European Union – United States Data Privacy Safe Harbor Policy

Exactech, Inc. European Union – United States Data Privacy Safe Harbor Policy

Exactech, Inc.

European Union – United States Data Privacy Safe Harbor Policy

A.  DATA PROTECTION AT EXACTECH, INC. (“Exactech”)

Exactech respects individual privacy and values the confidence of its customers, employees, clinical trial participants, business partners, investors, and others, and is committed to protecting confidential data maintained by the company in relation to any of these groups. Not only does Exactech strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, but it also is committed to upholding the highest ethical standards in its business practices. For these reasons, Exactech has developed a comprehensive, global privacy program designed to respect and protect the data privacy rights of every person with whom we transact business.

Exactech intends that its corporate privacy policy and standard practices and procedures will ensure timely compliance with applicable local and international laws and regulations.

This Safe Harbor Privacy Policy (the “Policy”) sets forth the privacy principles that Exactech follows with respect to transfers of personal information from the member states of the European Union (“EU”) to the United States (“U.S.”)

Please note that additional information concerning the EU Safe Harbor principles may be found on the U.S. Department of Commerce’s website at: www.export.gov/safeharbor

B.  SCOPE OF POLICY

This Policy applies to all personal information received by Exactech in the U.S. from a member state of the EU in any format including but not limited to, electronic, written or verbal communications. This policy sets certain minimum standards within Exactech which may be subjected to more stringent privacy safeguards as a result of the requirements of other national or international regulatory agencies.

C.  DEFINITIONS

For purposes of this Policy, the following definitions shall apply:

1.  “Agent” means any third party that uses personal information provided by Exactech to perform tasks on behalf of and at the direction of Exactech.

2. “Exactech” means Exactech, Inc., its subsidiaries, affiliates and offices within the United States.

3. “Personal information” means any information or set of information that identifies or could be used by or on behalf of Exactech to identify an individual. Personal information does not include information that is encoded or stripped of all personal identifiable information, or which is publicly available.

4.  “Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or that concerns the health of an individual. In addition, Exactech will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.

D.  PRIVACY PRINCIPLES

The privacy principles in this Policy are based on the Safe Harbor Privacy Principles.

1.  NOTICE: Where Exactech collects personal information directly from individuals in the EU, it will inform them about the purposes for which it collects and uses the information, the types of third parties to which Exactech discloses that information, and the choices and means, if any, Exactech offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to Exactech, or as soon as practicable thereafter, and in any event before Exactech uses the information for a purpose other than that for which it was originally collected.

Where Exactech receives personal information from its subsidiaries, affiliates or other entities in the EU, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

2.  CHOICE: Exactech will offer individuals the opportunity to choose  whether their personal information is (a) to be disclosed to a third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized to be used by the individual (“opt-out”).

With regards to sensitive personal information, Exactech will give individuals the opportunity to affirmatively and explicitly consent to the disclosure of the information to a third party or to the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual (“opt-in”).

Exactech will provide individuals with reasonable processes to exercise their choices.

3. DATA INTEGRITY: Exactech will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Exactech will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete and up-to-date.

4. TRANSFERS TO AGENTS: Exactech may share an individual's information with consultants, independent contractors and/or partners of Exactech in connection with services that these individuals or entities perform for, or with, Exactech. For example, Exactech may provide an individual's personal information to consultants for the purpose of analyzing such data to assess clinical performance of the company’s products.

Exactech will obtain assurances from its consultants and independent contractors that they will safeguard personal information received from us in a manner consistent with this Policy. Appropriate assurance of compliance may be provided through several avenues, including but not limited to, one or more of the following:

  1. A contract between Exactech and the third party which includes provisions obligating the third party to provide at least the same level of protection to sensitive personal information as is required by the relevant Safe Harbor Principles
  2. The third party may be subject to the EU Data Protection Directive itself, and if so, may provide Exactech a copy of its policy and self-certification.
  3. The third party may have Binding Corporate Rules approved by the European Commission, or may be subject to another European Commission adequacy finding.

Where Exactech has knowledge that a consultant, independent contractor or partner is using or disclosing personal information in a manner inconsistent with this Policy, Exactech will take reasonable steps to prevent or stop such improper use and/or disclosure.

5. ACCESS AND CORRECTION: Upon request, individuals will be granted reasonable access to personal information that Exactech maintains about them. In addition, upon request, Exactech will take reasonable steps to permit individuals to correct, amend or delete information that is found to be inaccurate, incomplete or out-of-date.

6.  SECURITY: Exactech will employ reasonable safeguards to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration or destruction. For personal information subject to electronic storage or transmission, Exactech maintains an internal private, secure network that is protected from computer virus infection and monitored for unauthorized access. Both electronic and paper based records holding personal information are maintained in access controlled facilities for which business continuity plans are required.

7.  ENFORCEMENT: Exactech will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy.

All reported breaches or potential breaches will be investigated by the Ethics and Compliance Committee and any internal auditors assigned by such committee, who will take such actions as they deem appropriate in the investigation and if necessary, correction of the situation. Any employee that Exactech determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment. In the event of criminal or other serious violations of the law, these actions could also be subject to notification of the appropriate legal body.

8.  DISPUTE RESOLUTION: Any questions or concerns regarding the use or disclosure of personal information should be directed to the Ethics and Compliance Committee at the address given below. Exactech will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy.

9.  CONTACT INFORMATION: Questions or comments regarding this Policy should be submitted to the Exactech Ethics and Compliance Committee at the following address:

Exactech, Inc.
C/o Ethics and Compliance Committee
2320 NW 66th Court
Gainesville, FL 32653

If you feel that Exactech may not have abided by its policy as described herein, or the U.S. – EU Safe Harbor privacy principles, you may contact Exactech at the address above, or the U.S. Federal Trade Commission.

10.  RESERVATION OF RIGHTS: Exactech reserves the right to share an individual's information if required to so by a court of law or in order to respond to duly authorized information requests made by government authorities or agencies.

11.  AMENDMENTS TO THIS SAFE HARBOR PRIVACY POLICY: This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments when they are made.