Abbott LibreView Professional Online Privacy Notice

Effective Date: October 2019

Abbott Diabetes Care, Inc. (“Abbott” or “us”, “our”, “we”) recognizes the importance of data protection and privacy and is committed to protecting personal information, including health-related information. This Privacy Notice describes how the personal information you provide to us about you and your practice, including the health-related information of your patients, is collected and used by Abbott and how it is uploaded, transmitted and stored by you in the LibreView System.

Abbott is the developer of sensors, readers and glucose test meters for the FreeStyle family of products and the FreeStyle Libre branded mobile applications (“Libre App”).

The LibreView website (“LibreView”) and the LibreLinkUp mobile app ("LibreLinkUp App") have been developed by Newyu, Inc. (“Newyu”). The Libre App, LibreView and LibreLinkUp App together make up the "LibreView System".

Please read this Privacy Notice carefully before creating a LibreView System account as it applies to your use of the LibreView System and to the processing, transfer and storage of the personal information you provide to us, including health-related information in the cloud by Abbott and certain affiliated companies or our processors as described below. Certain of our affiliated companies and our processors may have access to personal information and health-related information of your patients if required to resolve a customer service issue you may have with LibreView. This Notice also sets out the information that you, as a Professional User, should provide to your patients.

This Privacy Notice only applies to professional visitors to LibreView and to professionals that create a LibreView system account as a Professional User. This Privacy Notice does not apply to personal information collected through the use of other websites controlled by other Abbott affiliates or subsidiaries or via other methods, such as other Abbott websites, other Abbott customer call centers, or use of FreeStyle Libre Software, and other privacy policies may apply to the personal information processed or collected through these methods

BY ACCEPTING OR AGREEING TO THIS PRIVACY NOTICE AND CREATING A LIBREVIEW SYSTEM ACCOUNT AS A PROFESSIONAL USER, YOU EXPLICITLY ACKNOWLEDGE THAT YOUR USE OF THE LIBREVIEW SYSTEM IS CONDITIONED UPON YOUR ACCEPTANCE OF THIS PRIVACY NOTICE AND TO THE PROCESSING AND TRANSFER OF PERSONAL INFORMATION, INCLUDING THE HEALTH-RELATED INFORMATION OF YOUR PATIENTS, AS DESCRIBED IN THIS PRIVACY NOTICE AND THAT YOU HAVE THE APPROPRIATE AUTHORIZATIONS, CONSENTS OR PERMISSIONS FOR YOURSELF, YOUR PRACTICE AND YOUR PATIENTS, AS APPLICABLE, TO ACCEPT THIS PRIVACY NOTICE.

YOUR CONSENT IS GRANTED AT YOUR FREE WILL AND YOU ACKNOWLEDGE THAT YOU ARE NOT UNDER ANY LEGAL OBLIGATION TO PROVIDE PERSONAL INFORMATION TO ABBOTT.

+About Us and Controller Information

Abbott Diabetes Care, Inc. of 1420 Harbor Bay Parkway, Alameda, CA 94502, USA is the developer of sensors, readers and glucose test meters for the FreeStyle Libre family of products and the Libre App. The LibreView System includes the Libre App and LibreLinkUp App which may be compatible with LibreView located at www.LibreView.com.

Abbott is the controller of the personal data you provide when creating your LibreView System account.

EXCEPT AS OTHERWISE PROVIDED IN THIS PRIVACY NOTICE, YOU ARE A CONTROLLER OF THE PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, OF YOUR PATIENTS FOR WHOM YOU HAVE CREATED A PATIENT PROFILE. YOU SHOULD NOTIFY YOUR PATIENTS ABOUT YOUR, YOUR PRACTICE’S AND ABBOTT’S PROCESSING OF THEIR PERSONAL INFORMATION AND HEALTH-RELATED INFORMATION, INCLUDING TRANSFERS, OR ACCESS WHICH MAY BE REQUIRED. Abbott will process the personal information of your patients, including their health-related information, as a ‘processor’ for the purpose of the health care you provide to your patients to protect their vital interests, and you will be the controller of your patients’ personal data in such instances. Abbott also processes patient personal information as a ‘controller’ for the purposes set out in this Privacy Notice (see +Abbott’s Use of Your Patients’ Information and +Data Analysis for more information and where your patient has their own LibreView System account).

+Background of the LibreView System

“Professional User” includes only those medical professionals (and their duly authorized representatives and agents) who either have registered a clinical practice or have registered as a professional user of the LibreView System.

The LibreView System is a cloud-based diabetes information management system that may be used by Abbott, Professional Users, and patients to aid in the review, analysis and evaluation of patients’ historical glucose data, glucose test results, ketone test results and user-entered information including insulin, food, exercise, and notes to support an effective diabetes health management program. The LibreView System also allows individual users to create their own LibreView System accounts, upload their own information and share that information with Professional Users. Alternatively, patients can visit their health care professional, allowing their health care professional to connect the patient’s reader or meter to their own Professional User LibreView System account. The LibreView System also permits Professional Users to create patient profiles and to remotely manage patients who have LibreView System accounts, as well as to share those reports with other professionals in their practice.

The LibreView System allows Abbott to provide improved guidance for patients utilizing Abbott’s meters, readers and mobile apps. It also enables Abbott to improve quality, security and effectiveness of medical devices and systems and allows Abbott to develop innovative and effective treatment for and management of diabetes in the interests of public health.

AS A PROFESSIONAL USER YOU ARE RESPONSIBLE FOR (I) ANY PATIENT INFORMATION YOU ENTER INTO THE LIBREVIEW SYSTEM, (II) THE PERSONAL INFORMATION OF OTHER PROFESSIONALS YOU INVITE TO JOIN A PRACTICE ACCOUNT, AND (III) YOUR USE OF PERSONAL INFORMATION OF ANY INDIVIDUAL WITH A LIBREVIEW SYSTEM ACCOUNT. YOU ARE THEREFORE RESPONSIBLE FOR COMPLYING WITH APPLICABLE DATA PROTECTION AND PRIVACY LAWS AND FOR OBTAINING, WHERE REQUIRED, ANY CONSENTS (INCLUDING EXPLICIT CONSENT) NEEDED UNDER APPLICABLE LAW.

+Personal Information Collection via the LibreView System

This Privacy Notice applies to:

Your account profile information is maintained in a separate database that does not include your patients’ health-related information, and Abbott uses technical and administrative measures to ensure data separation.

Where you create a practice on the LibreView System (“Practice”), you will be required to provide us with practice information, which includes the practice name, address, phone number and whether you wish to transfer your existing patients into the practice. When you create a Practice, you become the administrator for that Practice. An automatic Practice ID is assigned, which if you provide to your patients, will allow them to connect with your Practice.

To invite a patient to create a LibreView System account, you will be required to enter the patient’s name, date of birth, country, and email address for adult users and, in the case of pediatric use, the email address of the parent/guardian, the child’s name, date of birth and country. If the patient you invited has already registered for a LibreView System account, when you connect with that patient, you will see patient account information and previous uploads of data from their compatible sensors, readers or meters and related statistics. In addition to the categories of information listed here, other categories of personal information may be collected from patients on occasion and in relation to certain programs. If and when that collection of information is necessary, we will explain how that information is collected, used, and shared. If there is any conflict between that explanation and this Notice, you should rely upon that explanation and not the Notice.

You may also create a patient profile where you can upload information from a patient’s meter or reader to the LibreView System, without inviting the patient to create a LibreView System account. You may delete patient profiles and any information you enter into such profiles at any time. To create a patient profile, you will be asked to enter the following information: patient’s name, date of birth and email (optional).

+Use of Personal Information

Abbott will use the personal information collected via the LibreView System to provide you with a LibreView System account, including:

+Data Storage

Abbott uses Amazon Web Services (AWS) to host your LibreView System accounts in the cloud. The servers that host LibreView System accounts may be located in North America, Europe and the Asia Pacific region. For French users Abbott hosts LibreView System accounts with OVH. OVH is accredited by the French Ministry of Health, the ASIP Santé, to host health-related information. The personal information (including your patients’ health-related information) you upload to your LibreView System account will be stored in the region closest to your country of residence or otherwise in accordance with the data storage and privacy requirements of your selected country/region. When your personal information is hosted in a country other than the country you selected, it may become subject to the laws of the host country, which may not be equivalent to the laws of the country you selected. Abbott has implemented appropriate security measures and controls to protect your personal information.

+Data Analysis

Abbott uses de-identified, pseudonymized, aggregated and/or anonymized information for limited purposes. Our parent company Abbott Laboratories assists us as a data processor with this data analytics process. In particular, Abbott Laboratories helps us with the processes related to de-identifying, pseudonymizing and/or anonymizing personal information. This information is securely held by Abbott and will not be used to identify you individually by your name or email address. The purposes for which Abbott will use this information are:

Abbott does product usage analysis based on de-identified and pseudonymized data for limited purposes, in particular to help us understand the performance of the LibreView System. This information is also available to Newyu as the developer of LibreLinkUp App and LibreView.

+Use of Cookies and Similar Technologies on LibreView

We use cookies and similar technologies on LibreView to collect technical information. Cookies are text files containing small amounts of data that are downloaded to your computer when you visit a website. Cookies are useful because they allow us to recognize your computer and improve your experience on our websites. We also use Google’s Invisible reCAPTCHA service to maintain the integrity of LibreView. The use of the Invisible reCAPTCHA service is subject to Google’s Privacy Policy and Terms of Use.

Your web browser (such as Internet Explorer, Firefox, Safari or Chrome) then sends these cookies or similar technologies back to the website on each subsequent visit so that we can recognize you. These cookies can only be read by the server that sent them to your browser. Our systems may not recognize Do Not Track (DNT) headers or similar mechanisms from some or all browsers.

The cookies and similar technologies used on LibreView collect the following technical information: your domain name, browser type and operating system, the webpages you view, links you click, IP address, length of time you visit LibreView, the referring URL or the webpage that led you to LibreView and troubleshooting and analytical data to help us provide the LibreView System to you. We may combine this automatically collected information with other information we have about you.

There are various ways that you can control and manage your cookies. Please remember that any settings you change will not just affect these cookies used by LibreView. These changes may apply to all websites that you visit (unless you choose to block cookies from particular sites).

LibreView uses the following types of cookies:

To find out more about cookies visit https://www.allaboutcookies.org.

+Retention of Personal Information

Abbott will continue to store personal information associated with your LibreView System account while you have an active account. Your LibreView System account will be considered to be inactive once there has been no activity on it for six (6) months. If your LibreView System account is considered inactive, all personal information associated with that account may be de-identified for the purposes set out in the section entitled +Data Analysis and all other personal information, including any patient profile you have created, may be permanently and irrevocably deleted, subject to compliance with applicable law. LibreView should not be used as a patient health record and you must download or print out information you may require from the LibreView System. The deletion of your LibreView System account will not have an impact on any individual user account created by any of your patients independently. We will notify you in advance by sending an email to the email address associated with your LibreView System account so that you have an opportunity to ensure your account stays current and available for your use. The section entitled +Deleting your LibreView System Account explains how you can delete your account and what happens to your personal information once your account has been deleted.

+Disclosure of Personal Information by Us

We share personal information with the following:

Abbott Laboratories: We share personal information with our parent company to assist us as a data processor with the data analytics process, in particular, the processes related to de-identifying, pseudonymizing and/or anonymizing information.

Third-party suppliers: We share personal information with third-party suppliers as needed to provide, maintain, host, and support the LibreView System. Newyu will process personal information, including your patients’ health-related information, on our behalf as a third-party supplier and as our Business Associate under HIPAA (please see our HIPAA Notice of Privacy Practices at HIPAA Notice of Privacy Practices and the section entitled +USA below for further information). Abbott uses Amazon Web Services (AWS) and other cloud providers to host LibreView System accounts in the cloud. Where we provide your personal information to third-party suppliers to assist us with the provision of your LibreView System account, they are required to keep your personal information confidential and secure and to use your personal information to the minimum extent necessary. Where possible, Abbott uses third party service providers to report system errors so that we can support and improve the LibreView System and in such instances the information sent to such third parties will not involve the use of personal information.

Abbott uses third-party service providers to provide you with the LibreView System. The information sent to such third parties will not involve the use of personal information.

Abbott uses AWS and OVH to store LibreView System accounts (please see the section entitled +Data Storage for further information). Abbott uses Lomaco et AGPS to ensure invoicing of telemedicine acts in France to the social security system.

Local affiliated Abbott companies: We share personal information with local affiliates so that you can receive direct marketing communications from us (if required by law, you will only receive such communications where you have opted-in).

Other Third Parties: We may share de-identified, pseudonymized, aggregated, and/or anonymized information with affiliated Abbott companies and with other third parties for the purposes relating to the +Data Analysis set out above. This is information that Abbott securely holds and will not be used to identify you individually by your name or email address.

We may also share personal information with third parties (including affiliated Abbott companies) with whom we are jointly marketing a product or service or jointly conducting a program, survey or activity.

We will not sell or license personal information to third parties except in connection with the sale, merger, or transfer of a product line or division, so that the buyer can continue to provide you with information and services. For the avoidance of doubt, we will never sell personal information for commercial purposes to third parties and we may only share personal information with third parties where you have provided consent or where permitted by applicable law.

We reserve the right to disclose personal information to respond to authorized information requests from government authorities, to address national security situations, or when otherwise required by law. Furthermore, where permitted or required by law, we may also disclose the information we collect from you where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved. The personal information associated with your LibreView System account may be subject to foreign laws and may be accessible by foreign governments, courts, law enforcement, and regulatory agencies.

+Security of Your Personal Information

We have implemented administrative, technical and physical safeguards to protect personal information, including health-related information, from unauthorized or unlawful access, accidental loss, destruction, damage, misuse, disclosure and alteration, including through the use of cryptographic technologies. Abbott restricts access to personal information by its employees on a need to know basis. Please keep in mind that no internet or Wi-Fi transmission is 100% secure, so please exercise caution when uploading personal information, especially health-related information, to your LibreView System account.

You are responsible for protecting against unauthorized access to your LibreView System account, practice and patient profiles. We recommend securing access to LibreView and thereby your practice and patient profile by always logging-out, choosing a robust password for your LibreView System account that nobody else knows or can easily guess, implementing security settings your mobile device or computer such as a password to access it, keeping your device locked when not in use and keeping your account information and password private. Abbott is not responsible for any lost, stolen or compromised passwords or for any activity on your LibreView System account from unauthorized users where caused by you. If you think your LibreView System account has been compromised, please contact us as soon as you are able at DiabetesCarePrivacy@Abbott.com.

+Cross-Border Transfers of Personal Information

If you selected a country outside the United States of America as your location, we may occasionally need to access or view your personal information, such as your name and email address, and in certain exceptional circumstances the health-related information of your patients, via a secure network from the United States of America to the extent it is necessary for us to provide you with technical support or to troubleshoot any LibreView System issues in relation to your account.

In addition, we also transfer de-identified or pseudonymized data, which does not identify your patients by name, for the purpose of conducting data analysis as described in the section entitled +Data Analysis. The United States of America may not provide data protection or privacy laws equivalent to the laws of your country; however, we put appropriate measures in place to protect your personal information.

BY CREATING A LIBREVIEW SYSTEM ACCOUNT AND BY ACKNOWLEDGING AND AGREEING TO THIS PRIVACY NOTICE, WE ARE INFORMING YOU OF THESE TRANSFERS OF PERSONAL INFORMATION TO THE UNITED STATES OF AMERICA AND TO THE ACCESS OF PERSONAL INFORMATION, INCLUDING YOUR PATIENTS’ HEALTH-RELATED INFORMATION, WHICH MAY BE REQUIRED IN EXCEPTIONAL CIRCUMSTANCES TO RESPOND TO ANY SUPPORT REQUESTS YOU SUBMIT. THE UNITED STATES OF AMERICA MAY NOT OFFER AN EQUIVALENT LEVEL OF PROTECTION FOR PERSONAL INFORMATION WHEN COMPARED TO SWITZERLAND, A EUROPEAN ECONOMIC AREA COUNTRY OR OTHER COUNTRY WITH DATA PROTECTION OR PRIVACY LAWS IN WHICH YOU ARE LOCATED.

+How Abbott Sends You Marketing and Other Material

Abbott (or its affiliates) may use your personal information to send you advertising and marketing-related information about diabetes care or their other products and services if (where required by law) you opted-in to receive such communications when you set up your LibreView System account. We may also invite you to participate in surveys about our products, provide you with news and newsletters, or notify you about special offers and promotions at any time. These materials may be sent by us or by an affiliate of Abbott. You may opt out from receiving marketing-related communications by either clicking on the unsubscribe link at the bottom of marketing-related emails or by contacting us at DiabetesCarePrivacy@Abbott.com.

Abbott will not sell personal information to third parties for direct marketing.

Where you opt out of receiving marketing-related information about diabetes care, we may continue to send you non-marketing related information. This information may be in relation to necessary system and service updates or issues including product safety.

+How Professional Users Can Access and Correct Personal Information and Your Rights

You may correct your profile information (your name, email address and password) through the LibreView System account settings which can be accessed through LibreView. We are not able to correct or amend any sensor readings or any data uploaded from a FreeStyle Libre reader or meter by you or your patients, but we will assist you with deleting your LibreView System account and creating a new one so that you can reload the correct information.

Depending on the location of your practice, you may have the right to: (a) access the personal information we hold about you; (b) request we correct any inaccurate personal information we hold about you; (c) delete any personal information we hold about you; (d) restrict the processing of personal information we hold about you; (e) object to the processing of personal information we hold about you; and/or (f) receive any personal information you have provided to us on the basis of your consent in a structured and commonly used machine-readable format or have such personal information transmitted to another company by using the export function in your LibreView System account, where accessible.

To request the exercise of these rights, please contact us using any of the methods set out in the section entitled +Contact Us.

Your patients may also have these rights in relation to the personal information held about them through the LibreView System. Abbott will provide reasonable assistance and cooperation in assisting you to respond to any request by your patient to exercise their rights.

+Deleting your LibreView System Account

If you would like to delete your LibreView System account, you may do so by logging into your LibreView System account via www.libreview.com and using the delete account functionality. Please be aware that if you delete your account, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.

Once your LibreView System account and any associated personal information has been deleted, you will no longer have access to the LibreView System and deletion of your account is irreversible. You are not therefore able to reactivate your LibreView System account or retrieve any personal information, including health-related information, so you may want to download and save any required information before requesting that we delete your account from the LibreView System.

If your patient has shared their LibreView System account information with you and requests that we delete their LibreView System account, once deleted, you will no longer be able to remotely view information from their meter, reader or Libre App.

Abbott reserves the right to delete inactive LibreView System accounts after six (6) months. We will notify you in advance by sending an email to the email address associated with your LibreView System account so that you have an opportunity to ensure your account stays current and available for your use.

+Third Party Links to LibreView

LibreView may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Privacy Notice, but instead is governed by the privacy notices of those third-party websites. We are not responsible for the information practices of such third-party websites.

+Contact Us

If you have questions, comments, or complaints about our privacy practices, please contact us by clicking on the “Contact Us” link in one of our websites or emailing us at DiabetesCarePrivacy@Abbott.com. Alternatively, you may write to us at:

Attn: Privacy Officer
Abbott Diabetes Care Inc.
1420 Harbor Bay Parkway
Alameda, CA 94502
USA

For HIPAA-related inquiries, please contact us at: DiabetesCareHIPAA@Abbott.com.

For EEA Users see also below under your regional section for additional contact details.

In all communications to us, please include the email address used to create your LibreView System account and a detailed explanation of your request.

+Changes to this Privacy Notice

If we make material changes to our privacy practices, an updated version of this Privacy Notice will reflect those changes. You will be alerted to updates to this Privacy Notice by email or when you next log into LibreView. You will be notified if there is a new version of this Privacy Notice and will be prompted to read and accept it so that you can continue to access and use your LibreView System account via LibreView.

Without prejudice to your rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes, and good business practices to the extent that it does not change the privacy practices as set out in this Privacy Notice.

If you do not agree to the changes to this Privacy Notice, you should delete your LibreView System account by logging into your account via www.libreview.com and using the delete account functionality.

+INFORMATION YOU MUST PROVIDE TO PATIENTS ABOUT HOW PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, ABOUT THEM AND UPLOADED BY YOU IN THE LIBREVIEW SYSTEM IS PROCESSED

YOU AS A PROFESSIONAL USER AND HEALTH CARE PROFESSIONAL ARE A CONTROLLER, EXCEPT AS OTHERWISE PROVIDED IN THIS PRIVACY NOTICE, OF THE PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION OF THOSE OF YOUR PATIENTS FOR WHOM YOU HAVE CREATED A PATIENT PROFILE. YOU MUST NOTIFY YOUR PATIENTS OF ALL OF THE INFORMATION CONTAINED WITHIN THIS SECTION. Abbott processes patient personal information as a ‘controller’ for the purposes set out in this Privacy Notice (see +Abbott’s Use of Your Patients’ Information and +Data Analysis for more information and where your patient has their own LibreView System account).

+Abbott’s Use of Your Patients’ Information

You should advise your patients that we use their personal information provided by you for the following reasons:

+Data Analysis

Abbott uses de-identified, pseudonymized, aggregated and/or anonymized information for limited purposes. Our parent company Abbott Laboratories assists us as a data processor with this data analytics process. In particular, Abbott Laboratories helps us with the processes related to de-identifying, pseudonymizing and/or anonymizing your patients’ personal information. De-identification and pseudonymization is an automated process that takes place within the servers where users’ LibreView System accounts are held. This is information that Abbott securely holds and will not be used to identify you individually by your name or email address. The purposes for which Abbott will use this information are:

Abbott does product usage analysis based on de-identified and pseudonymized data for limited purposes, in particular to help us understand the performance of the LibreLinkUp App and Libre App, to help us understand issues which may need fixing with the Apps and to help us understand how many times the Apps have been downloaded from App Stores. This information is also available to Newyu as the developer of LibreLinkUp App.

If your patient uses the FreeStyle Libre Desktop Software: information uploaded to the LibreView System is hosted separately and independently from the FreeStyle Libre Desktop Software. Abbott will never combine these data (the de-identified data obtained through the FreeStyle Libre Desktop Software and the data uploaded to the LibreView System). Abbott uses administrative, technical and organizational measures to ensure that these data flows remain separate.

+Record Retention

You should inform your patients that Abbott will continue to store personal information while there is an active LibreView System account. Their LibreView System account will be considered to be inactive once there has been no activity on it for six (6) months. If their LibreView System account is considered inactive, all personal information, including data derived from their use of the LibreLinkUp App, Libre App, or a FreeStyle meter or reader, from the computer used to interact with LibreView and health-related information associated with that account may be de-identified for the purposes set out in the section entitled +Data Analysis and all other personal information may be permanently and irrevocably deleted. We will notify individuals in advance by sending an email to the email address associated with their LibreView System account so that they have an opportunity to ensure that their account stays current and available for your use.

If your patients did not opt to create a LibreView System account, your patients’ personal information, as contained within their patient profile, will be retained for as long as you have an active LibreView System account, unless you choose to delete that information sooner.

+How Abbott Protects the Privacy of Children

Where your patient is a child, you should advise their parent/guardian of the following:

+Data Storage

You should inform your patients that Abbott uses Amazon Web Services (AWS) to host LibreView System accounts in the cloud. The servers that host LibreView System accounts may be located in North America, Europe and the Asia Pacific region. For French users Abbott hosts LibreView System accounts with OVH. OVH is accredited by the French Ministry of Health, the ASIP Santé to host health-related information. The personal information and health-related information you upload to their LibreView System account, or your LibreView System account which contains their patient profile, will be stored in the region closest to the patient’s country of residence or otherwise in accordance with the data storage and privacy requirements of your selected country/region. When the patient’s personal information is hosted in a country other than the country it selected (or you selected on its behalf), it may become subject to the laws of the host country, which may not be equivalent to the laws of the country you selected. Abbott has implemented appropriate security measures and controls to protect personal information.

+How Abbott Shares Personal Information of your Patients with Third Parties

You should inform your patients that we share their personal information as follows.

Abbott Laboratories: We share their personal information with our parent company to assist us as a data processor with the data analytics process, in particular, the processes related to de-identifying, pseudonymizing and/or anonymizing information.

Third-party suppliers: We share their personal information with third-party suppliers to provide, maintain, host, and support the LibreView System. Newyu will process personal information, including health-related information, on our behalf as a third-party supplier and as our Business Associate under HIPAA (please see our HIPAA Notice of Privacy Practices at HIPAA Notice of Privacy Practices and the section entitled +USA below for further information). Abbott uses Amazon Web Services (AWS) and other cloud providers to host LibreView System accounts in the cloud. Where we provide personal information to third-party suppliers to assist us with the provision of the LibreView System account, they are required to keep personal information confidential and secure and to use Personal Information to the minimum extent necessary. Where possible, Abbott uses third party service providers to report system errors so that we can support and improve the LibreView System and in such instances the information sent to such third parties will not involve the use of personal information.

Abbott uses third-party service providers to provide the LibreView System. The information sent to such third parties will not involve the use of personal information.

Abbott uses AWS and OVH in France to store LibreView System accounts (please see the section entitled +Data Storage for further information). Abbott uses Lomaco et AGPS to ensure invoicing of telemedicine acts in France to the social security system.

Local affiliated Abbott companies: Where your patients opt-in to receive direct marketing communications from us, we may share their personal information, such as name and email address but not health-related data, with local affiliated Abbott companies with whom we are jointly marketing a product or service or jointly conducting a program, survey or activity. For patients located in the United States of America, provided that such disclosure complies with HIPAA (please see the section entitled +U.S. for further information).

Other Third Parties: We may share de-identified, pseudonymized, aggregated, and/or anonymized information with affiliated Abbott companies and with other third parties for the purposes relating to the +Data Analysis set out above. This is information that Abbott securely holds and will not be used to identify your patients individually by name or email address.

We also may share Personal Information with third parties where your patient has expressly asked us to do so, including where they use the share functionality in the Libre App or choose to share reports with you. We will not sell or license Personal Information to third parties except in connection with the sale, merger, or transfer of a product line or division, so that the buyer can continue to provide you with information and services. For the avoidance of doubt, we will never sell Personal Information for commercial purposes to third parties and we may only share Personal Information with third parties where you have provided consent or where permitted by applicable law.

For Libre App users with Android devices, Android requires location services permissions to be granted in order to connect apps with Bluetooth devices. Google’s Location Services include features that collect a user’s precise location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. This data will be collected by Google if a user grants access to his or her location. For more information on Google’s privacy practices relating to this data, please see Android’s support website. After the initial connection between the Libre App and a Sensor, you may choose to stop sharing location data with Google using your mobile device settings, but you will have to turn on Google’s Location Services to connect a new Sensor. Abbott will not use your Personal Information derived from Google’s Location Services.

We reserve the right to disclose Personal Information to respond to authorized information requests from government authorities, to address national security situations, or when otherwise required by law. Furthermore, where permitted or required by law, we may also disclose the information we collect from your patients where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved. Personal Information may be subject to foreign laws and may be accessible by foreign governments, courts, law enforcement, and regulatory agencies.

+Security of Your Patients’ Personal Information

You should inform your patients that we have implemented administrative, technical and physical safeguards to protect personal information, including health-related information, from unauthorized or unlawful access, accidental loss, destruction, damage, misuse, disclosure and alteration, including through the use of cryptographic technologies. Abbott restricts access to personal information by its employees on a need to know basis. Please keep in mind and remind your patients that no internet or Wi-Fi transmission is 100% secure, so please exercise caution when uploading their personal information, especially health-related information, to your LibreView System account.

+Cross Border Transfers of Your Patients’ Personal Information

If your patients are located outside the United States of America, we may occasionally need to access or view their personal information, such as their name and email address, and in certain exceptional circumstances your patients’ health-related information, via a secure network from the United States of America where necessary for us to provide you with technical support or to troubleshoot any LibreView or System issues with your account or a patient profile.

In addition, we also transfer de-identified or pseudonymized data, which does not identify your patients by name, for the purpose of conducting data analysis as described in the section entitled +Data Analysis. The United States of America may not provide data protection or privacy laws equivalent to the laws of their country of residence; however, we put appropriate measures in place to protect personal information.

+How Abbott Sends Marketing and Other Material

Abbott will not send marketing materials to those of your patients for whom you create a patient profile. If, however, your patient has their own LibreView System account, Abbott (or its affiliates) may send those of your patients who have created a LibreView System account advertising and marketing-related information or ask if they would like to participate in surveys about diabetes care or other products and services if (where required by law) they opted-in to receive such communications. Such patients may also receive marketing information which is tailored to their specific needs based on the information uploaded or connected to their LibreView System account (including health-related information). We may also invite them to participate in surveys about our products, provide them with news and newsletters, or to notify them about special offers and promotions. These materials may be sent by us or by an affiliate of Abbott. They may opt out from receiving marketing-related communications by either clicking on the unsubscribe link at the bottom of marketing-related emails we send them or by contacting us at DiabetesCarePrivacy@Abbott.com. We will process opt-out requests without undue delay.

Neither Abbott nor its affiliates or licensors will knowingly send advertising or marketing-related information to children.

Abbott will not sell your patients’ personal information to third parties for direct marketing.

Where patients opt-out of receiving marketing-related information about diabetes care, we or Newyu may send them non-marketing related information. This information may be in relation to necessary system and service updates or issues relating to product safety.

+How Individual Users Can Access and Correct Personal Information and Their Rights

Once device related data is uploaded to the LibreView System, it may not be changed by Abbott. Where a patient has created a LibreView System account, they may correct their profile information via their account settings.

Depending on your patients’ place of residence, they may have the right to: (a) access the personal information we hold about them; (b) request we correct any inaccurate personal information we hold about them; (c) delete any personal information we hold about them; (d) restrict the processing of personal information we hold about them; (e) object to the processing of personal information we hold about them; and/or (f) receive any personal information they have provided to us on the basis of your consent in a structured and commonly used machine-readable format or have such personal information transmitted to another company by using the export function in their LibreView System account, where accessible.

Where a patient requests to exercise such rights to the personal information you hold about them, for example in their patient profile, you are responsible for handling their request in accordance with applicable data protection and privacy laws.

Where you have created or added a patient to the LibreView System, we will co-operate with you to delete their information following notice from you to remove them from the LibreView System.

COUNTRY SPECIFIC PROVISIONS FOR PROFESSIONALS

+Argentina

The Public Information Access Agency, in its capacity as supervisory body of Act No. 25.326, has jurisdiction over all accusations and complaints made by those affected in their rights for infringements to regulations in force referred to the protection of personal information.

+Australia

If you wish to make a complaint about a breach of the Privacy Act, the Australian Privacy Principle (“APPs”) or a privacy code that applies to us, or if you have any queries or concerns about our Privacy Notice or the way we handle your personal information, please contact us using the details above and we will take reasonable steps to investigate and respond to you.

If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner. See http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office. We are not likely to disclose personal information overseas, except as permitted by the Privacy Act 1988 (Cth), unless we otherwise advise you in writing. We may transfer personal information to the United States. You consent (or, in the case of your patients’ personal information commit to obtaining the necessary consent) to that disclosure and agree that by giving or obtaining that consent, Australian Privacy Principle 8.1 no longer applies, and we are not required to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.

+EEA and Switzerland

YOU ACKNOWLEDGE AND AGREE THAT WHERE YOU ENTER PATIENT DATA INTO THE LIBREVIEW SYSTEM OR USE THE PERSONAL INFORMATION OF ANY INDIVIDUAL WITH A LIBREVIEW SYSTEM ACCOUNT FOR THE PURPOSE OF PROVIDING MEDICAL TREATMENT, EXCEPT AS OTHERWISE PROVIDED IN THIS PRIVACY NOTICE, YOU ARE THE CONTROLLER AND ARE RESPONSIBLE FOR COMPLYING WITH APPLICABLE DATA PROTECTION AND PRIVACY LAWS. Where Abbott uses identifiable patient data you enter into the LibreView system for the purposes of analytics, system troubleshooting, system and/or customer support, research or reporting, Abbott will be the controller and will comply with applicable local data protection and privacy laws. Where your patient has independently created a LibreView system account, either for their own use or for the use of a child or other person for whom they provide care, Abbott will be the controller and will comply with applicable local data protection and privacy laws. Abbott will treat all such patient personal information for which it is a controller, including health-information, in accordance with the LibreView Individual User Privacy Notice. When your patient has created a LibreView system account and grants you access to that account or where you set up a LibreView system account for your patient, Abbott (through the LibreView system) will be processing both your and your patient’s personal data as a ‘data processor’ on your behalf as a healthcare professional where you process your patient information to protect their vital interests as determined in your sole discretion as their healthcare professional.

You should ensure that your patients are made aware of the following information, which applies equally to them and to you:

Both you and your patients have the right to lodge a complaint with your local data protection authority if you are unhappy with any aspect of Abbott’s processing of your personal information. The contact details of our European data protection officer along with other useful contact information are available at www.EU-DPO.abbott.com.

If you or your patients would like to exercise any rights in respect of your personal data, as set out in the Privacy Notice, and are contacting us by email, please title your email subject line accordingly (for example, “Correction Request” or “Access Request”), or other right as applicable in the subject line of the email. We will do our best to respond to all reasonable requests in a timely manner, or at the very least, in accordance with any applicable legal requirement.

Abbott processes personal information as a controller based on the following legal bases as set out in the General Data Protection Regulation (“GDPR”):

+California

California Civil Code Section 1798.83 permits residents of the State of California to request from certain businesses with whom the California resident has an established business relationship a list of all third parties to which the business, during the immediately preceding calendar year, has disclosed certain personally identifiable information for direct marketing purposes. Abbott is required to respond to a customer request only once during any calendar year. To make such a request you should send a letter to Abbott Diabetes Care Inc., Attn: Privacy Officer, 1420 Harbor Bay Parkway, Alameda, CA 94502, USA. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California Privacy Rights requirements and only information sharing that is covered will be included in our response.

You should ensure that your patients are also made aware of this right.

+Chile, Colombia and Saudi Arabia

Your consent is required for Abbott to process your personal information generally. By accepting the terms of this Privacy Notice, you are deemed to have consented to the processing of your personal information as described herein. You may withdraw your consent at any time by logging into your LibreView System account via www.libreview.com and using the delete account functionality.

You are also responsible for obtaining your patients’ consent for Abbott to process their personal data as described in this Privacy Notice.

+France

It is important when you sign up for a LibreView System account that you select France as your country of residence as this will determine where your data is stored. If you have incorrectly identified a different country as your country of residence, do not complete the installation. Instead, return to www.libreview.com and click “Sign Up”. The controller for your LibreView System account is Abbott Diabetes Care, Inc., 1420 Harbor Bay Parkway, Alameda, California 94502 United States. Our local representative is Abbott Diabetes Care France (Diabétologie), Bâtiment Cologne, 12 Rue de la Couture, BP 20235, 94518 Rungis Cedex.

+South Africa

You have the right to lodge a complaint to the Information Regulator regarding the processing of your personal information, by writing to: The Information Regulator, SALU Building, 316 Thabo Sehume Street, PRETORIA, Ms Mmamoroke Mphelo, Tel: 012 406 4818, Fax: 086 500 3351, inforeg@justice.gov.za

You should ensure that your patients are also made aware of this right.

+USA

Some functions within Abbott may operate as a “Covered Entity” pursuant to the Health Insurance Portability and Accountability Act and its implementing regulations (collectively “HIPAA”) and may use any patient personal information, including health information, that you provide to us through the LibreView System for the purpose of improving treatment guidance for patients utilizing Abbott’s FreeStyle family of products or Libre App. Abbott’s use of patient personal information, including health information, that you provide to us through the LibreView System will be additionally governed by our HIPAA Notice of Privacy Practices, available on LibreView at HIPAA Notice of Privacy Practices and which sets out your patients’ rights with respect to any health information provided by you to us.

If you choose to delete your LibreView System account, Abbott may also retain any patient personal information, including health-related information, that you provide to us through the LibreView System for the purpose of improving treatment guidance for patients utilizing Abbott’s FreeStyle family of products or Libre App.

It is your responsibility to ensure that your patients are made aware of the following pieces of information:

Please contact DiabetesCareHIPAA@abbott.com with any questions about your patients’ HIPAA rights.

DOC40648-002_rev-A_en_US