Varian Privacy Policy
Version: June 2025
Varian Medical Systems, Inc., a Siemens Healthineers¹ Company, including its affiliated entities (collectively “Varian”, “our”, “us” or “we”) is committed to protecting and respecting the privacy of your personal data/personal information (“personal data”). This Privacy Policy explains how Varian (including Varian Medical Systems Australasia Pty Ltd (ACN 086 249 630) (NZBN: 9429037630263) in Australia and New Zealand) may collect, use, store, share and otherwise process your personal data in accordance with applicable data privacy and data security laws, including where applicable, with the Australian Privacy Act 1988 (Cth) (including the Australian Privacy Principles), other Australian State and Territory privacy legislation (including any related information privacy principles), the New Zealand Privacy Act 2020 (including the Information Privacy Principles) and the EU General Data Protection Regulation (“GDPR”).
Personal data
In general terms, ‘personal data’ is information (whether fact or opinion) about an individual who is identified or reasonably identifiable. The personal data we collect and hold is information required for us to communicate with you or to enable you to work with us as a customer, supplier, job applicant or employee. Examples of such personal data include your name, contact and payment details, date of birth or your trading, credit or working history. In some instances sensitive information, including without limitation, health information may be collected if it is required for us to perform a service, or in the case of a job application, if it is a requirement of the position.
We usually collect personal data directly from you, for example when you complete an application form, deal with us over the phone, send us a letter, use our website, register for/use our services, download a Mobile App, respond to a survey or otherwise through interactions with us and our affiliated companies or service providers. Sometimes personal data may be collected from a third party that provides credit, compliance and/or security checks if this data is necessary to enable us to work with you.
Processing of your personal data
Varian processes your personal data as part of your use of our websites, online services and other offerings. Further details of the types of personal data processed and the purposes for which we process such personal data are described in this Privacy Policy.
We will not collect any personal data about you through our websites or otherwise, unless you voluntarily choose to provide us with it, provide your consent or unless we are otherwise permitted to do so by applicable laws.
We process personal data supplied by you online, or through other means, only for the purposes disclosed to you, unless such processing:
- is a use of the personal data for any additional purpose that is directly related to the original purpose for which the personal data was collected;
- is necessary to prepare, negotiate and/or perform a contract with you;
- is required by law or the competent governmental or judicial authorities;
- is necessary to establish or preserve a legal claim or defence; or
- is necessary to prevent fraud or other illegal activities, such as wilful attacks on our information technology systems.
Use of websites
When using our websites, Varian processes information which is technically necessary for communication to take place and which may also be automatically sent to us by your browser or device (e.g. IP address, device type, browser type, pages visited, date and time of the request).
We process this information to enable you to visit the websites, to improve and accelerate the presentation of the websites, to adapt and prepare the information offered for specific target groups and to design the websites according to user preferences.
In addition, we process this information to ensure compliance with our Terms of Use, to exercise or defend ourselves against legal claims, and to prevent and counter fraudulent and similar actions, including attacks on our IT infrastructure.
The legal basis for the processing is the safeguarding of the legitimate interests of Varian as website operator (Art. 6 para. 1 lit. f GDPR) and/or other legal basis under applicable data privacy laws.
Subscription to information and participation in surveys
On our websites you can subscribe to various information, such as newsletters, or provide us with comments and feedback by participating in surveys. Varian processes the personal data that you have entered via the website (e.g. contact information such as first and last name, e-mail address, telephone number and/or comments).
Varian may use this personal data to contact you and provide the requested information, to process your comments and feedback and to adapt and prepare the information offered for specific target groups.
The processing of your personal data is based on your consent (Art. 6 para. 1 lit. a GDPR), the performance of a contract (Art. 6 para. 1 lit. b GDPR) or on our legitimate business interests in processing your comments and feedback (Art. 6 para. 1 lit. f GDPR) and/or other legal basis under applicable data privacy laws.
Use of contact forms and chatbots
You can contact us directly via contact forms and chatbots on our website and in particular provide your contact details. Varian processes the contact information you provide, such as your first and last name, e-mail address or telephone number, as well as information you provide in a support request, in order to respond to and clarify your contact or request.
The processing of your personal data is based on your consent (Art. 6 para. 1 lit. a GDPR), the performance of a contract (Art. 6 para. 1 lit. b GDPR) or on our legitimate business interests in answering your inquiry (Art. 6 para. 1 lit. f GDPR) and/or other legal basis under applicable data privacy laws.
Online Services
On our websites you can register for various Varian Online Services by providing your personal data, for example to access technical documents of our products or to exchange information in user forums.
Varian processes the personal data that you have entered when using the Varian Online Services for example when registering or logging in, such as your first and last name, e-mail address, telephone number, comments or forum posts.
Varian processes your personal data:
- to provide the services and features of the Online Services and to manage your use; or to enable you to use the services and features of the Online Services;
- to verify your identity and enable user authentication; and
- to ensure compliance with our Terms of Use, establish or defend against legal claims, and prevent fraudulent or similar acts, including attacks on our IT infrastructure.
The processing of your personal data is based on your consent (Art. 6 para. 1 lit. a GDPR), the performance of a contract (Art. 6 para. 1 lit. b GDPR) or on our legitimate business interests as the provider of online services (Art. 6 para. 1 lit. f GDPR) and/or other legal basis under applicable data privacy security laws.
Processing of personal data related to your business relationship with Varian
In the context of a business relationship with Varian, we process personal data of contact persons of our customers, suppliers, sales partners and partners ("business partners"). For further information, please refer to the Siemens Healthineers Privacy Notice for Business Partners.
If you choose not to have your personal data used to support our relationship, we will respect your choice, but we may not be able to deal with you. We do not sell or otherwise market your personal data to third parties.
Cookies and other similar technologies
Varian and our partners use cookies and other similar technologies to operate the Varian websites and personalise content and ads.
On our websites we may also use a variety of third-party analytics, and “pixel tracking” (also referred to as “web beacons”), in order to improve the site, identify errors, and/or customise the information included in the site. For this purpose certain data may be stored such as the website visited, including its metadata, the internet pages referring to Varian, the time at which the website was called up and the browser used.
For more information about which cookies and other similar technologies we use and how you can manage your cookie settings and disable certain types of tracking, please see the details in the Cookie Information and Consent Center.
Marketing, social media and events
Varian processes your personal data when you register for and use the various Varian services, such as participating in events and webinars or subscribing to newsletters or communicating via various channels, including social media.
If our websites contain symbols from social media providers, we only use these to passively link to the pages of the respective providers.
Further information can be found in the Privacy Notice for Marketing, Social Media and Events.
Links to other websites
Varian websites may contain links to third-party websites and applications.
This Privacy Policy applies only to Varian websites and does not cover how third-party organisations process personal data. For information on the processing of your personal data, we encourage you to read their data privacy policies.
Mobile Apps
Varian also offers a variety of applications that you can download to your mobile device ("Mobile Apps"). Some of these have their own privacy notice. These privacy notices can be viewed on the App Store prior to downloading the Mobile App and in the Mobile App itself.
Recipients and transfer of personal data
Varian may employ third party companies to host or support our websites, applications, or the services to which they relate. These third parties may have access to your personal data to perform such tasks. We do not sell or otherwise share or market your personal data to third parties that are unaffiliated with Varian.
Varian may share your personal data with the following recipients, if and to the extent it is necessary to do so:
- Siemens Healthineers and other affiliated Varian entities which process personal data to support in fulfilling our contractual or legal obligations or internal functions such as customer services;
- other recipients such as business partners or (IT-) service providers which process personal data as part of their service provision for Varian (e.g. hosting or IT maintenance and support services);
- third parties in connection with complying with legal obligations or establishing, exercising, or defending rights or claims or in relation to corporate transactions (e.g. for court and arbitration proceedings, to law enforcement authorities and regulators, to attorneys and consultants).
Varian, a Siemens Healthineers company, as a global corporation, has affiliates located in countries around the world where Varian operates. Varian also uses service providers and third parties that may be based all over the world. As such, we may transfer your personal data and process it outside your country of residence. Sometimes a recipient to whom Varian transfers personal data may be located in a country in which applicable laws do not provide the same level of data protection as your country of residence. In such cases, unless permitted otherwise by applicable law, Varian will only transfer personal data if appropriate and suitable safeguards for the protection of personal data are implemented (including through contractual arrangements or by ensuring that the recipient is bound by adequate data privacy and data security laws).
Further information on the safeguards in place is available by contacting the Varian Data Privacy Organisation (see links below).
Storage and Security
To protect your personal data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure or access, we use technical and organisational security measures. These measures can include electronic and physical access controls, data and file encryption, monitoring and audits.
We may store your personal data in hard copy documents or electronically. In most cases, we use password protected electronic databases maintained at our own sites, or those of a service provider, possibly involving a cloud hosting service. Backups of electronic information may be stored offsite. Hard copy information is generally stored in our offices, which are secured to prevent entry by unauthorised people. Varian will only process your personal data for as long as it is necessary to fulfil the purpose of the processing (e.g. until the matter you have contacted us about is completely resolved) or until you withdraw your consent (if applicable), unless another legal basis exists or legal obligations or the establishment, exercise or defence of legal claims make a longer retention necessary.
Over time, personal data is archived and may be stored by a third-party secure storage provider. Where personal data is held and/or stored with a third party, we have arrangements in place to limit the purpose for which the service provider holds the personal data and to require those third parties to comply with applicable privacy laws. We take reasonable steps to protect the privacy and security of that information.
Your rights
In accordance with applicable data privacy laws, we will respond to reasonable requests to review your personal data and to correct, amend or delete any inaccuracies. To the extent that the GDPR is applicable, you may have specific rights in relation to your personal data. In particular, and subject to the statutory requirements, you may be entitled to:
- obtain confirmation as to whether Varian processes personal data about you and, where that is the case, obtain access to your personal data processed by Varian as well as other information;
- obtain the rectification of any inaccurate personal data about you processed by Varian;
- obtain from Varian the erasure of your personal data processed by Varian;
- obtain from Varian restriction of processing of your personal data;
- obtain a copy of your personal data that you have provided to Varian or request that your personal data be transmitted to another recipient; and
- object to the processing of your personal data by Varian on grounds relating to your particular situation insofar as the processing of your personal data is based on legitimate interests.
If you have given Varian your consent to process your personal data, you have the right to withdraw your consent at any time with effect for the future (i.e. your withdrawal does not affect the lawfulness of the processing based on the consent before its withdrawal). If you withdraw your consent, your personal data may only be processed further where there is another legal basis for the processing.
Where Varian relies on its legitimate interests for processing personal data, Varian has determined that, after a balancing of interests, its legitimate interests are not overridden by your interests and rights or freedoms. More information on the balancing of interests can be obtained by contacting the Siemens Healthineers Data Privacy Organisation (see links below).
Contact Details for Siemens Healthineers Data Privacy Organisation and Data Protection/ Data Privacy Officer
The applicable Siemens Healthineers Data Protection/ Data Privacy Officer and the wider Siemens Healthineers Data Privacy Organisation can provide support with any data privacy related questions, comments, concerns, or complaints which you may have or if you would like to exercise any of your data privacy related rights.
The global Siemens Healthineers Data Protection Officer and the Siemens Healthineers Data Privacy Organisation may be contacted at: dataprivacy.func@siemens-healthineers.com.
The Data Privacy Officer for Varian Medical Systems Australasia Pty Ltd may be contacted at:
Australia – Head Office Address:
Siemens Healthcare Pty Ltd, Level 3, 141 Camberwell Road, Hawthorn East, Victoria 3123, Australia
Email: healthcare.dataprivacy.au@siemens-healthineers.com
New Zealand – Head Office Address:
Siemens Healthcare Limited, Level 3, Building C, Millennium Centre, 600 Great South Road, Ellerslie, Auckland 1051, New Zealand
Email: healthcare.dataprivacy.au@siemens-healthineers.com
The applicable Siemens Healthineers Data Protection/ Data Privacy Officer and the Siemens Healthineers Data Privacy Organisation will always use best efforts to address and settle any requests or complaints brought to its attention. In addition, you may also contact the Varian person, business area or office that you have been dealing with or the applicable supervisory authority/regulator with any requests or complaints.
The competent lead supervisory authority for Siemens Healthineers in Germany is: Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, Germany, lda.bayern.de/en/index/html.
The lead privacy regulators in Australia and New Zealand are:
For Australia
The Office of the Australian Information Commissioner – OAIC
Website: https://www.oaic.gov.au/
For New Zealand
Office of the Privacy Commissioner – OPC
Website: https://www.privacy.org.nz/
Changes to this Privacy Policy
We keep our Privacy Policy under regular review to make sure it is up to date and accurate. The date of the last update can be found at the beginning of this Privacy Policy. We recommend that you visit this page regularly to check for any updates that may have been made.
¹ Siemens Healthineers AG, Siemensstr. 3, 91301 Forchheim, Germany and its affiliated companies within the meaning of Sec. 15 et seq. German Stock Corporation Act (Aktiengesetz)