Data Privacy Framework Policy
Medtronic MiniMed (“we,” “us,” and “our”) participates in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as established by the U.S. Department of Commerce, collectively referred to herein as “the Data Privacy Framework” or “DPF”. Medtronic MiniMed commits to comply with the DPF Principles with respect to the Personal Data of Medical Device Users and Healthcare Professionals that the company receives from the EU, UK, and Switzerland in reliance on the DPF. This Data Privacy Framework Policy (“Policy”) describes how Medtronic MiniMed implements the DPF Principles for Medical Device Users’ and Healthcare Professionals’ Personal Data. If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern.
As used in this statement, “Medtronic MiniMed” means, collectively, the following U.S.-based entities:
- Medtronic MiniMed, Inc.
- MiniMed Distribution Corporation.
To learn more about the DPF program, and to view our certification, please visit the Data Privacy Framework website at www.dataprivacyframework.gov. You may find the list of Data Privacy Framework participants at www.dataprivacyframework.gov/list.
For purposes of this Policy:
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“DPF Principles” means the Principles and Supplemental Principles of the DPF.
“EU” means the European Union and Iceland, Liechtenstein and Norway.
“Healthcare Professionals” means nurses, physicians and/or members of healthcare associations who (1) are located in the EU, UK or Switzerland, and (2) assist people with diabetes.
“Medtronic Diabetes Management Solutions” or “Solutions” means a diabetes therapy management solution used by a Medical Device User or a Healthcare Professional, and which consists of a range of device management software (including CareLink™ software) and associated services (including product support, education and online ordering platform).
“Medical Device User” means any individual with diabetes or their care giver who (1) is located in the EU, UK or Switzerland, (2) uses a Medtronic MiniMed medical device (including insulin pump, continuous glucose monitor and Smart insulin Pen) and (3) has his/her Personal Data processed in Medtronic Diabetes Management Solutions.
“Personal Data” means any information, including Sensitive Data, that is (i) about an identified or identifiable individual; (ii) received by Medtronic MiniMed in the U.S. from the EU, UK or Switzerland, and (iii) recorded in any form.
“Processor” means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.
“Sensitive Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (including trade union-related views or activities), sex life (including personal sexuality), information on social security measures, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings (including administrative proceedings and criminal sanctions).
“UK” means the United Kingdom (and Gibraltar).
“U.S.” means the United States of America.
We may update this Policy periodically to reflect changes in our practices, technology, or applicable laws. We encourage you to review this Policy regularly.
Types of Personal Data Medtronic MiniMed Collects
Personal Data of Medical Device Users
Medtronic MiniMed collects Personal Data from Medical Device Users through a use by the Medical Device User or the Healthcare Professional of Medtronic Diabetes Management Solutions or in connection with such use, e.g., during assistance for customer and product support and/or via a registration to a device management software and/or associated service.
Medtronic MiniMed obtains, uses, discloses and otherwise processes Personal Data about Medical Device Users to (i) comply with legal requirements, such as vigilance reporting, post-market surveillance, and correspondence with competent authorities; (ii) provide maintenance and technical assistance; and (iii) support its research and development activities on the Solutions and develop educational materials by means of internal statistical reports based on aggregated data.
The types of Medical Device User Personal Data Medtronic MiniMed collects include:
- Contact information and/or account details, such as: first and last name, home address, country, phone number, email address, date of birth or age, gender, user ID, Medtronic MiniMed account credentials (i.e., username and password),
- Information about healthcare system: Information about healthcare provider(s), healthcare organization and health insurance company,
- Contract details: Information relevant to the performance of a contract, such as: credit card details, order and shipment information,
- Information about way of living: information about food consumptions or personal preferences, such as lifestyle, habits, interests and hobbies that the Medical Device User chooses to provide to us,
- Information about personal devices: where applicable, information about the devices used as part of the Solution(s), such as mobile device model name (e.g. iPhone5s), Operating System (e.g. Android), time zone and changes of time zones, mobile app usage data,
- General information: Other personal data contained in content submitted when using a Solution, such as: notes and request for technical support.
In addition, we may collect Sensitive Data, i.e., health-related data associated with the Medical Device User’s therapy, including type of diabetes, Medtronic MiniMed device information (such as the type of device used and its serial number) and compatible medical device data uploaded to Medtronic MiniMed device management software (e.g., CareLink™ Personal).
Personal Data of Healthcare Professionals
Medtronic MiniMed collects Personal Data from Healthcare Professionals through their medical institutions for the purposes of providing Medtronic Diabetes products and services that are part of the Medtronic Diabetes Management Solutions.
Medtronic MiniMed may also collect Personal Data from Healthcare Professionals through consulting and educational services that Medtronic MiniMed or its affiliates provide to Healthcare Professionals. Those services consist of training sessions focusing on the safe and effective use of Medtronic Diabetes products and services or specific to a protocol, and/or Medtronic MiniMed-sponsored events to present diabetes current therapies, services and future innovations and collaboration (collectively, the “Consulting and Educational Services”). The Consulting and Educational Services may be delivered in-person or remotely, including through accessing or logging into an online application (e.g. teleconferencing or learning management system) which may be provided by Medtronic MiniMed, Medtronic MiniMed affiliates or a third party engaged for this purpose.
The types of Healthcare Professional Personal Data Medtronic MiniMed collects include:
- Contact and account details – to support services provided to medical institutions or to register Healthcare Professionals to the Consulting and Educational Services and/or to Medtronic Diabetes Management Solutions, we may collect Personal Data such as: first name, last name, email-address, postal address, profession or clinic role (such as physician, nurse, administrator), therapy group, primary medical specialty, hospital/clinic name and address, city, country of practice, access rights requested, username and password as needed for any online platform log-in. In case required by national law to register to the Consulting and Educational Services, Healthcare Professional number will be collected.
- Electronic data - to support services provided to medical institutions, we may also collect logging details and IP address.
- Training and education data – to access the Consulting and Educational Services, the following data may be collected and linked to the Healthcare Professional, including through the creation of a learning profile for this purpose: course attendance, learning program progress, assessment/observation results at single question level, course evaluation, course completion, certification, training exemptions, results of knowledge tests, learning modules and resources viewed, and feedback assessments.
- Travel information - to organize and facilitate in-person training, events or meetings we may process the following additional Personal Data needed for trip and event management purposes: national identity/passport number, dietary and travel preferences, logistics and travel details, expenses.
- Trainer/Consultant Information – If a Healthcare Professional is engaged by Medtronic MiniMed to provide the Consulting and Educational Services, we may process additional Personal Data in order to administer our contractual relationship, including basic identity information, contact details, professional activities and affiliations, professional qualifications, financial information on honoraria paid by Medtronic MiniMed, and bank account information.
- Images/Video/Audio – The delivery of the Consulting and Educational Services may involve photography or video recording by Medtronic MiniMed or make use of an online platform that will transmit the Healthcare Professional’s audio, video and/or image to other participants. Medtronic MiniMed informs Healthcare Professionals about the intent to actually capture and record any such Personal Data for further use.
Medtronic MiniMed’s privacy practices regarding the processing of Medical Device Users’ and Healthcare Professionals’ Personal Data comply with the DPF Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.
Notice
Medtronic MiniMed provides information in this Policy and the privacy notices published on the https://carelink.minimed.eu and, where applicable, on www.medtronic-diabetes.com website about its Medical Device User Personal Data practices, including the types of Personal Data Medtronic MiniMed collects, the types of third parties to which Medtronic MiniMed discloses the Personal Data and the purposes for doing so, the rights and choices Medical Device Users have for limiting the use and disclosure of their Personal Data, and how to contact Medtronic MiniMed about its practices concerning Personal Data.
Medtronic MiniMed provides information in this Policy and the Medtronic privacy notice for education services available at www.medtronic.com about its Healthcare Professional Personal Data practices. Relevant information also may be found in notices pertaining to specific data processing activities.
Choice
Medtronic MiniMed generally offers Medical Device Users and Healthcare Professionals the opportunity to choose whether their Personal Data may be (i) disclosed to third-party Controllers or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant Medical Device User or Healthcare Professional. To the extent required by the DPF Principles, Medtronic MiniMed obtains opt-in consent for certain uses and disclosures of Sensitive Data. Medical Device Users and Healthcare Professionals may contact Medtronic MiniMed as indicated below regarding Medtronic MiniMed’s use or disclosure of their Personal Data. Unless Medtronic MiniMed offers Medical Device Users and Healthcare Professionals an appropriate choice, Medtronic MiniMed uses Personal Data only for purposes that are materially the same as those indicated in this Policy.
Medtronic MiniMed shares Medical Device User and Healthcare Professional Personal Data with its affiliates and subsidiaries. Medtronic MiniMed may disclose Medical Device User and Healthcare Professional Personal Data without offering an opportunity to opt out, and may be required to disclose the Personal Data, (i) to third-party Processors Medtronic MiniMed has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Medtronic MiniMed also reserves the right to transfer Personal Data in the event of an audit or if Medtronic MiniMed sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
Accountability for Onward Transfers
This Policy and the privacy notices published on Medtronic MiniMed websites, as listed above, describe Medtronic MiniMed’s sharing of Medical Device User and Healthcare Professional Personal Data.
Except as permitted or required by applicable law, Medtronic MiniMed provides Medical Device Users and Healthcare Professionals with an opportunity to opt out of sharing their Personal Data with third-party Controllers. Medtronic MiniMed requires third-party Controllers to whom it discloses Medical Device User and Healthcare Professional Personal Data to contractually agree to (i) only process the Personal Data for limited and specified purposes consistent with the consent provided by the relevant Medical Device User/Healthcare Professional, (ii) provide the same level of protection for Personal Data as is required by the DPF Principles, and (iii) notify Medtronic MiniMed and cease processing Personal Data (or take other reasonable and appropriate remedial steps) if the third-party Controller determines that it cannot meet its obligation to provide the same level of protection for Personal Data as is required by the DPF Principles.
With respect to transfers of Medical Device User and Healthcare Professional Personal Data to third-party Processors, Medtronic MiniMed (i) enters into a contract with each relevant Processor, (ii) transfers Personal Data to each such Processor only for limited and specified purposes, (iii) ascertains that the Processor is obligated to provide the Personal Data with at least the same level of privacy protection as is required by the DPF Principles, and (iv) takes reasonable and appropriate steps to ensure that the Processor effectively processes the Personal Data in a manner consistent with Medtronic MiniMed’s obligations under the DPF Principles. In addition, Medtronic MiniMed requires each Processor to notify Medtronic MiniMed if the Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles. Medtronic MiniMed will take reasonable and appropriate steps to stop and remediate any unauthorized processing of the Personal Data by the Processor of which Medtronic MiniMed becomes aware, and will provide a summary or representative copy of the relevant privacy provisions of the Processor contract to the Department of Commerce, upon request. Medtronic MiniMed remains liable under the DPF Principles if the company’s third-party Processor onward transfer recipients process relevant Personal Data in a manner inconsistent with the DPF Principles, unless Medtronic MiniMed proves that it is not responsible for the event giving rise to the damage.
Security
Medtronic MiniMed implements reasonable and appropriate security measures to protect Medical Device Users’ and Healthcare Professionals’ Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
Data Integrity and Purpose Limitation
Medtronic MiniMed limits Medical Device Users’ and Healthcare Professionals’ Personal Data it processes to that which is relevant for the purposes of the particular processing. Medtronic MiniMed does not process Medical Device Users’ and Healthcare Professionals’ Personal Data in ways that are incompatible with the purposes for which it has been collected or subsequently authorized by the relevant Medical Device User/Healthcare Professional. Medtronic MiniMed takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. In this regard, Medtronic MiniMed relies on Medical Device Users and on Healthcare Professionals to update and correct the relevant Personal Data to the extent necessary for the purposes for which the information was collected or subsequently authorized. Medical Device Users and Healthcare Professionals may contact Medtronic MiniMed as indicated below to request that Medtronic MiniMed update or correct relevant Personal Data.
Medical Device Users’ and Healthcare Professionals’ Personal Data will only be retained by Medtronic MiniMed for so long as necessary and relevant to fulfill the purpose(s) for which it has been collected and may be retained beyond the duration of the business relationship with Medtronic MiniMed if required to enable us to fulfill such purposes as to comply with legal requirements, including compliance and record retention regulations.
Access
Medical Device Users and Healthcare Professionals generally have the right to access their Personal Data. Accordingly, where appropriate, Medtronic MiniMed provides Medical Device Users and Healthcare Professionals with reasonable access to the Personal Data Medtronic MiniMed maintains about them. Medtronic MiniMed also provides a reasonable opportunity for those Medical Device Users and Healthcare Professionals to correct, amend or delete the information where it is inaccurate or has been processed in violation of the DPF Principles, as appropriate. Medtronic MiniMed may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the Medical Device User’s and Healthcare Professional’s privacy in the case in question, or where the rights of persons other than the relevant Medical Device User or Healthcare Professional would be violated.
Medical Device Users and Healthcare Professionals may exercise these rights by contacting Medtronic MiniMed as indicated below.
Recourse, Enforcement, and Liability
Medtronic MiniMed has mechanisms in place designed to help assure compliance with the DPF Principles. Medtronic MiniMed conducts an annual self-assessment of its Personal Data practices to verify that the attestations and assertions Medtronic MiniMed makes about its DPF privacy practices are true and that Medtronic MiniMed’s privacy practices have been implemented as represented and in accordance with the DPF Principles.
In compliance with the Data Privacy Framework, Medtronic MiniMed commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. Medical Device Users and Healthcare Professionals with inquiries or complaints regarding our processing of Personal Data received in reliance on the DPF should first contact Medtronic MiniMed at the contact information provided below.
If a Medical Device User’s or Healthcare Professional’s complaint concerning our processing of Personal Data received in reliance on the DPF cannot be resolved through Medtronic MiniMed’s internal processes, Medtronic MiniMed commits to refer unresolved complaints to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Following the dispute resolution process, the mediator or the Medical Device User/Healthcare Professional may refer the matter to the U.S. Federal Trade Commission, which has DPF investigatory and enforcement powers over Medtronic MiniMed.
When other dispute resolution procedures have been exhausted, Medical Device Users and Healthcare Professionals also may be able under certain circumstances to invoke binding arbitration to address unresolved complaints about Medtronic MiniMed’s compliance with the DPF Principles. For more information, please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
How to Contact Medtronic MiniMed?
To contact Medtronic MiniMed with questions or concerns about this Policy or Medtronic MiniMed’s Medical Device User and Healthcare Professional Personal Data practices:
Write to:
Medtronic MiniMed Inc.
Attention: Data Protection Officer
18000 Devonshire Street,
Northridge, CA 91325
United States of America
Or
Medtronic International Trading Sárl
Attention: Data Protection Officer
Route du Molliau 31
1131 Tolochenaz
Switzerland
Email: rs.privacyeurope@medtronic.com