Privacy Policy and Cookies.
1. General points to note
SIS MEDICAL AG, Hungerbüelstrasse 12a, CH-8500 Frauenfeld, Switzerland, and its group companies (also “SIS MEDICAL”, “we” or “us”) process personal data relating to you or other persons in different ways and for different purposes. A list of the group companies can be found under link.
Where we refer below to “SIS MEDICAL”, “we” or “us”, this refers in each case to the group company acting as a controller for data processing. “Personal data” (also “data”) is any information that can be linked to a particular individual, and “process” means any handling of personal data, such as obtaining, using and disclosing it.
This privacy notice explains how we process personal data, particularly in the course of our business dealings, in connection with our website and other tools, when you communicate with us, when you register for services (e.g. our newsletter) and when you interact with us in the context of any other data processing related to our offers.
You may provide data to us that relates to other individuals. If you do this, we understand that you confirm this data is accurate. As we may not be in direct contact with these third parties, we expect you to inform them about our processing of their data (for example by referring to this privacy notice).
We have based this privacy notice on both the Swiss Data Protection Act (FADP) and the European Union’s General Data Protection Regulation (GDPR). Whether and to what extent the GDPR applies depends on each individual case.
Please take the time to read this privacy notice to understand how and why we process your personal data, how we protect your personal data and to learn more about your rights. If you have any questions or would like further information on our data processing, please do not hesitate to contact us (see Section 2).
2. Who is responsible for processing your data?
The following company (also “we”) is the “controller”, i.e. the party that is primarily responsible for the processing of personal data in accordance with this policy:
SIS MEDICAL AG
Hungerbüelstrasse 12a
CH-8500 Frauenfeld
Switzerland
If you are in contact with another group company, e.g. because you or your company obtain a service from this company or because you directly correspond with this company, then this company is the controller.
If you have any questions about our processing of your data, you may contact any of the controllers, but it will be easiest for us to respond if you direct communication to the following address:
+41 (0)52 245 09 90
info@sis-medical.com
3. How do we process data in connection with our products and services?
If you use or if you enter into an agreement for the use of our products and services (together “Products”), we process data to enter into and perform a contract:
- We process data when we are in contact with the company you work for in view of a contract, for example if your company purchases a Product from us or discusses a potential purchase with us. We will process your contact details as well as information about your professional role and about the activities you perform for your company, including discussions and negotiations we may conduct with your participation and the conclusion of a contract.
- We also process personal data during and after the term of the contract. Examples are information on the purchase of Products, but also on payments, contacts with customer service, claims, complaints and vigilance reports, defects, returns, data on the termination of the contract and – should disputes in connection with the contract arise – also on these and corresponding procedures. In all these cases, we may process data about you as you act for your company.
- We also process the aforementioned data for statistical analysis (for example, which products sell best, in which regions, which customer groups buy which products etc.). Such evaluations help us with the improvement and development of products and business strategies. We may also use them on a personal basis for marketing purposes; please see Section 4 for details.
- We may also process limited patient data in order to fulfill regulatory requirements for medical devices, e.g. in relation to complaints and adverse event reporting.
4. How do we process data in connection with newsletter and marketing?
We also process personal data in order to promote our services and those of third parties.
- Newsletters: We send out electronic newsletters that may contain advertising for our offerings. We ask for your consent, except when we promote certain offers to existing customers. To receive newsletters, a valid e-mail address is required, and we also collect the IP address you use when you sign up for our newsletter and the date when you sign up. Because we use the double opt-in standard, we also process data about sign-up confirmation. You can unsubscribe at any time using the link that is included in every newsletter, and on our website. You can also tell us that you wish to unsubscribe by contacting us directly.
- Market research: We also process data to improve services and develop new products, for example information about purchases, your reaction to newsletters or information from customer surveys or from social media, media monitoring services and public sources. While this data is largely focused on companies, it may include data about you as well.
More information about online ads is set out below in Section 7.
5. How do we disclose personal data?
We work in a group of companies (see sec. 1). Our group companies can exchange data, sometimes including personal data, as reasonably required for their activities and reporting and collaboration purposes. We assume that such disclosures do not conflict with any interests of confidentiality, unless you tell us otherwise.
We also use services from third parties, especially IT services (for example from providers of hosting or data analysis services), shipping and logistics services and services from banks, post and couriers, consultants etc. For service providers for our website, please see Section 7. These service providers may all process personal data to the extent it is necessary for their tasks.
Where we collect patient data, we process it as required to fulfill regulatory requirements for medical devices and may share related contact details with “National Competent Authorities”, “Notified Bodies” or country representatives.
6. Can we disclose data abroad?
The recipients of data are not all located in Switzerland, for example SIS Medical GmbH in Germany and our service providers, who can be located abroad including outside the European Economic Area (EEA) and Switzerland, in particular in the USA, but also in other countries worldwide. For example, we may transfer data to authorities and other persons including National Competent Authorities, Notified Bodies or country representatives abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings. Not all of these countries currently ensure an adequate level of data protection according to the standards of Swiss law. We therefore take contractual precautions to compensate for the lower level of legal protection, especially with the standard contractual clauses issued by the European Commission and recognized by the Swiss Data Protection and Information Commissioner (FDPIC). For more information and a copy of these clauses please visit www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html
7. Do we use online tracking and online advertising?
7.1 Log data
Each time you visit a website, the service collects certain information that is kept temporarily in log files (“log data”), in particular the device IP address and information about the internet service provider and the operating system of the device and browser used, about the referring URL, about the date and time of access, and about content that is accessed throughout the visit. We use this type of data in order to maintain our website, ensure the security and stability of the website and to optimize content, and also for statistics.
7.2 Cookies and similar technology
We use technology that allows us and others we engage to collect information about visits to our website, and in some cases also visits to other websites. In order to do that, we allocate an identifier – such as an IP address or a cookie ID – to the device you use, to distinguish your visits from those of others. This helps us understand the visitor flow to and on our website to ensure its functionality and to carry out analysis and personalization. We have no intention and usually no way of identifying you using this type of data.
We mentioned cookies above – these are small files that your browser puts on your device. These files are kept for the set expiration time, and include unique numbers that allow us to distinguish individual browsers, but without identifying you. When you next visit our website or third-party websites, these can read the cookie and recognize you (i.e., your system).
We may use other technologies that can recognize your unique device such as “fingerprinting”. A “fingerprint” is a combination of data that your system tells the server when establishing a connection, in particular IP address, your browser, screen resolution, language settings and other information.
Therefore, your visits can be “tracked” whenever you access a server (for example when you use a website, or because an e-mail includes a visible or invisible image). If we integrate offerings from an ad partner or a provider of an analysis tool on our website, they may track you in the same way, even if you cannot be identified in a particular case. Depending on the specific purpose, we ask for your consent first.
You can set your browser to block most cookies or other technology or remove stored data from your browser. You can also add software to your browser that blocks certain third-party tracking. You can find more information on the help pages of your browser or on the websites of the third parties set out below.
Because cookies are used for different purposes, there are different categories of cookies (and other technology):
- Necessary cookies: These cookies are necessary for the website as such or its features. For example, they enable you to go from one page to another without losing some information, such as data entered in a form. These cookies are kept only temporarily (and therefore are “session cookies”). If you block these cookies the website will not always work properly. Some cookies are necessary to keep data such as language settings beyond your visit. These cookies are set to expire after [24 months].
- Performance cookies: Other cookies are used to optimize and personalize the website. These record and analyze the use of our website and may be kept after you leave the website. For that, we use third parties that provide analytics services (see below). [We ask for your consent before we use performance cookies. You can withdraw consent any time through the cookie settings: [link]]. Performance cookies have an expiration date of [24 months].
- Marketing Cookies: We and ad partners we work with wish to customize ads, i.e. only show ads to those we want to address. Below is a list of these partners. For that purpose, we and the partners use cookies that record the contents you access. [We ask for your consent before we use performance cookies. You can withdraw consent any time through the cookie settings: [link]] We and our partners can then display ads that we think will be of interest to you, on our website and on other websites as well. The cookies used for this purpose have an expiration period of a few days up to [12 months]. If you consent to our use of these cookies, you will be shown more relevant ads. If you do not consent, you will not see fewer ads, but other, less specific ones.
Our most important third-party provider for our website is Google. Other third parties generally process personal and other data in a similar way. For instance, we use Google Analytics and Google reCAPTCHA on our website, analysis services provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland). Google collects certain information about the behavior of users on the website and the device used. The IP addresses of visitors are truncated in Europe before being forwarded to the USA. Google provides us with analyses based on the recorded data, but also processes certain data for its own purposes. You can find information on the data protection of Google Analytics here, and if you have a Google account, you can find further details here.
8. How do we process data in connection with social media?
We operate our own social media pages on third-party platforms (e.g. LinkedIn). If you communicate with us there or comment or share content, we collect information for this purpose, which we use primarily to communicate with you, for marketing purposes and for statistical evaluations. Please note that when you visit our social media pages, the platform provider also collects and processes data itself (e.g. on user behavior), possibly together with other data known to it (e.g. for marketing purposes). Further information on data processing by social network providers can be found in the privacy notice of the platform.
9. Do we process data for other purposes?
Yes, because many tasks involve some form of data processing. It is not always possible to determine these types of processing nor the extent of the data processed in advance, but the following list includes the most relevant processing:
- Communication: When you and we communicate with each other, we process the content of communication exchanged as well as information about its nature, time and location, for the purpose of communicating with you and keeping a record of communication. If you use the online form or an application on your mobile phone to contact us or to make a complaint, we will process the information you provide in the form or application, and when we need to identify you we will also process data about your proof of identity.
- Compliance with legal requirements: We may disclose information to authorities and Notified Bodies as required by law and as necessary to comply with regulations.
- Prevention: We process data to prevent criminal offences and other breaches, for example in the context of fraud prevention or internal investigations.
- Legal proceedings: Where we are involved in legal proceedings (for example before a court or administrative body), we process data about the parties to the proceedings and other persons involved, such as witnesses, and disclose data to these parties and to courts and authorities, possibly outside of your country.
- Job applications: If you apply for a job with us, we process the relevant data to assess the application, carry out the application process and in the case of successful applications to enter into an employment agreement. We will also process the data submitted with your application and data we obtain about you from job-related social networks, the internet, the media and from references (if you consent to our obtaining a reference). We generally keep your data for six months.
- IT security: We process data for monitoring, controlling, analyzing and securing our IT infrastructure, as well as for backups and archiving data.
- Competition: We process data about our competitors and the market environment in general. We may process data about key individuals, in particular their name, contact details, role or function and public statements.
- Transactions: If we sell or acquire assets, businesses or companies, we process data as reasonably necessary to prepare and execute these transactions, for example information about our customers’ contact persons or employees, and disclose that data to potential buyers or sellers.
- According to separate information and consent: We may collect and process personal data in accordance with information provided separately, and/or on the basis of separate consent, for example if you allow us to use video or photo content involving you for marketing purposes.
- Other purposes: We process data for other purposes such as training and education, for administration (for example contract management or accounting), to enforce and defend claims, to evaluate and improve how we work internally, to create non-personal statistics, and to protect other legitimate interests.
10. What is the legal basis for processing personal data?
Depending on the applicable law, data processing is only permitted if the applicable law specifically allows it. This does not apply under the Swiss Data Protection Act (FADP), but it does under the GDPR where it applies (this can only be determined on a case-by-case basis). In such cases, we process personal data on the basis that it is
- necessary to enter into an agreement with the relevant person or for pre-contractual measures at their request (e.g. to review a request for an agreement, to communicate in relation to a contract, to verify performance and to enforce an agreement);
- necessary to safeguard legitimate interests, for example when we work together within the group or for certain direct marketing measures in relation to existing customers, or when we analyze data for statistical purposes or need to comply with legal obligations arising under non-EEA laws;
- based on consent, for example when you opt in for a newsletter or consent for us to use video or photo content involving you;
- required for compliance with legal obligations under EEA laws.
Where the GDPR applies, these legal grounds are in article 6 and, should we process sensitive personal data (see sec. 3), in article 9 GDPR.
You are not obliged to disclose data to us, except in some cases (for example if a contractual obligation involves disclosing data to us). However, we need to process data for legal and operational reasons when we conclude and execute contracts. The use of our website is also not possible without data processing (see Section 7).
11. How long do we process personal data?
We process your personal data for as long as it is necessary for the processing purpose (in case of contracts, generally for the duration of the relationship), as long as we have a legitimate interest in keeping data (for example to enforce legal claims, or for archiving and/or ensuring IT security) and as long as we are under a legal retention obligation (for example, a ten-year retention period applies for some business-related data). When these periods expire, we delete or anonymize your personal data.
12. What are your rights?
You have the right to object to data processing, in particular if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. You can also object to data processing in connection with direct advertising (e.g. advertising e-mails) at any time.
Provided the applicable conditions are met and there are no applicable statutory exceptions, you also have the following rights:
- If you wish to receive further information and a copy of your data, you can also submit an access request to us (information about your personal data stored by us);
- the right to have inaccurate or incomplete personal data corrected or completed, or have it supplemented by a note of objection;
- the right to receive certain personal data in a structured, common and machine-readable format;
- the right to request the deletion or anonymization of your personal data;
- the right to request that the processing of your personal data be restricted;
- if we process data on the basis of your consent, you can withdraw consent at any time. Withdrawal is only effective going forward, and we reserve the right to continue to process data on another basis, where applicable.
Please note that these rights may be subject to conditions and restrictions.
If you wish to exercise such a right, please feel free to contact us (see Section 2, “Who is responsible for processing your data?”). We will have to verify your identity. You are also free to lodge a complaint against our processing of your data with the competent supervisory authority. In Switzerland, the competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).