Privacy Notice effective March 2024
Contingent Worker Privacy Notice
General Information
Medtronic and its affiliated companies (collectively called "Medtronic" or "we") is committed to protecting
your personally identifiable information or personal information (also often referred to as personal data).
This Privacy Notice explains how we process (collect, use, share, store, destroy) and protect your personal
information as part of your contract.
As an individual on contract, Medtronic needs to keep and process information about you for normal
business purposes. The information we hold and process is for our management and administrative use only.
We process it to enable us to run the business and manage our relationship with you effectively, lawfully and
appropriately, during the onboarding process, while you have a contract with us, at the time when your
contract ends and after you have left. This includes using information to enable us to comply with your
contract, to comply with any legal requirements, pursue the legitimate interests of Medtronic and protect
our legal position in the event of legal proceedings. We will process your personal information in a
transparent and lawful way. Any personal information you provide will only be processed in accordance with
this notice.
This notice does not form part of any contract of employment or other contract to provide services. We will
inform you of any changes to processing of your personal information in a new revised notice and, where
appropriate, provide you with the option to withdraw or renew your consent.
Medtronic Policy Portal.
What is Personal Information?
Personal information is any information relating to an identified or identifiable natural person. Your name,
address, phone number, date of birth and bank account number are some examples of personal information.
We process personal data about you from various sources including directly from you during your
assignment or from your supplier, as well as information about job-related activities through the course of
your assignment with us.
Medtronic processes your personal information to ensure the efficiency and effectivity of services,
particularly regarding network security and downstream business processes requiring worker personal data.
The table following this notice contains details about the types of worker data we process, how we use the
data, the legal basis for processing and the applicable data subject rights.
Lawfulness of processing
Processing will always be based on an identified legal basis. Most personal information collected by Medtronic
will be processed based on contractual necessity or legitimate interest. Other data is processed because of
legal obligations Medtronic has, like government reporting, quality and training requirements and defending
Privacy Notice effective March 2024
claims. If we do not have a legal basis identified, we will get your consent prior to processing any personal
data. For more detail about the personal information that we process and the legal basis that we rely on in
each case, please see the table at the end of this notice.
Unless there is a contractual obligation with you or other legal basis, we do not process sensitive personal
information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union
membership, and the processing of genetic data, biometric data to uniquely identify a person or data
concerning health or sex life and sexual orientation.
Profiling and automated processing
We will not use your personal information for decisions based solely on AI or automated processing if the
decision produces legal effects concerning you or significantly affects you, unless you give your explicit
consent for this processing.
Disclosure to third parties
We may disclose your personal information to Medtronic's subsidiaries, affiliates, agents, third parties or
sub-contractors for the purposes identified in the table below. We will not disclose your personal information
to third parties unless it is required for you to perform your contracted work with us. In such cases, the agent
or sub-contractor will be obligated to use that personal information in accordance with the terms of this
privacy notice and only for the specific purpose identified.
We will not sell your personal information to third parties.
We may disclose your personal information without your permission to the extent that it is required to do so
under applicable law, if illegal activity is discovered, in connection with any legal proceedings or prospective
legal proceedings, and to establish, exercise or defend Medtronic's legal rights.
International Transfer of Personal Information
Where there is a need to transfer your personal information across Medtronic or to a third party outside the
jurisdiction where you are located, we will comply with applicable legal requirements providing adequate
protection for the transfer of your personal information, including by implementing appropriate safeguards
based on the European Commission's Standard Contractual Clauses or one of the other transfer
mechanisms provided under applicable data protection laws.
Security
We are committed to ensuring that your personal information is secure. To prevent unauthorized access or
disclosure, we have put in place appropriate technical and organizational measures to safeguard and secure
information.
If, despite all Medtronic's efforts, a personal information breach does occur, we shall do everything in our
power to limit the damage. In case of a personal information breach which is likely to result in a high risk, and
depending on the circumstances, we will inform you about remedial actions to prevent any further damage.
Personal Information retention
We will not store your personal information longer than necessary for the purpose for which we need to
process your personal information. How long we retain your personal information depends on the type and
purpose for which we process it. For example, training and quality documents containing your name may
need to be kept for the life of a product. We may retain personal information for longer where there is a
compliance, audit, or legal basis.
Privacy Notice effective March 2024
Your rights*:
To the extent provided by applicable law, you may have the following rights:
Access: to request to access your personal data processed through our Sites and Services. Your request
should contain a detailed, accurate description of the personal data you want access to;
Rectification: to ask us to correct information about yourself you think is inaccurate or incomplete. Please be
informed that we can ask you to demonstrate that the personal data you want to correct is indeed erroneous;
Withdrawal: if we use your personal data based on your consent, to withdraw your consent at any time and
without giving reasons. If you do so, this will not affect the lawfulness of the data that have been processed
before you withdrew consent;
Portability: to request your personal data in a structured, commonly used and machine-readable format;
Erasure: to ask for the deletion of your personal data that is being processed or retained by us, but only when
this personal data is no longer necessary in light of the purposes explained hereunder and there is no legal or
regulatory obligation which obliges us to keep it;
Objection: to object, based on your particular situation, to any use or processing of your personal data which
we have based on our legitimate interests;
Restriction: to restrict our use of your personal data if and when (a) you contest the accuracy of the
information, (b) the processing is illegitimate and you request the restriction of its use instead of its deletion
(c) your personal information is no longer needed for the purposes which are outlined above, but you need it in
judicial proceedings;
Objection to automated decision making: to ask not to be subject to a decision based solely on automated
processing, including profiling.
*Not all rights apply to all purposes and processes. See the table below to reference what data subject rights
are applicable to the various data processing activities.
Other country-specific data protection laws may also provide additional data subject rights
. Depending on
your location, you may have the right to file a complaint with a data protection authority in case you are not
satisfied with our handling of your request.
Further information
If you have any questions about this privacy notice, about data subject rights, or about the processing of your
How Medtronic uses personal data to satisfy the right to be informed about processing of contingent
worker personal information. Please note: * *Not all of the categories of data elements in the table
below will apply to every worker due to differences in national legislation, if you have any questions
about the types of data that is collected or processed in your country please contact
Process
Purpose
Categories of data
elements processed**
Legal basis for
processing
Which data
subject
rights may
apply?
Generally
applicable for any
of the specific
processing
activities below
Included below
Name (first, last, MI),
Personal Emails, Personal
mobile number, Network
or user ID, Work contact
details (work email, work
address/business
location, work phone
numbers), signature,
status
Included below
Included
below
Privacy Notice effective March 2024
Process
Purpose
Categories of data
elements processed**
Legal basis for
processing
Which data
subject
rights may
apply?
Management of
assignment
To maintain active
and historical
records of
assignment
Security ID (Birth
Month/Day, first 2 letters
of last name and last 3 or
4 digits of National ID),
education, work history
and skills, hourly rate,
working hours, languages
Contractual
necessity and
Legal
obligation
Access,
Rectification
Time Tracking
Admin
To manage time on
assignments and
working hours to be
billed to supplier
Network/User ID, time of
swipes, location of clock
or swipe, hours worked,
supervisor hierarchy
Contractual
necessity and
Legal
obligation
Access,
Rectification
Managing and
monitoring health
and safety in the
workplace
To comply with our
health and safety and
occupational health
obligations; to
consider how your
health affects your
ability to do your job
and whether any
adjustments to your
job might be
appropriate
Health and sickness
records, contract details,
leave data, geo-location
data, vaccination records,
contact tracing details
such as exposures,
contacts date, time and
duration, may include
badge or app proximity
tracking
Legal
obligation
Access,
Rectification
Managing system
access, data
privacy and
security and data
loss prevention
(DLP)
To ensure workers
are complying with
practices, controls
and procedures
aiming at protecting
privacy and security
of information
transferred within
Medtronic and to any
external entity by
means of
communication
systems, technical
and electronic
resources. To
prevent intentional
as well as
unintentional loss of
Medtronic data, in
line with Medtronic's
Global Electronic
Resource Use Policy.
Status, equipment ID,
network or user ID, IP
address, log in details,
account activity, email
communications, website
history and cookies, and
metadata associated with
file movement and data
transfers including key
words matches. More
information can be found
in Medtronic's Electronic
Resource Use Policy.
Legitimate
interest
Access,
rectification,
erasure
(where
applicable),
data
portability
and
objection
Privacy Notice effective March 2024
Process
Purpose
Categories of data
elements processed**
Legal basis for
processing
Which data
subject
rights may
apply?
Prevention of
fraud or criminal
activities such as
background
checks,
monitoring of
equipment or
financial
transactions
To ensure the
prevention of fraud
and crime. To ensure
a safe workplace for
all.
Criminal information,
CCTV footage,
photograph containing an
individual, financial
details, credit and/or
background checks,
equipment ID, user ID, IP
address, Worker ID,
geographical location,
physical descriptions, log
in details, evidence of
completion (pass/fail)
Legitimate
interests
Access,
Rectification,
Erasure
(when
applicable),
and
Objection
To ensure the
prevention of fraud
and crime against
customers, patients,
employees,
members of the
public and law
enforcement
agencies
Public interest
Access,
Rectification
Government
Reporting
To comply with any
government
reporting
requirements
Geographical data, job
details
Legal
obligation
Access,
Rectification
Contingent
Workforce
Analytics
To conduct data
analytics to review
and better
understand
Turnover & spend
reporting and
analytics
requirements
Worker details, job level,
hourly rate, bill rate, geo-
location, Worker ID,
project assignments, time
tracking
Legitimate
interests
N/A as this is
confidential
to Medtronic
Legal disputes and
Internal
investigations
To make and defend
legal claims to ensure
that our legal rights
are protected
Worker data, hourly rate,
photographs/images,
CCTV footage and other
information obtained
through electronic means
and criminal convictions
Legitimate
interests
Access,
Rectification,
Erasure
(when
applicable)
Business
management and
business planning;
security,
accounting,
finance, sales,
strategic
sourcing, legal,
audit and other
non-HR functional
areas
To comply with the
legitimate business
needs within
Medtronic, including
non-HR functional
areas
Worker ID, work details,
hours worked, project
assignments, cost center,
geographical location, bill
rate, spend rate, other
billing or financial data
Legitimate
interests and
contractual
necessity
Access,
Rectification,
Erasure
(when
applicable),
and
Objection
Privacy Notice effective March 2024
Process
Purpose
Categories of data
elements processed**
Legal basis for
processing
Which data
subject
rights may
apply?
Administration of
disaster and
emergency
management
To meet Medtronic's
duty of care to
ensure the safety of
our workers
Work hours, work
location, user ID, travel
itinerary, building security
access, work and personal
contact data
Legitimate
interests
Access,
Rectification,
Erasure
(when
applicable),
and
Objection
Business Travel
To ensure safety and
security of our
workers and to allow
for expense
reimbursement
Travel details, hotel,
mileage, expense
Contractual
necessity
Access,
Rectification
Education,
professional/
compliance
training, and
talent
development/
learning
administration
To ensure all workers
are trained for
compliance, quality,
and other legal
requirements
Job details, work location,
training and educations
history, assessments,
certifications, test results
Legal
obligation
Access,
Rectification
Internal
directories and
organization
charts
To ensure internal
communications and
organization
structure is
accessible
Worker photograph, work
details, management
structure
Legitimate
interests
Access,
Rectification,
Erasure
(when
applicable),
and
Objection
Internal case
management
systems such as
IT and HR
To track and respond
to questions and
concerns submitted
or asked by workers
Worker ID, work location,
work details
Legitimate
interests
Access,
Rectification,
Erasure
(when
applicable),
and
Objection
3rd Party Tool or
system access
To allow access to 3rd
party tools or
systems which may
be required for the
worker to perform
their job, such as
treasury, banking,
money management,
currency trades, etc.
To request and
process permits,
licenses and
registrations for the
company, its
products and/or
services
Worker ID, work location,
work details, BU/Division,
work email, Government
Issued ID, non-sensitive
worker information,
Passport number,
signature
Legitimate
interest
Access,
Rectification
Erasure
(when
applicable)
External web
sites, virtual
Where Medtronic
worker is named as
Name, last name, email
address, work phone
Legitimate
interest
Access,
Rectification,
Privacy Notice effective March 2024
Process
Purpose
Categories of data
elements processed**
Legal basis for
processing
Which data
subject
rights may
apply?
meeting sites and
directories
contact for
Medtronic
number, work address,
signature
Erasure
(when
applicable)
Call quality
monitoring to
ensure
compliance with
applicable quality
requirements in
the context of
customer &
product support
activities;
including internal
IT/HR Helpdesks
as well as
external
customer support
calls
To ensure all workers
are trained to
provide the highest
level of service
quality to customers.
To defend legal
claims in the event of
disputes, complaints,
legal actions and/or
requests for
compensation from
customers.
Name, audio (call
recordings)
Legitimate
interest
Access,
Rectification,
Erasure
(when
applicable),
Objection
Virtual meetings
and events
To facilitate
participation to and
to video record
remote meetings
and events required
for the worker to
perform their job,
with internal and
external audience
Full name, audio, image
and video, IP address,
connection details, log in
details. We may need to
pass on certain
information to third-party
providers (e.g.,
teleconferencing
providers) hosting virtual
meetings and events on
our behalf.
Legitimate
interest
Access,
Rectification,
Erasure
(when
applicable),
Objection