CareLinkTM Personal Privacy Statement

Last Updated 24 September 2020 Your Privacy Matters Table of Contents

Medtronic’s mission is to contribute to human 1. Introduction welfare by the application of biomedical 2. What Personal Data does Medtronic collect engineering in the research, design, manufacture, and use? and sale of instruments or appliances that 3. Who is responsible for data processing? alleviate pain, restore health, and extend life. 4. For what purposes does Medtronic process Central to this mission is our commitment to be Personal Data of Users? transparent about Personal Data Medtronic 5. Provisions for Legal Guardians and Care collects, how it is used and with whom it is shared. Partners 6. How does Medtronic protect Personal Data This Privacy Statement applies to the Personal of Users? Data (including Patient Health Data) of Users 7. How does Medtronic share Personal Data of processed in CareLinkTM Personal. CareLinkTM Users? Personal is a web-based software designed to help 8. Cross border data transfers take information that is uploaded to CareLinkTM 9. How long does Medtronic retain Personal Personal from compatible devices and Data of Users? management tools – pump, continuous 10. What are the rights of Users as data monitor, glucose meter(s), logbooks subjects? and associated mobile applications – and organize 11. Updates to this Privacy Statement it into easy-to-read charts, graphs and tables. 12. Contact These reports can help Patients, Legal Guardians, Care Partners and Health Care Providers discover trends and other information that can lead to improved therapy management for greater control. In this Privacy Statement is described what Personal Data of Users is collected, how these Personal Data are processed, how long Personal Data are retained, with whom Personal Data is shared, which rights data subjects have as well as how they can exercise those rights and how Users can contact Medtronic.

1. Introduction - Definitions

“Associated mobile applications” means all mobile applications that require registering for CareLinkTM Personal. Please check the End User License Agreement of a Medtronic mobile application to find out if it is an associated mobile application within the meaning of this Privacy Statement.

Page 1 of 20

“Care Partner” means any individual that has been granted access by a Patient to view a secondary display with the Patient’s diabetes information in CareLinkTM Personal.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Health Care Provider” means a medical professional, such as a doctor or nurse, that provides medical advice and services to individuals under their care (e.g., their patients).

“Health Data” means different types of health related data generated and measured through the compatible devices and tools that are uploaded to CareLinkTM Personal or CareLinkTM System.

“Legal Guardian” means any individual that registers to CareLinkTM Personal on behalf of a Patient, under 18 years of age, that is under their guardianship.

“Medical Center” means a , clinic, or other health care institution where health and/or medical advice and services are provided to individuals (e.g., Patients).

“Patient” means any individual that uses CareLinkTM Personal for their diabetes management.

“Personal Data” means all the information which relates to an identified/identifiable natural person. This means that any information that can lead to knowing who you are (either directly or indirectly) is qualified as ‘Personal Data’.

“Users” means Patients, Legal Guardians, Care Partners and Health Care Providers who use CarelinkTM Personal.

- What is CareLinkTM Personal and what purpose does the software serve?

CareLinkTM Personal is a web-based software designed to help take information that is uploaded to CareLinkTM Personal from compatible devices and diabetes management tools – , continuous glucose monitor, blood glucose meter(s), logbooks and associated mobile applications – and organize it into easy-to-read charts, graphs and tables. These reports can help Patients, Legal Guardians, Care Partners and Health Care Providers discover trends and other information that can lead to improved therapy management for greater control.

Page 2 of 20

CareLinkTM Personal is a CE marked Class I .

- Connection to the CareLinkTM System Software

Establishing a link to CareLinkTM Personal will enable the Medical Center to view their Patients’ Health Data from compatible devices and diabetes management tools as uploaded in CareLinkTM Personal (e.g. blood glucose levels, log book entries) in CareLinkTM System. CareLinkTM System is used by Medical Centers and Health Care Providers to inform therapy decisions and to improve engagement.

When a link is established between CarelinkTM Personal and CareLinkTM System, due to the bi-directional exchange of data between these systems, Patients will also have direct access in CarelinkTM Personal to their device data as originally uploaded in CareLinkTM System.

In order to establish the link, an explicit consent is built into CareLinkTM System to which a Patient needs to agree in addition to performing a one-time confidential entering of their unique username and password. A Patient can decide to delink his CarelinkTM Personal account from CareLinkTM System at any time in the settings of their CareLinkTM Personal account which will stop any further sharing of their future CareLinkTM Personal Data with that CareLinkTM System account.

Please note that when a Patient consents to establish a link between CarelinkTM Personal and CareLinkTM System, the following categories of Personal Data are exchanged and processed for all the purposes to which the Patient has consented in CareLinkTM Personal: - Health Data: Different types of Health Data generated and measured through the compatible devices and diabetes management tools that are uploaded to CareLinkTM System by the Health Care Provider.

2. What Personal Medtronic collects, stores and uses Personal Data (including Patient Health Data) Data does of Users that they provide directly into CareLinkTM Personal or that is generated Medtronic collect through the use of CareLinkTM Personal and diabetes devices that are compatible and use? with CareLinkTM Personal or diabetes management tools supported by Medtronic: insulin pumps, blood glucose meter(s), continuous glucose systems, logbooks. The following types of Personal Data are processed through CareLinkTM Personal:

Patients - Contact and account details: Name, phone number, email address, home address, country of residence, username, password, security question and answer;

Page 3 of 20

- Demographic data: Age category and gender; - Technical Device Data: Type of connected device and its serial number; historical usage data; - Health Data: Different types of Health Data generated and collected through compatible devices and diabetes management tools (e.g. glucose values, insulin values, physical exercise, information on meals consumed, intake).

Legal Guardians and Care Partners - Contact and account details: name, email address, username, password and telephone number; - Technical Device data: Type of connected device and its serial number; historical usage data.

Associated mobile applications The following types of Personal Data of Patients are processed through the associated mobile applications: - CareLinkTM Personal login information (see above description of contact and account details); - Diabetes related Health Data (see above description of Health Data); - Physical exercise information; - Meal consumption information; - Other information that Users decide to enter and record in the application and that is related to their diabetes management such as information on medication intake.

Cookies on the associated mobile applications The following types of Personal Data of patients are collected and processed through Adobe Analytics cookies on associated mobile applications: - The pages you open and interact with after each launch of the mobile application; - Number of times you launch and use the mobile applications on a daily and monthly basis as well as the day and the hour the mobile applications are launched; - The session length of your use each time you launch the mobile applications and the aggregated total session length; - Number of times the mobile application crashes; - Number of days since last use; - The operating system version of your device and device name.

Analytics tools used with associated mobile applications Analytics tools such as Analytics for Firebase are used to collect information about the use of the mobile application to improve the user experience. The types of information collected includes: - Store from which the app was downloaded and installed - Version name (Android) or the Bundle version (iOS) - User’s country of residence

Page 4 of 20

- name of the user’s mobile device (e.g., Motorola, LG, or Samsung) - Mobile device category (e.g., phone or tablet) - Mobile device model name (e.g., iPhone5s) - Time at which the user first opened the app - If app is opened for the first time within the last 7 days - If app is opened for the first time in more than 7 days ago - Version of the device operating system (OS) (e.g., 9.3.2)

3. Who is The Medtronic entity that you can consider as your local data Controller responsible for (hereafter “Medtronic”) depends on the country where you reside. Please review data processing? our ‘List of Local Entities’ in Appendix A for the name and contact details of your local Medtronic entity as well as the list of recipients and their roles as listed in chapter 7.

4. For what Medtronic processes Personal Data of Users obtained through CareLinkTM purposes does Personal for the purposes listed below. For each purpose, the legal basis to Medtronic process process Personal Data is specified as well as the legal ground that allows for the Personal Data of processing of Health Data where this is the case. Users? a) Processing for the provision of services

CareLinkTM Personal is designed to process Health Data of Patients from compatible devices and provide Users with insights in the form of reports.

Medtronic also processes Personal Data (including Patient Health Data) of Users to: • Provide Users with customer and product support such as technical and operational support to help Users resolve problems, issues or questions regarding CareLinkTM Personal or the compatible devices and diabetes management tools; • Provide Users with communications of an operational nature such as planned outages, software updates and maintenance of the product; • Monitor and diagnose technical issues which can limit the functionalities or working of CareLinkTM Personal; • Monitor the safety and reliability of the CarelinkTM Personal services and their underlying systems and software.

Medtronic is required to obtain the explicit consent of Patients to process their Personal Data (including Health Data) for this purpose. Patients are under no obligation to provide their consent. However, as this is related to the primary function of CareLinkTM Personal, Medtronic cannot provide CarelinkTM Personal or the associated mobile applications to Users without the explicit consent of Patients. If Patients do not provide their consent, however, they are still able

Page 5 of 20

to use their device (e.g. insulin pump with continuous glucose monitoring, blood glucose meter, etc.) with exception of the Guardian™ Connect Continuous Glucose Monitor.

Medtronic currently sends urgent (non-marketing) communications of an operational nature (e.g. planned outages or updates) about CareLinkTM Personal through email. From time to time, we may also send such communications by SMS text or push notifications if available with the Medical Device that you use (please refer to your app user guide). Medtronic asks the explicit consent of Patients to contact them through SMS text messaging for this purpose.

Depending on the features of a patient’s medical device, Medtronic also uses the SMS text message and push notifications functionality as part of its Care Partner application to send alerts. These alerts enable the Care Partner to know when a Patient is about to or is currently experiencing a low or high blood glucose episode and status information about the Patient’s devices. Care Partners will receive alerts that contain a Patient identifier that the Patient chooses and information about the specific alert that can contain Health Data (e.g. low sensor glucose or high sensor glucose). Please be aware that such SMS text messages, containing a Patient’s Health Data, are transmitted to Care Partners without encryption and that they will be visible to third-party service providers that may be located outside your country who facilitate the sending of SMS text messages as well as applicable wireless carriers. These third-party services providers may not comply with all data protection and security standards under your country’s data protection laws. The SMS text service is optional and will only be provided when Patients and their selected Care Partners both consent to the SMS text message functionality. Medtronic processes user engagement data of Patients through Adobe Analytics cookies on associated mobile applications to improve user experience. Medtronic also uses standard analytics reports through Google Analytics for Firebase to improve user experience. Medtronic asks the explicit consent of Patients and/or account owners to process their Personal Data (including Health Data) for this purpose.

Please note that when cookies or the analytics tools are used, a Patient’s consent is voluntary and that they will not be stopped or prevented from using the associated mobile applications if they decide not to provide consent. b) Processing necessary to comply with a legal obligation to which Medtronic is subject

Medtronic processes Personal Data (including Patient Health Data) of Users to comply with its vigilance and post-market surveillance

Page 6 of 20

duties to ensure high standards of quality and safety of its medical devices as per applicable medical devices regulation. CareLinkTM Personal software and associated products are medical devices whose operation may require monitoring under applicable regulations. If Medtronic detects potential abnormalities, the company is required by law to notify Users and/or regulatory authorities and to inform Users of any remedial action. Therefore, Medtronic processes Personal Data of Users to comply with a legal obligation. Health Data of Patients is processed for this purpose as it can be necessary to ensure high standards of medical devices. Where sufficient to meet the legal obligation, Medtronic pseudonymizes Personal Data, or creates and uses aggregated statistics calculated from Personal Data (including Health Data) of Patients. Aggregated data does not contain any information that can be used to directly identify Patients, but it does not completely exclude the possibility of identifying Patients. These statistics will be shared with regulatory bodies to obtain regulatory approval for products and services.

Medtronic may be requested to process Personal Data (including Patient Health Data) of Users to comply with any reasonable request from competent law enforcement agents or representatives, governmental agencies or bodies, including competent data protection authorities, in which case the processing will be limited to what is minimally required to comply with the order. c) Processing for the establishment, exercise or defense of legal claims

Medtronic processes Patient Health Data as necessary for the establishment, exercise or defense of legal claims or in the case where courts are acting in their judicial capacity. Processing of Personal Data of Users for this purpose is based on the legitimate interests of Medtronic. d) Processing for the improvement and development of products and services and overall improvement of therapy management

Medtronic intends to further research and to develop new products and services for Diabetes Management and improve existing products and services, investigate and document Patient outcome and device safety, as well as to improve therapy management and Patient treatment overall. For this purpose, Medtronic would like to create and use statistics calculated from Personal Data (including Health Data) of Patients in CareLinkTM Personal and the associated mobile applications as well as the data coming from CareLinkTM System (in case Patients have linked their CareLinkTM Personal account to CareLinkTM System in a hospital). Aggregated data does not contain any information that can be used to directly identify

Page 7 of 20

Patients, but it doesn’t completely exclude the possibility of identifying Patients. These statistics will, among other things, be shared with regulatory bodies and help obtain funding for products and services. Medtronic asks the explicit consent of Patients to process their Personal Data (including Health Data) for this purpose. Please note that a Patient’s consent is voluntary and that they will not be stopped or prevented from accessing CareLinkTM Personal if they decide not to provide consent.

e) Processing for the development of marketing materials

Medtronic uses Personal Data (including Health Data) of Patients to develop marketing materials. These materials are used to demonstrate product performance and are presented at conferences and to Health Care Providers or enable Medtronic to improve training, education and support programs. Medtronic would like to create and use aggregated statistics calculated from your Personal Data (including Health Data) for this purpose. Aggregate data does not contain any information that can be used to directly identify you, but it doesn’t completely exclude the possibility of identifying you. For this purpose, Medtronic asks the explicit consent of Patients to process their Personal Data (including Health Data) for this purpose. Please note that a Patient’s consent is voluntary and that they will not be stopped or prevented from accessing CareLinkTM Personal if they decide not to provide consent.

f) Processing for direct marketing purposes

To the extent allowed by your country laws, Medtronic would like to process your Personal Data (including Health Data) such as your name, email and home address, diabetes type to send you marketing and promotional information about Medtronic and third-party products that can be used together with Medtronic’s existing and future products. Additionally, Medtronic would like to contact you to conduct market research related to your use of our products. Medtronic intends to provide any such information or contact in writing (by regular mail, e-mail or fax). Medtronic asks the explicit consent of Patients for these direct marketing related purposes. Please note that a Patient’s consent is voluntary and that they will not be stopped or prevented from accessing CareLinkTM Personal if they decide not to provide consent.

5. Provisions for a) Processing of Personal Data of Legal Guardians and Care Partners Legal Guardians and Care Partners The Personal Data of Legal Guardians and Care Partners is processed to allow them to access the CareLinkTM Personal web site and

Page 8 of 20

associated mobile applications. Medtronic will process the name, email address, username, password of Legal Guardians and Care Partners for this purpose as it is necessary to enable them to use CareLinkTM Personal.

Depending on the features of a patient’s medical device, Legal Guardians and Care Partners can receive alerts and notices sent by SMS text message, or receive push notifications through the mobile application. Please see your app user guide to determine the communications option that is applicable for your country. o Activation of the SMS text message functionality for Care Partners is subject to the Patient’s approval for the care partner to have a CareLink care partner account and also subject to Care Partner’s consent to receive SMS text messages. In order to be able to send SMS text messages to Care Partners, Medtronic processes the Care Partner’s name and telephone number. With certain products, if SMS texts are not enabled, you will not receive alerts. o Enabling push notifications requires appropriate set-up in the notifications settings in your mobile device. Account owners are encouraged to enable push notifications. Push notifications in the mobile application are limited to important alerts or updates relating to their software or supported device. With certain products, if push notifications are not enabled, you will not receive alerts. b) Parental consent

Medtronic is under a legal obligation to obtain parental consent for underage Users of CareLinkTM Personal and in this context is allowed to process Personal Data to verify the identity and role of Legal Guardians. c) Access to Care Partners

A Patient or Legal Guardian can invite a Care Partner who can be a caregiver (e.g. a parent, other family member or friend) or a Health Care Provider to view their diabetes information on the CareLinkTM Personal web site. When using compatible devices, the Patient can enable a secondary display of diabetes information for Care Partners.

If a Health Care Provider uses CareLinkTM Personal via Health Partner Share, the Health Care Provider will become the data Controller of the Personal Data he processes through the CareLinkTM Personal web site.

Page 9 of 20

6. How does To protect Personal Data (including Patient Health Data) of Users, Medtronic Medtronic protect maintains appropriate administrative, technical and organizational safeguards. Personal Data of The appropriate safeguards include individual user accounts to which access is Users? only granted with a valid username and password, and two-factor authentication (if enabled). Personal Data is encrypted when it is transferred from the insulin pump to the CareLinkTM Personal on the Patient’s computer or laptop and then the Personal Data is encrypted again when it goes from the Patient’s browser to the CareLinkTM Personal server. The CareLinkTM Personal server is continuously monitored for potential attacks or intrusions. Medtronic regularly reviews its policies and procedures, and the physical environment of its equipment to improve the technical and organizational measures taken in regard to security measures with the aim to protect Personal Data (including Patient Health Data) of Users against accidental, unlawful or unauthorized disclosure, alteration or destruction.

7. How does The Personal Data (including Patient Health Data) of Users collected and Medtronic share processed through CareLinkTM Personal, the compatible devices and diabetes Personal Data of management tools – insulin pump, continuous glucose monitor, blood glucose Users? meter(s), logbooks and associated mobile applications – are securely processed in an ISO 27001 certified physical data center located in the .

Medtronic does not disclose Personal Data (including Patient Health Data) of Users except for the purposes described in this section of the Privacy Statement. Medtronic shares Personal Data (including Patient Health Data) of Users with our affiliates as described below.

Medtronic will also share Personal Data (including Patient Health Data) of Users with third-party service providers who perform services for Medtronic; these third parties service providers all act as data processors which means that they will process Personal Data (including Patient Health Data) of Users on behalf of Medtronic and only do so based on documented instructions from Medtronic.

a) Recipients associated with processing for the provision of services

Medtronic MiniMed Inc. based in 18000 Devonshire Street, Northridge, CA 91325, , is the legal manufacturer of CareLinkTM Personal, the compatible devices and diabetes management tools – insulin pump, continuous glucose monitor, blood glucose meter(s), logbooks and associated mobile applications – and determines the processing of Personal Data (including Patient Health Data) of Users together with Medtronic International Trading sàrl based in Route du Molliau 31, 1131 Tolochenaz, .

Medtronic MiniMed Inc. will provide second-level and third-level technical and customer support if an issue cannot be resolved at

Page 10 of 20

first-level which is performed by local Medtronic support staff through regional hubs.

Medtronic BV with registered address at Industry Park, Earl Bakkenstraat 10, 6422 PJ, the Netherlands, is responsible for server installation and maintenance of the CareLinkTM Personal servers in the data center located in the Netherlands.

F. Hoffmann-La Roche Ltd based in Grenzacherstrasse 124, CH-4070 Basel, Switzerland. F. Hoffmann-La Roche Ltd is the manufacturer of the blood glucose meters that collect blood glucose data. Medtronic shares business operational data that is aggregated (e.g. total number of blood glucose meter Users) with F. Hoffmann-La Roche Ltd. b) Recipients associated with processing in accordance with legal requirements

Medtronic MiniMedTM Inc. is the legal manufacturer of CareLinkTM Personal, the compatible devices and diabetes management tools (such as supported insulin pumps, continuous glucose monitor, logbooks, and associated mobile applications) within the meaning of the European Medical Directive, and starting from its entry into force, the Medical Device Regulation, as well as any country-specific implementing regulation (hereafter referred to as ‘Medical device regulations’) and the addressee of the statutory provisions.

Medtronic BV has been appointed by Medtronic MiniMedTM Inc. as its legal representative according to the Medical Device Regulations Act within Europe, and Medtronic BV is also the importer in Europe. Medical Device Regulations impose certain vigilance and post marketing surveillance obligations on manufacturer, importer, legal representatives which imply the processing of Personal Data (including Patient Health Data) of Patients. Any processing of Personal Data to comply with a legal obligation will be done in compliance with the requirements as prescribed by the legal obligations.

Medtronic Bakken Research Center BV based in Endepolsdomein 5, 6229 GW Maastricht, Netherlands receives Personal Data (including Health Data) of Patients to provide regional support for regulatory filings/approvals.

Legal requirements also oblige Medtronic to share Personal Data (including Health Data) of Patients with regulatory bodies or governmental agencies.

Page 11 of 20

c) Recipients associated with processing for the improvement and development of products and services

Medtronic Bakken Research Center BV receives Personal Data (including Health Data) of Patients in order to improve CareLinkTM Personal, compatible devices and diabetes management tools – insulin pump, continuous glucose monitor, blood glucose meter(s), logbooks and associated mobile applications – or to develop new products and services for diabetes management.

d) Recipients associated with processing for the development of marketing materials

Medtronic International Trading sàrl and Medtronic MiniMed Inc. develop marketing and promotional materials on the basis of aggregated statistics collected from Personal Data (including Health Data) of Patients. The local Medtronic entities will receive these presentations and publications and share them with academics, doctors, regulators, hospital administrators and other Health Care Professionals.

e) Recipients associated with processing for direct marketing purposes

To the extent allowed by country laws, the local Medtronic entities are involved with processing of Personal Data (including Health Data) of Patients in order to provide them with marketing and promotional information about Medtronic and third-party products that can be used together with Medtronic’s existing and future products. f) Recipients associated with text message functionality for Care Partners

Twilio Inc. based in 375 Beale Street, Suite 300, San Francisco, CA 94105, United States. Twilio Inc. and Clickatell (Pty) Ltd based in 100 Edward Street, 7th Floor, Manhattan Plaza, Bellville, 7530 Cape Town, receive and process Personal Data (including Patient identifiers and Health Data) of Patients as well as Personal Data of Care Partners and shares them with US based telecom providers, sub-processors, in order to provide the Care Partners with SMS text message notifications.

8. Cross border In case Medtronic transfers Personal Data (including Health Data) of Users to a data transfers country which is not a member state of the European Economic Area and for which there is no adequacy decision by the European Commission, the transfer will take place based on the European Commission standard contractual clauses or one of the other transfer mechanisms foreseen by the European Union General Data Protection Regulation 2016/679. If you wish to receive a copy of the mechanisms used for cross border data transfers, please direct your request to the following email address: [email protected]

Page 12 of 20

9. How long does Medtronic keeps Personal Data (including Patient Health Data) of Users for 10 Medtronic retain years in the live CareLinkTM Personal Database starting from the last date of Personal Data of service as defined by Medtronic Corporate policies unless a legal obligation or a Users? judicial or administrative order requires Medtronic to keep the data for longer than 10 years.

10. What are the With respect to the processing of Personal Data by Medtronic in accordance with rights of Users as local and international data protection laws, Patients, Legal Guardians and Care data subjects? Partners have the following rights: - Users have the right to receive access to their Personal Data that are processed by Medtronic. They can exercise their right to access their Personal Data directly through the CareLinkTM Personal services. For those data which are not accessible through the CareLinkTM Personal services, Users can contact Medtronic as explained below. Please indicate for which Personal Data and which activities you want to exercise your right of access; - In cases where processing is based on consent, Users have the right to withdraw their consent at any time and without giving reasons. However, this will not affect the lawfulness of data that have been processed before you withdrew consent; Note that if you withdraw the consent required to provide you with the CareLinkTM Personal services, Medtronic will no longer be able to provide you the services; - Users have the right to correct incorrect information about themselves. Users can directly implement this right themselves by correcting their information in the settings of their CareLinkTM Personal account; If Users are not able to correct their information themselves and would like Medtronic to do it for them, they can contact Medtronic as explained below. Please be informed that Medtronic can ask Users to demonstrate that the Personal Data they want to correct are indeed erroneous; - Users have the right to request that Medtronic provides their Personal Data in a common file format that they can transfer to another organization; - Users have the right to ask for the deletion of their Personal Data that is being processed or retained by Medtronic, but only when these Personal Data are no longer necessary in light of the purposes explained above and there is no legal or regulatory obligation which obliges Medtronic to keep those Personal Data; - Users have the right to restrict the processing of their Personal Data if and when (a) they contest the accuracy of that data, (b) the processing is illegitimate and the User opposes the erasure of the Personal Data, requesting the restriction of their use instead (c) the data are no longer needed for the purposes which are outlined above, but a User needs them to defend themselves in judicial proceedings;

Page 13 of 20

- Users have a right to object to the processing of their Personal Data but considering that the processing of Personal Data is largely based on the consent of Users, they may simply withdraw their consent; - Users have the right to lodge a complaint with a Data Protection Authority or turn to court if they believe their privacy rights are breached. Users can find contact information on data protection authorities located here. https://edpb.europa.eu/about- edpb/board/members_en.

Please note that some of the rights listed above for Users might be limited as Medtronic has to comply with legal requirements.

Users can exercise some of the rights listed above themselves through the settings of their CareLinkTM Personal account, such as the withdrawal of their consent or when they wish to access their Personal Data. If Users cannot directly exercise their rights themselves, they may direct their request to the following email address: [email protected].

11. Updates to this Medtronic reviews and updates this Privacy Statement periodically to reflect Privacy Statement changes in the way Personal Data (including Patient Health Data) of Users are processed with regards to the CareLinkTM services or changes in the applicable law. Medtronic will post a notice in the CareLinkTM Personal Software to notify Users of changes to this Privacy Statement. In the case this Privacy Statement changes in a way that significantly affects how Medtronic uses Personal Data (including Patient Health Data) of Users, Personal Data (including Patient Health Data) of Users that was previously gathered will not be used as described in the updated Privacy Statement without providing notice and/or obtaining consent of Users, as appropriate. Minor changes to this Privacy Statement that will not significantly affect the way Personal Data (including Patient Health Data) of Users are processed may occur without notice or consent. Any changes will be effective when the revised Privacy Statement is posted. Users can check at the top of this Privacy Statement when it was most recently updated.

12. Contact For questions regarding the processing of Personal Data (including Patient Health Data) of Users by Medtronic in accordance with this Privacy Statement, Users can contact the Data Protection Officer at the following e-mail address: [email protected].

Page 14 of 20

Appendix A

List of local entities

Please find your location below for the details and contact information of the local entity in your country.

Europe

For Patients residing in Albania: For Patients residing in : Medtronic Adriatic Medtronic Austria GmbH Folnegovićeva 1c, Millennium Tower, 10 000 Zagreb, Croatia Handelskai 94-96, [email protected] A-1200 Wien, Vienna [email protected] For Patients residing in Belarus: For Patients residing in Bosnia Herzegovina: Medtronic International Trading sàrl Medtronic Adriatic Route du Molliau 31 Folnegovićeva 1c, Case Postale 10 000 Zagreb, Croatia CH-1131 Tolochenaz, Switzerland [email protected] [email protected] For Patients residing in and For Patients residing in Bulgaria: Luxemburg: Medtronic Bulgaria EOOD N.V. Medtronic Belgium S.A. 48 Sitnyakovo blvd. Burgemeester E. Demunterlaan 5 / Avenue du R-N Oborishte Distr., Floor 7 Bourgmestre E. Demunter 5 1505 Sofia, Bulgaria Brussel / Bruxelles 1090 [email protected] België / Belgique [email protected] [email protected] For Patients residing in Croatia: For Patients residing in Cyprus: Medtronic Adriatic Medtronic Meta FZ-LLC Folnegovićeva 1c, Office Park, Block D, 2nd floor | P.O. Box 10 000 Zagreb, Croatia 500638 [email protected] Dubai, [email protected] For Patients residing in the : For Patients residing in : Medtronic Czechia s.r.o Medtronic Danmark A/S Prosecká 852/66, Arne Jacobsens Allé 17, 190 00 Prague 9, Czech Republic DK-2300 København S, Denmark [email protected] [email protected] [email protected] [email protected]

Page 15 of 20

For Patients residing in Estonia: For Patients residing in : Medtronic Sp. Z o.o. Medtronic Finland Oy Ul. Polna 11, Hitsaajankatu 20, 00-633 Warszawa, Poland PO Box 230, [email protected] FI-00811 Helsinki, Finland [email protected] [email protected] [email protected] For Patients residing in : For Patients residing in : Medtronic France S.A.S Medtronic GmbH 122, avenue du Général Leclerc, Geschäftsbereich Diabetes 92514 Boulogne-Billancourt Cedex, France Earl-Bakken-Platz 1, [email protected] 40670 Meerbusch, Germany [email protected] [email protected] [email protected] For Patients residing in : For Patients residing in Hungary: Medtronic Hellas S.A. Medtronic Hungaria Kft. 5, Ag. Varvaras str. Alkotas u. 50, 15231 Halandri, 1123 Budapest, Hungary Athens, Greece [email protected] [email protected] [email protected] For Patients residing in Iceland: For Patients residing in and Northern Medtronic AB Ireland: Isafjordsgatan 1, Medtronic Ireland Ltd Box 1034, 164 21 KISTA, Unit GA,Swords Business Campus, [email protected] Balheary Road, Swords, Co. Dublin., Ireland [email protected] [email protected] For Patients residing in : For Patients residing in Kosovo: Medtronic Italia S.p.A. Medtronic Adriatic Via Varesina 162, Folnegovićeva 1c, 20156 Milano, Italia 10 000 Zagreb, Croatia [email protected] [email protected] For Patients residing in Latvia: For Patients residing in Lithuania: Medtronic Poland Sp. Z o.o. Medtronic Poland Sp. Z o.o. Ul. Polna 11, Ul. Polna 11, 00-633 Warszawa, Poland 00-633 Warszawa, Poland [email protected] [email protected] [email protected] [email protected] For Patients residing in the Macedonia: For Patients residing in : Medtronic Adriatic Medtronic International Trading sàrl

Page 16 of 20

Folnegovićeva 1c, Route du Molliau 31 10 000 Zagreb, Croatia Case Postale [email protected] CH-1131 Tolochenaz, Switzerland [email protected] For Patients residing in Moldova: For Patients residing in Montenegro: Medtronic Adriatic Medtronic Adriatic Folnegovićeva 1c, Folnegovićeva 1c, 10 000 Zagreb, Croatia 10 000 Zagreb, Croatia [email protected] [email protected]

For Patients residing in the Netherlands: For Patients residing in : Medtronic Trading NL BV Medtronic Norge AS Larixplein 4 Vollsveien 2 A, 5616 VB Eindhoven Postboks 458, The Netherlands 1327 Lyssaker, Norway [email protected] [email protected] [email protected] [email protected] For Patients residing in Poland: For Patients residing in : Medtronic Poland Sp. Z o.o. Medtronic Portugal, Lda Ul. Polna 11, Rua Tomás da Fonseca, 00-633 Warszawa, Poland Torre E - 8º andar A,B [email protected] 1600-209 Lisboa, Portugal [email protected] [email protected] [email protected] For Patients residing in Romania: For Patients residing in Serbia: Medtronic Romania Medtronic B.V. Representative Office Baneasa Business & Technology Park Bul. Zorana Dindica 64a Șos. Bucuresti-Ploiești nr. 42-44 1100 Belgrade, Serbia Cladirea B, aripa B2, Etaj 2 [email protected] 013696, Sector 1, București, Romania [email protected] For Patients residing in : For Patients residing in Slovenia: Medtronic Slovakia, O.Z. Medtronic d.o.o Karadžičova 16, Ameriška ulica 8, 821 08 Bratislava, Slovakia 1000 Ljubljana, Slovenia [email protected] [email protected] [email protected] For Patients residing in : For Patients residing in Sweden: Medtronic Ibérica. S.A.U Medtronic AB VAT nº: A-28389484 Isafjordsgatan 1, Calle de María de Portugal 11

Page 17 of 20

28050 Madrid, Spain Box 1034, [email protected] 164 21 KISTA, Sweden [email protected] For Patients residing in Switzerland: For Patients residing in : Medtronic (Schweiz) AG / Medtronic (Suisse) Medtronic BV Representative Office SA Horizon Park Business Center Talstrasse 9 3053 Münchenbuchsee , 4 Mykoli Grinchenka Str. Switzerland 03038 Kiev, Ukraine [email protected] [email protected] For Patients residing in the : Medtronic UK Ltd Building 9, Suite 4, Croxley Green Business Park, Watford, WD18 8WW, United Kingdom [email protected] [email protected]

Central Asia

For Patients residing in Armenia: For Patients residing in Azerbaijan: Medtronic International Trading sàrl Medtronic Meta FZ-LLC Route du Molliau 31 Office Park, Block D, 2nd floor | P.O. Box Case Postale 500638 CH-1131 Tolochenaz, Switzerland Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in : For Patients residing in : Medtronic International Trading sàrl Medtronic BV Route du Molliau 31 Office #4, Block 4B, Case Postale 17 Al-Ferabi Avenue, 8th Fl., CH-1131 Tolochenaz, Switzerland Business Center Nurly Tau, [email protected] Almaty, 050056, Kazakhstan [email protected] For Patients residing in Kyrgyzstan: For Patients residing in Pakistan: Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in : For Patients residing in Tajikistan: Medtronic Russia Medtronic Meta FZ-LLC Naberezhnaya Tower C Office Park, Block D, 2nd floor | P.O. Box Presnenskaya Naberezhnaya,10 500638

Page 18 of 20

123317 Moscow, Russia Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in Turkmenistan: For Patients residing in Uzbekistan: Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected]

Middle East & Africa

For Patients residing in : For Patients residing in : Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in : For Patients residing in Libya: Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in Iran: For Patients residing in Iraq: Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in : For Patients residing in Morocco: Medtronic Israel LTD Medtronic Meta FZ-LLC Hamada 10, Office Park, Block D, 2nd floor | P.O. Box Herzeliyya, 46733, Israel 500638 [email protected] Dubai, United Arab Emirates [email protected] For Patients residing in : For Patients residing in : Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected]

Page 19 of 20

For Patients residing in the Kingdom of Saudi For Patients residing in South Africa: Arabia: Medtronic South Africa Medtronic 54 Maxwell Drive, Tawuniya Towers - South Tower - 12th Floor North Woodmead Office Park, 6897 King Fahd Road – Al Olaya Woodmead, Gauteng, South Africa Riyadh 12211-3388, Kingdom of Saudi Arabia [email protected] [email protected] For Patients residing in Sudan: For Patients residing in the : Medtronic Meta FZ-LLC Medtronic Meta FZ-LLC Office Park, Block D, 2nd floor | P.O. Box Office Park, Block D, 2nd floor | P.O. Box 500638 500638 Dubai, United Arab Emirates Dubai, United Arab Emirates [email protected] [email protected] For Patients residing in : For Patients residing in Turkmenistan: Medtronic Medikal Teknoloji Ticaret Ltd. Medtronic Meta FZ-LLC Sirketi Office Park, Block D, 2nd floor | P.O. Box Saray Mahallesi Dr. Adnan Buyukdeniz Caddesi 500638 Akkom Ofis Park 2. Blok No:4 K:18 Umraniye Dubai, United Arab Emirates Istanbul, Turkiye [email protected] [email protected]

Page 20 of 20