Our Commitment to Protecting Your Privacy: Your privacy is important to Carestream Dental LLC (“Carestream Dental”). We’ve developed this Privacy Shield Policy Statement to explain how Carestream Dental and its affiliates worldwide collect, use, process, disclose, transfer and store your information. To make sure your personal data is treated in accordance with this Statement, we communicate our information security and privacy guidelines to all Carestream Dental employees and enforce privacy safeguards within the company. We encourage you to read this Privacy Statement and to familiarize yourself with our privacy practices before submitting personal data, and please let us know if you have any questions.
PRIVACY SHIELD POLICY
Carestream Dental DPMS Holdings, Inc.
Carestream Dental Partnerships, LLC
Carestream Dental Equipment, Inc.
Carestream Dental Equipment, LLC
Carestream Dental Equipment Holdings, Inc.
CADI Acquisition Corporation
These entities are collectively referred to hereinafter as “Carestream Dental.”
Carestream Dental recognizes and acknowledges current data protection laws in the European Union ("EU"), United Kingdom (“UK”) and Switzerland, and has therefore adopted this Privacy Shield Policy ("Policy") governing Personal Data transferred from Carestream Dental operations, affiliates, agents, third party distributors, patients, customers or other healthcare providers in the EU, UK and Switzerland to Carestream Dental operations in the United States ("U.S."). This Policy sets forth the standards under which Carestream Dental will treat such Personal Data.
Carestream Dental participates in the U.S.-EU Privacy and Swiss-U.S. Privacy Shield Frameworks administered by the U.S. Department of Commerce, and commits to subject to the Principles all Personal Data received from the EU, UK and Switzerland in reliance on the Privacy Shield. Carestream Dental’s participation in Privacy Shield is subject to investigation and enforcement by the Federal Trade Commission. For more information about the Privacy Shield Framework, including a list of companies that have certified to Privacy Shield, please visit the U.S. Department of Commerce’s website at https://www.privacyshield.gov/.
"Data Subject" means the individual to whom any given EU and Switzerland Personal Data covered by this Policy refers.
"EU, UK and Switzerland Personal Data" or "Personal Data" means any information relating to an individual residing in the EU, UK or Switzerland that can be used to identify that individual either on its own or in combination with other readily available data (e.g., the individual’s name, title, work location, home address, date of birth, compensation, benefits, or family members).
"Sensitive Personal Data" means Personal Data regarding any of the following:
Health or medical condition;
Racial or ethnic origin;
Religious or philosophical beliefs;
Trade union membership;
Sex life; or
Criminal convictions or indictments.
SCOPE AND RESPONSIBILITY
This Policy applies to the collection, use, and disclosure in the U.S. of all EU, UK and Switzerland Personal Data transferred from countries in the EU, UK and Switzerland to Carestream Dental in the U.S. Where Carestream Dental acts solely as an agent processing EU, UK and Switzerland Personal Data under the direction of a third party, Carestream Dental has no direct relationship with the Data Subjects whose Personal Data it processes, and for such Personal Data, Carestream Dental instead may rely on such third parties to comply with the European, United Kingdom and Switzerland legal requirements underlying the Privacy Shield Principles.
All employees of Carestream Dental that have access to such EU, UK and Switzerland Personal Data in the U.S. are responsible for conducting themselves in accordance with this Policy. Adherence by Carestream Dental to this Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations, but EU, UK and Switzerland Personal Data shall not be collected, used, or disclosed in a manner contrary to this policy without the prior written permission of Carestream Dental’s General Counsel.
Carestream Dental employees responsible for engaging third parties to handle EU, UK and Switzerland Personal Data covered by this Policy on behalf of Carestream Dental (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Policy, including any applicable contractual assurances required by Privacy Shield.
Failure of a Carestream Dental employee to comply with this Policy may result in disciplinary action up to and including termination.
PRIVACY SHIELD PRINCIPLES
Carestream Dental has adopted the U.S. Department of Commerce’s Privacy Shield Principles, as set forth below, with respect to the EU, UK and Switzerland Personal Data described in the "SCOPE AND RESPONSIBILITY" section of this Policy that is transferred from Carestream Dental operations in the EU, UK and Switzerland to Carestream Dental operations in the U.S.
Notice – Carestream Dental takes steps so that Data Subjects covered by this Policy are notified about the types of Personal Data it collects about them, the purposes for which it uses such Personal Data, the types of third parties to which it discloses such Personal Data, the choices and means that it offers for limiting its use and disclosure of such Personal Data, and how Data Subjects can contact Carestream Dental with any inquiries or complaints. Notice is provided in clear and conspicuous language at the time of collection or as soon as practicable thereafter, before Carestream Dental uses or discloses Personal Data for a purpose other than that for which it was originally collected, and through this Policy.
Specifically, Carestream Dental collects and uses Personal Data for, among other things:
the delivery of current and future products and services;
compliance as required by law, or as permitted by law;
our everyday business operations such as:
product safety and product complaint reporting;
communicating information about diseases, products and services, or via e-mail, direct mail and other channels;
business and marketing research; and
auditing our programs and resources for compliance and security purposes; and
employment-related purposes and legitimate human resource business reasons such as:
carrying out and supporting its human resources functions and activities;
carrying out its obligations under employment contracts and employment and benefits laws;
administering employee participation in benefits, compensation and human resources plans and programs;
managing employee performance;
implementing compliance and discipline procedures, and investigating and reporting on employee compliance and discipline; and
complying with legal or contractual obligations, carrying out investigations and for other internal administrative purposes.
Carestream Dental discloses Personal Data to the following types of third parties:
To third parties that are designated by the Data Subject or customer to which the Personal Data pertains for purposes of providing health care treatment (including training and service), paying for health care, or for the administrative health care operations of a health plan or health care provider;
To Carestream Dental affiliates or subsidiaries for purposes such as coordinating the delivery of products or services, processing payment and conducting data analytics;
To agents, distributors or third party service providers (such as accountants, attorneys, consultants, and other service providers) who need the information in order to provide services to or perform activities on behalf of Carestream Dental, including in connection with the delivery of services or products, Carestream Dental’s management, administration, or legal responsibilities; or
As required by law, including disclosure in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.
Choice – In the event EU, UK and Switzerland Personal Data covered by this Policy is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Data was originally collected or subsequently authorized, or is to be transferred to the control of a third party, Data Subjects are given, when feasible and appropriate, an opportunity to choose (opt-out) whether to have their Personal Data so used or transferred. In the event that Sensitive Personal Data is used for a new purpose or transferred to the control of a third party, the Data Subject’s explicit consent (opt-in) will be obtained prior to such use or transfer of the Sensitive Personal Data.
Accountability for Onward Transfer (transfers to affiliates and/or other third parties) – In the event Carestream Dental transfers EU, UK and Switzerland Personal Data covered by this Policy to an affiliate or other third party, it will do so consistent with any notice provided to Data Subjects and any consent they have given. Carestream Dental will transfer Personal Data to such third parties only if the transfer is for limited and specified purposes and the third party will provide at least the same level of privacy protection as is required by this Policy and the Privacy Shield Principles. When Carestream Dental has knowledge that a third party is using or sharing Personal Data in a way that is contrary to this Policy, Carestream Dental will take reasonable steps to prevent or stop such use or sharing.
With respect to transfers to its agents, Carestream Dental remains responsible under the Privacy Shield Principles if an agent processes Personal Data in a manner inconsistent with the Principles, except where Carestream Dental is not responsible for the event giving rise to the damage.
Access – Data Subjects whose Personal Data is covered by this Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if they can demonstrate that it is inaccurate or incomplete (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated).
You have the right to request personal data Carestream Dental, LLC and its affiliates may hold about you. This is known as a Data Subject Access Request (“DSAR”). A data subject is an individual who is the subject of the personal data. If you wish to make a DSAR, please complete this form.
Security – Carestream Dental takes reasonable precautions to protect EU, UK and Switzerland Personal Data covered by this Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Data Integrity and Purpose Limitation – EU, UK and Switzerland Personal Data covered by this Policy that is collected, processed, and maintained by Carestream Dental shall be kept and used for its intended purpose. Carestream Dental takes reasonable steps to ensure that the Personal Data is used for its intended purpose(s), and is accurate, complete, and current.
Recourse, Enforcement, and Liability – To ensure compliance with these Privacy Shield Principles, Carestream Dental will:
In the investigation and resolution of complaints that cannot be resolved between Carestream Dental and the complainant,
Commit to cooperate with EU and UK data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU, UK and Switzerland in the context of the employment relationship;
Commit to cooperate with the Better Business Bureau’s ("BBB") EU Privacy Shield Dispute Resolution Procedure, which is based in the U.S., with regard to non-HR Personal Data transferred from the EU, UK and Switzerland;
Periodically review and verify its compliance with the Privacy Shield Principles; and
Remedy issues arising out of any failure to comply with the Privacy Shield Principles.
Carestream Dental acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants, and thereafter transfers of Personal Data will not be allowed unless Carestream Dental otherwise complies with EU, UK and Switzerland data protection laws.
ENFORCEMENT AND DISPUTE RESOLUTION
Any inquiries or complaints regarding this Policy or the collection, use, disclosure, or transfer of Personal Data should be directed to:
Carestream Dental LLC
Attention: Noni Ellison, General Counsel
3625 Cumberland Blvd. Ste 700
Atlanta, GA 30339
Carestream Dental will work with you to resolve any concerns you have about this policy.
Carestream Dental will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles. In the event an inquiry or complaint cannot be resolved between Carestream Dental and a Data Subject, the Data Subject may contact an independent recourse mechanism to provide appropriate recourse free of charge:
For inquiries or complaints regarding HR Personal Data,
EU individuals should contact the DPA of the EU Member State where the Data Subject works, which can refer the complaint to the DPA panel
UK individuals should contact the UK Information Commissioner’s Office (ICO)
Swiss individuals should contact the Swiss Federal Data Protection and Information Commissioner (FDPIC)
For inquiries or complaints regarding non-HR Personal Data, EU, UK and Swiss individuals can refer the complaint to the International Centre for Dispute Resolution of the American Arbitration Association at http://go.adr.org/privacyshield.html
Should a complaint remain fully or partially unresolved after a review by Carestream Dental and the applicable independent recourse mechanism, Data Subjects may be able to, under certain conditions, seek binding arbitration before the Privacy Shield Panel. For more information, please visit www.privacyshield.gov.
CHANGES TO THIS POLICY
This Policy may be amended from time to time consistent with the requirements of the Privacy Shield Principles. Appropriate notice will be given concerning such amendments.
Effective: May 2019