Privacy Policy

1 EXECUTIVE SUMMARY

This Privacy Policy describes how Sedana Medical AB (publ), corp. reg. no. 556670-2519, at the address Berga Backe 2, SE-182 53 Danderyd, Sweden and all Sedana Medical group entities handle personal data. Such Sedana Medical group entities act as controller for their respective processing of personal data. Regarding our use of cookies, we refer to our Cookie Policy.

We safeguard your personal integrity. It is therefore important for us to protect your personal data and ensure that our processing of your personal data is correct and lawful. This Privacy Policy will help you understand what kind of personal data about you we collect and how it is used as well as your rights as a data subject. We ask that you read this Privacy Policy carefully and familiarize yourself with its content.

We trust that this Privacy Policy answers your questions about our collection, use, protection and disclosure of your personal data. If you have additional questions, please contact us at the address above or by contacting any of the Sedana Medical group entities or at gdpr@sedanamedical.com.

We may sometimes need to make updates or changes to this Privacy Policy. If we do so, we will inform you in an appropriate manner and we ask you to then carefully read through the updated Privacy Policy. The date of the most recent update of this Privacy Policy is given at the top of the policy.

 

2 HOW DO WE PROCESS PERSONAL DATA?

2.1 How we collect your personal data

We collect your personal data when you sign up for newsletters or in any other way provide us with your personal data, including if we come in contact with you personally or if we receive your personal data from third parties.

2.2 Why we process your personal data, legal ground for our processing and storage period

In this section, we describe why we process your personal data, what legal grounds our processing is based on and for how long we store the data.

2.2.1 Create and develop potential business relationships

We process personal data to create and thereafter to maintain and develop business relationships of potential customers, partners and other business contacts (including for example investors, suppliers, manufacturers, research and development contacts, consultants, symposium speakers for events and clinical study investigators).

If you work for a potential customer, partner or other business contact and we come into contact with you personally, for example at conferences, fairs, other personal meetings or otherwise, we may process your personal data as follows:

 

Purpose	Processing	Categories of personal data
– To be able to contact you for the purpose of creating and thereafter maintaining and developing our relationship with you or your company	– Storage of personal data in our systems – Communication with you	– Name – Contact details (such as company address, email address and telephone number)  – Information regarding the company you represent
Legal ground: Legitimate interest. The processing is necessary to fulfil our legitimate interest of creating and thereafter maintaining and developing professional relationships with potential customers and other partners.
Storage period:  For a period of six (6) months after the gathering of the personal data (unless during this time a professional relationship is created between us and you as a contact or you have otherwise indicated that you want to stay in contact with us).

 

2.2.2 Maintain and develop existing business relationships

We process personal data to maintain and develop business relationships of existing customers, partners and other business contacts (including for example investors, suppliers, manufacturers, research and development contacts, consultants, symposium speakers for events and clinical study investigators).

If you are or work for a current customer, partner or other business contact we process your personal data as follows:

Purpose	Processing	Categories of personal data
– To be able to contact you in your capacity as contact person of our customer, partner or other business contact	– Storage of personal data in our systems, including storage of contracts you have signed on behalf of your company – Communicate with you – Make payments to your company	– Name – Contact details (such as company address, email address and telephone number)  – Information regarding the company you represent (including banking information)
Legal ground: Legitimate interest. The processing is necessary to fulfil our legitimate interest of maintaining and developing our professional relationships with our customers, partners and business contacts, including for the purpose of providing our goods and services.
Storage period: As long as we deem the personal data necessary for this purpose. We erase or anonymize your data when we deem that the data no longer is necessary for this purpose or if it is no longer adequate, for example if our relationship with your company ends, you no longer represent the relevant company or upon your request.

2.2.3 Comply with our quality requirements

We process personal data to comply with the quality standard ISO 13485:2016 which sets out requirements for a quality management system for companies and organizations providing medical devices that fulfils and meets regulatory requirements as well as customer requirements.

Purpose	Processing	Categories of personal data
– To fulfil requirements set out in ISO 13485:2016	– Storage of contact details of our suppliers – Keeping a record of filed complaints – Storage of training records pertaining to our customers	– Name – Contact details (such as company address, email address and telephone number)
Legal ground: Legitimate interest. The processing is necessary to fulfil our legitimate interest of maintaining our ISO 13485:2016 quality management system.
Storage period: During the relevant contract term or a period of 15 years from the date of receipt of goods or complaint.

 

2.2.4 Send you newsletters and marketing

We also process your name and email address to send you newsletters if you have opted in for such letters on our website. You may opt-out from further messages at any time by using the un-subscription link provided in every message.

Our processing for the purpose of sending you newsletters is based on your explicit consent you provide when you sign up for our newsletter and marketing.

We store your data for this purpose as long as you subscribe to our newsletters. If you have opted out from further messages, we will keep a note of such opt-out and block your email address in order to ensure that you do not receive further messages.

2.3 Protect our services

When you sign up for our newsletter, we also store your IP address at the time of registration, as well as the date and time of the registration. We store this data in order to understand the (possible) misuse of e-mail addresses and to prevent misuse of our services.

Our processing for this purpose is necessary to fulfil our legitimate interest of protecting and preventing misuse of our services.

We store your data for this purpose during the time period you subscribe to our newsletter and will delete or otherwise anonymize the data thereafter.

2.3.1 Comply with legal obligations

We may also process your personal data in order to comply with legal obligations set out in law or as decided by a court or other authorities. These requirements may be related to bookkeeping, medical device and anti-money laundering legislation. Our processing for this purpose is that it is necessary for us to comply with legal obligations applicable to us.

2.4 How we share your personal data

We may share your personal data with the following types of third parties:

1. Service providers: We use third party service providers to manage some aspects of our business operations. We share personal data with such third parties with regard to IT infrastructure, operating and hosting services, email communications and other IT services. When we use such service providers we will enter into a data processing agreement with the service provider which requires it to ensure that your personal data is only processed in accordance with our instructions and this Privacy Policy.
2. Authorities: When we are required by law we may share your personal data to public authorities such as the police or tax authorities.

 

3 SECURITY MEASURES

We have taken a number of security measures to ensure that the personal data we keep is secure. For example, access to areas where personal data is stored is limited to our employees and service providers who require it in the course of their duties and who are informed of the importance of maintaining the security and confidentiality of the personal data we keep. We maintain appropriate safeguards and security standards to protect your personal data against unauthorized access, disclosure or misuse. We also monitor our systems to discover vulnerabilities in order to protect your personal data.

3.1 Where do we process your personal data?

We strive to always process your personal data within the EU and EEA. However, we may transfer your personal data to our service providers who may be located in or have business activities in a country outside the EU/EEA. In the event of such transfer, it will be made in accordance with applicable data protection law for example by ensuring that the country in which the recipient is located ensures an adequate level of data protection according to the European Commission or by use of standard contractual clauses that the European Commission has issued ensuring suitable measures to safeguard your rights and freedoms. 

 

4 YOUR RIGHTS

4.1 Introduction

In this section, we describe your rights under applicable data protection law. You are welcome to email us at gdpr@sedanamedical.com to exercise your rights or if you have any questions or comments regarding our processing of your personal data or this Privacy Policy. We will respond within a reasonable period of time upon verification of your identity.

4.2 Right of access and rectification

You have the right to information regarding which of your personal data we process and to access and rectify such personal data. To learn more about the information we store about you, please do not hesitate to email gdpr@sedanamedical.com and specify which information you request access to or information regarding.

4.3 Right to erasure

You may request that we erase your personal data without undue delay in the following circumstances:

1. the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. you withdraw your consent on which the processing is based (if applicable) and there is no other legal ground for the processing;
3. you object to our processing of personal data and we do not have any overriding legitimate grounds for the processing;
4. the processed personal data is unlawfully processed; or
5. the processed personal data has to be erased for compliance with legal obligations.

We may deny your request if we are prevented from erasing your personal data by requirements set out in applicable laws and regulations (e.g. in relation to accounting and tax legislation) or if they are needed for the establishment, exercise or defense of legal claims. If we cannot meet your request, we will instead restrict the personal data so they cannot be used for another purpose than the purpose preventing the erasure.

4.4 Right to restriction

You have the right to restrict the processing of your personal data in the following circumstances:

1. you contest the accuracy of the personal data during a period enabling us to verify the accuracy of such data;
2. the processing is unlawful and you oppose erasure of the personal data and request restriction instead;
3. the personal data is no longer needed for the purposes of the processing, but are necessary for you for the establishment, exercise or defense of legal claims;
4. you have objected to the processing of the personal data, pending the verification whether our legitimate grounds for our processing override your interests, rights and freedoms.

If your personal data has been restricted in accordance with this section they may, with exception of storage, only be processed for the establishment, exercise or defense of legal claims, or for the protection of the rights of a third party or for reasons of important public interest according to EU or EU member state legislation.

4.5 Right to object

You have the general right to object to our processing of your personal data when it is based on our legitimate interest. If you object and we believe that we may still process your personal data, we must demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

4.6 Right to data portability

If your personal data has been provided by you and our processing of your personal data is based on your consent or on the performance of a contract with you, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format in order to transmit these to another service provider where it would be technically feasible and can be carried out by automated means.

4.7 Right to withdraw consent

When our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Please note that the lawfulness of processing based on consent before its withdrawal is not affected.

4.8 Right to file a complaint

You may at any time lodge a complaint with the supervisory authority if you believe that our processing is performed in breach of applicable data protection law. Please note that you are also always welcome to contact us in such event.

 

5 REVISIONS

We may change this Privacy Policy at any time and from time to time. The most recent version of the Privacy Policy is reflected by the version date located at the bottom of this Privacy Policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this Privacy Policy or other notice on our Website. We encourage you to review this Privacy Policy often in order to stay informed of changes that may affect you, as your continued use of the Website signifies your continuing consent to be bound by this Privacy Policy. Our electronically or otherwise properly stored copies of this Privacy Policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this Privacy Policy which were in effect on each respective date you visited the Website.

 

Document   Privacy Policy Sedana Medical	Revision  2,0	Pages  7
Written by Oliver Moser with assistance of Setterwalls Advokatrbyrå	Date 17 July 2018	Valid from 25 May 2018
Reviewed by Maria Engström	Date 17 July 2018
Approved by Christer Ahlberg	Date 18 July 2018

 

Rev	Written date	Valid from date	Description of changes	Resp.
1.0	25 May 2018	25 May 2018	New Procedure	OM
2.0	17 July 2018	18 July 2018	Revision with Setterwalls Advokatsbyrå	OM