Data Privacy Framework Policy

Updated March 2026

MiniMed ( “we,” “us,” and “our”) participates in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as established by the U.S. Department of Commerce, collectively referred to herein as “the Data Privacy Framework” or “DPF”.  MiniMed commits to comply with the DPF Principles with respect to the Personal Data of Medical Device Users and Healthcare Professionals that the company receives from the EU, UK, and Switzerland in reliance with the DPF. This Data Privacy Framework Policy (“Policy”) describes how MiniMed implements the DPF Principles for Medical Device Users’ and Healthcare Professionals’ Personal Data. If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern.

As used in this statement, “MiniMed” means, collectively, the following U.S.-based entities:

• Medtronic MiniMed, Inc.
• MiniMed Distribution Corporation.

To learn more about the DPF program, and to view our certification, please visit the Data Privacy Framework website at www.dataprivacyframework.gov. You may find the list of Data Privacy Framework participants at www.dataprivacyframework.gov/list.

For purposes of this Policy:

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“DPF Principles” means the Principles and Supplemental Principles of the DPF.

“EU” means the European Union and Iceland, Liechtenstein and Norway.

“Healthcare Professionals” means nurses, physicians and/or members of healthcare associations who (1) are located in the EU, UK or Switzerland, and (2) assist people with diabetes.

“MiniMed Management Solutions” or “Solutions” means a diabetes therapy management solution used by a Medical Device User or a Healthcare Professional, and which consist of a range of device management software (including CareLink™ software) and associated services (including product support, education and online ordering platform).

“Medical Device User” means any individual with diabetes or their care giver who (1) is located in the EU, UK or Switzerland, (2) uses a MiniMed medical device (including insulin pump, continuous glucose monitor and Smart insulin Pen) and (3) has his/her Personal Data processed in MiniMed Management Solutions.

“Personal Data” means any information, including Sensitive Data, that is (i) about an identified or identifiable individual; (ii) received by MiniMed in the U.S. from the EU, UK or Switzerland, and (iii) recorded in any form.

“Processor” means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.

“Sensitive Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (including trade union-related views or activities), sex life (including personal sexuality), information on social security measures, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings (including administrative proceedings and criminal sanctions).

“UK” means the United Kingdom (and Gibraltar).

“U.S.” means the United States of America.

We may update this Policy periodically to reflect changes in our practices, technology, or applicable laws. We encourage you to review this Policy regularly.
 

Types of Personal Data MiniMed Collects

Personal Data of Medical Device Users

MiniMed collects Personal Data from Medical Device Users through a use by the Medical Device User or the Healthcare Professional of MiniMed Management Solutions or in connection with such use, e.g., during assistance for customer and product support and/or via a registration to a device management software and/or associated service.

MiniMed obtains, uses, discloses and otherwise processes Personal Data about Medical Device Users to (i) comply with legal requirements, such as vigilance reporting, post-market surveillance, and correspondence with competent authorities; (ii) provide maintenance and technical assistance; and (iii) support its research and development activities on the Solutions and develop educational materials by means of internal statistical reports based on aggregated data.

The types of Medical User Personal Data MiniMed collects include:

• Contact information and/or account details, such as: first and last name, home address, country, phone number, email address, date of birth or age, gender, user ID, MiniMed account credentials (i.e., username and password),
• Information about healthcare system: Information about healthcare provider(s), healthcare organization and health insurance company,
• Contract details: Information relevant to the performance of a contract, such as: credit card details, order and shipment information,
• Information about way of living: information about food consumptions or personal preferences, such as lifestyle, habits, interests and hobbies that the Medical Device User chooses to provide to us,
• Information about personal devices: where applicable, information about the devices used as part of the Solution(s), such as mobile device model name (e.g. iPhone5s), Operating System (e.g. Android), time zone and changes of time zones, mobile app usage data,
• General information: Other personal data contained in content submitted when using a Solution, such as: notes and request for technical support.

In addition, we may collect Sensitive Data, i.e., health-related data associated with the Medical Device User’s therapy, including type of diabetes, MiniMed device information (such as the type of device used and its serial number) and compatible medical device data uploaded to MiniMed device management software (e.g., CareLink™ Personal).

Personal Data of Healthcare Professionals

 MiniMed collects Personal Data from Healthcare Professionals through their medical institutions for the purposes of providing MiniMed products and services that are part of the MiniMed Management Solutions.

 MiniMed may also collect Personal Data from Healthcare Professionals through consulting and educational services that MiniMed or its affiliates provide to Healthcare Professionals. Those services consist of training sessions focusing on the safe and effective use of MiniMed products and services or specific to a protocol, and/or MiniMed-sponsored events to present diabetes current therapies, services and future innovations and collaboration (collectively, the “Consulting and Educational Services”). The Consulting and Educational Services may be delivered in-person or remotely, including through accessing or logging into an online application (e.g. teleconferencing or learning management system) which may be provided by MiniMed, MiniMed affiliates or a third party engaged for this purpose.

The types of Healthcare Professional Personal Data MiniMed collects include:

• Contact and account details – to support services provided to medical institutions or to register Healthcare Professionals to the Consulting and Educational Services and/or to MiniMed Management Solutions, we may collect Personal Data such as: first name, last name, email-address, postal address, profession or clinic role (such as physician, nurse, administrator), therapy group, primary medical specialty, hospital/clinic name and address, city, country of practice, access rights requested, username and password as needed for any online platform log-in. In case required by national law to register to the Consulting and Educational Services, Healthcare Professional number will be collected.
• Electronic data - to support services provided to medical institutions, we may also collect logging details and IP address.
• Training and education data – to access the Consulting and Educational Services, the following data may be collected and linked to the Healthcare Professional, including through the creation of a learning profile for this purpose: course attendance, learning program progress, assessment/observation results at single question level, course evaluation, course completion, certification, training exemptions, results of knowledge tests, learning modules and resources viewed, and feedback assessments.
• Travel information - to organize and facilitate in-person training, events or meetings we may process the following additional Personal Data needed for trip and event management purposes: national identity/passport number, dietary and travel preferences, logistics and travel details, expenses.
• Trainer/Consultant Information – If a Healthcare Professional is engaged by MiniMed to provide the Consulting and Educational Services, we may process additional Personal Data in order to administer our contractual relationship, including basic identity information, contact details, professional activities and affiliations, professional qualifications, financial information on honoraria paid by MiniMed, and bank account information.
• Images/Video/Audio – The delivery of the Consulting and Educational Services may involve photography or video recording by MiniMed or make use of an online platform that will transmit the Healthcare Professional’s audio, video and/or image to other participants. MiniMed informs Healthcare Professionals about the intent to actually capture and record any such Personal Data for further use.

MiniMed’s privacy practices regarding the processing of Medical Device Users’ and Healthcare Professionals’ Personal Data comply with the DPF Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.

1. Notice
   MiniMed provides information in this Policy and the privacy notices published on the https://carelink.minimed.eu website about its Medical Device User Personal Data practices, including the types of Personal Data MiniMed collects, the types of third parties to which MiniMed discloses the Personal Data and the purposes for doing so, the rights and choices Medical Device Users have for limiting the use and disclosure of their Personal Data, and how to contact MiniMed about its practices concerning Personal Data.
   
   MiniMed provides information in this Policy and the privacy notice for education services available at www.minimed.com about its Healthcare Professional Personal Data practices. Relevant information also may be found in notices pertaining to specific data processing activities.
   
   
2. Choice
   MiniMed generally offers Medical Device Users and Healthcare Professionals the opportunity to choose whether their Personal Data may be (i) disclosed to third-party Controllers or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant Medical Device User or Healthcare Professional. To the extent required by the DPF Principles, MiniMed obtains opt-in consent for certain uses and disclosures of Sensitive Data. Medical Device Users and Healthcare Professionals may contact MiniMed as indicated below regarding MiniMed’s use or disclosure of their Personal Data. Unless MiniMed offers Medical Device Users and Healthcare Professionals an appropriate choice, MiniMed uses Personal Data only for purposes that are materially the same as those indicated in this Policy.
   
   MiniMed shares Medical Device User and Healthcare Professional Personal Data with its affiliates and subsidiaries. MiniMed may disclose Medical Device User and Healthcare Professional Personal Data without offering an opportunity to opt out, and may be required to disclose the Personal Data, (i) to third-party Processors MiniMed has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. MiniMed also reserves the right to transfer Personal Data in the event of an audit or if MiniMed sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
   
   
3. Accountability for Onward Transfers
   This Policy and the privacy notices published on MiniMed websites, as listed above, describe MiniMed’s sharing of Medical Device User and Healthcare Professional Personal Data.
   
   Except as permitted or required by applicable law, MiniMed provides Medical Device Users and Healthcare Professionals with an opportunity to opt out of sharing their Personal Data with third-party Controllers.  MiniMed requires third-party Controllers to whom it discloses Medical Device User and Healthcare Professional Personal Data to contractually agree to (i) only process the Personal Data for limited and specified purposes consistent with the consent provided by the relevant Medical Device User/Healthcare Professional, (ii) provide the same level of protection for Personal Data as is required by the DPF Principles, and (iii) notify MiniMed and cease processing Personal Data (or take other reasonable and appropriate remedial steps) if the third-party Controller determines that it cannot meet its obligation to provide the same level of protection for Personal Data as is required by the DPF Principles.
   
   With respect to transfers of Medical Device User and Healthcare Professional Personal Data to third-party Processors, MiniMed (i) enters into a contract with each relevant Processor, (ii) transfers Personal Data to each such Processor only for limited and specified purposes, (iii) ascertains that the Processor is obligated to provide the Personal Data with at least the same level of privacy protection as is required by the DPF Principles, and (iv) takes reasonable and appropriate steps to ensure that the Processor effectively processes the Personal Data in a manner consistent with MiniMed’s obligations under the DPF Principles. In addition, MiniMed requires each Processor to notify MiniMed if the Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles. MiniMed will take reasonable and appropriate steps to stop and remediate any unauthorized processing of the Personal Data by the Processor of which MiniMed becomes aware and will provide a summary or representative copy of the relevant privacy provisions of the Processor contract to the Department of Commerce, upon request. MiniMed remains liable under the DPF Principles if the company’s third-party Processor onward transfer recipients process relevant Personal Data in a manner inconsistent with the DPF Principles, unless MiniMed proves that it is not responsible for the event giving rise to the damage.
   
   
4. Security
   MiniMed implements reasonable and appropriate security measures to protect Medical Device Users’ and Healthcare Professionals’ Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
   
   
5. Data Integrity and Purpose Limitation
   MiniMed limits Medical Device Users’ and Healthcare Professionals’ Personal Data it processes to that which is relevant for the purposes of the particular processing. MiniMed does not process Medical Device Users’ and Healthcare Professionals’ Personal Data in ways that are incompatible with the purposes for which it has been collected or subsequently authorized by the relevant Medical Device User/Healthcare Professional. MiniMed takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. In this regard, MiniMed relies on Medical Device Users and on Healthcare Professionals to update and correct the relevant Personal Data to the extent necessary for the purposes for which the information was collected or subsequently authorized. Medical Device Users and Healthcare Professionals may contact MiniMed as indicated below to request that MiniMed update or correct relevant Personal Data.
   
   Medical Device Users’ and Healthcare Professionals’ Personal Data will only be retained by MiniMed for so long as necessary and relevant to fulfill the purpose(s) for which it has been collected and may be retained beyond the duration of the business relationship with MiniMed if required to enable us to fulfill such purposes as to comply with legal requirements, including compliance and record retention regulations.
   
   
6. Access
   Medical Device Users and Healthcare Professionals generally have the right to access their Personal Data. Accordingly, where appropriate, MiniMed provides Medical Device Users and Healthcare Professionals with reasonable access to the Personal Data MiniMed maintains about them. MiniMed also provides a reasonable opportunity for those Medical Device Users and Healthcare Professionals to correct, amend or delete the information where it is inaccurate or has been processed in violation of the DPF Principles, as appropriate. MiniMed may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the Medical Device User’s and Healthcare Professional’s privacy in the case in question, or where the rights of persons other than the relevant Medical Devie User or Healthcare Professional would be violated.
   
   Medical Device Users and Healthcare Professionals may exercise these rights by contacting MiniMed as indicated below.
   
   
7. Recourse, Enforcement, and Liability
   MiniMed has mechanisms designed to help assure compliance with the DPF Principles. MiniMed conducts an annual self-assessment of its Personal Data practices to verify that the attestations and assertions MiniMed makes about its DPF privacy practices are true and that MiniMed’s privacy practices have been implemented as represented and in accordance with the DPF Principles.
   
   In compliance with the Data Privacy Framework, MiniMed commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. Medical Device Users and Healthcare Professionals with inquiries or complaints regarding our processing of Personal Data received in reliance on the DPF should first contact MiniMed at the contact information provided below.
   
   If a Medical Device User’s or Healthcare Professional’s complaint concerning our processing of Personal Data received in reliance on the DPF cannot be resolved through MiniMed’s internal processes, MiniMed commits to refer unresolved complaints to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
   
   Following the dispute resolution process, the mediator or the Medical Device User/Healthcare Professional may refer the matter to the U.S. Federal Trade Commission, which has DPF investigatory and enforcement powers over MiniMed.
   
   When other dispute resolution procedures have been exhausted, Medical Device Users and Healthcare Professionals also may be able under certain circumstances to invoke binding arbitration to address unresolved complaints about MiniMed’s compliance with the DPF Principles. For more information, please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

How to Contact MiniMed?

To contact MiniMed with questions or concerns about this Policy or MiniMed’s Medical Device User and Healthcare Professional Personal Data practices:

Write to:

MiniMed Inc.
Attention: Data Protection Officer
18000 Devonshire Street,
Northridge, CA 91325
United States of America

Or

MiniMed Inc.
International Trading Sárl
Attention: Data Protection Officer
Route du Molliau 31
1131 Tolochenaz
Switzerland

Email: privacyoffice@minimed.com