AI Research Transparency Notice

Effective Date: 26.8.2025

GE HealthCare values your privacy and is committed to transparency regarding the use of personal data in artificial intelligence (AI) research and development. We collaborate extensively with healthcare providers and research organizations to enhance medical diagnostics, patient care, and healthcare operational efficiency through advanced AI technologies. This notice describes how we process the personal and health-related data of EU data subjects that we obtain from third-party entities such as hospitals, clinics, academic institutions, and research consortia with whom we collaborate for our AI research purposes.

GE HealthCare adheres to applicable data protection laws, including guidance issued by the French Data Protection Authority (CNIL) and provisions of the EU Artificial Intelligence Act. Our data processing activities are regularly reviewed to maintain compliance and ensure transparency.

1. Identity of the Controller

In this notice, "GE HealthCare", "we", "us", and "our" refer to GE Precision Healthcare LLC or any of its Affiliates that are responsible for processing your personal data collected within the European Union. The responsible entity is typically the one receiving your personal data from third parties. "Affiliate" means any current or future entity, including any individual, corporation, company, partnership, limited liability company or group, that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with GE Precision Healthcare LLC.

2. Personal Data we collect

GE HealthCare typically collects and processes the following categories of personal data for AI research and development:

  • Health data, such as imaging data (e.g., MRI, CT scans, X-rays), clinical records, EEG results, and digital biomarkers;
  • Demographic information, such as age, gender, and other relevant clinical attributes;
  • Technical metadata that is essential for effective AI processing.

The data that we collect is typically pseudonymised, meaning that it does not directly identify individuals, and GE HealthCare does not attempt to identify individuals from such data.

In certain cases, the data we collect is fully anonymized prior to reaching us. Such data is not covered by this notice.

3. Sources of Personal Data

GE HealthCare does not collect data directly from individuals. Instead, data is obtained from third-party entities, including:

  • Hospitals, clinics, and healthcare providers;
  • Academic research institutions and universities;
  • Clinical research consortia and public-private partnerships such as the Innovative Health Initiative (IHI).

4. How we use Personal Data and legal bases for Processing

We process personal data to support our AI research and development objectives. These objectives include developing, training, validating, and improving AI models that aim to enhance medical diagnostics, patient care, healthcare management, and operational efficiency.

GE HealthCare's AI models usually analyse large volumes of data, including health-related information, to identify medical patterns and advance diagnostic capabilities. All outputs generated by our AI models are aggregated and pseudonymised to ensure as much as possible that individuals cannot be directly or indirectly identified.

The relevant legal bases under the EU General Data Protection Regulation (GDPR) for processing your personal data include:

  • Our legitimate interests in conducting innovative research and development activities in medical technologies and developing innovative medical technology to advance healthcare solutions.
  • The scientific research exemption under the GDPR: we process special categories of personal data (such as health data) when necessary for conducting research aimed at advancing healthcare technology and medical diagnostics. This is subject to appropriate safeguards, in accordance with applicable law.

GE HealthCare has implemented robust safeguards to protect the privacy and security of your personal data.

5. Your Rights

Although GE HealthCare typically cannot directly identify individuals from pseudonymized data, you retain rights under the GDPR, in accordance with the relevant conditions and limitations set out in that regulation:

  • Access: you may request information on GE HealthCare's processing of your data.
  • Rectification: you may request GE HealthCare to correct or update inaccuracies in your data.
  • Erasure: you may request GE HealthCare to delete your data.
  • Restriction: you may request GE HealthCare to restrict the processing of your data.
  • Objection: you may object to certain of GE HealthCare's processing activities.
  • Right to lodge a complaint with a supervisory authority: if you believe your rights have been infringed, you may lodge a complaint with a data protection authority (e.g., the CNIL in France).

GE HealthCare will respond transparently to any requests. Due to pseudonymisation, we might be unable to directly identify your personal data or fully comply with certain requests. In these cases, we will inform you of the limitations and provide reasonable assistance to guide you to the original data source (e.g., healthcare provider or research institution).

If GE HealthCare receives a request concerning your personal data from another data controller (such as a healthcare provider or research institution that initially collected your data), we will respond transparently and promptly.

6. Retention of Personal Data

GE HealthCare retains data only for as long as necessary to develop, validate, and improve our AI models, and to comply with applicable regulatory, legal, and audit requirements. Once the data is no longer required, it is securely destroyed or fully anonymized.

7. Data sharing and transfers

GE HealthCare may share your data with third-party vendors who support our AI research and development activities, or with consortium partners and research entities with whom we collaborate.

Data may be transferred outside of the European Union to countries that do not offer a similar level of data protection, including for instance the United States. International transfers are conducted using GDPR-compliant mechanisms as applicable, such as the standard contractual clauses under Article 46 GDPR, ensuring your data remains protected and secure.

8. Changes to this Notice

This notice may be updated from time to time to account for changes in our procedures or in applicable regulatory requirements. The date of the most recent update appears at the top of this notice.

9. How to contact us

If you have any questions or comments about this privacy notice, or wish to exercise your rights, please fill out the form here, reach out to us directly using the list of privacy contacts below, or write to us at:

Chief Privacy Officer, GL&P Department
GE HealthCare
500 W. Monroe St., 16th Floor
Chicago, IL 60661, USA
E-mail: privacy.gehc@gehealthcare.com

For a list of privacy contacts, click here.

If you have a privacy or data use concern that has not been resolved, you have the right to lodge a complaint with a supervisory authority. Additional details and a list of the competent EU supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en.

Thank you for your trust in GE HealthCare. We remain dedicated to ethical, secure, and responsible innovation in healthcare AI research.