Tandem Diabetes Care, Inc. (Tandem) participates in and complies with the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries and from Switzerland.
Tandem has certified to the Federal Trade Commission that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
To learn more about the Privacy Shield program please visit the Department of Commerce’s dedicated Privacy Shield website, and to view our certification page, please visit www.privacyshield.gov/list.
Tandem is committed to protecting your privacy according to the Privacy Shield principles. This Privacy Shield Policy sets out the privacy principles which Tandem follows with respect to transfers of personal data from the European Union (EU) and/or Switzerland to the United States including personal data relating to employees, customers, distributors, vendors, contractors, and business partners.
Privacy Shield Scope
This Policy has been drafted to specifically address Tandem’s compliance with the EU-US and Swiss-US Privacy Shield Principles. As such, this Policy applies to all personal data, whether in electronic or paper format, received by Tandem in the United States from the EU member countries and from Switzerland, and outlines our general policy for the implementation of the Principles. Tandem’s Notice of Privacy Practices should be read in addition to this Privacy Shield Policy.
This Privacy Shield Policy does not apply to Personal Data transferred under Standard Contractual Clauses or any other approved EU or Swiss data transfer mechanism. Further, this Policy does not govern Tandem’s processing of its employees’ Personal Data, which is subject to internal Tandem human resource policies and procedures, nor is it intended to satisfy privacy notices required by HIPAA or GDPR. Please review Tandem’s HIPAA Notice of Privacy Practices and Tandem’s GDPR Notice of Privacy Practices.
Tandem’s adherence to the principles set forth in this Privacy Shield Policy may be subject to limitation to the extent necessary to meet national security, public interest, or law enforcement requirements; by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or if an EU, Member State, or Swiss law allows exceptions or derogations.
Privacy Shield Definitions
For the purposes of the Policy, the following definitions shall apply:
- “Agent” means any third party processing personal information on behalf of, and under the instruction of, Tandem.
- “European Union” or “(EU)” means for the purposes of this Policy all countries within the European Economic Area (EEA).
- “Tandem” means Tandem Diabetes Care, Inc. and any of its affiliates, subsidiaries, divisions, or groups in the United States listed on Tandem’s Privacy Shield certification at www.privacyshield.gov.
- “Personal Data” and “Personal Information” mean data about an identified or identifiable individual in the EU, received by Tandem in the United States from the European Union, and recorded in any form. They do not include personal information that has been anonymized, or personal information that is publicly available and has not been combined with non-public personal information.
- “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
- “Sensitive Personal Information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sex life. In addition, Tandem will treat as sensitive, any information received from a third party where that third party treats and identifies the information as sensitive.
Privacy Shield Principles
The privacy principles in this Policy are in accordance with the Principles set out in the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
Notice
Where Tandem collects Personal Information directly from individuals in the EU or in Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which Tandem discloses that information, and the choices that Tandem offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Tandem, or as soon as practical thereafter, and in any event before Tandem uses the information for a purpose other than that for which it was originally collected.
Where Tandem receives personal information from its subsidiaries, affiliates or other entities in the EU, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
In those instances where Tandem collects Personal Information directly from individuals in the EU or in Switzerland during business operations, such collection may include the processing of the following types of Personal Information from the following groups of individuals, for the following purposes:
- New or prospective customers. Tandem processes the name, contact details, insurance or other public health benefit information, and information about health and medical diagnosis and treatment from its prospective customers when they complete an online or hardcopy Patient Information form. Tandem processes this data to begin the process of getting a new customer an insulin pump and to help determine new customers’ health benefits/insurance coverage.
- Existing customers. Tandem processes its existing customers’ Personal Data in two primary ways: when providing customer support and when customers use Tandem’s t:connect suite of applications. For customer support, Tandem collects its customers’ names, email addresses, physical addresses, telephone numbers, reason(s) why customer support was contacted, limited credit card information, prescriptions, statements of medical necessity, laboratory and chart notes, and blood glucose logs. Tandem processes this Personal Data to help customers resolve problems with a product or service, confirm payment options, create a record of activity to troubleshoot issues, and ensure customers are satisfied with Tandem’s products and services.
When customers use any one of Tandem’s t:connect applications (including t:connect online, t:connect mobile, t:connect portal, or the Tandem Device Updater), Tandem processes the customer’s name, email address, pump serial number, t:connect login credentials, security questions, date of birth, blood glucose information, and pump software version. Tandem processes this data to create a customer’s t:connect account and to provide customers a means to interact with, track, and save their pump data. Tandem also uses this data to perform safety and efficacy studies, for research purposes, to identify pump trends, and to troubleshoot pump issues.
- Health care providers. In some locations, Tandem may provide healthcare providers the opportunity to sign up for an online t:connect HCP diabetes management application. This application lets health care providers upload and view their patients’ pump data. When health care providers create an account and use t:connect, Tandem processes those health care providers’ names, business addresses, and HCP Account ID Number.
- Public. Tandem may collect individuals’ Personal Data through a “Contact Us” or similarly named form on its EU- or Swiss-facing website or landing pages. This data is collected so that Tandem can respond to requests and provide individuals with information about Tandem’s products and services. The Personal Data collected from these Contact forms includes name; contact information; whether the individual has diabetes, is a caregiver, is a healthcare professional, or is an investor; and any personal information voluntarily provided in the Comments box of the form.
- Vendors and contractors. Tandem processes Personal Data from the vendors and contractors with which it does business in the EU and Switzerland. This data includes name, address, email, telephone number, job title and position, tax identification number, and past performance/work experience qualifications. Tandem uses this data to comply with the terms of the contracts it has with its vendors and contractors.
- Job applicants. If Tandem seeks to hire job applicants in the EU or Switzerland, applicants may apply through the Careers section of Tandem’s EU- and/or Swiss-facing website(s). When they do, they will be asked to provide some Personal Data to complete the application process. The personal data collected includes the applicant’s name, contact information, job preferences and work authorization status, and the information provided in resumes or CVs. Tandem collects this data to determine if the applicant is a match for the corresponding job opportunity. Some of the data, such as work authorization status, is collected because the law requires Tandem to do so.
In addition to the above, Tandem may use the Personal Information it collects to comply with its legal obligations, policies and procedures, and for internal administrative purposes.
Personal Information collected and/or processed may be disclosed to Tandem business partners or third-party service providers that support Tandem’s business and operations. Where required, Tandem may have to share Personal Data with government regulators or law enforcement agencies.
Tandem may not be required to give notice where processing is necessary to respond to a government inquiry, is required or authorized by applicable laws, court orders or government regulations, is necessary to protect Tandem's legal interests and providing notice would interfere with the above requirements, or when processing data for product safety and efficacy monitoring purposes.
Choice
Tandem ensures that it uses and discloses Personal Information in ways that are consistent with the individual’s expectations and choices. When required, Tandem offers individuals the opportunity to choose (opt out) whether and to what extent their Personal Information is (i) to be disclosed to a third party that is not an agent of Tandem, or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.
When Processing Sensitive Personal Information that has been collected directly from individuals living in the EU or Switzerland, and when required, Tandem will obtain affirmative express consent (opt in) from those individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, Tandem will treat as sensitive any Personal Information received from a third-party where the third-party identifies and treats it as sensitive.
Tandem, however, is not required to obtain affirmative express consent (opt in) with respect to Sensitive Personal Data where the processing is:
- in the vital interests of the data subject or another person;
- necessary for the establishment of legal claims or defenses;
- required to provide medical care or diagnosis;
- carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
- necessary to carry out the organization’s obligations in the field of employment law;
- related to data that are manifestly made public by the individual; or
- for the purpose of product safety or efficacy monitoring.
Data Sharing and Accountability for Onward Transfer
Tandem does not transfer, sell, trade, or rent Personal Information to others outside of Tandem, except in the following instances: (i) permission is given for Tandem to do so; (ii) when the sharing is with customers’ insurance providers, Tandem affiliates, Tandem service providers, Tandem product distributors, and Tandem business partners (including the providers of the glucose monitoring products used with Tandem products); and (iii) in accordance with the Notice section above. Tandem may also share Personal Information with other insulin pump manufacturers or sellers if a customer is switching to Tandem’s products, in order to facilitate the switch.
In rare instances, Tandem may have to share Personal Data with law enforcement agencies or to the extent permitted by law to protect its rights and comply with judicial process. Tandem may also be required by US governmental regulations to share its customers’ Personal Data with the Food and Drug Administration in the event of a pump malfunction or if an injury is caused by Tandem’s products or services.
When transferring Personal Information to a third party, Tandem will execute a contract with the third party. That contract will include some or all of the following terms, as appropriate, that address: (i) transfers of Personal Data will be made only for limited and specified purposes and according to the consent provided for such use; (ii) the third party is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) the third party must effectively Process the Personal Information transferred in a manner consistent with Tandem’s obligations under the Principles; (iv) the extent to which the third party will notify Tandem if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) Tandem’s obligation to take reasonable and appropriate steps to stop and remediate any unauthorized Processing of which it is notified or becomes aware; and (vi) that Tandem will provide a summary or a representative copy of the relevant privacy provisions of its contract with the third party to the Department of Commerce upon request.
Tandem is potentially liable in cases of onward transfer to third parties acting on Tandem’s behalf if that third-party processes the Personal Data in a manner inconsistent with the Privacy Shield Principles.
Security
Tandem employs reasonable and appropriate technical, administrative and physical safeguards designed to protect the Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the Processing and the nature of the Personal Data being processed.
Data Integrity and Purpose Limitation
Tandem uses Personal Information only in ways that are consistent with the purposes for which it was collected or subsequently authorized by the individual. Tandem takes reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current.
Tandem will only collect and store Personal Information that is relevant to fulfil the purpose of its collection, and will retain such information no longer than is appropriate to fulfil that purpose, as is required by law or regulation, or to the extent necessary to reasonably serve the purposes of archiving for scientific research.
Access and Correction
Upon request, Tandem will promptly grant individuals confirmation whether or not Tandem Processes their Personal Information, and reasonable access to the Personal Information it holds about them. In addition, Tandem will take reasonable, good faith steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or has been Processed in violation of the Principles. Tandem will respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. Tandem may also charge an individual a reasonable fee for honoring an access request, and may refuse to grant access when a request is repetitious, vexatious, or fraudulent.
As exceptions to the above, Tandem may restrict an individual’s right to access when:
- the Personal Information sought is processed solely for research, statistical, product safety, or efficacy monitoring purposes;
- providing access would interfere with national security, defense, or public security;
- fulfilling an access request could violate the legitimate rights of persons other than the individual;
- the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question;
- providing access could reveal Tandem confidential information;
- providing access would interfere with the execution or enforcement of the law or with private causes of action;
- providing access would lead to a breach of legal or professional privilege or obligation;
- providing access would prejudice an employee security investigation or the succession planning of an employee; or
- providing access would prejudice the monitoring, inspection, or regulatory functions connected with sound management, or in future or ongoing negotiations involving the organization.
Tandem has the burden of demonstrating that a claimed exception, restriction, or limitation to an access request is necessary and legitimate. Tandem may charge a reasonable fee to fulfil access requests.
Access requests should be sent to firstname.lastname@example.org.
Recourse, Enforcement and Liability
Any complaints or concerns regarding Tandem’s use or disclosure of Personal Information transferred from the EU or Switzerland to the US should first be directed to the Tandem Legal Department at the address given below in the Contact Information section. Tandem will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles within 45 days of receiving a complaint, at no cost to the individual.
In instances where complaints cannot be resolved internally, Tandem has agreed to cooperate with JAMS, which is a U.S.-based alternative dispute resolution provider. Any complaints will be handled pursuant to the JAMS International Arbitration Rules. For more information and to submit a complaint to JAMS, visit www.jamsadr.com/eu-us-privacy-shield. Such independent dispute resolution mechanisms are available to individuals free of charge. If any request remains unresolved, individuals may have a right to invoke binding arbitration under Privacy Shield. For more information about binding arbitration, visit www.privacyshield.gov/article?id=ANNEX-I-introduction.
Tandem complies with the Privacy Shield Principles and is subject to the investigatory and enforcement powers of the Federal Trade Commission.
Verification
Tandem will use a self-assessment verification approach and conduct annual compliance audits (or more frequent audits, if necessary) of its applicable privacy practices to verify adherence to the privacy practices described in this Policy. Tandem's employees receive annual training on Tandem's privacy principles and practices. Any employee that Tandem determines is in violation of this Policy will be subject to disciplinary action.
Limitation on Scope of Principles
Adherence by Tandem to this policy may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement.
Notification of Changes
As privacy laws and regulations change, and as its business progresses, it may be necessary for Tandem to revise or update its Privacy Shield Policy. Tandem will post the most recent version of this Policy on its website and will include the date it was updated at the top of this Policy.
Contact Information
If you have any questions about this Policy, the practices of this site, or your dealings with this site, please contact us by sending a letter to:
Tandem Diabetes Care
11075 Roselle St.
San Diego, CA 92121
Attn: Legal Dept
United States of America
You may also contact us by e-mail at email@example.com.