Resmed Data Privacy Framework Notice

This Data Privacy Framework Notice (“DPF Notice”) applies to Resmed Inc. and the following U.S. operating subsidiaries (Resmed Corp., Resmed Operations Inc., Resmed Digital Health Inc., and Somnoware Healthcare Systems Inc.; collectively referred to as “Resmed,” “Company,” “we” or “our”) regarding the collection, use and retention of personal data transferred from the European Union (EU), United Kingdom (UK), or Switzerland to the United States as described in this DPF Notice (“Personal Information”). This DPF Notice supplements any Resmed privacy notice and policy (“Resmed Privacy Notice”) which reference this DPF Notice.

Resmed complies with, and has certified to, the EU-U.S. Data Privacy Framework, the UK extension to the DPF, and the Swiss-U.S. Data Privacy Framework (collectively, “DPF”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU, UK, and Switzerland to the United States in accordance with the DPF Principles, including supplemental Principles and Annex I of the Principles (collectively the “DPF Principles”). If there is any conflict between the terms in this DPF Notice and the DPF Principles, the DPF Principles shall govern. Resmed’s compliance with the DPF Principles is subject to the investigatory and enforcement powers of the Federal Trade Commission.

To learn more about the DPF program, the DPF Principles, and our certification, please visit https://www.dataprivacyframework.gov/s/.

NOTICE. If Resmed collects Personal Information directly from you, then you will be provided with a Resmed Privacy Notice that describes the purposes for which we collect and use your Personal Information, the types of third parties to which Resmed discloses that information, and the choices and means Resmed offers you to limit the use and disclosure of your Personal Information. In circumstances where Resmed obtains personal data as a service provider for our clients, Resmed’s clients are responsible for providing you with appropriate notice and obtaining any requisite consent for the transfer of your personal data to the U.S.

SCOPE OF TRANSFERS UNDER THIS NOTICE: This DPF Notice describes how Resmed collects, uses, shares and safeguards certain Personal Information transferred from the European Union (EU), United Kingdom (UK), or Switzerland to the United States under the DPF and as described in the “Personal Information Transfers” section below. This DPF Notice also describes your rights and choices regarding your Personal Information.

LIMITATIONS ON SCOPE: Please note that only the use cases described in the “Personal Information Transfers” section below are covered by this DPF Notice and Resmed’s participation in the DPF. For all other transfers of personal data from the EU, UK, and Switzerland to the U.S., Resmed employs standard contractual clauses and other mechanisms approved by the EU. Please refer to Resmed privacy notices and policies which reference this Policy for information about how Resmed collects, uses, shares and safeguards personal data. Further, adherence by Resmed to this DPF Notice may be limited to the extent required to meet legal, governmental, or national security obligations, including requirements to cooperate with law enforcement, and to protect the health or safety of individuals.

PERSONAL INFORMATION TRANSFERS: Resmed may transfer Personal Information from the European Union (EU), United Kingdom (UK), or Switzerland to the United States in as part of its participation in the DPF as follows:

• Investigations and Incident Management. Resmed specialists in the U.S. may access your Personal Information in the course of incidents and troubleshooting that require expedited resolution and the involvement of experts (including cybersecurity experts) located in the U.S.
• Operations Support. Resmed staff in the U.S. may access your Personal Information to provide operations support, to assist in developing and improving Resmed’s services and products, to deploy products and updates, for maintenance, and to provide customer support services.
• Product Analytics. Resmed staff in the U.S. may access your Personal Information to help us understand how our products are being used and distributed in order to improve Resmed’s processes and products, and to expand individual’s access to our products and services.
• Data Analytics. Resmed staff in the U.S. may access your Personal Information to help us understand the effectiveness and adoption of our products and services on a global scale, which may lead to more accurate analyses for all regions.
• Provision of Services to Our Customers. Resmed staff in the U.S. may access your Personal Information to provide services to our business customers with whom you may have a direct relationship.
• Compliance with Laws. Resmed reserves the right to share your Personal Information as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.

YOUR INDIVIDUAL RIGHTS
You have rights in relation to your Personal Information, as described in the Data Privacy Framework Principles. Please see the applicable Resmed Privacy Notice for more information about your rights to access your Personal Information and limit how it is used and disclosed. To protect your privacy, we may take steps to verify your identity and/or authority prior to acting on a request regarding your Personal Information. In circumstances where Resmed obtains personal data as a service provider for our clients, please reach out to the company with which you have a direct relationship to exercise your individual rights.

TRANSFERS AND DISCLOSURES TO THIRD PARTIES
Resmed may share your Personal Information with our service providers, consultants and affiliates that process information on our behalf for the purposes set forth in the “Personal Information Transfers” section above. Resmed will endeavor to only transfer Personal Information to a third party where such third party has given assurances that it provides at least the same level of privacy protection as required by the DPF Principles and this DPF Notice. For example, Resmed may provide your Personal Information to third party cloud providers so that our U.S. teams can assist with product maintenance and troubleshooting. Resmed will be liable under the Data Privacy Framework for any failure by the third party to comply with Resmed’s DPF obligations, unless we prove we are not responsible for the event giving rise to the damage.

RECOURSE, ENFORCEMENT AND LIABILITY
If you have any inquiries or complaints about Resmed’s handling of your Personal Information under the DPF, please contact us using the information in the “Contact Information” section below.

If you still have a specific privacy concern that has not been resolved after attempting to address your privacy question or concern with Resmed directly, you can contact our U.S.-based third-party dispute resolution provider, JAMS. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit the JAMS complaint link here. The services of JAMS are provided at no cost to you.

Under certain limited conditions, if your complaint is not resolved through these channels, it may be possible for Individuals to invoke binding arbitration before the EU-U.S. DPF Panel to be created by the U.S. Department of Commerce and the European Commission. For additional information, please visit the U.S. Department of Commerce’s website on submitting complaints located here. If you have any concerns regarding the use of your data by US intelligence agencies, you have the right to submit a complaint with the European Data Protection Board.

In circumstances in which Resmed obtained or maintains your Personal Information as a service provider, you may submit complaints concerning the processing of your Personal Information to the relevant party with whom you have a direct relationship, in accordance with their dispute resolution process. Resmed will participate in this process upon either party’s request, as appropriate.

CONTACT INFORMATION: Complaints, questions, comments, or concerns on this DPF Notice, our data collection, or our data processing practices should be sent to:

Head of Privacy Assurance
Resmed Corp.
9001 Spectrum Center Blvd, San Diego, CA 92123
Tel: +1 (800) 424-0737
Email: privacy@resmed.com

CHANGES TO THE POLICY: This DPF Notice may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Information is maintained. All amendments will be posted on this website. Please check back periodically for updates to this DPF Notice.
RH-1111064/1 2025-01