Potential Adverse Event Reporting Privacy Notice
Please click here to view this Privacy Notice translated into other languages
At Olympus Corporation and our family of companies (“Olympus”, “our” or “we”), our vision is making people’s lives healthier, safer, and more fulfilling. To this end, Patient Safety is at the core of our business.
To continuously improve our products and ensure Patient Safety, we work closely with healthcare professionals and organizations (such as hospitals), regulators (such as oversight bodies and government agencies) and service providers.
To monitor, report and investigate the safety and quality of our products and manage potential adverse events, we may receive information from reporters that contains personal data about themselves and affected individuals, such as patients. These reports may lead to processing personal data. This process is typically called “Potential Adverse Event Reporting” or “Medical Device Vigilance” and is an important cornerstone of medical device regulations worldwide.
We protect the privacy of reporters and other individuals potentially affected by a report or Potential Adverse Event (such as a patient) through organizational and technical measures. Olympus is committed to maintain and use such information in a de-identified form, where applicable, and does not attempt to re-identify the information, unless required by applicable law.
This notice is designed to help you understand the privacy implications arising in connection with Potential Adverse Event Reporting at Olympus and how it affects you, whether you are a patient undergoing a procedure using an Olympus product, the healthcare professional administering that procedure or making a report, or a concerned third party.
What does the process for handling Potential Adverse Events look like at Olympus?
When a patient, healthcare professional or anyone else makes a report about an Olympus product, we take those reports extremely seriously.
We may receive reports about our products from different sources, such as direct contact through call centers or emails and distributors. We may also receive formal complaints by healthcare professionals, which may include information about medical procedures and potentially impacted patients. Other sources of information include publications, presentations, meetings, and social media to the extent that relevant information comes to the attention of Olympus.
Olympus is legally required to follow up on such reports and to sometimes collect more information about the circumstances and individuals involved. These obligations are independent of the age of the affected individuals. After an additional investigation, we evaluate the information and decide whether to make a report to a regulator if necessary. To ensure that this process is efficient and globally consistent, Olympus catalogues information about Potential Adverse Events in a global database.
Olympus may not be able to process your report, respond to your inquiry, meet regulatory obligations or our commitment to Patient Safety if it does not process information about Potential Adverse Events, including personal data.
What personal data about a reporter does Olympus collect in connection with a Potential Adverse Event?
We might have to (or a regulator might) follow-up with a reporter to collect more information in connection with a Potential Adverse Event.
For this purpose, we may process the name, title and contact details of the person who provided a report or is named in a report as the contact person. This information includes the postal address of the healthcare organization where the individual works (if applicable), phone and fax numbers, and email addresses where available.
What patient-related information does Olympus collect in connection with Potential Adverse Events?
In many jurisdictions, regulators require us to collect some statistical and health-related information about patients potentially impacted by a Potential Adverse Event. Such information may include the age, ethnicity, sex, gender, and weight of the patient. The outcome of the procedure during which the Potential Adverse Event occurred will also be recorded.
Regulators use this information, for example, to monitor whether certain Potential Adverse Events affect patients from a certain group (such as women, children, or certain ethnicities) disproportionately.
Olympus does not intentionally process the name of a patient and takes steps to minimize the information collected in connection with its reporting obligations. Where a report is provided directly by an affected individual, the identity of the individual may become known to Olympus. Processing of the individual’s personal data is strictly limited to what we need to know to fulfill our obligations.
With whom does Olympus share this information?
We may share the information provided in connection with a Potential Adverse Event with authorized personnel of members of the Olympus group, as well as our business partners, suppliers, and service providers (for example, for hosting, follow up or audit) on a need-to-know basis. These recipients are required by law and contractual agreements to safeguard this information. We do not sell the personal data that we collect in connection with Potential Adverse Events.
Olympus is also legally required to disclose certain information to regulators and agencies globally that oversee the safety of medical devices, such as the Food and Drug Administration (FDA) in the United States of America, and national authorities in the European Union or the Asia-Pacific.
The jurisdictions in which these regulators, agencies and other recipients are located may have privacy regulations which are less protective than those of the jurisdiction in which you are located. While we have established risk-appropriate physical, electronic, and managerial processes to protect your personal data from any unauthorized access or disclosure, we cannot guarantee its security with absolute certainty. When you submit a report to Olympus, please do not include any more personal data about yourself and affected patients than necessary or requested.
Does Olympus transfer this information outside of the jurisdiction where the applicable individual is located?
Olympus is a multi-national company headquartered in Tokyo, Japan and operates in many jurisdictions globally. Olympus may transfer information to, or make it accessible by recipients in, other jurisdictions, including:
- Where Olympus is legally required to report Potential Adverse Events to regulators that are located outside your jurisdiction;
- To maintain a global database of inquiries, reports and complaints worldwide;
- To transfer information to other Olympus group companies, business partners, suppliers, or service providers.
In all cases where information is transferred out of its originating jurisdiction, Olympus takes steps through organizational and technical measures and contractual arrangements to provide for an adequate level of protection.
What is Olympus’ legal basis for processing personal data?
Depending on the laws applicable to your personal data, it may be processed on the basis of one or more of the following grounds:
- Your explicit or implicit consent.
- Compliance with contractual obligations.
- The legitimate interest of Olympus to provide a high standard of safety and quality.
- Compliance with regulatory and legal requirements, including ensuring high standards of quality and safety of our products in the public interest, and reporting and vigilance requirements globally.
How long does Olympus retain this information for?
Information related to a Potential Adverse Event is retained for as long as legally required in each applicable jurisdiction. Such retention periods vary worldwide and may depend on the type of product, the outcome of the Potential Adverse Event, regulator decisions and other factors.
How can you exercise your rights?
At any time, you may request:
- confirmation that Olympus is processing your personal data;
- information about and access to the personal data we may process relating to you in connection with our potential Adverse Event Process;
- any inaccuracies to be corrected; or
- deletion or limitation of the processing of your personal data in some circumstances.
Depending on which laws apply to our processing of your personal data, you may have other rights or some of these rights may be limited (or you may not be able to exercise them fully or immediately). For example, to the extent and for the duration that the processing of your information is for the purpose of compliance with a legal obligation, we may not be able to delete your personal data. If we refuse your request, we will explain your legal rights, the reason for our refusal and any recourse you may have.
To exercise your rights, or to get more information about privacy at Olympus, you can contact us via email at firstname.lastname@example.org.
How can you find out more information about our privacy practices?
For more information about Olympus’ privacy practices, including your rights, and how to contact us, visit our Olympus Global Privacy Notice page:
Version 1.1 – last changed on June 27, 2023