SMITH & NEPHEW VISIONAIRE EU CUSTOMER GUIDANCE NOTE
WHY ARE WE ASKING OUR CUSTOMERS TO SIGN UP TO A DATA PROCESSING ADDENDUM?
Background
VISIONAIRE Patient Matched Instrumentation is a patient-specific product, the production of which requires the processing of patient information and personal data. This includes the transfer of patient personal data from healthcare providers in the European Union (EU) (acting as data controllers) to Smith & Nephew and its affiliates in the US, Switzerland and Australia (acting as data processors).
Smith & Nephew strives to maintain a robust and secure infrastructure for the receiving, processing and storage of patient personal data. Smith & Nephew is also committed to helping its healthcare provider customers to transfer patient and other personal data from the EU to the US in compliance with European Data Protection laws, although this remains the responsibility of our customers.
Until recently transfers from the EU to the US were permitted under the US Safe Harbor framework. However, a recent European Court decision has ruled Safe Harbor invalid, which means it can no longer be relied upon (see section 3 for further details). It is the responsibility of customers and data controllers to ensure that alternative measures are put in place when transferring personal data from the EU to the US. In order to assist customers to adapt to this evolving landscape, Smith & Nephew has prepared The Data Processing Addendum.
The Safe Harbor framework had been in place since 2000 and facilitated the transfer of personal data from the EU to US entities. US organisations that self-certified compliance with the requirements of the Safe Harbor regime were deemed to have met the EU "adequacy" standards. This includes Smith & Nephew Inc., which was signed up to the Safe Harbor regime in relation to its processing of VISIONAIRE personal data.
Following a landmark decision by the Court of Justice of the European Union in October 2015, Safe Harbor has been ruled invalid. This means that other measures need to be put in place to try to ensure that the transfer of personal data from the EU to the US is compliant with EU Data Protection laws.
Smith & Nephew recognises that its customers will want to ensure that they comply with European Data Protection laws. By providing The Data Processing Addendum, which incorporates the EU "model clauses", Smith & Nephew is seeking to help its customers to do so. These are standard contractual clauses that data controllers can adopt to help meet the "adequacy" standards of EU Data Protection laws when transferring personal data outside the EU. The standard clauses incorporated into The Data Processing Addendum cover transfers from controllers to processors (including sub-processors). The standard clauses have been approved by the European Commission and cannot be changed.
It is widely accepted that signing up to these standard contractual clauses is currently the preferred solution whilst the uncertainty around Safe Harbor is resolved. If this position changes Smith & Nephew will reconsider its approach to this issue. Customers remain responsible for ensuring appropriate safeguards are in place.
When you complete, sign and return The Data Processing Addendum, the standard clauses will be incorporated into your existing VISIONAIRE agreement with Smith & Nephew.