Privacy Statement Medline International B.V

Your privacy is important to Medline International B.V. and affiliated companies (“we”, “us”, “our” or “Medline”), and we are committed to protecting your personal data.

This privacy statement describes how Medline collects, stores, uses, protects, transfers and deletes your personal data in compliance with the EU General Data Protection Regulation 2016/679 ("GDPR") and other relevant data protection laws as may be applicable. We also explain the activities we process your personal data for and the legal basis for doing so. We describe how data is shared with other parties as well as the processing of personal data outside the European Economic Area (EEA). We have also detailed your rights as a data subject and how you can exercise your rights.

 

In this privacy statement, we use concepts such as ‘personal data’, 'processing' and 'data controller', which shall have the same meaning as defined in the GDPR.

For the purpose of this privacy statement and the processing activities described herein, Medline International B.V. is considered Medline’s main establishment in the EU and the controller, unless certain processing activities are predominantly managed by an affiliated company solely for the purpose of supporting local business activities or otherwise to comply with local statutory obligations.

 

Please read this privacy statement carefully and on a regular basis to get a clear understanding of how we collect, use, protect or otherwise process your personal data. If you have any concerns or questions that cannot be answered by this privacy statement, please contact us by using our contact details listed under the 'How to contact us' section below.


We ensure that any processing of your personal data is in accordance with the following principles: 

  • Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner;
  • Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

This privacy statement applies to the processing of personal data we collect from you in connection with your use of our website(s) and e-commerce platform, when you visit our facilities, when we supply products and/or services to you as a customer, when you deliver products and or services to us as a supplier or vendor.

This privacy statement does not apply to personal data that we collect and process in the context of your employment or other working relationship with us.

This privacy statement does not apply to personal data that we collect and process when you apply for a vacant position within Medline. In those cases, the Medline Global Applicant Notice shall apply.


We will use the personal data collected about you for the specific purposes as detailed below.

Please note that in some cases, you have no choice but to provide your personal data to us when you make use of our products or services. In other cases, however, the provision of your personal data is voluntary. This can still mean that if you choose not to provide your personal data it might not be possible for us to provide you the products and/or services you request. We will inform you in the appropriate places, whether online or offline, if the provision of your personal data is mandatory in a particular scenario and what the consequences are if you do not provide your personal data.

The purposes and the legal basis for processing your personal data are the following:

 

To follow the on-boarding process for customers

We process your personal data when you request to register you as a Customer, which gives you the possibility to issue orders. The data we collect and process for this purpose includes your first name, last name, email address, and information about your organization/company. We process this information with the purpose of registering you as a Customer. We will retain your personal data for this purpose for as long as you have an active commercial relation with us, unless we are legally required and/or permitted to retain your personal data for a period thereafter.

We process your personal data for this purpose on the basis of article 6.1 (b) GDPR (performance of a contract, including pre-contractual measures) and, as the case may be, on the basis of article 6.1(c) (compliance with a legal obligation) or 6.1 (f) GDPR (our legitimate interest of considering and managing new business relationships).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To create your Medline user account

We process your personal data when you request the creation of a Medline user account via our Medline website, our customer service or your account manager, which you can use to consult invoices and historical purchases you made and issue your order via our e-commerce platform. The data we collect and process for this purpose includes your first name, last name, email address, and information about your organization/company. We process this information with the purpose of creating your user account. We will retain your personal data for this purpose in accordance with the retention period described in section 6 of this privacy statement.

We process your personal data for this purpose on the basis of article 6.1(a) GDPR (your consent) or 6.1(b) GDPR (performance of a contract, including pre-contractual measures).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To manage our business relationship with you

We process your personal data when you interact with us as a current or prospective supplier or customer or other business contact, via email, telephone, our website and e-commerce platform, and offline. The personal data we process for this purpose includes your name, contact details, information about your organization/company and your function, and other information that is exchanged in the context of our business relationship. We process this information for the purpose of managing product orders, supplies, deliveries, and after sales services, as applicable. We will retain your personal data for this purpose in accordance with the retention period described in section 6 of this privacy statement.

We process your personal data for this purpose on the basis of article 6.1 (b) GDPR (performance of a contract, including pre-contractual measures) and, as the case may be, on the basis of article 6.1(c) (compliance with a legal obligation) or 6.1 (f) GDPR (our legitimate interest of managing our business relationships).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To send you marketing and other related communications

We process your personal data when you subscribe to receive marketing or related communications, which includes relevant news, articles, whitepapers, event invitations, and updates on Medline and its products. The data we collect and process for these purposes includes your name, contact details, job title, which part of the world you are in, information about your organization/company and its healthcare focus. We process this information for the purpose of sending you our marketing and/or related communications as per your request. We will retain your personal data for this purpose for as long as you have an active subscription to receive our marketing or related communications, unless we are legally required and/or permitted to retain your personal data for a period thereafter. Please refer to section 6 of this privacy statement on Medline’s approach to retaining your personal data.

We process your personal data for this purpose on the basis of article 6.1 (a) GDPR (your consent). If you are an existing customer we may process your personal data for this purpose on the basis of article 6.1 (f) GDPR (our legitimate interest of executing marketing activities).

You may withdraw your consent and unsubscribe to receiving marketing or related communications at any time. You can unsubscribe anytime using the link at the bottom of any email you receive from us.

Please note that Medline reserves the right to communicate with you about important matters relating to its products, services or purchases you have made (e.g. product recalls, warranty or service related issues). It is not possible to withdraw your consent or unsubscribe from receiving such transactional or product-generated emails sent in connection with your use of our products and services.

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To optimize and improve our communication with you

We process your personal data to monitor and scoring your interactions with our email marketing communications, your purchase history, and other interactions that you may have with us to better understand your needs as a customer and improve our communication with you. The personal data we process for this purpose includes your name, contact details, information about your organization/company and information about your interactions with Medline. To the extent possible, we will process aggregated data (i.e. data that cannot identify you or be linked to you, such as statistical data), pseudonymised or anonymised data, rather than personal data that allows us to directly identify you. We process this information for the purpose of better understanding our customers' needs and preferences in order to improve our communication with you and to offer you relevant product information. The use of monitoring and lead scoring techniques are not fully automated process and they will under no circumstances have legal or other significant consequences for you. We will retain your personal data for this purpose in accordance with the retention period described in section 6 of this privacy statement.

We process your personal data for this purpose on the basis of article 6.1 (f) GDPR (our legitimate interest of optimizing and improving our products and services).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To optimize and improve our website(s)

When you visit our website(s), we also collect data about you by using cookies and similar techniques. For more information about cookies, the way we use them and how to delete cookies, you can read our Cookies Statement.

 

To contact you when you reach out to us and to respond to your queries or complaints

We process your personal data when you contact us via our online contact form, via email, telephone, fax, social media or regular mail. The personal data we process for this purpose depends on how and why you contact us, but will always include your name, contact details and information relating to your question or request. We process this information for the purpose of contacting you and responding to your question or request. We will retain your personal data for this purpose in accordance with the retention period described in section 6of this privacy statement.

We process your personal data for this purpose on the basis of article 6.1 (a) GDPR (your consent) or, as the case may be, on the basis of article 6.1 (b) GDPR (performance of a contract, including pre-contractual measures) or, where we are legally obliged to respond to your queries, on the basis of article 6.1 (c) (compliance with legal obligation).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To invite you for a Medline webinar or event and to register your attendance

We process your personal data when you register for and attend to an (online) Medline webinar or event via our online registration form or via email, as the case may be. The personal data we process for this purpose includes your first name, last name, email address, job title, your country and/or you’re your city/region where you work, and information about your organization/company. We process this information for the purpose of inviting you for our webinar or event, for communicating with you about the webinar or the event, for registering your attendance, and for evaluation of the webinar or event. If you are an existing customer we will retain your personal data for as long as our commercial relationship lasts. If you just signed up for one of our webinars, we will retain your personal data for as long as it is necessary to conduct the webinar. In this case, your personal data will be deleted after the webinar if you did not consent for other purposes.

In case of an offline event, we may – subject to your consent - take photographs or have photographs taken at the event and/or ask if you have any diet restrictions (whereby your response may include health related data), which we shall only process for the purpose of offering you alternative dietary options at our event.  

We process your personal data for this purpose on the basis of article 6.1 (b) GDPR (performance of a contract, including pre-contractual measures) and, where required, on the basis of article 6.1 (a) GDPR (your consent). We process your diet (health) related information on the basis of article 9.2 (a) GDPR (explicit consent).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To register your visit to a Medline facility and to secure our premises

We process your personal data when you visit one of our Medline facilities as a guest. The data we process includes your name, contact details, and information about your organization/company, which we process for the purpose of visitor registration for security reasons. We will retain your personal data for this purpose for as long as 3 months, unless we are legally required and/or permitted to retain your personal data for a period thereafter.

We also use camera security/CCTV at our locations for security reasons, which may capture your presence at our Medline facilities. We will retain CCTV footage for as long as 4 weeks, unless we are legally required and/or permitted to retain your personal data for a period thereafter.

We process your personal data for these purposes on the basis of article 6.1 (f) GDPR (our legitimate interests of protecting our premises).

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To comply with our legal obligations

We process your personal data when this is necessary for us to comply with our legal obligations or is otherwise necessary in view of our legitimate interests, which may include the prevention and detection of fraud and other criminal activities, protecting the rights, safety and property, of Medline, you, and/or others, satisfying Medline’s audit requirements, the resolution of disputes and disputed payment transactions, the establishment, exercise or defence of legal claims, protecting information security or the retention and disclosure of information as required by applicable legislation and/or public authorities.

We process your personal data for these purposes on the basis of article 6.1 (c) GDPR) (compliance with our legal obligation) and article 6.1 (f) GDPR (our legitimate interest of protecting our business), as applicable.

For more information about your statutory rights, please refer to section 7 of this privacy statement.

 

To comply with our Materiovigilance obligations

For this purpose Medline International France SAS will be the data controller, which will process your personal data to manage the adverse health event that you reported to us. If you report to us an adverse health event with one of our products that you are not exposed to, we remind you that Medline does not need to process any personal data related to the patient or the person affected by the event. In the case that patient data is included in the report, we inform you that Medline has processes in place to anonymize or delete such personal data.

Medline will process your personal data to enable the prevention, monitoring, evaluation and management of adverse health events that the use of our products may produce. Medline will collect, analyse, document and store your personal data to conduct the necessary investigation about the event. As a part of the investigation, we may need to use your personal data to contact you.

Medline will process the contact details, included but not limited to first name, last name, email address, and phone number, of the person that reports the adverse health event to us.

We process your personal data only if such processing is justified by a legal obligation and in accordance with the data protection regulations. Therefore, we will only process your personal data if the processing is necessary to comply with our legal obligations relating to the safety of medical devices.

Medline will share your personal data with the following recipients and for the following purposes:

  • Medline International Germany GmBH for support in the management of the adverse health event reports as part of the Quality Assurance function that manage the adverse health event reports in Medline.
  • British Standard Institution (BSI) as Medline’s external auditor for the ISO quality certification. BSI is an organization based in the UK and therefore we inform you that Medline is conducting an International Transfer with your personal data. The UK has an adequacy decision made by the European Commission ensuring that the level of protection of your personal data is equivalent to the level of protection established by the GDPR.

We will keep your personal data for the necessary period to perform our investigation about the reported adverse health event. Once the investigation is closed we will store your personal data for a period of 10 years as required by law. During these 10 years, your personal data will be blocked and only accessible to the relevant functions that may access and process your personal data to comply with a legal obligation or for the defence of legal claims. After this period, we will delete your personal data.

For this purpose you can exercise the following rights:

  • the right of access / information;
  • the right to obtain the restriction of the processing of your personal data;
  • the right to rectification by requesting corrections/amendments if inaccurate or incomplete personal data has been processed;

Please, be informed that under this processing activity you do not have the right to object to processing your personal data, to delete your personal data or to request the portability of your personal data because the processing activity is based on the compliance of a legal obligation.

 

Special categories of data

We do not ask for, collect or process any special categories of data about you, except in specific circumstances as described in this privacy statement. Special categories of personal data are often referred to as ‘sensitive’ personal data and include information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life. In cases where you accidently or voluntarily provide such information and we do not have a legal basis to process this information, we will delete this information without undue delay.


In accordance with this privacy statement and as permitted by law, Medline shares your personal data with third parties in different ways and for different reasons, as further detailed below. Medline does not sell your personal data to third parties. Where legally required, we will ask for your consent before we share your personal data with third parties.

We share personal data within the Medline group of companies, of which the parent company is Medline Industries, LP. An overview of our Medline group of companies can be found the section “Medline Offices in Europe” that you will find in the footer of this website.

We use third parties such as IT service providers, distributors, marketing technology platforms and suppliers to perform services on our behalf. Where we engage third parties to perform services on our behalf, we ensure that we have taken the necessary contractual, technical and organizational measures to safeguard that your personal data is protected and only used for the purposes for which the personal data is shared. Where required and permitted by applicable law, we may share personal data with public authorities, such as tax authorities, data protection authorities and/or other regulatory or governmental bodies.

We reserve the right to share your personal data with third parties in case we (consider to) sell or transfer all or part of our business activities or assets to a third party.

 

Medline is an international organisation with affiliates across the world. Medline has committed itself to comply with this privacy statement and the applicable data protection laws and regulations with regard to personal data transferred outside the EEA. The laws in other countries outside the EEA may not be as strict as the laws in Europe. Because of this, Medline has taken measures to protect your privacy and fundamental rights when your personal data is transferred outside the EEA and other countries where no adequacy decisions of the European Commission apply. This means that Medline uses appropriate safeguards such as standard contractual clauses and safe transfer protocols to ensure adequate protection. Where legally required, we will ask for your consent before we transfer your personal data to territories outside the EEA.

You may request additional information with respect to the transfer of personal data to non-EEA territory by contacting us using the contact details in the 'How to contact us' section.


Unless a specific period is mentioned in this privacy statement, in the normal course of business we retain your personal data between five (5) and ten (10) years after your relationship ends with us, unless we have an obligation to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).

In determining the applicable data retention period in a specific situation, Medline will also take into account specific data retention obligations arising from applicable laws other than privacy laws, which laws may prohibit the deletion of data before expiry of the minimum retention period (for example for accounting purposes).

In the absence of any applicable retention periods, we consider the following criteria to determine the appropriate retention period for your personal data: the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and applicable legal requirements.

Furthermore, in case certain personal data is needed for a legal claim or other legal issue, Medline will retain this data as long as that issue is ongoing up to when the statute of limitation has expired.


Under the GDPR you have certain rights in relation to your personal data, as detailed below. We will respect your statutory rights and comply with your request insofar as we are legally required to. Please be aware that not all rights are absolute and that we may have legitimate grounds to refuse your request.

If you would like to exercise any of these rights, please contact us at the address, email, phone or fax number as stated in the 'How to contact us' section below.

If you make a request we have one (1) month to respond. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We may ask you to provide documentation demonstrating your identity when you make a request, so that we can protect you and us against mistakes in the handling of your request.


Your statutory rights include:

  • Right to access: You have the right to request information about how we process your personal data, including the categories of personal data we process, recipients of your personal data, and purposes for our processing.
  • Right of rectification: You have the right to request that we correct incorrect personal data we hold about you, as well as, taking into account the purposes of the processing, the right to have incomplete personal data completed.
  • Right of erasure (right to be forgotten): You have the right to request the deletion of personal data concerning you where: (a) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) you withdraw your consent and there are no other legal grounds for the processing; (c) you exercise your right to object (see below) and there are no compelling legitimate grounds for the processing; (d) the personal data have been unlawfully processed; or (e) the personal data have to be erased for compliance with a legal obligation applicable to us.
  • Right to restriction of processing: You have the right to request that we restrict the processing of your personal data (i.e., data will be blocked from normal processing but not erased) where: (a) you contest the accuracy of the personal data, for a period enabling us to verify the accuracy; (b) the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead; (c) we no longer need the personal data for the purposes of the processing but they are required by you for the establishment, exercise or defence of legal claims; (d) you exercise your right to object (see below) pending the determination of whether our legitimate grounds override your rights.
  • Right to withdraw your consent: Where processing is based on your consent, you have the right to withdraw consent at any time. Please note that withdrawing your consent is not affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to data portability: You have the right to request to receive your personal data in a structured, commonly used and machine-readable format, and to have the data transferred by us to another data controller unhindered, insofar as the processing is carried out on the basis of your consent or on the basis of a contract and the processing is carried out using an automated process.
  • Right to object: You have the right to raise objections to the processing of your personal data that is based on our legitimate interest, including profiling, for reasons relating to your particular situation. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data concerning for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to lodge a complaint: At any time, you have the right also to file a complaint in relation to the processing of your personal data with the data protection authority, which in the Netherlands is the Autoriteit Persoonsgegevens (Postbus 93374, 2509 AJ Den Haag, The Netherlands, Tel.: +31 (0) 88 1805 250 or at https://www.autoriteitpersoonsgegevens.nl/).

In addition, under circumstances  your (local) supervisory authority is competent to handle a complaint lodged with it or a notification of a possible infringement of the applicable legislation and regulations regarding data protection (that is: if the subject matter of the complaint/notification relates only to an establishment in its Member State or substantially affects data subjects only in its Member State). In such a case you may contact the supervisory authority of your Member State. Details of the local supervisory authorities you can find here.


We are committed to protecting your personal data, and we have implemented appropriate technical and organizational measures to ensure the personal data we process is protected from unauthorized access, use, disclosure, alteration or destruction, in accordance with applicable laws and regulations.

We work with secured networks and use encryption as appropriate. Access to personal data by our employees and consultants is also limited to a ‘need-to-know’ basis. We take measures to maintain the confidentiality of your personal data and to protect it from unauthorised disclosure. We will not publicly communicate your personal data without your prior consent.

Unfortunately, no data transmission or storage system can be guaranteed to be completely secure and we cannot fully guarantee the security of personal data at all times.


The data controller with respect to the processing of personal data as described in this privacy statement is Medline International B.V.

If you would like to exercise your statutory rights, withdraw your consent to the processing of your personal data, have any comments or suggestions regarding this privacy statement or if you suspect misuse or loss of or unauthorised access to your personal data, you can contact us at the following address:

 

To contact our Privacy Office, please send an email to [email protected]

 

Medline International B.V.

Nieuwe Stationsstraat 10

6811 KS Arnhem

The Netherlands

Tel.: +31(0)26-3127227

Fax: +31(0)26-3127208

Email: [email protected]

If you are a German, Dutch, French, Italian, Spanish or UK resident, you may also contact our Data Protection Officer at the following address:

 

Philipp M. Moehrle

Datenschutzbeauftr./ Dipl. Wirtschaftsjurist/ MCSE - BECHTLE Datenschutz Competence Center - Bechtle GmbH IT-Systemhaus

Parkstraße 2-8, 47829 Krefeld

Tel.: 02151 - 455 - 836

Fax: 02151 - 455 - 77810

eMail: [email protected]http://www.bechtle.com

Geschäftsführer:   Karl-Heinz Empel

HRB: 9925, AG Krefeld

Sitz der Gesellschaft: Krefeld

At any time, you have the right also to file a complaint in relation to the processing of your personal data by Medline International B.V. with its supervisory authority, which in the Netherlands is the “Autoriteit Persoonsgegevens” (Postbus 93374, 2509 AJ Den Haag, The Netherlands, Tel.: +31 (0) 88 1805 250) or your local supervisory authority, details of which you can find here.

This privacy statement applies to the processing of personal data by Medline entities in the European Union (EU) and European Economic Area (EEA) and by Medline entities outside the EU and EEA to the extent the GDPR applies to such processing. For completeness, please be aware that is possible that countries apply different interpretation to the protection of personal data at a detailed level on the basis of local implementation laws. We will inform you separately on any country-specific rules that apply to the processing of personal data by us in a specific scenario.


We may update this privacy statement from time to time to reflect changes in the way we process personal data, for example if we implement new systems or processes that involve new uses of personal data or as may be required as a result of legal developments.

We will actively notify you about changes to this statement or the way we use your personal data when we are legally required to do so.

This privacy statement was lastly updated on 13th March 2024.