these perform internal group services. This particularly relates to the central administration of IT structures by Arthrex, Inc.

Details on the instances in which data can be exchanged and the underlying purposes can be found in the Internal Group Data Exchanging Annex.

The aforementioned exchanging of data serves to protect our legitimate interest in facilitating the central coordination of sales, business and administration-related activities, corporate planning and IT administration, and to manage our deliveries and services in as close a proximity to our customers as possible, including the way in which we offer said deliveries and services (legal basis: Art. 6 Para. 1 (f) GDPR). We assume that your interests are not in conflict with this as we have concluded the data protection agreement to ensure standardized data protection across the group.

4.2. Recipients and Categories of Recipients, Transmission to Unsecure Third Countries
The aforementioned exchanging of data encompasses Arthrex subsidiaries based in the European Economic Area as well as in unsecure third countries. To ensure standardized data protection across the group and an appropriate level of data protection, the data protection agreement explicitly refers to the standard data protection clauses enacted by the Commission for this purpose with respect to data transmissions into an unsecure third country.
In addition to the preceding forms of data transmission, transmissions may take place to companies of the corporate group which are not party to the data protection agreement, e.g. if you work with employees of these companies in a team or on joint projects.

5. General Information About Recipients, Categories of Recipients and Transfers

5.1. We work with external consultants such as management consultants, lawyers or tax advisers. These parties may have access to your data. We have entered into agreements with such service providers or consultants (and will do so for future engagements) which ensure confidential data handling where there is no statutory confidentiality obligation.

5.2. We may share your personal data with relevant law enforcement, regulatory or other authorities, facilities or bodies if we are legally obliged to do so (legal basis: Art. 6 Para. 1 (c) GDPR), or if we have a legitimate interest in protecting ourselves from mandatory measures of such authorities, facilities or bodies in line with legal responsibilities by sending such information (legal basis: Art. 6 Para. 1 (f) GDPR). Such transfers that are forbidden or required by law are not covered by this data privacy policy.

6. General Information About Storage Duration and Anonymisation

6.1. We have an erasure concept in place that aims to ensure that personal data is only stored for as long as required to satisfy the purpose of storage.

6.2. Our erasure concept takes into account the fact that personal data needs to still be kept after the purpose of storage no longer applies for a short period in order to avoid unintentional erasure, to facilitate the assertion, exercise or defence of legal claims and in order to sensibly design the management of storage and erasure periods. Please note that this does not violate your interests, because the subsequent storage period is appropriate in light of your legitimate interests.

6.3. Insofar as detailed information about erasure deadlines has not already been provided, the following general erasure deadlines apply in accordance with our erasure concept. If there is no information about multiple storage periods, the longest period shall apply:

6.3.1. With regard to the statutory storage period for business correspondence and tax documents, we store correspondence for seven years and accounting records and invoices for 11 years.

6.3.2. We store contractual data and documents for 11 years after the end of the contractual relationship due to the statute of limitations of claims and statutory storage obligations for accounting records.

6.3.3. We retain all product safety documents and product data, including information about safety-relevant incidents and accidents or customer complaints, for 31 years after the end of product distribution, in order to satisfy our statutory product monitoring duty and to assert, exercise or defend legal claims within the statute of limitations.

6.4. Where we discuss "erasure" in this data privacy policy, we reserve the right to anonymise the data record concerned so that it can no longer be traced back to you, instead of deleting it.

6.5. We and our contract processors shall continue to process and use anonymized data indefinitely. The processing and use of anonymized data is not subject to GDPR and is not covered by this data privacy policy.

7. Your Rights
As a data subject, you have certain rights in relation to your personal data, which we explain below:

7.1. Right of access (Art. 15 GDPR) – You have the right under legal regulations to receive free-of-charge confirmation from us at any time as to whether or not personal data concerning you is being processed, to request a copy of this data and comprehensive information about this personal data, which extends in particular but not exclusively to the purposes of processing, the categories of personal data being processed, the recipients, the storage duration and the origin of the data.

7.2. Right of rectification (Art. 16 GDPR) – You have the right under legal regulations to demand the correction of inaccurate personal data concerning you and the completion of incomplete personal data concerning you without undue delay in line with statutory requirements.

7.3. Right to be forgotten (Art. 17 GDPR) - You have the right under legal regulations to request from us the immediate erasure of personal data concerning you without undue delay, including where such storage is no longer necessary or is unlawful, where you have revoked your consent upon which the storage was based, have objected to the storage in accordance with Clause 7.6 et seq., where we are otherwise obliged to erase data for another reason or have obtained the data from an online service. Insofar as we have published data, in this case, in addition to erasure, we must also inform other controllers that you have requested the erasure of this data and all references to it, provided that this is reasonable in light of the technology available and the costs of implementation. The above obligation does not apply in certain exceptional cases, such as storage for the purpose of the assertion, exercise or defense of legal claims.

7.4. Right to restriction of processing (Art. 18 GDPR) – You have the right under legal regulations to obtain from us restriction of processing of personal data concerning you, such as if you contest its accuracy, storage is no longer required or is unlawful yet you do not require erasure, or if you have objected to processing (Clause 7.6 et seqq.), insofar as it has not been ascertained that our legitimate interests outweigh yours.

7.5. Right to data portability (Art. 20 GDPR) – If the automated processing of personal data takes place solely on the basis of your consent or to fulfill a contract with you or to carry out pre-contractual measures, you have the right under legal regulations to request that we, or where technically feasible, a third party specified by you, provide personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit this data to a third party.

7.6. Right to object (Art. 21(1) GDPR) – You have the right under legal regulations to request that we no longer process personal data concerning you which we process to carry out a task that is in the public interest or in order to safeguard our legitimate interests or those of a third party, if you object to such processing for reasons pertaining to your specific situation, provided that there are no compelling legitimate grounds for the processing which override your interests and that the processing does not serve the purpose of asserting, exercising or defending legal claims.

7.7. Right to object to direct marketing (Art. 21(2) GDPR) – You can object at any time to the further processing of personal data concerning you for the purpose of direct marketing, with this resulting in us no longer processing it for this purpose; this also includes profiling to the extent that it is related to such direct marketing.

7.8. Automated decisions (Art. 22 GDPR) – We will not make any decisions without your consent that have a legal effect on you or considerably impact you in a similar way, and which are based exclusively on automated processing (including profiling).

7.9. Guarantees – Insofar as we indicate in this data privacy policy that guarantees have been arranged with regard to an appropriate level of protection, you can request copies of applicable documents from our data protection officer. Insofar as there is a guarantee in the form of participation in the Privacy Shield program, you can find information and documents on this subject here: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE.

7.10. Consent - Insofar as you have granted consent to processing, this takes place voluntarily if you do not inform us otherwise and the rejection of consent is not sanctioned. You are entitled to withdraw consent granted previously at any time. The legality of the data processing performed upon the basis of your consent until revocation will not be affected in the event of revocation. Processing on any other legal basis other than your consent is not affected by such revocation. In this respect, you can additionally exercise the above legal rights (such as the right to object under Clause 7.6 et seq.).

7.11. Right to lodge a complaint – You have the right to lodge a complaint with a supervisory authority. This authority may be the supervisory authority responsible for your place of residence or the supervisory authority generally responsible for us (Clause 1.3).

7.12. To exercise your rights, in particular to revoke any consent you have granted, you can contact us in any way, in particular via our data protection officer. To exercise your rights, it may be necessary for you to identify yourself to us as a data subject.

8. Security
To protect the personal data in our possession that concerns you from unauthorised access or misuse, we have implemented extensive technical and organisational measures corresponding to state-of-the-art technology.

9. Changes to This Data Privacy Policy
In the event of future changes to this data privacy policy, you can access old versions and information on the time periods in which they were valid here.

Arthrex Ltd.
February 2019

Corporate Group Annex

The following companies of the Arthrex corporate group are presently parties to the data protection agreement presented in this data privacy policy:

NAME

ADDRESS

Arthrex, Inc

Arthrex, Inc. is a participant in the Privacy Shield Program.

1370 Creekside Blvd.

Naples, FL 34108

USA

Arthrex GmbH

Erwin-Hielscher-Str. 9
81249 Munich
Germany

Arthrex Italia SRL

Piazzale Biancamano 8

20121 Milano

Italy

Arthrex S.A.S.

Synergie Park 5,
Avenue Pierre et Marie Curie
59260 Lezennes
France

Arthrex Ltd

Unit 5, 3 Smithy Wood Drive
Smithy Wood Business Park
S35 1QN Sheffield
United Kingdom

Arthrex BvbA

Technologiepark Satenrozen 1A
2550 Kontich
Belgium

Arthrex Austria GesmbH

IZ NÖ Süd
Straße 7, Objekt 58C/10
2355 Wiener Neudorf
Austria

Arthrex Sverige AB

Hammarby Kaj 16
120 30 Stockholm
Sweden

Arthrex Swiss AG

Hühnerhubelstraße 60
3123 Belp
Switzerland

Arthrex Nederland B.V.

Ekkersrijt 4305
5692 DJ Son en Breugel
The Netherlands

Arthrex Danmark A/S

Islands Brygge 43
2300 København S
Denmark

Arthrex Poland Sp z o.o.

Al. Jerozolimskie 136
02-305 Warszawa
Poland

Arthrex España & Portugal S.L.U.

Calle Vía de los Poblados 1, Edf. D Bajo
28033 Madrid
Spain

Arthrex Adria d.o.o.

Ulica grada Vukovara 269G
10000 Zagreb
Croatia

Arthrex Norway AS

O.H. Bangs vei 70
1363 Høvik
Norway

Arthrex sro

Ve Žlíbku 2402 / 77a
193 00 Praha 9 - Horní Počernice
Czech Republic

Arthrex Shared Service Center EMEA

Ulica grada Vukovara 269 G
10 000 Zagreb
Croatia

Service Providers Annex

We currently work with the following service providers in particular, which have access to your data:

NAME AND CATEGORY

ACTIVITY/DATA

Concur, Inc.
(Processor)

Travel cost management, booking travel
Master data, information on travel

Iron Mountain Deutschland GmbH
(Processor)

Securing of data
All types of employee data

WebEx Communications Deutschland GmbH
(Processor)

Web conferences
Data from participants and data exchanged within the context of a web conference.

Atlassian

Communication within the group
Data utilized for use of the communication tool

Tata Consultancy Services

IT services support
All types of employee data

Infosys

Support for the IT department
All types of employee data

DERPART

Travel services
Master data, information on travel

Dimension Data

Support for the IT department
All types of employee data

Mercer

Provision for semi-retirement according to the German Commercial Code (HGB) and tax law.
Employee master data

We have entered into contract processing agreements with the processors, which ensure that personal data is processed only on our behalf and in line with our instructions. With the other service providers, we have entered into agreements which ensure confidential handling of the data where no statutory confidentiality obligation already applies.


Internal Group Data Exchanging Annex

Subject

Responsibility

Data Subjects and Purposes

IT support
(Databases)

Arthrex, Inc. assumes central responsibility for the IT administration of some databases within the group
Arthrex, Inc. acts as our contractor in line with our instructions with respect to our data.

This generally affects all data stored by us.

IT support
(General)

Arthrex, Inc. partially assumes central responsibility for the IT support and IT administration for all IT systems within the group
Arthrex, Inc. acts as our contractor in line with our instructions with respect to our data.

This generally affects all data stored by us.

Reporting

Employees of Arthrex, Inc. prepare assessments and reports for our management and also have access to personnel data for this purpose.
Arthrex, Inc. acts as our contractor in line with our instructions with respect to our data.

This may affect all types of personal data. Access, however, is for a specific purpose and is limited to that which is necessary for task fulfillment.

Webpage

Arthrex, Inc. hosts our webpage(s) and has access to the personal data stored thereon within this function.
Arthrex, Inc. acts as our contractor in line with our instructions with respect to our data.

This affects all personal data published on webpages.

Internal audits

Employees of Arthrex, Inc. and, where applicable, other Arthrex subsidiaries perform group-internal finance and compliance audits.
The information is processed under the joint responsibility of Arthrex, Inc. and the Arthrex subsidiary being audited.
Software and services of ACL Services Ltd. are used for the audits. A contract processing agreement is in place with said company.

During audits, auditors may have access to all types of personal data, particularly salary data. Access, however, is for a specific purpose and is limited to that which is necessary for task fulfillment.

Compliance and helpline

The corporate group also operates a system for the (voluntary) reporting of compliance breaches (helpline).
The system is operated by an external service provider, NAVEX Global Inc., which also assumes responsibility for technical processing (e.g. translation). The reports are then further processed by employees of Arthrex, Inc. and, where applicable, other Arthrex subsidiaries.
The information is processed under the joint responsibility of Arthrex, Inc. and the employer of or the data subject(s). A contract processing agreement is in place with the service provider NAVEX Global Inc.

Personal data concerning the reporter and the employee to which the report relates is processed within the context of compliance breach reports.
If a breach is substantiated, information may be passed on to the competent authorities.

Internal group reporting paths
(General)

Reporting paths within the Arthrex corporate group are partly arranged in a cross-company fashion to enable employees of one company to report to supervisors in other companies of the corporate group (the "matrix structure").
The information is processed under the joint responsibility of the employer of the group supervisor, and the employer of or employee to whom the information relates.

Where there are direct reporting paths to another group company (but not only in such cases), employees of said group company may be responsible for the departments, divisions or functions in which our employees are active (group supervisors).
The information transmitted may generally encompass all types of personal data and is intended to allow the group supervisor to exercise their management and planning responsibility within the context of the matrix structure.

Internal group reporting paths
(Performance data)

Performance data, in particular, is directly passed on within the context of the matrix structure (see above), or within the context of reports or assessments.
The information is processed under the joint responsibility of the employer of the group supervisor, and the employer of or employee to whom the information relates.

The performance data particularly serves to assess the performance of individuals or the performance of a department or division, and to compare this with the performance of other employees, departments or parts of the group.
For these purposes, the performance data is also made available to (a) assistants for the creation of analyses or reports for group supervisors, or for their administrative support, and (b) other employees in the group with responsibility for other departments, divisions or functions within the context of performance comparison.

Skills management and quality control

Employees of Arthrex, Inc. assume responsibility for the central tasks of training and quality management within the corporate group and receive access to personnel data within this context.
The information is processed under the joint responsibility of Arthrex, Inc. and the employer of or employee to whom the information relates.

This particularly relates to personal data with respect to qualifications attained and training courses completed. The exchanging of data is particularly used to organize training courses and monitor their execution.

Personnel planning and financial planning

Employees of Arthrex, Inc. assume responsibility for the central tasks of personnel planning and financial planning, and receive access to personal data within this context.
The information is processed under the joint responsibility of Arthrex, Inc. and the employer of or employee to whom the information relates.

This particularly relates to personal data with respect to remuneration, direct insurance policies, pension entitlements etc.

Exchanging of personnel

Employees of Arthrex, Inc. assume responsibility for the central tasks of exchanging personnel within the group and receive access to personal data within this context.
The information is processed under the joint responsibility of Arthrex, Inc. and the employer of or employee to whom the information relates.

This particularly relates to master data, salary data, appraisals, qualifications and other skill data.
This exchanging of data particularly serves to identify possibilities for exchanging personnel and organizing such an exchange (e.g. secondment).

Project management

Personal data may be exchanged between two or more Arthrex subsidiaries within the context of collaboration in joint teams or in the case of joint projects.
The information is processed under the joint responsibility of the receiving Arthrex subsidiary and the employer of or employee to whom the information relates.

This relates to personal data of employees in cross-company teams or projects.

Cornerstone

Arthrex, Inc. operates the central Cornerstone training management system through its service provider Cornerstone OnDemand, Inc. for all Arthrex subsidiaries.
Arthrex, Inc. acts as our contractor in line with our instructions with respect to our data, and has in turn concluded a contract processing agreement with Cornerstone OnDemand, Inc.

Personal data, skills data in particular, is transmitted to the platform or generated and processed by the same within the context of planning training courses or participation in training courses.