Privacy

How Philips complies with the GDPR

Our mission is to improve people’s lives through meaningful innovation. We see an opportunity to transform the delivery of care by connecting professional healthcare and consumer health propositions across the health continuum. By integrating and combining data, we are able to create smarter, more meaningful connected health solutions for our customers. We use data to develop predictive analytics that deliver personalized, actionable insights, and algorithms that support clinical decision-making.
 

We are a data-driven health technology company focused on improving people’s health and enabling better outcomes across the health continuum. Philips processes personal data responsibly. Privacy rights and data protection are embedded in our operating model and our company culture. We handle personal data with integrity, in accordance with our General Business Principles. This means respecting the privacy rights of everyone we interact with (customers, business partners, employees and others) and protecting personal data. Our commitment is also outlined in our Binding Corporate Rules, which provide a solid basis for the responsible handling of personal data in our day-to-day efforts to accomplish our goal and mission.

Accountability 


We are well aware of our responsibilities under the General Data Protection Regulation (GDPR) when processing personal data of individuals, in our dual role as data controller and data processor (on behalf of our business customers). In this respect, we have created an accountability framework. This framework is supported by the following measures (among others):  

 

  • We keep a detailed record of data processing activities we carry out. 
  • The contract templates that we use for our various processing activities comply with the requirements of the GDPR.  
  • Where necessary, we perform Data Protection Impact Assessments (DPIA) in line with the GDPR.  
  • We have appropriate measures in place to keep personal data secure and protected. 
  • Our internal principles, policies and procedures address the data protection principles set forth by the GDPR.  
  • We have embedded privacy by design and default principles in the early stages of product development processes. 
  • We have a global network of privacy personnel to provide our various businesses, functions and markets with privacy support and advice. 
  • We continuously train our employees to increase their knowledge of privacy and data protection. This training is tailored to specific job functions and audiences.
  • We have Binding Corporate Rules in place for our dual role as data controller and data processor. 

Transparency

We strive to be transparent about how we handle personal data. Philips has a global webpage dedicated to privacy. This page explains how Philips deals with personal data and how individuals can exercise their privacy rights. Where required – for example, in our mobile apps or in certain research studies – we provide individuals with timely and specific information via an accessible form, using clear language. Our global website also explains how Philips handles personal data in the privacy notice on that page.

Individuals’ rights 

Philips treats personal data responsibly and we respect the privacy rights of individuals. We have embedded procedures and processes in our practices and IT systems in order to be able to duly respond to individuals exercising their privacy rights. Our contract templates also account for arrangements on how we act in order to respond to data subjects’ rights requests. Our global website features an intake form to allow individuals to file requests in a standardized manner.

Lawful processing and consent

We carefully consider the requirement to identify a legal basis when processing personal data. When relying on a legitimate interest, we observe the guidance on legitimate interest assessments and take expectations, interests and rights of individuals into consideration. Where we rely on consent, we respect the requirements for obtaining valid consent. Moreover, processes are in place to honor withdrawals of consent.

Data breach notification

We spend a lot of time and effort on the protection of our systems and the personal data we process. In the unfortunate event that a personal data breach occurs, we have a breach notification procedure in place that, among other steps, includes breach detection measures and an incident response strategy. We are aware of the human factor in identifying a personal data breach. We therefore continuously train our employees on how to prevent, identify and respond in a timely manner to security incidents, including personal data breaches.

Data Protection Officer

We have appointed a Data Protection Officer at Group level, reporting to the highest management layer. Where required, we have appointed local data protection officers in certain member states to deal locally within different jurisdictions. These officers liaise with the Group Data Protection Officer, who can be reached via privacy@philips.com.