
Privacy Policy

1 EXECUTIVE SUMMARY

This Privacy Policy describes how Sedana Medical AB (publ), reg. no. 556670-2519, and Sedana Medical group entities handle personal data. Such Sedana Medical group entities act as controller for their respective processing of personal data. Regarding our use of cookies, we refer to our Cookie Policy.

We care about your personal integrity. It is therefore important for us to protect your personal data and ensure that our processing of your personal data is correct and lawful. This Privacy Policy will help you understand what kind of personal data about you we collect and how it is used as well as your rights as a data subject. We ask that you read this Privacy Policy carefully and familiarize yourself with its content.

We trust that this Privacy Policy answers your questions about our collection, use, protection and disclosure of your personal data. If you have additional questions, please contact us at the address above or at gdpr@sedanamedical.com.

We may sometimes need to make updates or changes to this Privacy Policy. The date of the most recent update of this Privacy Policy is given at the end of the policy.

2 HOW DO WE PROCESS PERSONAL DATA?

2.1 How we collect your personal data

We collect your personal data when you sign up for newsletters, events, or product training, register in Sedasource, ShowPad, PromoMats or similar systems or in any other way provide us with your personal data, including if we come in contact with you personally or if we receive your personal data from service providers or collaboration partners such as our distributors.

2.2 Why we process your personal data, legal ground for our processing and storage period

In this section, we describe why we process your personal data, what legal grounds our processing is based on and for how long we store the data.

2.2.1 Create and develop potential business relationships

We process personal data to create and thereafter to maintain and develop business relationships with current or potential customers, partners and other business contacts (including for example investors, suppliers, manufacturers, research and development contacts, consultants, symposium speakers for events and clinical study investigators).

If you work for a current or potential customer, partner or other business contact and we come into contact with you personally, for example during hospital visits or trainings, detailing calls, at conferences, fairs, other personal meetings or otherwise, we may process your personal data as follows:

Purpose:
– To be able to contact you for the purpose of creating and thereafter maintaining and developing our level of service or our relationship with you or your organization

Processing:
– Storage of personal data in our systems
– Communication with you

Categories of personal data:
– Name
– Contact details (such as company address, email address and telephone number)
– Information regarding the organization you represent

Legal ground: Legitimate interest. The processing is necessary to fulfil our legitimate interest of creating and thereafter maintaining and developing professional relationships with potential customers and other partners.

Storage period: For a period of six (6) months after the gathering of the personal data (unless during this time a professional relationship is created between us and you as a contact or you have otherwise indicated that you want to stay in contact with us).

2.2.2 Maintain and develop existing business relationships

We process personal data to maintain and develop business relationships of existing customers, partners and other business contacts (including for example investors, suppliers, manufacturers, research and development contacts, consultants, symposium speakers for events and clinical study investigators).

If you are or work for a current customer, partner or other business contact we process your personal data as follows:

Purpose:
– To be able to contact you in your capacity as contact person of our customer, partner or other business contact

Processing:
– Storage of personal data in our systems, including storage of contracts you have signed on behalf of an organization
– Communicate with you
– Make payments to

Categories of personal data:
– Name
– Contact details (such as company address, email address and telephone number)
– Information regarding the organization you represent (including banking information)

Legal ground: Legitimate interest. The processing is necessary to fulfil our legitimate interest of maintaining and developing our professional relationships with our customers, partners and business contacts, including for the purpose of providing our goods and services.

Storage period: As long as we deem the personal data necessary for this purpose. We erase or anonymize your data when we deem that the data no longer is necessary for this purpose or if it is no longer adequate, for example if our relationship with your company ends, you no longer represent the relevant company or upon your request.

2.2.3 Comply with our quality requirements

We process personal data to comply with the quality standard ISO 13485:2016 and relevant GXP areas, which set out requirements for the maintenance and improvement of a quality management system for organizations providing medical devices and pharmaceuticals that fulfils and meets regulatory requirements as well as customer requirements.

Purpose:
– To fulfil requirements set out in ISO 13485:2016 and relevant GXP areas such as cGCP, cGDP, cGVP.

Processing:
– Storage of contact details of our suppliers or distributors
– Keeping a record of filed complaints
– Storage of training records pertaining to our customers

Categories of personal data:
– Name
– Contact details (such as company address, profession, CVs, email address and telephone number)

Legal ground: Legitimate interest or legal obligation. The processing is necessary to fulfil our legitimate interest of maintaining our ISO 13485:2016 quality management system and fulfil applicable legislation for reporting complaints.

Storage period: During the relevant contract term or a period of 15 years from the date of receipt of goods or complaint.

2.2.4 Send you newsletters and marketing

We process your name and email address to send you requested information or newsletters. You may opt-out from further newsletters at any time by using the un-subscription link provided in every message.

Purpose:
– To be able to update you on scientific information or activities in your capacity as contact person of our customer, partner or other business contact

Processing:
– Storage of personal data in our systems
– Communicate with you

Categories of personal data:
– Name
– Contact details (such as email address, IP address, profession and telephone number)

Legal ground: Legitimate interest. The processing is necessary to fulfil our legitimate interest of maintaining and developing our professional relationships with our customers, partners and business contacts, including for the purpose of providing scientific and educational information. Opt-in/consent is also used in certain countries.

Storage period: We store your data for this purpose as long as you subscribe to our newsletters. If you have opted out from further messages, we will keep a note of such opt-out and block your email address in order to ensure that you do not receive further messages.

2.3 Protect our services

When you sign up for our newsletter, we also store your IP address at the time of registration, as well as the date and time of the registration. We store this data in order to understand the (possible) misuse of e-mail addresses and to prevent misuse of our services.

Our processing for this purpose is necessary to fulfil our legitimate interest of protecting and preventing misuse of our services.

We store your data for this purpose during the time period you subscribe to our newsletter and will delete or otherwise anonymize the data thereafter.

2.3.1 Comply with legal obligations

We may also process your personal data in order to comply with legal obligations set out in law or as decided by a court or other authorities. These requirements may be related to bookkeeping, medical device, pharmaceutical, and anti-bribery legislation. Our processing for this purpose is necessary for us to comply with legal obligations applicable to us.

2.4 How we share your personal data

We may share your personal data with the following types of third parties:

  1. Service providers: We use third party service providers to manage some aspects of our business operations. We share personal data with such third parties with regard to IT infrastructure, operating and hosting services, email communications and other IT services. When we use such service providers we will enter into a data processing agreement with the service provider which requires it to ensure that your personal data is only processed in accordance with our instructions and this Privacy Policy.
  2. Business Partners:
  3. Authorities: When we are required by law, we may share your personal data with public authorities such as the police or tax authorities.

3 SECURITY MEASURES

We have taken a number of security measures to ensure that the personal data we keep is secure. For example, access to areas where personal data is stored is limited to our employees and service providers who require it in the course of their duties and who are informed of the importance of maintaining the security and confidentiality of the personal data we keep. We maintain appropriate safeguards and security standards to protect your personal data against unauthorized access, disclosure or misuse. We also monitor our systems to discover vulnerabilities in order to protect your personal data.

3.1 Where do we process your personal data?

We strive to always process your personal data within the EU and EEA. However, we may transfer your personal data to our service providers who may be located in or have business activities in a country outside the EU/EEA. In the event of such transfer, it will be made in accordance with applicable data protection law, for example by ensuring that the country in which the recipient is located ensures an adequate level of data protection according to the European Commission or by use of standard contractual clauses that the European Commission has issued in addition to suitable supplementary measures to safeguard your rights and freedoms.

4 YOUR RIGHTS

In this section, we describe your rights under applicable data protection law. You are welcome to email us at gdpr@sedanamedical.com to exercise your rights or if you have any questions or comments regarding our processing of your personal data or this Privacy Policy. We will respond without undue delay upon verification of your identity.

Your rights in relation to your personal data are as follows:

  • Right to information

You have the right to be informed when your personal data is being processed. We provide you with such information through this notice and by responding to questions from you.

  • Right of access

You have the right to request a copy of your personal data if you want to know what information we have and process about you.

  • Right of rectification

You have the right to have inaccurate personal data corrected. In addition, you have the right to supplement any incomplete personal data considering the purpose for which we process your personal data.

  • Right to erasure

You have the right to request to have your personal data erased, which also can be referred to as a “right to be forgotten”.

  • Right to restriction of processing

You have the right to request that the processing of personal data be restricted.

  • Right to object and to withdraw consent

You have the right to object to the processing of personal data carried out by us pursuant to our legitimate interest. If you object to such processing, we may only continue to process the data if we demonstrate that there are legitimate grounds for us to process the data where our interests outweigh your interests, for example where the processing is for the establishment, exercise or defense of legal claims. An example of where your interests outweigh ours is when you object to marketing. Whenever we are processing personal data based on your previously given consent, you may also withdraw such given consent.

  • Right to data portability

When we process personal data by automated means on the basis of your consent or for the performance of a contract with you, you have the right to obtain your personal data in a structured, commonly used and machine-readable format for the purpose of transferring the data to another data controller.

  • Right to lodge a complaint

You have the right to lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), which is the Swedish supervisory authority for the personal data processing Sedana Medical AB (publ) carries out. Please note that you are also always welcome to contact us in such event.

For more information regarding each right, please see here (in Swedish).

5 REVISIONS

We may change this Privacy Policy at any time and from time to time. The most recent version of the Privacy Policy is reflected by the version date located at the bottom of this Privacy Policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this Privacy Policy or other notice on our Website. We encourage you to review this Privacy Policy often in order to stay informed of changes that may affect you, as your continued use of the Website signifies your continuing consent to be bound by this Privacy Policy. Our electronically or otherwise properly stored copies of this Privacy Policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this Privacy Policy which was in effect on each respective date you visited the Website.