The information contained on this website is for general information purposes only. The information is provided by Norso Medical and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability concerning the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.As a leading global developer, manufacturer, and supplier of medical devices, Mindray is dedicated to deliver high-quality, richly featured medical products making healthcare more accessible and affordable around the world. Since founded in 1991, Mindray has been striving not only to provide medical devices and industry solutions, but also practice corporate value into every aspect of company. To better serve clients, Mindray follows the most stringent international and FDA manufacturing and quality control standards in each of its state-of-the art manufacturing facilities, ensuring efficiency and traceability throughout the entire process. This White Paper aims to provide our clients and stakeholders information to better understand the Mindray privacy policy. Specifically, this White Paper describes how Mindray implements its privacy policy to collect, store, transfer and delete data in the process of product design, manufacture, sales and use. With the approaching effective date of General Data Protection Regulation (GDPR) of European Union, Mindray has been taking effective actions to comply with GDPR compliance frameworks. Mindray is a leading practitioner at the forefront of industry compliance practices all along. In this White Paper, it will help you to understand: • Mindray’s overall privacy protection policy, including guiding principles adopted by Mindray Headquarters and its subsidiaries; • Mindray GDPR compliance programme illustrating the corporate governance and internal controls with regards to the considerations of privacy protection; • The mechanism of Mindray’s products, including PMLS, IVD, MIS, on how to collect, store, transfer and delete data. Disclaimer: This White Paper is provided solely for informational purposes and aimed to help existing and prospective business partners understand how Mindray may facilitate your compliance with the GDPR. It shall not be construed or used as legal advice about the GDPR, its implementing rules or regulatory guidelines. The White Paper summarises Mindray’s GDPR compliance measures and status as of the release date of this document, and is subject to future changes without prior notice. As each business partner may have substantially different demands and may be operating under different personal data protection regimes, Mindray strongly encourages you to obtain properly customised legal advice on personal data protection in general and the GDPR compliance in particular. This White Paper does not constitute or create any warranties, responsibilities, representations, contractual commitments, conditions, endorsement or assurances from Mindray. Introduction 01 Mindray GDPR Compliance White Paper Our Company Mindray is a leading global designer, developer, and manufacturer of medical devices and solutions, dedicated to making better healthcare more accessible to humanity. Since its foundation in 1991, Mindray has been exclusively focused on the medical industry in the fields of Patient Monitoring & Life Support, InVitro Diagnostics, and Medical Imaging. Mindray strives to be innovative, accessible, localized, and responsible. Mindray’s insightful, human-centric research creates solutions that are designed with accessibility in mind, resulting in ease-ofuse solutions in any solution. With corporate headquarters located in Shenzhen, China, and 42 international subsidiaries with branch offices in 32 countries, Mindray has approximately 7,500 employees worldwide. Eight global R&D centers and an industry leading investment of 10% of annual revenue into research and development further demonstrates Mindray’s commitment to innovation and advancing technology in a global market. Our Vision Better healthcare for all. Our Mission Advance medical technologies to make healthcare more accessible. Our Commitment Mindray is strongly committed to protecting the privacy of personal data that they maintain about our clients, employees and other individuals. As part of this commitment to privacy, Mindray regularly reviews its data protection practices to comply with applicable laws, industry standards and best practices. In preparation for May 25, 2018, when the European Union’s General Data Protection Regulation (GDPR) will be enforced, and because of other territorial regulations impacting privacy, a GDPR compliance programme has been initiated to provide on a basis for, and a consistent approach to, data protection compliance across the Mindray Headquarters and European subsidiaries. All related subsidiaries are now in the process of implementing the requirements of GDPR, building on existing confidentiality and security processes and standards. The new GDPR compliance programme are extensive and cover multiple functional areas and aspects of our business, all in pursuit of accountability and transparency in how Mindray collects, process, protects and disposes of personal data. Despite that the present GDPR compliance program will finish in May 2018, Mindray’s continuous improvement in this area is a long lasting mission Mindray Corporate Practices in Privacy Protection 1. Privacy by Design Privacy by Design is such an approach applied to system/product engineering that promotes privacy and data protection compliance from the beginning of project and throughout the entire lifecycle. Taking a Privacy by Design approach is an essential tool in minimising privacy risks and building trust with our clients. Designing projects, processes, products or systems with privacy in mind at the outset can lead to the benefits that include: • Potential problems identified at an early stage, when addressing them will often be simpler and less costly; • Increased awareness of privacy and data protection across an organisation; • Organisations are more likely to meet their legal obligations and less likely to breach the laws; • Actions are less likely to be privacy intrusive and have a negative impact on individuals. From a more essential and specific perspective, this approach will help organisations comply with their obligations under legislation. For example, General Data Protection Regulation (GDPR) from European Union clearly defines the requirements and obligations of company and organisation to take positive and effective measures of data protection. These measures can be classified into two types, organisational and technical. Organisations shall modify and optimise internal control processes based on GDPR. This encourages a cultural change to consider privacy and security controls and safeguards throughout the data lifecycle process. Specifically, these controls contains the data minimisation, access controls, retention, accessibility and other factors in the design phase. Since its foundation, Mindray has attached great importance to the privacy protection of its clients all along. A completely well-designed and stringent internal control system has established and been implementing for more than two decades. With the approaching effective date of GDPR, Mindray takes effective actions in advance to comply with the regulation. Specifically, Mindray develops a practical work plan to assess and improve current processes as shown below. • Privacy Impact Assessment (PIA): Assess current-state privacy controls throughout product development lifecycle, and identify compliance gaps and risks in data privacy; • Privacy-by-Design (PbD) Implementation Roadmap: Assist in the design and implementation of PbD framework at enterprise level, with enhancements to technology, policies, procedures, and operations; • PbD Recommendations Report: Continuously enhance and update privacy controls in respo