Itamar Medical Data Protection Law Compliance Overview

The General Data Protection Regulation (“GDPR”), which has been in effect as of May 25, 2018, is an iteration of the existing data protection law defined and enforced by the European Union. The Israeli Protection of Privacy Law, 5741 – 1981 (“Israeli Privacy Law”), provides some of the rights provided under the GDPR to Israeli residents. The Health Information Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and their implementing rules and regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA”) originally aimed to improve the efficiency and effectiveness of the U.S. healthcare system and over time, several rules were added to it which focused on the protection of sensitive patient information. The California Consumer Privacy Act (“CCPA”) will become effective on January 1, 2020 and will provide California residents with new rights with respect to the collection of their personal information.

Itamar Medical Ltd. and its affiliates (“Company”) are committed to ensuring that their services and products (including medical devices and cloud based data processing platforms) comply with applicable privacy laws, including GDPR, the Israeli Privacy Law, CCPA and HIPAA (collectively, “Data Protection Regulations“). The Company has designated an internal team, which has been getting assistance from the Company’s legal consultants and other professional and expert consultants, for the sole purpose of ensuring all required actions are taken by the Company in order to achieve Data Protection Regulation compliance.

Please see below a general overview which details the Company’s compliance with applicable Data Protection Regulations. For additional information please contact our privacy team at: privacy@itamar-medical.com.

**********

Personal Data and PHI Processing

Company only processes Personal Data (as such term is defined under the GDPR) and protected health information (“PHI”) (as such term is defined under HIPAA) to the extent necessary and in accordance with applicable privacy laws including the GDPR and HIPAA. Company has ensured that there is an applicable lawful basis for any and all processing of European Economic Area (EEA) data subjects Personal Data and has entered into applicable Data Processing Agreements and Business Associate Agreements (or a combination of the two) with its vendors and sub-contractors when required under applicable law. Company only processes Personal Data and PHI to the extent necessary and in accordance with applicable privacy laws including the GDPR, the Israeli Privacy Law and HIPAA. In addition, Company has ensured all legal documents, including without limitations, agreements, terms of use and its privacy policy are compliant with the applicable laws, including GDPR and HIPAA (where required).

Technological, Physical, Organizational and Security Standards

The Company has completed an in-depth audit data mapping for all of the Personal Data and data sets which it processes, as well as the technical, physical and organizational security measures used in order to safeguard and protect such data as well as any PHI that it receives, processes or retains. For additional information, please see the Company’s security policy available at: www.itamar-medical.com/security.

Education

Company conducts ongoing training for its personnel and employees with regards to the Data Protection Regulations’ requirements that may apply to it, to the Company’s data and information security practices and the importance of maintaining and safeguarding the security of Personal Data and PHI.

Transparency to Regulators

Company maintains accurate and accessible written records to the extent legally required to provide supervisory authorities and/or other regulatory authorities with, in a timely manner, as required under applicable laws including the GDPR and HIPAA.

User Rights

GDPR

In accordance with GDPR, data subjects may exercise the following rights:

(i) request to access Personal Data; (ii) request the rectification of Personal Data; (iii) request the erasure of Personal Data; (iv) request to restrict processing of Personal Data; (v) object to processing of Personal Data; (vi) request to exercise right of data portability; (vii) right to file a complaint to a supervisory authority; and (viii) right to withdraw consent (to the extent applicable).

Israeli Privacy Law

The Israeli Privacy Law allows Israeli residents to exercise the following rights: (i) to request the correction of their personal information; (ii) to access their personal information that is being processed; (iii) to request that their personal information stop being processed; and (iv) to stop receiving direct marketing and be erased from such direct marketing data base.

HIPAA

HIPAA allows for individuals to exercise the following rights with respect to their PHI:

An individual may request the following of an entity that is a considered a Covered Entity under HIPPA (e.g. health care provider): (i) access and receive a copy of his/her medical records; (ii) rectify his/her information that is incorrect or add information to his/her records; (iii) to know who his/her information is being shared with (e.g. the Company) and how it is being shared (there are exceptions to this for example when disclosures are made in the scope of research that has been authorized by the individual); (iv) not to share his/her information with certain individuals or entities. An individual is also entitled to file a complaint with his/her provider, health insurer or the U.S. Department of Health and Human Services if he/she feels that his/her rights are being denied or his/her health information is not being properly protected.

CCPA

The CCPA provides consumers who are residents of California with the following rights: (i) to receive notice at or before the point of collection as to what categories of personal information will be collected about them and the purposes that such categories will be used for; (ii) to access personal information that has been collected about them; (iii) to request the deletion of their personal information, subject to certain restrictions; (iv) to opt-out i.e., prevent the sharing or selling of their personal information to third parties; and (v) to receive the same service and prices as all other consumers even if they have exercised their privacy rights.

General

We have trained our designated privacy and security team to respond to such requests and follow the privacy by design and privacy by default values when developing additional platforms, features and services. In order to exercise any of the above rights please contact our privacy team at: privacy@itamar-medical.com.

Incident Responsiveness

Company has implemented a process, in the event of a breach of any personal data or PHI and will provide the data controllers, Covered Entities, regulators, end users, patients and any other relevant individual or entity with immediate notification of such breach, to the extent required under applicable law.

Legal Documentation

Our Legal team is busy ensuring that our legal documentation is updated to reflect any changes and to include the mandatory Processor provisions required by Article 28 of the GDPR and any relevant updates necessary in order to comply with HIPAA as well.

Data Protection Officer

We have appointed a DPO in order to ensure ongoing compliance with the GDPR. The Company’s DPO can be contacted at: DPO@itamar-medical.com.

DISCLAIMER: THIS WEBSITE IS NEITHER A MAGNUM OPUS ON DATA AND PRIVACY LAWS NOR SHOULD IT BE USED IN PLACE OF LEGAL ADVICE FOR YOUR COMPANY TO ASSIST IT IN COMPLYING WITH EU AND OTHER DATA AND PRIVACY LAWS LIKE THE GDPR AND HIPAA. INSTEAD, IT PROVIDES BACKGROUND INFORMATION TO HELP YOU BETTER UNDERSTAND HOW WE HAVE ADDRESSED SOME IMPORTANT LEGAL MATTERS. THIS LEGAL INFORMATION IS NOT THE SAME AS LEGAL ADVICE, WHERE AN ATTORNEY APPLIES THE LAW TO YOUR SPECIFIC CIRCUMSTANCES. AS SUCH WE INSIST THAT YOU CONSULT AN ATTORNEY IF YOU WOULD LIKE ADVICE, ASSISTANCE IN INTERPRETING THIS INFORMATION OR ITS ACCURACY. YOU MAY NOT RELY ON THIS INFORMATION AS LEGAL ADVICE, NOR AS A RECOMMENDATION OF ANY PARTICULAR LEGAL UNDERSTANDING.