DaVita Privacy Principles

This Enterprise Privacy Policy sets the minimum standards for the handling of Personal Information (as defined therein) under DaVita’s custody or control. DaVita has adopted the following privacy principles that guide our policies, procedures and practices:

Accountability: We define, document, communicate, and assign responsibility for our privacy and data protection policies and procedures. We provide regular training and education for our employees on relevant state and federal regulations including, but not limited to, HIPAA, GDPR, and CCPA.

Notice: We provide notice regarding our privacy practices and we identify the purposes for which Personal Information is collected, used, retained and disclosed.

Choice and Consent: We provide individuals with the opportunity to reasonably determine whether and how we use Personal Information, and with whom it can be disclosed. We describe the choices available to the individual, and where appropriate, we obtain implicit or explicit consent with respect to the collection, use and disclosure of Personal Information.

Collection, Use & Disclosure: We limit the collection, use and disclosure of Personal Information to that which is relevant for the purpose(s) provided.

Data Retention and Disposal: We retain Personal Information in accordance with DaVita’s Records Retention Policy and Schedule. Personal Information is thereafter appropriately disposed of in accordance with our secure disposal procedures.

Access & Correction: We provide individuals with access to Personal Information about them for review, correction, or deletion, if inaccurate.

Transfer & Disclosure to Third Parties: We apply the Privacy Principles wherever Personal Information is transferred, including across national borders, to third parties who support our business, and to partners with whom we do business.

Security for Privacy: We protect Personal Information against loss, misuse, or unauthorized access, use, disclosure, alteration, or destruction by using reasonable and appropriate technical, physical and administrative safeguards.

Data Integrity: We strive to ensure that Personal Information is accurate, complete and relevant for the purpose for which it is to be used.

Monitoring and Enforcement: We monitor, test, and remediate evidence of non-compliance with our privacy policies and procedures, and we follow documented procedures to address privacy- and security-related incidents, complaints and disputes.

Additional Privacy & Data Security Information

Information Security Policies and Systems Audit: External independent audits are conducted at least once every two years.

Governance: One of the primary responsibilities of the Audit Committee is to oversee our policies and programs with respect to enterprise risk assessment and enterprise risk management, including the risks related to privacy and data security (including, for the avoidance of doubt, cybersecurity). Other cross-functional internal groups and committees assist in and oversee the governance of privacy and security practices at DaVita, such as DaVita’s Enterprise Governance Committee (EGC), which is a cross-departmental forum that includes the Privacy, Information Security, Information Governance, and Enterprise Risk (Audit) functions. The EGC is focused on enterprise policies and governance, which helps manage risk by cascading new policies, among other things.
DaVita Kidney Care ESG Report