Privacy Policy

Version 2019-09-27

1. INTRODUCTION

This Privacy Policy (referred to as the “Policy”) describes how OssDsign AB, reg. no 556841-7546 (“OssDsign”, “we”, “us” or “our”), at the address Virdings Allé 2, 754 50 Uppsala, Sweden, processes personal data regarding users of our Customer Communication Platform (“CCP Service”), representatives of our business contacts and visitors to our website.
We safeguard your personal integrity. It is therefore important for us to protect your personal data and ensure that our processing of your personal data is correct and lawful. This Policy will help you understand what kind of personal data we collect and how we use it in our business and daily operations, and it will inform you of your rights as a data subject. It also contains other information relevant for you to understand how we process your personal data.
We may sometimes need to make updates or changes to this Policy. You can always find the latest version of this Policy on our website, www.ossdsign.com/privacy-policy.
We ask that you read this Policy carefully and familiarize yourself with its content. If you have any questions, please contact us at the address above or at dpo@ossdsign.com.

2. HOW WE COLLECT YOUR PERSONAL DATA

We collect the personal data that you provide us with when you interact or otherwise communicate with us, including, for example, information you enter when completing a new account form or when contacting one of our representatives or our customer service. For our collection of personal data through cookies, we refer to our Cookie Policy at www.ossdsign.com/cookie-policy.

3. HOW WE PROCESS YOUR PERSONAL DATA

In this section, we describe for what purposes we process your personal data, the legal basis for our processing and the storage period of the data. 

3.1 In order to create and manage user accounts in the CCP Service

We process personal data in order to create and manage user accounts in the CCP Service set up by representatives of our customers, such as surgeons, nurses and hospital administrators, in the following way.  

Purpose:
  • To be able to create and manage user accounts, including the provision of authorization for login.
  • To be able to manage your use of our platform services.
  • To be able to manage orders and production processes.
  • To be able to contact you and provide information about OssDsign or the CCP Service.
Processing:
  • Storage of collected personal data in our business systems and back-up systems.
  • Communication with you.
Categories of personal data:
  • Name.
  • Contact details (such as e-mail address, telephone number, hospital/clinic, department and delivery address).
  • Professional title.
  • Other information you have stated in the account form (including password).
Legal basis: Legitimate interest. The processing is necessary to fulfil our legitimate interest of creating and thereafter managing user accounts in the CCP Service, providing our platform services, managing orders and production processes, providing information about us and the CCP Service, and otherwise communicating with existing and new users.
Storage period: We process the personal data as long as it is necessary for the purposes above (or other legitimate purposes, such as fulfilling our legal obligations or exercising legal claims, see section 3.5). We erase or anonymize your data when it is no longer necessary or adequate, for example if our relationship with you or the hospital/clinic you represent ends and we are informed about this. We will also erase your data if you terminate your account or if your account is terminated by us.


3.2 In order to create and develop potential business relationships

We process personal data in order to create and thereafter maintain and develop business relationships with potential customers, partners and other business contacts (including for example consultants, potential investors and suppliers).

If you are or represent a potential customer, partner or other business contact and we meet you either personally (e.g. at conferences, fairs, other personal meetings or otherwise) or come in contact by e-mail or through our online contact form, we may process your personal data in the following way.

Purpose:
  • To be able to contact you in order to create and thereafter maintain and develop our business relationship with you or the hospital/clinic/company you represent.
Processing:
  • Storage of collected personal data in our business systems and back-up systems.
  • Communication with you regarding our services and business relationships.
Categories of personal data:
  • Name.
  • Contact details (such as e-mail address, telephone number, hospital/clinic/company and business address).
  • Professional title.
  • Information regarding the hospital/clinic/company you represent.
Legal basis: Legitimate interest. The processing is necessary to fulfil our legitimate interest of creating and thereafter maintaining and developing business relationships with you or the hospital/clinic/company you represent.
Storage period: We process the personal data for a period of six (6) months after our latest contact with you or the hospital/clinic/company you represent, unless a business relationship has been established between us and you or the hospital/clinic/company you represent (see section 3.3).


3.3 In order to maintain, manage and develop existing business relationships

We process personal data in order to maintain, administer and develop our business relationships with existing customers, partners and other business contacts (including for example consultants, potential investors and suppliers). 

If you are or represent an existing customer, partner or other business contact we process your personal data in the following way. 

Purpose:
  • To be able to contact you as a customer, partner or other business contact or in your capacity as representative of our customer, partner or other business contact.
  • To be able to maintain, manage and develop our existing business relationship with you or the hospital/clinic/company you represent.
  • To be able to manage orders, billing and deliveries.
Processing:
  • Storage of collected personal data in our business systems and back-up systems.
  • Communication with you regarding our services and business relationships.
Categories of personal data:
  • Name.
  • Contact details (such as e-mail address, telephone number, hospital/clinic/company and business address).
  • Professional title.
  • Information regarding the hospital/clinic/company you represent.
  • Information related to our business relationship, including communication and documentation regarding provided services and contracts entered into with you or the company you represent.
Legal basis: Legitimate interest. The processing is necessary to fulfil our legitimate interest of maintaining, administering and developing our business relationship with you or the hospital/clinic/company you represent.
Storage period: We process the personal data as long as it is necessary for the purposes above (or other legitimate purposes, such as fulfilling our legal obligations or exercising legal claims, see section 3.5). We erase or anonymize your data when it is no longer necessary or adequate, for example if our relationship with you or the hospital/clinic/company you represent ends.


3.4 In order to evaluate and improve our website

If you visit our website (www.ossdsign.com), we process information generated by your visit to analyze and produce statistical information concerning our web traffic in order to improve the usability and content of our website and web-based communication. We also temporarily log communication data, including your IP address, for security analytics.  

Purpose:
  • To be able to evaluate and improve the usability and content of our website and web-based communication.
  • To be able to detect potential security attacks triggered by many failed login attempts.
Processing:
  • Collection of visitor-generated traffic data and production of statistics concerning web traffic and the use of our website.
  • Security analysis of collected traffic data.
Categories of personal data:
  • Browser information.
  • IP address.
  • Other website traffic data.
Legal basis: Legitimate interest. The processing is necessary to fulfil our legitimate interest of being able to evaluate and improve our website and web-based communication, as well as detecting potential security attacks. 
Storage period: We process the personal data for as long as it is necessary for the purposes above, however not longer than for a time period of three (3) months. In most cases, the personal data concerned is converted into aggregate data (anonymized data) in connection to our production of statistical information within a shorter time period. The statistics do not track any interaction relating to user accounts in the CCP Service.


3.5 In order to comply with legal obligations or to exercise legal claims

We may process and share your personal data if this is necessary for us to comply with legal obligations set out in law, regulations or decisions issued by public authorities. These obligations may relate to matters such as bookkeeping or money laundering legislation. We may also process and share your personal data if it is requested by a court of law or if it is necessary in order for us to establish or exercise our legal rights or defend us against legal claims.

4. HOW WE SHARE YOUR PERSONAL DATA

The personal data that we collect may be shared with our distributors and other third parties in order for us to provide our services. The types of third parties with whom we may share your personal data are the following:

a) Service providers: We use third party service providers to manage some aspects of our business operations. We share personal data with such third parties with regard to IT infrastructure, operating and hosting services, marketing and communications and other IT services such as IT support, maintenance and development.

b) Subcontractors: We may share your personal data with subcontractors that we use for the production of our products.

c) Authorities: We may share your personal data with public authorities such as the police or tax authorities in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law.

Most of the service providers and subcontractors that we share personal data with are, in relation to us, so-called data processors or sub-processors. Such data processors and sub-processors may only process transferred personal data on our behalf and in accordance with our express instructions. When we use data processors and sub-processors, we will enter into a data processing agreement or sub-processing agreement that requires the other party to ensure that the personal data is only processed in accordance with our instructions, the agreement and applicable data protection legislation. The data processors and sub-processors currently used by OssDsign are listed in Appendix 1.

Authorities, and in some instances service providers, that we may transfer personal data to are independent data controllers. When your personal data is transferred to an independent data controller we do not control how the information is processed. The responsibility for the processing then falls on the authority or the company to which the transfer was made, including inter alia ensuring that you are informed of how the data is processed and that the processing is legal.

5. HOW WE PROCESS YOUR PERSONAL DATA

All personal data that we process is securely stored on Amazon AWS servers in Ireland, Europe. In general, we always strive to process your personal data within the EU and EEA. However, we may transfer your personal data to service providers who, either themselves or through hired sub-contractors, are located in or have business activities in a country outside the EU or EEA. In the event of such transfer, it will be made in accordance with applicable data protection legislation, for example, by ensuring that the country in which the recipient is located ensures an adequate level of data protection according to the European Commission or by use of standard contractual clauses that the European Commission has issued ensuring suitable measures to safeguard your rights and freedoms. 

6. SECURITY MEASURES

We have taken a number of security measures to ensure that your personal data is kept secure. For example, access to the personal data is limited to employees and service providers who require it in the course of their duties and who are subject to a confidentiality agreement. Furthermore, we maintain appropriate safeguards and security standards to protect your personal data against unauthorized access, disclosure or misuse. We also monitor our systems to discover vulnerabilities in order to protect your personal data.

7. YOUR RIGHTS

7.1 Introduction

In this section, we describe your rights under applicable data protection legislation. You are welcome to email us at dpo@ossdsign.com to exercise your rights or if you have any questions or queries regarding our processing of your personal data or this Policy. We will respond within a reasonable period of time upon verification of your identity.

7.2 Right of access

Information regarding what personal data we have stored about you is available to you in your SecureMailbox account if you are a registered user of our platform. If you are such a user and would like to receive more information regarding what personal data we process about you, or if you are another business contact of ours or a visitor to our website, you have the right to request access to such data. The information will then be provided in the form of a register extract that specifies the personal data processed by us, the purposes for which it is processed, where the data has been collected, the third parties with which the data has been shared and how long the data will be stored. If you make your request electronically, the information will be provided in a commonly used electronic format, unless you have requested otherwise.

7.3 Right of rectification

You have the right to have incorrect information about you rectified without undue delay. You also have the right to have incomplete information completed. You have the possibility to make corrections yourself to the information listed in your SecureMailbox account if you are a registered user of our platform, and you may otherwise contact us for such rectification. You may also contact us if you want to correct any entered or collected information about you related to the CCP Service.

7.4 Right to erasure

You may request that we erase your personal data without undue delay in the following circumstances:

a) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) you withdraw your consent on which the processing is based (if applicable) and there is no other legal basis for the processing;

c) you object to our processing of personal data and we do not have any overriding legitimate grounds for the processing;

d) the processed personal data is unlawfully processed; or

e) the processed personal data has to be erased for compliance with legal obligations.

Your request for erasure may be sent to dpo@ossdsign.com. We will reply within the SecureMailbox service if you are a registered user of our platform, and will otherwise contact you through the contact details you have provided us with earlier. We may, however, deny your request if we are prevented from erasing your personal data by requirements set out in applicable laws and regulations (for example in relation to accounting and tax legislation) or if the data is needed for the establishment, exercise or defense of legal claims. If we cannot meet your request, we will instead restrict the personal data so that it cannot be used for other purposes than the purpose that prevents the erasure.

7.5 Right to restriction

You have the right to restrict the processing of your personal data in the following circumstances:

a) you contest the accuracy of the personal data during a period enabling us to verify the accuracy of such data;

b) the processing is unlawful and you oppose erasure of the personal data and request restriction instead;

c) the personal data is no longer needed for the purposes of the processing, but is necessary for you for the establishment, exercise or defense of legal claims;

d) you have objected to the processing of the personal data, pending the verification whether our legitimate grounds for our processing override your interests, rights and freedoms.

If your personal data has been restricted in accordance with this section it may, with exception of storage, only be processed for the establishment, exercise or defense of legal claims, or for the protection of the rights of a third party or for reasons of important public interest according to EU or EU member state legislation.

7.6 Right to object

You have the general right to object to our processing of your personal data when it is based on our legitimate interest. If you object and we believe that we may still process your personal data, we must demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

7.7 Right to data portability 

If your personal data has been provided by you and our processing of such data is based on your consent or on the performance of a contract with you, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format in order to transmit these to another service provider where it would be technically feasible and can be carried out by automated means.

7.8 Right to withdraw consent

When our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Please note that the lawfulness of processing based on consent before its withdrawal is not affected.

7.9 Right to file a complaint

You may at any time file a complaint with the competent supervisory authority if you believe that our processing is performed in breach of applicable data protection legislation. Please note that you are also always welcome to contact us in such an event.