
The protection of your personal data is an important concern for us. We have implemented technical and organizational measures to ensure that data protection regulations are observed by both us and external service providers (data processors).

You can find our general data protection information and specific details regarding visits to our website by using the links in the left navigation channel.

Policy, Data Privacy Program

1.0 PURPOSE
Reflow Medical (“Reflow” or “Company”) respects the privacy of Data Subjects who entrust Reflow Medical with their Personal Data. This Global Data Privacy Program Policy (“Policy”) outlines Reflow Medical’s commitment to complying with applicable privacy laws and regulations, including the General Data Protection Regulation (“GDPR”) and its corollaries. For the purposes of this Policy, “Reflow Medical” refers to Reflow Medical Europe GmbH, and to each such entity individually.

2.0 SCOPE
This document defines standards based on applicable privacy laws, other regulatory requirements, and best practices regarding use and control of Personal Data subject to the GDPR by Reflow Medical. Capitalized terms in this document are defined in Section 5 of this Policy. Adherence to this Policy is mandatory for directors, officers, and employees of Reflow Medical.

3.0 RESPONSIBILITIES

  • 3.1 Data Protection Officer
    • 3.1.1 Responsibilities and tasks in accordance with Art. 39 GDPR
  • 3.2 Data Protection Coordinator
    • 3.2.1 First local contact person for privacy questions
    • 3.2.2 Interface and contact person to the data protection officer
    • 3.2.3 Supports the Data Protection Officer and coordinates data protection on site
    • 3.2.4 Responsible for overseeing and maintaining this Policy and privacy documents.
    • 3.2.5 Responsible for delegating circulation of this Policy and privacy documents, as necessary
  • 3.3 All Employees and Contractors
    • 3.3.1 Responsible for incorporating this Policy into their job duties.
    • 3.3.2 Act as stewards for the Privacy Program principles across Reflow Medical
  • 3.4 Management
    • 3.4.1 Responsible for enforcing adherence to, and implementation of, this Policy within Reflow Medical business processes.
  • 3.5 Data Owners
    • 3.5.1 Responsible for overseeing the processing of Personal Data, including collection, usage, and transmission of Personal Data that resides within a service, system, or application in accordance with this Policy.
    • 3.5.2 Responsible for maintaining records regarding Personal Data in accordance with this Policy and applicable standards.

4.0 KEY TERMS & DEFINITIONS

  • 4.1 Data Subject – A natural person who can be identified, directly or indirectly, through the Personal Data processed by Reflow Medical (e.g., via an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person). This can include, but is not limited to, Reflow Medical employees, contractors, customers, suppliers, clinical study subjects, and website visitors.
  • 4.2 Personal Data/Personal Information – Any information relating to an identified or identifiable natural person (Data Subject). This includes, but is not limited to, employee and non-employee Personal Data, such as name, e-mail address, phone number, employee ID, photograph, banking details, performance review, health information, biometric data, genetic data, and IP address.
  • 4.3 Privacy Procedures – Reflow Medical procedures (e.g., Data Subject Rights Requests Procedure) that describe how to implement the Policy. These how-to documents may take many forms, including text, diagrams, flows, or other relevant materials. These procedures describe who does what, when they do it, and relevant criteria.
  • 4.4 Privacy Statements & Notices – Information about Reflow Medical’s data processing provided to Data Subjects that increases transparency and informs Data Subjects about their rights under applicable privacy law.
  • 4.5 Processing – Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storing, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • 4.6 Special Categories of Personal Data – Personal Data of increased sensitivity that requires extra protection. The following are considered Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; consumer health data; criminal offenses/convictions; or data concerning a natural person’s sex life or sexual orientation. Reflow Medical may treat other Personal Data as sensitive depending on local laws.

5.0 POLICY STATEMENTS

  • 5.1 Privacy Principles. As detailed in this Policy, Reflow Medical’s policy is to address each of the following when processing Personal Data:
    • 5.1.1 Transparency
    • 5.1.2 Fair and Lawful Data Processing
    • 5.1.3 Limited Data Collection and Use
    • 5.1.4 Data Sharing and Transfer
    • 5.1.5 Personal Data Minimization and Accuracy
    • 5.1.6 Data Subject Rights
    • 5.1.7 Personal Data Security
    • 5.1.8 Privacy Program Governance and Accountability
  • 5.2 Transparency
    Reflow Medical promotes transparency regarding its data processing activities and privacy protections by providing clear, approved Privacy Statements to Data Subjects describing the lifecycle of the Personal Data Reflow Medical may collect about the Data Subject from collection to destruction. These statements are to be made available to the Data Subject whether or not Reflow Medical directly collects such information from the Data Subject.

    • 5.2.1 Privacy Statements (and Notices) serve the purpose of notifying Data Subjects and complying with applicable privacy laws. These may contain the following or similar information regarding data processing activities conducted by Reflow Medical in accordance with applicable law:
      • Name and contact information of the Controller (where required by law);
      • Contact information for Data Protection Officer, the Privacy Officer, or other designee;
      • The purposes for the processing of the Personal Data;
      • The legal basis of processing;
      • The categories of third parties to which Reflow Medical discloses Personal Data;
      • The method by which the Data Subject may exercise their individual rights, as applicable. For example, opting out of certain processing activities;
      • A general description of security measures in place to protect data; and
      • Any other elements required by law.
    • 5.2.2 Privacy Statements (and Notices), in clear and concise language, are provided to the Data Subject prior to, or at the time of, data collection.
    • 5.2.3 Privacy Statements (and Notices) are accessible by all relevant parties. For example, prospective customers, patients, or clinical study subjects. You can access the Reflow Medical Privacy Statement via our data protection coordinator.
  • 5.3 Fair and Lawful Data Processing
    Reflow Medical must only process Personal Data for which it has a lawful basis, which Reflow Medical determines prior to processing Personal Data. When relying on consent as the lawful basis, Reflow Medical must respect the Data Subject’s right to opt-out. When relying on legitimate interests as the lawful basis, Reflow Medical must not process Personal Data when the rights of the Data Subject override the legitimate interests of Reflow Medical.

    • 5.3.1 Reflow Medical maintains a data inventory (or Record of Processing Activities) to document activities relating to Reflow Medical functions that hold data, documenting the nature and purpose of data collected, stored, and transferred. Data Owners are responsible for maintaining the accuracy and completeness of the data flows as well as the data inventories.
    • 5.3.2 Reflow Medical completes a privacy assessment, including as necessary, a data protection impact assessment (DPIA) for each processing activity identified in the Record of Processing Activities. The DPIA assesses and documents the application of the core privacy principles to each processing activity and evaluates the risk to Data Subjects based on the nature of the processing activity and the applicable controls implemented.
    • 5.3.3 Reflow Medical selects the most appropriate lawful basis (or bases) for each activity depending on the purposes for which Personal Data is processed and other relevant factors.
    • 5.3.4 Information about the lawful basis for the processing is included in the Privacy Statements (and Notices, as applicable).
    • 5.3.5 For processing activities that rely on legitimate interest of the data controller as the lawful basis, Reflow Medical will complete a legitimate interest analysis to ensure that Reflow Medical does not process Personal Data when the rights of the Data Subject should override Reflow Medical interests. This assessment will (1) identify the legitimate interest, (2) consider the necessity of processing, and (3) balance the interest of Reflow Medical with that of the Data Subject.
    • 5.3.6 For processing activities that rely on consent as a lawful basis, consent is obtained from the Data Subject, including explicit and/or written consent as applicable.
      • Consent is obtained prior to the processing activity (e.g., prior to the collection, use, and/or sharing of Personal Data)
      • Consent forms contain documentation in accordance with relevant laws and regulations
      • Consent is obtained after providing the Data Subject with information regarding what they are consenting to, such as the information contained within a Privacy Statement or Notice
      • Where unambiguous consent, or affirmative action, is required by regulation, consent is obtained by requiring an affirmative action on the part of the Data Subject, such as ticking a box or choosing technical settings. In these instances, silence, pre-ticked boxes or inactivity is not used to indicate consent.
      • Reflow Medical maintains documentation of consent obtained, where applicable
      • Reflow Medical provides mechanisms for Data Subjects to withdraw their consent (see section on Data Subject rights for additional information)
  • 5.4 Limited Data Collection and Use
    Reflow Medical must only collect and process the Personal Data needed for purposes specified in Privacy Statements – for only so long as the purpose exists, or as required by law or contract unless such further processing is consistent with applicable laws and regulations.

    • 5.4.1 Personal Data collected is proportional to the specified purpose and is not excessive for the purpose for which it was collected.
    • 5.4.2 Personal Data is collected fairly and lawfully, in compliance with laws and regulations.
    • 5.4.3 Personal Data is collected with the consent of the individual, where applicable
    • 5.4.4 Special Categories of Personal Data/Sensitive Data are only collected if explicit consent has been obtained, or if required or authorized by law.
  • 5.5 Data Sharing and Transfer
    Reflow Medical must maintain appropriate processes and compliance mechanisms for transferring Personal Data within Reflow Medical, including transfers across jurisdictional borders. Prior to engaging third parties, Reflow Medical evaluates whether they have acceptable security and privacy controls in place before they receive access to or handle any Personal Data on behalf of Reflow Medical and ensures appropriate agreements are signed. Personal Data provided to third parties will be limited to what is necessary for the third party to carry out its contractual obligations. Personal Data disclosed upon a legally binding request for disclosure of the Personal Data by a law enforcement authority will be limited to what is legally necessary.

    • 5.5.1 Personal Data is only transferred to third parties if there is appropriate authorization for transfer.
    • 5.5.2 Transfer of Personal Data to third parties must be in compliance with applicable laws and regulations.
    • 5.5.3 Personal Data is only transferred internally or externally for legitimate purposes, in conformity to Privacy Statements and contractual agreements.
    • 5.5.4 Data Owners are responsible for maintaining records of third parties that access or receive Personal Data
    • 5.5.5 Disclosure of Personal Data is limited to only that which is necessary to achieve the purpose of disclosure.
    • 5.5.6 Where Personal Data is transferred across borders, a mechanism is used so that the recipient provides adequate safeguards as required by the originating jurisdiction. For example, transfers from the EU to non-EU countries may use Standard Contractual Clauses in conjunction with data transfer impact assessments or obtain explicit consent.
    • 5.5.7 Reflow Medical takes appropriate steps so that Personal Data remains complete and accurate during transfer.
  • 5.6 Personal Data Minimization and Accuracy
    Data retention periods for Personal Data are defined, and data that is no longer required to be retained is securely destroyed. Reflow Medical implements appropriate steps to keep Personal Data complete and accurate.

    • 5.6.1 Data Owners are accountable for Personal Data collected, processed, stored or transferred.
    • 5.6.2 Incomplete or inaccurate Personal Data is corrected in an appropriate manner. The Data Subjects have the right to rectify their Personal Data (see section on Data Subject Rights).
    • 5.6.3 Records are retained, at a minimum, for the period required by applicable laws and regulations in each jurisdiction where Reflow Medical conducts business. Records may be retained beyond the minimum required by law if necessary for business reasons. The standards regarding lawful basis in Section 2 still apply to this retained data.
    • 5.6.4 Records that contain Sensitive Personal Data are identified and appropriately secured.
    • 5.6.5 Reflow Medical securely destroys Personal Data when there is no longer a business or legal need to retain it by (a) shredding, (b) erasing, or (c) otherwise modifying the information in those records to make it unreadable or undecipherable through any means.
  • 5.7 Data Subject Rights
    Where Reflow Medical processes pseudonymized data (e.g., from a clinical trial for which it is the sponsor or a data recipient) such that it cannot identify the individual, Reflow Medical may be unable to respond fully to Data Subject requests. However, where legally required, Reflow Medical provides mechanisms for Data Subjects to exercise their rights, including the right to access or correct their Personal Data, the right to be forgotten, the right to object to or restrict processing of their Personal Data, the right to data portability, and the right to not be subject to a decision based solely on automated processing.

    • 5.7.1 Processes are in place to address Data Subject Rights requests (see the Reflow Medical Data Subject Rights Requests SOP)
      • Records of Data Subject requests are maintained by Reflow Medical
      • Data Subjects, or their legal representatives, are authenticated prior to processing the request.
      • Data Subject requests are reviewed and processed without undue delay and in any case, no later than one month of receipt of that request.
      • Data Subject requests are reviewed and processed free of charge. However, where requests are manifestly unfounded or excessive (particularly when requests are repetitive), a reasonable fee may be charged to cover administrative costs associated with processing the request.
      • Information provided to Data Subjects is presented in an easily understandable, commonly used format.
    • 5.7.2 Access
      • Data Subjects are provided with a mechanism to request access to their Personal Data
    • 5.7.3 Rectification
      • Data Subjects are provided with a mechanism to request rectification of Personal Data
      • Third parties, where applicable, are notified of requests for rectification of Personal Data
      • Records of information under dispute are maintained by Reflow Medical
    • 5.7.4 Erasure
      • Data Subjects are provided with a mechanism to request erasure of their Personal Data
      • Requests for erasure are considered by Reflow Medical when the Personal Data is no longer needed, the Data Subject withdraws consent and Reflow Medical has no other legal ground for the processing, the Data Subject objects to the processing (see Objection to processing section), the Personal Data has been unlawfully processed, or the Personal Data have to be erased for compliance with a legal obligation.
      • Third parties, where applicable, are notified of requests for erasure of Personal Data, and if Reflow Medical made Personal Data public, it takes reasonable steps to inform other controllers of the erasure request.
    • 5.7.5 Objection to Processing
      • Data Subjects are provided with a mechanism to object to processing of Personal Data
      • Third parties, where applicable, are notified of objections to processing of Personal Data
      • Objections to processing are analyzed for Personal Data processed on the basis of legitimate interests of Reflow Medical, or other bases as required by law.
      • If a Data Subject objects to the processing, Reflow Medical will no longer process the Personal Data unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims. If the processing is for direct marketing purposes, including profiling for marketing purposes, Reflow Medical will no longer process the Personal Data.
    • 5.7.6 Restriction of Processing
      • Data Subjects are provided with a mechanism to make requests to restrict processing of their Personal Data as part of the Subject Consent template.
      • Requests to restrict processing are analyzed where one of the following applies: the accuracy of the Personal Data is contested by the Data Subject; the processing is unlawful and the Data Subject opposes erasure; Reflow Medical no longer needs the Personal Data for the purposes of the processing, but the Data Subject requires it to be retained for the establishment, exercise or defense of legal claims; or the Data Subject objected to processing and the determination of Reflow Medical is pending.
      • If processing is restricted, Data Subjects are informed before the restriction of processing is lifted.
    • 5.7.7 Automated Decision-Making
      • Reflow Medical does not utilize automated decision-making.
    • 5.7.8 Data Portability
      • Data Subjects are provided with a mechanism to make requests to receive their Personal Data or have it transferred to another controller.
      • Requests for data portability are analyzed for Personal Data processed on the basis of either the Data Subject’s consent, or on a contract to which the Data Subject is a party.
      • Information provided to Data Subjects or directly to another controller, where technically feasible, is securely transmitted in an interoperable format that is structured, commonly used, and machine-readable.
    • 5.7.9 Withdrawal of Consent
      • Data Subjects are provided a clear and conspicuous mechanism to make requests to opt out of, or withdraw from, the collection, use, transfer, or other processing of Personal Data that Reflow Medical processes based on consent.
      • For Data Subjects, the process to withdraw consent is as easy as the process to grant consent.
  • 5.8 Personal Data Security
    Reflow Medical maintains appropriate security measures to protect the confidentiality, integrity, and availability of Personal Data. Reflow Medical maintains procedures to investigate incidents and security breaches and appropriately notify the relevant parties, including the supervisory authority, the data controller (in the situation in which Reflow Medical acts as a data processor), the affected Data Subjects, and any other relevant third parties as required by law. Reflow Medical only engages third parties that have acceptable security and privacy controls in place before accessing or handling any data on behalf of Reflow Medical. Employees are required to immediately report any suspected privacy or security incidents.

    • 5.8.1 Security measures are maintained at an appropriate level in relation to the risks in processing of the Personal Data
      • Security measures support access controls so that Personal Data is only to be available to authorized individuals.
      • Security measures limit the ability of Personal Data to be edited or removed to only those individuals authorized to do so.
      • Security controls are maintained to protect the confidentiality of Personal Data.
    • 5.8.2 Reflow Medical maintains processes to intake and respond to privacy complaints.
    • 5.8.3 Suspected data breaches are reported to the Privacy Officer immediately and without delay, but no later than within the first 24 hours of incident intake.
    • 5.8.4 Reflow Medical maintains a Data Breach Response Procedure which is made readily available to those employees and third-parties responsible for responding to such incidents. Suspected data breaches are reviewed in line with the procedures laid out in that document.
    • 5.8.5 Reflow Medical notifies the appropriate parties of data breaches in a timely manner, in accordance with legal and regulatory requirements.
    • 5.8.6 Contracts with third parties that handle Personal Data include provisions that require the third party to:
      • Have appropriate technical and organizational security measures.
      • Act only on instruction from Reflow Medical as the controller.
      • Ensure that any individuals who have access to the Personal Data are subject to a confidentiality obligation.
      • Obtain prior, specific, or general written authorization of Reflow Medical before engaging a subprocessor, and to ensure that the agreement that is entered into with such subprocessor sets out the same obligations as those that are imposed on the third party;
      • Retain or delete the Personal Data once the contract has been terminated;
      • Assist Reflow Medical as needed to comply with its obligations as a controller; and
      • Make available to Reflow Medical all information necessary to demonstrate compliance with these obligations.
    • 5.8.7 Due diligence in accordance with risk level is performed prior to contracting with third parties.
    • 5.8.8 Third parties are monitored, using a risk-based approach, on an ongoing basis for compliance with contractual privacy and security obligations at a minimum.
    • 5.8.9 Privacy or security issues noted as part of ongoing monitoring are reviewed and resolved.
  • 5.9 Privacy Program Governance and Accountability
    Reflow Medical works with Data Owners to maintain a Record of Processing Activities to document processing activities. Reflow Medical defines roles and responsibilities related to the regulatory review, enforcement, and ongoing monitoring of the Global Privacy Program (see Global Data Privacy Policy). Reflow Medical maintains processes around risk identification and assessment, including implementation of privacy impact assessments. Individuals are required to complete training on compliance with applicable privacy regulations.

    • 5.9.1 Roles and Responsibilities
      • The Data Protection Officer shall have at least the following tasks:
        • To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
        • To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
        • To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
        • To cooperate with the supervisory authority;
        • To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
        • The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
      • The Data Protection Officer shall have an appropriate level of professional qualifications and knowledge of data protection laws and practices to fulfil their tasks, including:
        • Expertise in data protection laws and practices including an in-depth understanding of the GDPR;
        • An understanding of information technologies and data security;
        • An understanding of data processing operations;
        • Assist the Data Protection Coordinator, the management and employees in their privacy related tasks
      • Key roles of the Data Protection Coordinator
        • Developing and maintaining policies, standards, processes, guidelines, and other documentation related to the governance of Personal Data with support from the Data Protection Officer;
        • Instructing staff on data privacy, as necessary;
        • Supervising the observance of the requirements for protection of Personal Data with support from the Data Protection Officer;
        • Conducting data protection impact assessments (DPIAs);
      • The Data protection coordinator shall have an appropriate level of basic qualifications and knowledge of data protection laws and practices to fulfil their tasks, including:
        • Base knowledge in data protection laws including an understanding of the GDPR
        • An understanding of Reflow Medical’s processing operations;
        • Knowledge of Reflow Medical’s business structure and relevant industries;
        • An ability to promote a data protection culture within the organization;
        • Ensure that new business processes are properly vetted through standards and procedures defined in the established Quality Management System to comply with a “Privacy by Design” process;
        • Assist the management with incident response management as necessary;
        • Assist Data Owners in their tasks defined below; and
        • Organize local training, as necessary
      • Key roles of Data Owners:
        • Responsible for maintaining records of third parties that access or receive Personal Data.
        • Accountable for how Reflow Medical’s systems collect, process, store or transfer Personal Data.
        • Responsible for maintaining the accuracy and completeness of data flows in the DPIA and data inventories.
        • Responsible for processing Personal Data, including collection, usage, and transmission of Personal Data that resides within a service, system, or application.
      • Job descriptions for operational management define privacy roles and responsibilities where applicable to the individual’s job function.
    • 5.9.2 Terms and Conditions of Employment
      • Employees and contractors treat Personal Data disclosed to them as confidential.
      • Employees who handle Personal Data are responsible for compliance with policies and face disciplinary action for privacy violations in line with local employment laws.
      • Reflow Medical hires only qualified and eligible employees for performance of privacy and security functions. Qualifications required, or training provided, are consistent with the position requirements.
    • 5.9.3 Training
      • Newly hired or newly engaged employees complete basic privacy and data protection awareness training as part of their onboarding process.
      • Specialized or advanced training may be developed and delivered to employees involved in Personal Data-intensive positions.
    • 5.9.4 Cooperation and Authorities
      • Activities that require notification to authorities are reported in a timely manner in compliance with relevant laws and regulations.
      • Requests from authorities are documented, reviewed, and processed in a timely manner.
      • Privacy advice or guidance received from authorities is implemented, where applicable, in a timely manner.
    • 5.9.5 Risk Identification and Assessment / Privacy by Design
      • Privacy risks are identified, documented, and assessed per (14 – Privacy Assessment)
      • Privacy assessments, including Privacy Impact Assessments (PIAs) where necessary, are performed for all high-risk new, or significantly changed, systems or processes processing Personal Data.
      • Privacy risks identified as part of the PIAs shall be escalated to key stakeholders from the business, the Privacy Officer, and Compliance.
      • Reflow Medical takes measures to reduce or eliminate data privacy risk as part of the Company’s overall risk management processes.
      • High risk PIAs are reported to the relevant authorities where required or appropriate.
    • 5.9.6 Ongoing Maintenance
      • Ongoing effectiveness of the Reflow Medical Global Privacy Program is monitored as part of Reflow Medical internal and external audit processes, the Management review process, and through periodic reviews with the Privacy Officer throughout the year.
      • Issues related to the design or operating effectiveness of the Global Privacy Program are investigated and resolved via Corrective and Preventative Action and any trends reviewed as part of the risk management process to ensure remediation to an acceptable risk level.

Document Change History

Document Revision Number Reason for Change
0.9 01 Release

Data protection information for customers and interested parties

We will inform you below about how and on what basis we process your personal data and what rights you are entitled to.

1. Who is responsible for data processing?

Reflow Medical Europe GmbH (hereinafter referred to as: Reflow) represented by
Knut Sauerteig in Otto-Lilienthal-Strasse 11, 86899 Landsberg, Germany
Email: office.intl@reflowmedical.com
Phone: +49 (0) 8191 98578-0
Data protection officer: dsb@reflowmedical.com

2. Processing purposes and legal basis
Your personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other relevant data protection regulations.
We process your data, including personal data in some cases, to initiate, execute and process contractual relationships, to prepare offers and issue invoices and to contact you and provide information as part of our customer service.

2.1 Consent (Art. 6 para. 1 lit. a GDPR)
If you have expressly given us your consent to process personal data in certain cases, the respective consent is the legal basis for the processing specified there. You can revoke your consent at any time with effect for the future.

2.2 Implementation of pre-contractual measures and fulfillment of contractual obligations (Art. 6 para. 1 lit. b GDPR)
We process your personal data to carry out measures and activities in the context of pre-contractual relationships, in particular for contract negotiations. Furthermore, your personal data is processed for the performance of our contracts with you, in particular as part of our order processing and use of your services.

2.3 Fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR)
We process your personal data insofar as this is legally required to fulfill retention obligations under commercial and tax law or otherwise due to legal norms (e.g. in accordance with the Money Laundering Act).

2.4 Safeguarding the legitimate interests of us or a third party (Art. 6 para. 1 lit. f GDPR)
We may also process your personal data on the basis of a balancing of interests to protect the legitimate interests of us or a third party. This is done for the following purposes:
• for comparison with European and international anti-terror lists, if this goes beyond the legal obligations;
• for the further development of services and products as well as existing systems and processes;
• for obtaining information and exchanging data with credit agencies if this goes beyond our economic risk;
• for the disclosure of personal data as part of due diligence (list of obligations), e.g. in the case of company sales;
• for statistical evaluations or for market analyses;
• for benchmarking;
• for internal and external investigations and/or security checks;
• for the enforcement of our rights and defense against unjustified claims in the event of a legal dispute with you;
• for internal administrative purposes or clarification of queries with the manufacturer;
• for maintaining customer relationships and direct marketing.

3. Categories of personal data processed by us
The following data categories are processed:
• Personal data (e.g. name, nationality, profession/industry),
• Contact details (e.g. address, e-mail address, telephone number),
• Bank details (e.g. account number),
• Tax data (e.g. VAT ID number),
• Information about your financial situation (e.g. creditworthiness data),
• Register data and other data from public sources (e.g. Internet, media, press, commercial and association registers, population registers, debtor registers, land registers),
• Data required for order fulfilment.

4. Who receives your data?
We pass on your personal data within our company to the departments that require this data to fulfill contractual and legal obligations or to implement our legitimate interest.
In addition, the following bodies may receive your data:
• Processors we use (Art. 28 GDPR) and service providers for supporting activities, e.g. in the areas of IT services, logistics and printing services, archiving, document processing, data destruction, purchasing/procurement, media technology, tax and auditing, courier services;
• Public bodies and institutions if there is a legal or official obligation under which we are obliged to disclose data;
• Bodies and institutions based on our legitimate interest or the legitimate interest of the third party for the purposes specified in section 3.4 (e.g. to authorities, credit agencies, debt collection agencies, lawyers, courts, experts);
• Manufacturer;
• If applicable, other recipients, provided this is permitted by law.

5. Transfer of your data to a recipient in a third country or to an international organization
There is currently no intention to transfer data to bodies in countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) or to an international organization. The above does not apply if you are a customer from a third country.
If necessary, it will only take place after separate information on the existence of an adequacy decision by the EU Commission on the level of data protection and only if it is necessary for the execution or termination of the contract with you, if it is required by law (e.g. tax reporting obligations), if it is in our or a third party’s legitimate interest or if you have given us your consent.
The processing of your data in a third country may also take place in connection with the involvement of service providers as part of order processing.
If there is no decision by the EU Commission on an adequate level of data protection in the country concerned, we will ensure that your personal data, rights and freedoms are adequately protected and guaranteed by the recipient in accordance with Art. 46, 47 GDPR through binding internal data protection regulations, corresponding contracts or other legal guarantees, unless there is a legal exception to compliance with the adequate level of protection in accordance with Art. 49 GDPR.

6. How long do we store your data?
If necessary, we process your personal data for the duration of our contractual relationship with you. In addition, we are subject to various retention and documentation obligations arising from the legal framework, among other things; the retention and documentation periods are specified by law. The statutory retention periods for invoices are 8 years and for business letters 6 years. Due to the Medical Device Regulation, further retention periods can apply.
Ultimately, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.

7. To what extent is there automated decision-making in individual cases (including profiling)?
We do not use any purely automated decision-making processes or profiling in accordance with Article 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately.

8. Scope of your obligations to provide us with your data
You only need to provide the data that is required for the establishment and execution of a contractual relationship with us, that we are legally obliged to collect or that we are entitled to collect to protect legitimate interests. You are not obliged to provide personal data. However, without the provision of such data, it would not be possible to execute the contract properly, which could ultimately result in the refusal to conclude or the termination of a contract. If we request additional data from you, you will be informed separately of the voluntary nature of the information.

9. Pharmacovigilance
When reporting adverse reactions to medicines and medical devices, we process the following personal data:
Patients: Name (when reporting to the relevant authority(ies), only the initials of the affected person are included, not the name), Gender, Date of birth/age, Health status/medical history, Details of the adverse event, Information about the products used.
Reporter: Name, Contact details (phone number, address, email, etc.), Professional details (e.g., medical specialist details), Relationship to the affected patient.
We use the data for the following purposes:
• to contact you to clarify questions about the incident/report;
• to analyze/investigate the adverse reaction;
• to compare the adverse reaction reported to us;
• to pass on the mandatory information to the regulatory authorities.

Legal basis
We are legally obliged to document, investigate, and, if necessary, report adverse events and other pharmacovigilance-relevant information to the relevant authorities.
The legal basis for processing your personal data is therefore the fulfillment of our legal obligations and the protection of our legitimate interests, which consist in particular in ensuring high quality and safety standards for our products (Article 9 (2) (i) GDPR, Article 6 (1) (c) GDPR / Article 6 (1) (f) GDPR in conjunction with Section 22 (1) (c) BDSG and Section 63c of the German Medicines Act).
Recipients of the data:
• Internally responsible employees of the Drug Safety Departments;
• Competent authority (e.g., Federal Institute for Drugs and Medical Devices);
• Legal successors, if applicable, in the event of a sale within the permitted scope.
Transfer to third countries
Data is not transferred to third countries (countries outside the European Economic Area – EEA).

Retention period
Pharmacovigilance data and documents for individual authorized medicinal products are retained for as long as the product is authorized and for at least 10 years after the expiration of the authorization.

10. Rights of data subjects
You have the right:
• in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
• in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
• in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
• in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller;
• in accordance with Art. 7 para. 3 GDPR, to withdraw your consent once given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future.

If you wish to assert one of these rights, please contact us or our data protection officer.

Information about your right to object in accordance with Art. 21 GDPR
You have the right to object to the processing of your personal data on the basis of Art. 6 para. 1 lit. f GDPR (data processing to protect legitimate interests) or Art. 6 para. 1 lit. e GDPR (data processing for tasks in the public interest).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Information about your right of withdrawal pursuant to Art. 7 para. 3 GDPR
Insofar as we process your personal data for certain purposes on the basis of your consent, you have the right to withdraw your consent at any time in accordance with Art. 7 (3) GDPR. After receiving your revocation, we will cease data processing for the purposes for which you have given us your consent. The lawfulness of the processing prior to receipt of your withdrawal remains unaffected.
Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
Objection to processing for direct marketing purposes
In the case of data processing for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing, as well as to profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made informally and should preferably be addressed to: dsb@reflowmedical.com

11. Your right to lodge a complaint with the competent supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority if you believe that the processing of your data violates the GDPR (Art. 77 GDPR). The supervisory authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, Deutschland, Phone: +49 (0) 981 180093-0, E-Mail: poststelle@lda.bayern.de (only pdf)

Amendment of this data protection notice

We revise this data protection information in the event of changes to data processing or other occasions that make this necessary. You will always get our current version on request.

Data protection information for applicants

We are pleased that you are interested in us and that you are applying or have applied for a position in our company. We would like to inform you below about the processing of your personal data in connection with your application.

1. Who is responsible for data processing?
Reflow Medical Europe GmbH (hereinafter referred to as: Reflow), represented by
Knut Sauerteig, Otto-Lilienthal-Strasse 11, 86899 Landsberg, Germany
Email: office.intl@reflowmedical.com
Phone: +49 (0) 8191 98578-0
Data protection officer: dsb@reflowmedical.com

2. Processing purposes and legal basis
We process your personal data to the extent necessary to decide on the establishment of an employment relationship. The legal basis for this is generally Art. 6 para. 1 lit. b GDPR in conjunction with Section 26 of the Federal Data Protection Act (BDSG).
We only collect the personal data (in particular first name, surname, address, e-mail, position applied for, details from the application) from you that is required for the application process. In order to fully review your application, it is necessary that you also provide us with information about your previous professional career.
In the case of an online application, you enter this data yourself in the online form; for any other form of application, we record the relevant information from the application and scan the application documents if necessary.
As part of your application, we only use data that comes directly from you or a person authorized by you. During the application process, further personal data may be collected from you personally, from generally accessible sources or from former employers and trainers. This may also include data that you make available online for the purpose of professional presentation (e.g. in business networks). We do not carry out any further research on your person, e.g. using online search engines.
When filling certain positions, in particular management positions, we may involve personnel consultants to carry out assessment centers or potential analyses, subject to your express consent.
If we ask you for your gender as part of the application process in the form of the desired form of address, this is solely because we want to write or speak to you in the correct manner. The reason for stating your age or entering your date of birth is that a minimum age is required by law for some of our activities.

2.1 Consent (Art. 6 para. 1 lit. a GDPR)
If and to the extent that you have given us your consent to process data for specific purposes, for example to actively contact you in order to offer you further vacancies with us or one of our Group companies, the processing period is determined by the purpose of the consent given. Please note the information provided in connection with the declaration of consent.

2.2 Implementation of pre-contractual measures and fulfillment of contractual obligations (Art. 6 para. 1 lit. b GDPR)
We process your personal data to carry out measures and activities in the context of pre-contractual relationships, in particular for contract negotiations.

2.3 Fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR)
We process your personal data insofar as this is legally required to fulfill retention obligations under commercial and tax law or otherwise due to legal norms (e.g. in accordance with the Money Laundering Act).

2.4 Safeguarding the legitimate interests of us or a third party (Art. 6 para. 1 lit. f GDPR)
We process your personal data insofar as this is necessary to defend against legal claims asserted against us in the application process. The legitimate interest is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

3. Categories of personal data that we process and where they come from
We process the personal data that we receive from you as part of your application. This is the data that you provide to us as part of your application, in particular by submitting application documents and your details in job interviews. We also visit profiles of applicants on XING and LinkedIn or other professionally oriented social networks, if such exist. We do not visit profiles on private social networks.
It is also possible that we may receive data from recruitment agencies to whom you have submitted your application documents and who you suggest to us as candidates for a position.

4. Who receives your data?
Your data will of course be treated confidentially and will only be made available to those people in the company who are involved in the recruitment decision-making process (e.g. Human Resource department, specialist department, works council).
If you have consented to your documents being forwarded to other Group companies in the course of your application, your application data may be included in a corresponding Group-wide applicant pool.
Furthermore, processors, such as software providers, IT service providers, document shredders, etc., may be recipients of the data. We have concluded a so-called order processing contract with these providers, which ensures that the data processing is carried out in a permissible manner.

5. Transfer of your data to a recipient in a third country or to an international organization
If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place, unless there is a legal exception to compliance with the level of data protection (Art. 49 GDPR), in particular your express consent under data protection law.

6. How long do we store your data?
We store your personal data for as long as is necessary to achieve the processing purposes and/or to comply with statutory retention obligations.
If you are not selected for the position for which you have applied, we will delete your data six months after you withdraw your application or, if we reject you, six months after the date of rejection. In the event that an employment contract is concluded between you and us or one of our Group companies, your application documents will be included in your personnel file and stored for at least the duration of the employment relationship.

7. To what extent is there automated decision-making in individual cases (including profiling)?
We do not use any purely automated decision-making processes in accordance with Article 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately.

8. Scope of your obligations to provide us with your data
An application to us is voluntary. The provision of your personal data regarding your previous professional and/or educational background, your qualifications, your skills and information about yourself and how you can be contacted is necessary so that we can find out whether you as an applicant and the position to be filled are a good match and so that we can make a personnel selection. Without the provision of personal data by you as an applicant, it is naturally not possible to carry out any personnel selection or application process.
Consequently, failure to provide personal data will simply mean that you cannot be considered as a candidate for a vacancy.

9. Rights of data subjects
Using the above address and under certain conditions, you have the right:
• in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
• in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
• in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
• in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller;
• in accordance with Art. 7 para. 3 GDPR, to withdraw your consent once given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future.

If you wish to assert one of these rights, please contact us or our data protection officer.

Information about your right to object in accordance with Art. 21 GDPR
You have the right to object to the processing of your personal data on the basis of Art. 6 para. 1 lit. f GDPR (data processing to protect legitimate interests) or Art. 6 para. 1 lit. e GDPR (data processing for tasks in the public interest).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Information about your right of withdrawal pursuant to Art. 7 para. 3 GDPR
Insofar as we process your personal data for certain purposes on the basis of your consent, you have the right to withdraw your consent at any time in accordance with Art. 7 (3) GDPR. After receiving your revocation, we will cease data processing for the purposes for which you have given us your consent. The lawfulness of the processing prior to receipt of your withdrawal remains unaffected.
Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
Objection to processing for direct marketing purposes
In the case of data processing for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing, as well as to profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made informally and should preferably be addressed to: dsb@reflowmedical.com

10. Your right to lodge a complaint with the competent supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority if you believe that the processing of your data violates the GDPR (Art. 77 GDPR). The supervisory authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, Deutschland, Phone: +49 (0) 981 180093-0, E-Mail: poststelle@lda.bayern.de (only pdf)