Privacy policy

Medartis and its affiliates ("Medartis") take the protection of personal data very seriously and treat your personal data as confidential and in accordance with applicable laws and regulations, including, but not limited to, the Swiss Federal Act on Data Protection (FADP) and EU General Data Protection Regulation (GDPR). The use of your personal data by Medartis is carried out in strict compliance with the provisions on data protection, so you may feel safe with us in terms of the protection of your personal data.

It is important to us that you know what personal data is collected when you visit our website, and use our services and offers, as well as how we use such data afterwards. This privacy policy is intended to provide you with information about the scope and purpose of the collection and use of personal data on our website, and to inform you how we protect your personal data from manipulation, loss, destruction or improper use.

The introduction of new technologies and the further development of this website may result in changes to this privacy policy, we therefore recommend that you read this privacy policy regularly.

Definitions of the terms used in this privacy statement (e.g. "personal data" or "processing") can be found in Art. 5 Swiss Federal Act on Data Protection (FADP) and Art. 4 GDPR.


Responsible person

Medartis AG
Hochbergerstrasse 60E4057
Basel Switzerland

Phone: +41 61 633 34 34
Fax: +41 61 633 34 00
Mail: info@medartis.com

 

Representative in the EU

Medartis GmbH
Am Gansacker 10
79224 Umkirch
Germany

Phone: +41 61 633 34 34
Fax: +41 61 633 34 00
Mail: info@medartis.com


Data Protection Officer (Central Data Protection Officer Switzerland, EU and UK)


Medartis AG
Hochbergerstrasse 60E
4057 Basel

Phone: +41 61 633 34 34
Mail: dataprotection@medartis.com  

 

Storage period

We generally delete your personal data as soon as it is no longer needed for the purposes for which it was collected or otherwise processed.

If we have asked for your consent and you have given it, we will delete your personal data if you withdraw your consent and there is no other legal basis for the processing.

We will delete your personal data if you object to the processing and there are no overriding legitimate reasons for the processing.

If deletion of your personal data is not possible due to a legal obligation (statutory retention periods, etc.) or because such data is required in order to assert, exercise or defend legal claims, we will restrict the processing of your personal data.

Further information on the storage period can be found in the following sections.


Your rights as a data subject

You have the following rights with regard to your personal data:
- Right of access
- Right of rectification
- Right of erasure
- Right of restriction of processing
- Right of object
- Right of data portability
- Right of data output

You have the right, for any reasons that may arise from your particular situation, and at any time, to revoke your consent to the processing of your personal data. Your personal data will then no longer be processed unless we there are legitimate reasons, worthy of protection, for the processing which override any interests, rights and freedoms, you may have, or the processing serves to assert, exercise or defend legal claims. If we process your personal data in order to carry out direct marketing, you have the right to object to the processing of your personal data for the purpose of such advertising at any time. We will then no longer process your personal data for these purposes.

You have the right to revoke your consent to the processing of your personal data at any time if you have previously given us such consent. The revocation of consent does not affect the lawfulness of any processing carried out on the basis of such consent prior to the revocation. In order to revoke your consent, please contact the data protection officer listed above using the contact options provided.

You have the right to issue a complaint to a supervisory authority about our processing of your personal data.

 

Provision of your personal data

We process personal data in various ways in order to manage our business activities, improve our website, provide customer service and provide other products and services to our customers and potential customers. We do not share your personal data with unrelated third parties for their independent use except as permitted by law or with your consent and only pursuant to confidentiality agreements. To the extent required or permitted by law, we may also collect, use and disclose personal information in connection with security or law enforcement investigations or in the course of cooperating with authorities or the fulfilment of legal requirements.

Medartis only processes your personal data if there is a legal basis for doing so.

You are generally not obliged to provide any personal data. If this should nevertheless be the case, we will point this out to you separately when collecting your personal data (for example by marking the mandatory fields in input forms).

Failure to provide your personal data will regularly result in not processing your personal data for one of the purposes described below and you not being able to take advantage of an offer related to the respective processing (for example, receiving a newsletter).


Web hosting

We use external services for web hosting. These services may have access to personal data that is processed in the course of using our online services.

stepping stone AG

Supplier: stepping stone AG, CH-3011 Bern.

Website:

https://www.stepping-stone.ch/en/

Further information & data protection:

https://www.stepping-stone.ch/en/privacy-policy/

 

Microsoft Azure (For CMX)
Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.
Website: azure.microsoft.com/overview/trusted-cloud/privacy/
Further Information & Privacy:

privacy.microsoft.com

https://www.microsoft.com/trust-center/privacy

https://www.privacyshield.gov/welcome

Garantie: EU Standard Contractual Clauses.


Web server log files

We process your personal data in order to be able to display our online offer to you and to optimize the stability and security of our online offer. Information (e.g. requested element, URL, operating system, date and time of the request, browser type and version, IP address, protocol, amount of data transferred, user agent, referrer URL, time zone difference to Greenwich Mean Time (GMT) and/or HTTP status code) is stored in so-called log files (access log, error log, etc.).

If we have asked for your consent and you have given it, the legal basis for the processing is          Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP)) and Art. 6 para. 1 lit. a GDPR.

If we have not asked you for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the proper display of our online offer and optimizing the stability and security of our online offer.

 

Security

Medartis takes reasonable precautions to protect all personal data collected by us against unauthorised access and use, we regularly review security measures and conduct regular training and awareness-raising activities. However, you are responsible for keeping your login details and passwords confidential.

For security reasons and to protect the transmission of your personal data and other confidential content, we use encryption on our domain. You can recognise this in the browser line by the character string "https://" and the lock symbol.

 

Contact

If you contact us, we will process your personal data which you have provided to us in order to process your inquiry.

Contact form

We use your name, address, e-mail address, IP address and the information you provide in the contact form to process your request and contact you.

If we have asked for your consent and you have given it, the legal basis for the processing is          Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

If we have not asked you for your consent, the legal basis for the processing is                                 Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the processing of your request.

We use Outlook (Microsoft Office) for e-mail correspondence.

Microsoft 365

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

www.microsoft.com/de-ch/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook

Further information & data protection:

privacy.microsoft.com/de-de/privacystatement

www.microsoft.com/de-de/rechtliche-hinweise/nutzungsbedingungen

Guarantee: EU Standard Contractual Clauses

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

 

Compliance/ethics Form:

Medartis has a reporting platform to combat unethical behaviour and violations of internal guidelines and applicable legal regulations. This platform is focused on compliance violations. All reports submitted through this channel are treated confidentially. It is also possible to submit the report anonymously. If you do not submit anonymously, we will process your name and e-mail address to process your request.

If we have asked for your consent and you have given it, the legal basis for the processing is Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

If we have not asked you for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the processing of your request.

We use Outlook (Microsoft Office) for e-mail correspondence.

 

Microsoft 365

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

www.microsoft.com/de-ch/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook

Further information & data protection:

privacy.microsoft.com/de-de/privacystatement

www.microsoft.com/de-de/rechtliche-hinweise/nutzungsbedingungen

Guarantee: EU Standard Contractual Clauses

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

 

Subscription to ad-hoc releases:

Through the subscription form on the “investor relations” page, you have the possibility to subscribe to our ad-hoc releases. If you subscribe we will inform you about ad-hoc and media releases via e-mail. In order for you to receive such releases, we process your e-mail address and, if provided, your name, address, employer and any other information you provide.

We use the so-called double opt-in procedure to prevent possible misuse of your personal data. For this purpose, after collecting your e-mail address, we send you an e-mail to the e-mail address you provided in which we ask you to confirm that you actually want to receive such ad-hoc releases.

Your personal data is processed with the support of an external cloud service provider (EQS Group AG). Your personal data is preferably stored within the EU. In the event that your data is stored outside the European Economic Area (EEA), our processor will provide appropriate safeguards.

If we have asked for your consent and you have given it, the legal basis for the processing is Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of such consent prior to the revocation. To withdraw your consent, you can use the link provided for this purpose in the e-mails or contact us at the contact details provided above.

If you have revoked your consent, we reserve the right to process your personal data in a so-called blacklist/blocklist in order to be able to ensure that no further ad-hoc releases are sent to you in the future. We would like to inform you that it may take up to 30 days from the time of revocation until your data is added to the blacklist/blocklist.

The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest here is the avoidance of unwanted newsletters.

EQS Group AG

Provider: EQS Group AG, 8005 Zurich
Website: https://www.eqs.com

Data protection: https://www.eqs.com/about-eqs/data-protection/

Recipient: Medartis AG and EQS Group AG

Storage location: Switzerland and EU

 

New Idea Submission 

Since its foundation, Medartis has focused on the most innovative solutions to significantly improve the treatments of orthopedic diseases. You can share your ideas with us via the corresponding contact form. 

For this purpose, we process your name, title, phone number, email address and IP address and the information and attachments you provide in the contact form. 

If attachments contain personal data of third parties, such as patient data, we require you to obtain a legally compliant declaration of consent in advance. Please also refer to the point "Processing of patient data" in this data protection declaration.  

As a general rule, if attachments contain personal data and/or sensitive data, they must be anonymized before transmission. 

If we have asked for your consent and you have given it, the legal basis for the processing is           

Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR. 

If we have not asked you for your consent, the legal basis for the processing is                                 

Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the processing of your request. 

If you have provided us with your consent, you can revoke it at any time. 

The processing of your idea submission as well as the email correspondence is carried out via Microsoft 365 (Outlook and Sharepoint). 

Sample: Patient consent 

Microsoft 365

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

www.microsoft.com/de-ch/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook

Further information & data protection:

privacy.microsoft.com/de-de/privacystatement

www.microsoft.com/de-de/rechtliche-hinweise/nutzungsbedingungen

Guarantee: EU Standard Contractual Clauses

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

If your ideas cannot be considered within five years, all data including your personal data and attachments will be deleted.

 

Processing of Patient Data

Patient Data is processed in accordance with the respective requirements of the Medartis subsidiaries on behalf of the customer for the purpose of product ordering, delivery and if applicable, invoicing, and in order to comply with all applicable regulatory and legal requirements.

In processing patient data on behalf of the Customer, Medartis agrees to comply with GDPR.

The physician / data transmitter acknowledges that Patient Data is “sensitive data” and that for the Processing of Patient Data all obligations and requirements for the Processing of special categories of personal data under the GDPR have to be taken into account.

The physician / data transmitter confirms that the patient has been informed of and expressly agreed to the processing of his or her patient data by Medartis in the form required by law. A form that complies with the legal requirements (incl. GDPR) is available for download at.
Sample: Patient consent

The physican / data transmitter is free to use another form that meets the legal requirements.

For further information regarding the processing of patient data in the context of CMX, please follow this link

Medartis processes patient data on behalf of the physican / data transmitter for the above-mentioned purposes as data controller pursuant to Art. 9 lit. 2 a GDPR in order to comply with all applicable legal and regulatory requirements.

If we have asked for your consent and you have given it, the legal basis for the processing is Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

The data will only be stored as long as the purpose of use and your consent are valid.

 

Microsoft Azure

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

azure.microsoft.com/de-de/overview/trusted-cloud/privacy/

More information & privacy:

privacy.microsoft.com

www.microsoft.com/trust-center/privacy

www.privacyshield.gov/welcome

Guarantee: EU standard contractual clauses

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

Storage period: Deletion periods are based on legal requirements.

 

Application procedure

If you send us an application, we process your name, address, e-mail address, CV and related documents and any information you have submitted via our online application form to process your application. The provision of personal data is not required by law or contract. However, without the provision of this data, we cannot consider your application.

After the application process, your data will be restricted for further processing and deleted or destroyed at the latest when the legal deadlines have been reached after you have received the rejection letter, or the application documents will be returned to you and any copies deleted or destroyed, unless you have expressly consented to our continued use of your data.

The legal basis for the processing is Art. 6 para. 1 lit. f GDPR, the protection of our legitimate and overriding interest in the defence against claims due to the rejection of an application.

If we have asked for your consent and you have given it, the legal basis for the processing is Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

If we have not asked for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the processing of your inquiry and application. If the processing is necessary to fulfil contractual obligations or to carry out pre-contractual measures based on your request, the legal basis for the processing is further Art. 6 para 1 lit. b GDPR.

We do not use external online services to provide and maintain our e-mail mailboxes.

In this context, only the Microsoft Exchange application is used, which is operated by Medartis. The data is stored in our data centre in Switzerland.

SAP Germany SE & Co. KG

Provider: In the European Economic Area (EEA).

Website: www.sap.com/germany/cmp/dg/josh-bersin-best-practices/index.html

Further information & data protection: https://www.sap.com/germany/about/legal/privacy.html

Recipient: Medartis AG / SAP

Storage location: Switzerland and EU

The storage periods are based on the applicable legal provisions.

 

Cookies & similar technologies

We use Cookies and similar technologies on our website. Cookies are text information that are stored on your terminal device. A distinction is made between session cookies, which are deleted immediately after you close your browser, and permanent cookies, which are only deleted after a certain period of time.

The following statements on cookies also apply to similar technologies, and to further processing in connection with cookies and similar technologies (analysis & marketing, etc.). This also applies in particular to any consent you may have given for the use of cookies.

Cookies may be used to enable the use of certain functions. Cookies may also be used to measure the reach of our online offer, to design it according to needs and interests and thus to optimise our online offer and marketing. Cookies may be used by us and by external services.

We use a consent tool to manage the use of cookies and the related consents. Detailed information on the used cookies (purpose, storage period, external service, etc.) and the consent tool can be found in the following sections and is also provided in the consent tool on our website.

If we have asked for your consent and you have given it, the legal basis for the processing is Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

If we have not asked you for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the management of the used cookies and the related consents. Depending on the purpose of the processing, our respective legitimate interests are specified in the following sections.

You can prevent cookies from being stored by setting up your browser accordingly. Below please find direct links for all common browsers where more detailed information on managing cookie settings is provided:
- Firefox: https://www.mozilla.org/en-US/privacy/websites/
- Chrome: https://support.google.com/chrome/answer/95647?hl=en&hlrm=en
- Internet Explorer / Edge: https://support.microsoft.com/en-us/windows/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

- Opera: https://help.opera.com/en/latest/web-preferences/
- Yandex: https://browser.yandex.com/help/personal-data-protection/cookies.html

You can find further information about options to object to or restrict the use of cookies at the following links:

https://www.youronlinechoices.eu/

https://youradchoices.ca/en/tools

https://optout.aboutads.info/?c=2&lang=EN

https://optout.networkadvertising.org/?c=1.

If you prevent the storage of cookies, this may impair the functionality of our online services.

If you delete all cookies, the above-mentioned settings will also be lost and must be made again.

Furthermore, you can activate the "Do-Not-Track" function of your browser to signal that you do not want to be tracked. Below please find direct links for all common browsers where you can find further information on the "Do-Not-Track" setting:
- Firefox: https://www.mozilla.org/en-US/privacy/websites/
- Chrome: https://support.google.com/chrome/answer/2790761?co=GENIE.Platform%3DDesktop&hl=en

- Internet Explorer / Edge: https://support.microsoft.com/en-us/windows/use-do-not-track-in-internet-explorer-11-ad61fa73-d533-ce96-3f64-2aa3a332e792

- Opera: https://help.opera.com/en/latest/security-and-privacy/

Safari no longer supports the "Do-Not-Track" function as of February 2019.

The following link can be used to prevent cross-site tracking in Safari:

https://support.apple.com/guide/safari/prevent-cross-site-tracking-sfri40732/12.0/mac
- Yandex: https://browser.yandex.com/help/personal-data-protection/do-not-follow.html

You can also revoke or manage your consent with regard to the cookies used in the consent tool we use.

Link for an overview of data storage, duration and recipients:

https://www.medartis.com/privacy-notice/#c3430

www.medartis.com/de/datenschutz/

You also have the option of revoking your consent on our website by using this button:


Newsletter

Medartis offers a newsletter to keep you up to date at first hand. By subscribing to the newsletter, you agree to receive it. We use your name, address, e-mail address and any other information you provide in the registration form in order to provide and improve the newsletter services. You can withdraw your consent to receive the newsletter at any time and cancel your newsletter subscription. Upon receipt of your revocation, we will delete your data collected in connection with your registration for the newsletter. At the end of each newsletter you will find a link to cancel your subscription.

The legal basis for the processing is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR.

The contents of the e-mail marketing are specifically described when obtaining your consent. Apart from that, the e-mail marketing contains information about Medartis, our goods and services.

We use the so-called double opt-in procedure to prevent possible misuse of your personal data. For this purpose, after collecting your e-mail address, we send you an e-mail to the e-mail address you provided in which we ask you to confirm that you actually want to receive e-mail marketing.

We log the time of granting your consent and the time of your confirmation as well as your IP address and the content of your declaration of consent in order to be able to prove that your consent was obtained in accordance with the law. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the legally compliant implementation of e-mail marketing.

We use external services for e-mail marketing. You can find more information about the used services at the end of this section and under the provided links.

You can revoke your consent at any time. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of such consent prior to the revocation thereof. To withdraw your consent, you can use the link provided for this purpose in the e-mails or contact us at the contact details given above.

If you have revoked your consent, we reserve the right to process your personal data in a so-called blacklist/blocklist in order to be able to ensure that no further e-mail marketing will be sent to you in the future. We would like to inform you that it may take up to 30 days from the time of revocation until your data is added to the blacklist/blocklist. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the prevention of unwanted e-mail marketing.

We process your personal data as part of a needs-based and interest-based design of our e-mail marketing.  If we have asked you for your consent and you have given it, the legal basis for the processing is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR. If we have not asked you for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest here is the optimisation of our e-mail marketing. You may use the options mentioned above to revoke your consent or object to the processing of your personal data for the purpose of e-mail marketing.

 

Microsoft Dynamics 365 CRM

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection representative of Microsoft Corporation, United States of America.

Website: dynamics.microsoft.com

Further information & data protection:

https://privacy.microsoft.com/privacystatement
https://www.microsoft.com/en-us/legal/terms-of-use

Garantie: EU standard contractual clauses.

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

The data storage takes place until the revocation of the given consent.

 

Order processing

For the purpose of order processing (order entry and order execution as well as invoicing) we process your name, title, address, country, telephone and fax number as well as your e-mail address.

For this purpose, we store your data in our SAP customer database.

Within the scope of an e-mail correspondence, we use Outlook (Microsoft Office).

If we have asked for your consent and you have given it, the legal basis for the processing is Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP)  and Art. 6 para. 1 lit. a DS-GVO. You can revoke your consent at any time. If we have not asked you for your consent, the legal basis for the processing is Art. 6 para. 1 lit. b DS-GVO.

 

SAP Germany SE & Co. KG

Provider: In the European Economic Area (EEA).

Website: www.sap.com/germany/cmp/dg/josh-bersin-best-practices/index.html

Further information & data protection: https://www.sap.com/germany/about/legal/privacy.html

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

 

Microsoft 365

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

www.microsoft.com/de-ch/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook

Further information & data protection:

privacy.microsoft.com/de-de/privacystatement

www.microsoft.com/de-de/rechtliche-hinweise/nutzungsbedingungen

Guarantee: EU Standard Contractual Clauses

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

When the customer relationship ends, we will only process your data for the period of time required by applicable legal regulations in relation to the processing of the order.


Existing customer marketing – advertising by e-mail

If we have received your e-mail address in connection with the sale of a product or service, we will process your e-mail address, name, country and postal code in order to conduct e-mail marketing for our own similar goods or services, and possibly other personal data in order to address you personally. The legal basis for the processing is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR. Our legitimate interest is direct advertising.

You have the right to object to the processing of your personal data for the purpose of e-mail marketing at any time. We will then no longer process your personal data for the purpose of e-mail marketing. To object to the processing of your personal data for the purpose of e-mail marketing, you may use the link provided for this purpose in the e-mails or contact us at the contact details provided above.

If you have objected to the processing of your personal data for the purpose of e-mail marketing, we reserve the right to process your personal data in a so-called blacklist/blocklist in order to be able to ensure that no further e-mail marketing takes place in connection with your personal data in the future. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the prevention of unwanted e-mail marketing.

We process your personal data as part of a needs-based and interest-based design of our e-mail marketing. If we have asked you for your consent and you have given it, the legal basis for the processing is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR. If we have not asked for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest here is the optimisation of our e-mail marketing. You may use the above-mentioned options to object to the processing of your personal data for the purpose of e-mail marketing.new

 

Microsoft Dynamics 365 CRM

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

dynamics.microsoft.com/de-de/

Further information & data protection:

privacy.microsoft.com/de-de/privacystatement

www.microsoft.com/de-de/rechtliche-hinweise/nutzungsbedingungen

Guarantee: EU standard contractual clauses

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

The data storage takes place until the revocation of the consent given.

 

Existing customer marketing – advertising by post

If we have received your personal data in connection with the sale of a product or service and you have not objected to this, we will process your personal data in order to carry out marketing by post. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest here is direct advertising.

We may use external services (print shops, letter shops, etc.) for marketing by post.

You have the right to object to the processing of your personal data for the purpose of marketing by post at any time. We will then no longer process your personal data for the purpose of marketing by post. To object to the processing of your personal data for the purpose of marketing by post, you may contact us by using the contact details provided above.

If you have objected the processing of your personal data for the purpose of marketing by post, we reserve the right to process your personal data in a so-called blacklist/blocklist in order to be able to ensure in the future that no further marketing by post takes place in connection with this personal data. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the prevention of unwanted marketing by post.


Analysis & Marketing

We process your personal data in order to measure the range of our offer, to design it according to needs and interests and thus to optimise our online offer and marketing.

If we have asked you for your consent and you have given it, the legal basis for the processing is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR. If we have not asked for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the optimisation of our online offer and our marketing.

When you access our website, we automatically record server log file information. This information does not allow any conclusions to be drawn about your person. This anonymous information is evaluated by us for purely statistical purposes. This evaluation serves our legitimate interest in being able to optimise our internet presence.

We use external services for marketing purposes. For more information on the services we use, please refer to the information at the end of this section and the provided links.

 

Google Analytics

Provider: In the European Economic Area (EEA) and Switzerland, Google services are provided
by Google Ireland Limited, Ireland.

Google Ireland Limited is a subsidiary of Google LLC, United States of America.
Website:

https://marketingplatform.google.com/intl/en_uk/about/analytics/

Further information & data protection:

https://support.google.com/analytics/answer/6004245?hl= 

https://policies.google.com/?hl=en
Transfer of personal data to Google services in third countries takes place depending on the respective Google service under the application of the various EU standard contractual clauses.

For more information on this and Google's responsibility, please see the following link:

https://privacy.google.com/businesses/compliance/#!#gdpr.

Google Tag Manager

Provider: In the European Economic Area (EEA) and Switzerland, Google services are provided by Google Ireland Limited, Ireland.

Google Ireland Limited is a subsidiary of Google LLC, United States of America.
Website:

https://support.google.com/tagmanager/answer/6102821?hl=

Further information & data protection:

https://policies.google.com/privacy?hl=en
Transfer of personal data to Google services in third countries takes place depending on the respective Google service under the application of the various EU standard contractual clauses.

For more information on this and Google's responsibility, please see the following link: https://privacy.google.com/businesses/compliance/#!#gdpr.

You can request a copy of the EU standard contractual clauses from us.

LinkedIn Insight Tag

Provider: If you are in the EU, European Economic Area (EEA) or Switzerland, this service is provided by LinkedIn Ireland Unlimited Company, Ireland.

If you are outside the EU, the European Economic Area (EEA) or Switzerland, this service is provided by LinkedIn Corporation, United States of America.
Website:

https://www.linkedin.com/

Further information & privacy:

https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy 

https://www.linkedin.com/legal/cookie-policy?trk=homepage-basic_footer-cookie-policy

Guarantee: EU standard contractual clauses.

 

Webinars & events

For the planning, registration, application and conducting of events, particularly (but not limited to) webinars, we process the personal data provided by you in order to fulfil contractual and pre-contractual obligations in connection with such events. We collect all necessary data directly from you or the person who registers you for the event.

In the context of conducting events, we process your personal data in accordance with the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a), b) GDPR. Invitations to events through newsletters are made on the basis of Art. 6 para. 1 lit. a), b), f) GDPR.

 

During the event, we record participants and, if applicable, entry and selection times of your attendance. This information serves the issuing of certificates of attendance. We process your personal data in accordance with Article 6 para. 1 lit. b), f) GDPR.

You have the option to unsubscribe from our newsletter, event and product information free of charge at any time and thus make use of your right to object.

You can either use the unsubscribe link or send an e-mail to:

dataprotection@medartis.com

In order to be able to offer and carry out events, we may use external processors and subprocessors. Depending on the processor, it may be a service provider based inside or outside the European Economic Area (EEA).

In order to comply with our duty of care and ensure the protection of your personal data, we conclude written agreements on commissioned processing and implement EU standard contractual clauses where required.

If we provide information on our website about events and provide the link for registration where we are only acting as a partner/sponsor and are not the data controller for data processing within the meaning set forth by the GDPR, this privacy policy does not govern such processing of your personal data. The data protection information of the respective responsible unit applies.

If webinars are recorded by us, you will receive information in advance.

We would like to expressly point out that during events organised and/or held by us, photo, audio and/or video recordings may be taken.

Recipient: Medartis AG

Storage location: Switzerland

The data is stored until you revoke your consent and, if applicable, until the required legal storage periods.

The following processors may be engaged in the context of webinars:

ZOOM

We use ZOOM to conduct telephone/video conferences, online meetings and webinars.

Please note that other users/participants may see your name during use.

When using ZOOM, different categories of personal data are processed. These depend, among other things, on the personal data you provide during the online meeting.

When you start the ZOOM application, you will not be seen or heard due to our default settings. You would have to actively turn on the camera and/or microphone. Some meetings may be recorded in order to later be made available, e.g., to persons who were unable to attend the event, and for research, training, marketing and other internal and/or external purposes. Therefore, please decide for yourself whether you want to activate your camera and/or microphone.

If a recording of the ZOOM event is planned, we will inform you of such intended recording and the intended use thereof prior to the start of the recording. In addition, any ongoing recording will always be visible to you on the ZOOM interface. By having the camera and/or microphone switched on after you have been informed of the intended recording and its intended use, we consider this as reasonable consent to such recording and the use of any sound, photo and/or video recordings for research, training, marketing and other internal or external purposes.

ZOOM is not located in the EU. Therefore, it is considered a third country provider.

Insofar as personal data are processed for the fulfilment of contractual obligations, we refer to the lawfulness of such processing pursuant to Art. 6 para. 1 lit. b and f GDPR.

If there are no contractual obligations, the legal basis is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para. 1 lit. a GDPR. You give your consent by actively dialling in for the purpose of the respective event and agree that your data provided to us may be transmitted to ZOOM Video Communication, Inc, San Jose, CA 95113, USA for the purpose of your participation in the event.

Inactive dial-in will result in you will not be able to participate in the ZOOM based event.

If we have asked for your consent and you have given it, you have the right to revoke such consent to the processing of your personal data for the purpose of participating in ZOOM Meetings at any time. To revoke your consent to the processing of your personal data, you can contact us using the contact details provided above.

ZOOM

Provider: ZOOM Video Communication, Inc, San Jose, CA 95113, USA

Website:

https://zoom.us/

Further information & data protection:
https://zoom.us/privacy

Guarantee: EU standard contractual clauses and order processing contract.

Recipient: Medartis AG / ZOOM USA

Storage location: Switzerland, EU and USA

 

Microsoft Teams

We use Microsoft Teams to conduct telephone/video conferences, online meetings.

Please note that other users/participants may see your name during use.

When using Teams, different categories of personal data are processed. These depend, among other things, on the personal data you provide during the online meeting.

- E-mail address, if this contains a personal reference
- Name, if you provide it
- Content of the online session, if you are recognisable to other participants (voice, image or in speech and writing)
- Log files and metadata (IP address)
- User name, if you provide it

When you start the Teams application, you will not be seen or heard due to our default settings. You would have to actively turn on the camera and/or microphone. Some meetings may be recorded in order to later be made available, e.g., to persons who were unable to attend the event, and for research, training, marketing and other internal and/or external purposes. Therefore, please decide for yourself whether you want to activate your camera and/or microphone.

If a recording of the Teams event is planned, we will inform you of such intended recording and the intended use thereof prior to the start of the recording. In addition, any ongoing recording will always be visible to you on the Teams interface. By turning on the camera and/or microphone switched on after you have been informed of the intended recording and its intended use, we consider this as reasonable consent to such recording and the use of any sound, photo and/or video recordings for research, training, marketing and other internal or external purposes.

Microsoft Office is software produced by Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. Teams is a Microsoft application. Microsoft is an American company. In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection representative of Microsoft Corporation, United States of America.

Insofar as personal data are processed for the fulfilment of contractual obligations, we refer to the lawfulness of such processing pursuant to Art. 6 para. 1 lit. b and f GDPR.

If there are no contractual obligations, the legal basis is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP)  and Art. 6 para. 1 lit. a GDPR. You give your consent by actively dialling in for the purpose of the respective event and agree that your data provided to us may be transmitted to Microsoft for the purpose of your participation in the event.

Inactive dial-in will result in you will not be able to participate in the Teams based event.

If we have asked for your consent and you have given it, you have the right to revoke such consent to the processing of your personal data for the purpose of participating in Teams Meetings at any time. To revoke your consent to the processing of your personal data, you can contact us using the contact details provided above.

Microsoft Teams

Provider: In the European Economic Area (EEA) and Switzerland, Microsoft Ireland Operations Limited, Dublin is the data protection agent for Microsoft Corporation, United States of America.

Website:

www.microsoft.com/de-de/microsoft-teams/log-in

Further information & privacy:

privacy.microsoft.com/de-de/privacystatement

Guarantee EU Standard Contractual Clauses: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF

Recipient: Medartis AG / Microsoft EU

Storage location: Switzerland and EU

 

Social media presences

We maintain social media presences through external services in order to be able to communicate with users optimise our online offering and marketing. For this purpose, plug-ins or direct links of such platforms may be embedded on our website. By clicking on such plug-ins or direct links, personal data (e.g. IP address) may be transmitted to the corresponding social media platform.

Social media presences:

https://www.facebook.com/Medartis-124219381112774/?ref=bookmarkswww.linkedin.com/company/medartis/https://twitter.com/Medartis_Global?lang=de
https://www.youtube.com/channel/UCWKBW9bJpZg7Zdc8GDm5Iww
https://www.instagram.com/medartis_global/

If we have asked you for your consent and you have given it, the legal basis for the processing is the Art. 31 para. 1 Swiss Federal Act on Data Protection (FADP) and Art. 6 para.1 lit. a GDPR. If we have not asked for your consent, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the optimisation of our online offer and marketing.

We are not the responsible party in terms of data protection for any subsequent data collection and/or processing by such social media platforms. We would like to inform you that the respective privacy policy and further information on data protection of the respective responsible parties apply and must be taken into account.

Depending on the service provider, your data may be transferred and processed outside the European Economic Area (EEA). In addition to the inherent data protection risks associated with such transfer, it may be more difficult to protect and exercise your rights as a data subject.

We have no influence on the further use of your data, which is processed by the respective service provider.

During the use of such external social media services, profiling (for the purposes of advertising, personalised information, etc.) may occur. Profiling can also take place across services and devices. For more information on the used services, the scope of data processing and the technologies and procedures involved in the use of the respective services, as well as whether profiling takes place when using the respective services, and, if applicable, information on the logic involved and how, and to what extent, such processing may affect you, please refer to the further information on the services we use and the links provided at the end of this section.

Facebook
Provider: Facebook Ireland Limited, Ireland. Facebook Ireland Limited is a subsidiary of Facebook, Inc, United States of America.
Website:

https://www.facebook.com

Further information, shared responsibility & privacy:

https://developers.facebook.com/docs/plugins/

https://facebook.com/privacy/explanation

https://facebook.com/policies/cookies/  

https://www.facebook.com/help/566994660333381?ref=dp 

https://facebook.com/help/568137493302217

LinkedIn provider:

If you are in the EU, European Economic Area (EEA) or Switzerland, this service is provided by
LinkedIn Ireland Unlimited Company, Ireland. If you are located outside the EU, the European Economic Area (EEA) or Switzerland, this service is provided by LinkedIn Corporation, United States of America.
Website:

https://www.linkedin.com

Further information & privacy:

https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy 
https://www.linkedin.com/legal/cookie-policy?trk=homepage-basic_footer-cookie-policy

Guarantee: EU Standard Contractual Clauses.

 

Twitter provider:

If you live within the European Union, EFTA countries or the United Kingdom, the controller is Twitter International Company, Ireland. If you live in the United States of America or in another country outside the European Union, EFTA countries or the United Kingdom, the controller is Twitter, Inc, United States of America.
Website:

https://www.twitter.com

Further information & privacy:

https://twitter.com/en/privacy

https://help.twitter.com/en/safety-and-security

 

YouTube

Provider: In the European Economic Area (EEA) and Switzerland, Google services are provided
by Google Ireland Limited, Ireland. Google Ireland Limited is a subsidiary of Google LLC, United States of America.
Website:

https://www.youtube.com/

Further information & data protection:

https://policies.google.com/?hl=en
Transfer of personal data to Google services in third countries takes place depending on the respective Google service under the application of the various EU standard contractual clauses.

For more information on this and Google's responsibility, please see the following link: https://privacy.google.com/businesses/compliance/#!#gdpr

 

Instagram

Provider: In the European Economic Area (EEA) and Switzerland

Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy Policy (Data Policy):

Website:

https://help.instagram.com/519522125107875

Opt-out and advertising settings:

Website: https://www.instagram.com/accounts/privacy_and_security/

 

Further links to other websites

Our website may contain links to other websites. Such websites are not covered by this privacy policy and we are not responsible for the privacy practices and/or the content of such other websites. We would like to inform you that the respective privacy policy and further information on data protection of the respective responsible parties apply and must be taken into account.

Depending on the service provider, your data may be transferred and processed outside the European Economic Area (EEA). In addition to the inherent data protection risks associated with such transfer, it may be more difficult to protect and exercise your rights as a data subject.

We have no influence on the further use of your data, which is processed by the respective service provider.

Scope and Amendment of this privacy policy

By using our website and the related offers and services, you consent to the collection and use of your personal data in accordance with this Privacy Policy. We reserve the right to change this privacy policy and related business practices at any time by uploading updated language on this website. Therefore, please check this page regularly for updates.

English translation

This is the English translation of the original document in German language. In case of any deviations between the present English version and the German original version, the latter shall prevail.

Thank you for visiting our website and for taking the time to read this privacy policy.

 

November, 2023

UK Data Protection Policy Document

Processing of special categories of personal data

1. This policy document

The following conditions for the processing of special category data require an appropriate policy document that set out and explain our procedures for ensuring and complying with the principles in Article 5 GDPR and the principles for the retention and deletion of such personal data. This document explains our processing and meets the requirements of Schedule 1, Part 1 of the UK DPA 2018.

In addition, this policy document contains some further information about our processing of special category data for which a policy document is not explicitly required. The information mentioned here is in addition to our privacy policy and the privacy notice for employees.

 

2. General

As part of our legal and corporate tasks, Medartis processes special category data in accordance with the requirements of Article 9 of the GDPR. Processing of personal data in connection with criminal convictions and offences pursuant to Article 10 of the GDPR does not take place. Schedule 1, Part 1 of the UK Data Protection Act 2018 ("DPA 2018") is taken into account.

 

2.1 Special categories of data

Special categories of data are defined in Article 9 of the GDPR as personal data revealing:

Race or ethnic origin;

Political opinions;

Religious or philosophical beliefs;

Membership of a trade union;

Genetic data;

Biometric data for the purpose of uniquely identifying a natural person;

Data on health; or

Data about a natural person's sex life or sexual orientation.

Data on criminal convictions

 

3. conditions for the processing of special category data and criminal offences

We process special categories of personal data in accordance with the following GDPR articles:

  • Article 9, paragraph 1 - Health data/Patient data

Example: Providing of our services

  • Article 9, paragraph 2 b) - where the processing is necessary for the performance or exercise of obligations or rights relating to employment.

Our role includes responsibility for monitoring and ensuring of the GDPR (and the UK Data Protection Act 2018) to protect the fundamental rights and freedoms of natural persons in relation to processing.

In cases where we obtain consent, we will ensure that the consent is explicit, relates to a specific purpose or purposes, is given by an affirmative act and verifiable.

An example of data processing based on consent is the processing of patient data for the manufacturing of customised implants.

 

3.1 Description of data processing

We process the special categories of data about our employees that are necessary to fulfil our obligations as an employer. This includes, among other things, information about sick leave, photographs and religious affiliation. For more information on this processing, please see our data protection notice for employees.

Patient data may be processed for billing purposes and for manufacturing of individual customised implants.

We also keep a register of our processing activities in accordance with Article 30 of the General Data Protection Regulation.

We have taken appropriate technical and organisational measures to meet accountability requirements. These include:

The appointment of a data protection officer who reports directly to our highest level of management.

We take a "data protection by design and default" approach to our activities.

Maintaining documentation of our processing activities.

Adopt and implement data protection policies and ensure that we have written contracts with our data processors.

Implement appropriate security measures in relation to the personal data we process.

Conduct data protection impact assessments for our high-risk processing.

We regularly review our accountability measures and update or amend them as necessary.

 

3.2 Principle: Legality, fairness and transparency

The processing of personal data must be lawful, fair and transparent. It is only lawful if and insofar as it is based on a legal basis and either the data subject has consented to the processing or the processing complies with a further legal basis under Art. 6 and/or Art. 9 GDPR.

We provide clear and transparent information about why we process personal data, including our legal basis for processing in our privacy notice, employee privacy notice and this policy document.               

Our processing for employment purposes relates to our obligations as an employer.

Our processing in relation to patient data relates to providing our service.

 

3.3 Principle: Earmarking

We process personal data exclusively for the above-mentioned purposes, provided that the processing is necessary for us to fulfil our duty as an employer as well as a service provider and manufacturer.          

If we share data with another data controller, we document that they are authorised.

We will not process personal data for purposes which are incompatible with the original purpose for which it was collected.

 

3.4 Principle: Data minimisation

We collect personal data which are necessary for the respective purposes and ensure that only actually relevant data are processed. The data we process is necessary and adequate for our purposes. If personal data is provided to us or we receive it, but it is not relevant for our specified purposes, we delete it.

 

3.5 Principle: Accuracy

If we notice that personal data is inaccurate or out of date in relation to the purpose for which it is processed, we will take all reasonable steps to ensure that such data is removed or corrected immediately. 

 

3.6 Principle: Limitation of storage

All special category data which we process for the purposes of employment or providing our services or customised manufacturing will be retained for the time periods wich we specified in our documentation unless it is retained for longer archival purposes. We determine the retention period for this data based on our legal obligations and the need to retain it for our business needs.

 

3.7 Principle: Integrity, Confidentiality and Security

We restrict the access to personal data for necessary processing and have taken technical and organisational measures to ensure that personal data is stored in a secure location and transferred securely to ensure adequate protection of that data.

Only employees who have a legitimate need to know the data to achieve a business objective will have access to personal data, and only for as long as they need. Employees are not permitted to disclose personal data to other employees or third parties unless permitted and in accordance with this policy and other internal data protection procedures.

We take reasonable precautions to secure all personal data against unauthorised access and use and regularly review security measures.

We also conduct risk assessments and ensure that our employees understand the importance of protecting personal data. We carefully select service providers who process personal data on our behalf so that they also take appropriate technical and organisational measures to protect personal data.

Medartis ensures all reasonable efforts to notify data subjects and the relevant authorities when there is a suspicion that personal data has been stolen, disclosed, changed or breached by an unauthorised person. In the event of a data breach, a personal data breach report will be prepared.

We maintain a register of personal data processing and assess the level of protection to be aware of the risks and sensitivity of the data.

 

4.0 Review date

This policy will be reviewed annually or revised more frequently if necessary.

Version 1 - 02/2022