Patient Privacy and Data Security

At Zimmer Biomet, the patient is always the patient, and never the product. Patient data is used to improve outcomes and create value for patients and their care teams through our algorithms, systems and products in order to support our commitment to the highest standards of patient safety, quality and integrity.

Our commitment to protecting patient and customer data is embodied in our four Privacy and Data Security Pillars:

• Privacy. Privacy is a fundamental human right and we maintain robust practices to help ensure that that right is protected. Patients and customers decide what they share with us.
• Security. Zimmer Biomet protects the data that patients and customers entrust us with through strong safeguards. Among other measures, we apply encryption in transit and at rest, scheduled annual security risk assessments and penetration testing by third parties.
• Data usage. We only use customer and patient data to provide the services we have agreed upon, and for purposes that are compatible with providing those services.
• Ownership. We put patients and customers in control of their data and have established tools and processes that give patients easy options to exercise their rights with respect to their personal data.

Privacy

There have never been more opportunities to use information collected in the course of treatment to create innovative solutions to improve patient outcomes. At the same time, the importance of protecting patient privacy has never been higher. Privacy is built into our products and services by design and by default. By taking this approach, we accommodate privacy in an effective and user-friendly way. Zimmer Biomet has engaged with OneTrust, the industry-leading privacy management solution, to embed privacy in our products and services. Our mymobility® platform, for example, is supported with a dedicated portal for individuals to exercise their privacy rights, with user-friendly features such as explanatory hovertext, local-language accessibility, and automated identity verification. We want to make it as easy as possible for patients to communicate their privacy preferences.

Data Security

Zimmer Biomet implements and verifies stringent security requirements to protect data we hold for patients and customers. These include a broad array of controls, including encryption, third-party penetration testing, malware defenses, access limitations and auditing. We also have our compliance with security requirements arising under the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), LGPD (Brazil), China’s Personal Information Protection Law (PIPL) and other key data protection regulations reviewed and verified by third-party experts. We are transparent regarding our security controls so that customers can understand and document the ways in which their information is protected.

Data Usage

Zimmer Biomet ensures that information is only collected, used and disclosed for permissible purposes. Through our contracts with customers, notice and consent forms, and other means, we are transparent about the ways we use information to create value for patients and providers. We have implemented robust policies, procedures and trainings designed to ensure that patients’ and customers’ information is being handled consistent with those statements.

Ownership

The patient, provider and Zimmer Biomet each have rights and responsibilities regarding data collected in the course of treatment. Zimmer Biomet’s customer engagements, patient consents and notices and other privacy and information security practices are designed to ensure that these rights and responsibilities are respected.

ZimmerBiomet Sustainability Report - Page 19