Privacy policy

Version from 25 May 2018

This privacy policy lays out how the MedTrace Group, consisting of MedTrace Pharma A/S, MedTrace AB and MedTrace Pharma, Inc. (in the following “MedTrace”), processes personal data on:

 

  • Visitors on our website
  • Data subjects in our Customer Relationship Management-system
  • Contact persons at suppliers, service providers, other contracting partners and research partners
  • Next of kin to MedTrace employees
  • Members of the board of directors
  • Shareholders, investors, loan providers
  • Clinical trial subjects

A. Identity and the contact details of the controller

Address:
MedTrace Pharma A/S
Diplomvej 381
2800 Kgs. Lyngby
Denmark

Company registration no.: 36 49 76 61
Phone: + 45 28 10 41 49 (DK)
+1 833 615-4261 (US)
Email: connect@medtrace.dk
Website: www.medtrace.dk

B. Contact details of the Data Protection Officer

MedTrace is not obligated to designate a Data Protection Officer, cf. Article 37 (1) GDPR, and has chosen not to appoint a Data Protection Officer.

C. Categories of personal data, purposes of the processing and the legal basis for the processing

Please note: Not all the information listed in a “Category of personal data” will necessarily be processed on the data subject in the corresponding “category of data subject”. In some circumstances, only some of the categories of personal data will be processed on the relevant data subject.

For each category of data subject, the entries below give the category of personal data, the purpose of processing and the legal basis for processing.

Visitors on our website

Category of personal data:

  • Persistent cookies including language settings, type of browser, operating system, geographic location of data subject, behavior on website, duration of session on website
  • Acceptance/rejection of cookies

Purpose of processing:

  • To load the website and to optimize the website
  • To create a better experience on the website

Legal basis for processing:

  • MedTrace’s legitimate interest in delivering the website, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Cookies are based on consent, cf. The Executive Order on Cookies (in Danish: Cookie-bekendtgørelsen) section 3.

Admins on our website

Category of personal data:

  • Persistent cookies including language settings, type of browser, operating system, geographic location of data subject, behavior on website, duration of session on website
  • Admin settings including customized user interface
  • Time of latest change made

Purpose of processing:

  • To load the website and to optimize the website
  • To create a better experience on the website

Legal basis for processing:

  • MedTrace’s legitimate interest in delivering the website, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Cookies are based on consent, cf. The Executive Order on Cookies (in Danish: Cookie-bekendtgørelsen) section 3.

Data subjects in our Customer Relationship Management system

Category of personal data:

  • Name, employer, function, prefix, title, business address, business telephone number, business email address, company information
  • Registration to receive invitation to events and news about MedTrace
  • Registration to receive Christmas cards
  • History on participation in events
  • E-mail correspondence and notes from relevant meetings with the data subject
  • Documentation of consent

Purpose of processing:

  • Communication purposes, to maintain contact information in order to communicate
  • Marketing purposes, to send customized invitations and updates in relation to MedTrace
  • Booking of travels in connection with meetings and events
  • Communication purposes, to maintain information on the relation and former communication with the data subject in order to improve continuity and customize the customer contact

Legal basis for processing:

  • MedTrace’s legitimate interest in being able to communicate with the data subjects in the CRM-system, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • MedTrace’s legitimate interest in providing relevant data subjects with updates about the development in the company by sending invitations and news updates, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Collection and transfer of copies of passport, CPR-number for the use of booking travels are based on consent, cf. art. 6 (1) (a) GDPR, cf. The Data Protection Act section 6.
  • Transfer of ordinary personal data for the use of booking travels is based on MedTrace’s legitimate interest in providing this service, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

Contact persons at suppliers, service providers, other contracting partners and research partners

Category of personal data:

  • Name, employer, title, business address, business telephone number, business email address, company information

Purpose of processing:

  • Communication purposes, to communicate with our contact persons at suppliers, service providers, other contracting partners and research partners

Legal basis for processing:

  • MedTrace’s legitimate interest in being able to communicate with contracting partners and research partners, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

Next of kin to MedTrace employees

Category of personal data:

  • Name, private address, private telephone number, private email address, relation to MedTrace employee

Purpose of processing:

  • Communication purposes, to communicate with next of kin in cases where this is necessary

Legal basis for processing:

  • MedTrace’s legitimate interest in being able to communicate with a next of kin of an employee, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

Members of the board of directors

Category of personal data:

  • Name, private address, business address, private telephone number, business telephone number, private email address, business email address, employer, title, company information
  • CPR-number
  • Financial information, bank account number, tax information
  • Photos

Purpose of processing:

  • Communication purposes, to communicate with members of board of directors
  • Administration of compensation
  • Use of photos on website and for marketing purposes

Legal basis for processing:

  • MedTrace’s legitimate interest in being able to communicate with members of board of directors, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Collection and processing of and financial information is necessary for the performance of a contract, cf. art. 6 (1)(b) GDPR, cf. The Data Protection Act section 12.
  • Collection and processing of CPR-number and tax information is processed for administration of compensation and reporting to the tax authority, cf. The Data Protection Act section 11 (2) no. 1 and 2, cf. art. 87 GDPR.
  • Collection and processing of photos are based on consent, cf. art. 6 (1)(a), cf. The Data Protection Act section 6.

Shareholders, investors, loan providers

Category of personal data:

  • Name, private address, business address, private telephone number, business telephone number, private email address, business email address, employer, title, company information

Purpose of processing:

  • Communication purposes, to communicate with shareholders, investors and loan providers

Legal basis for processing:

  • MedTrace’s legitimate interest in being able to communicate with shareholders, investors and loan providers, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

Clinical trial subjects

Category of personal data:

  • Name, private address, private telephone number, private email address
  • Birthday, birth year, gender, nationality, civil status, family members, government identity number

Special categories of personal data:

  • Race and ethnicity
  • Health, including physical health history, inclusion criteria, clinical trial results

MedTrace uses a Data Processor, a “Contract Research Organization”, to perform the clinical trials. MedTrace will have no access to the information on the clinical trial subjects but seeing as MedTrace is the sponsor of the clinical trials, MedTrace is considered the Controller and thereby responsible for the protection of data.

Purpose of processing:

  • Clinical trial purposes, to carry out the clinical tests sufficient to demonstrate and confirm the safety and efficiency of the MT-100

Legal basis for processing:

  • Collection and processing is based on consent, cf. art. 6 (1) (a) and art. 9 (2) (a) GDPR, cf. The Data Protection Act section 6 (1) and section 7 (1).
  • Transfer of your personal data is based on consent, cf. art. 6 (1) (a) and art. 9 (2) (a) GDPR, cf. The Data Protection Act section 6 (1) and section 7 (1).

D. Consent:

You can withdraw your consent to MedTrace’s processing of your personal data at any time. You can withdraw your consent by contacting us using the contact information provided above.

The lawfulness of the processing and transfer based on your consent before your withdrawal is not affected if you choose to withdraw your consent. If you choose to withdraw your consent, the withdrawal will thus only take effect from that point in time.

E. Sources

The personal data we process on you is primarily provided directly from you or from your unit. In some cases, the information is provided from your employer or from public authorities such as tax authorities.

F. Provision and failure to provide

In most circumstances when we collect personal data directly from you, you provide us with the information voluntarily or in order to enter into or to fulfill the requirements of a contract with us. In some circumstances, you are obligated to provide the information to us, e.g. your personal identity/social security-number for reporting to the tax authorities.

The consequence of not providing the personal data, as listed above, is that we cannot address the purposes mentioned above. Thus, we cannot make the website available to you, we cannot communicate with you, we cannot comply with our obligations as your contracting party and cannot comply with our obligations towards public authorities.

G. Data Processors

MedTrace uses Data Processors to host personal data and to support our use of systems.

In relation to clinical trial subjects, MedTrace uses a Data Processor, Cardiovascular Clinical Studies located in Boston, USA, to manage the clinical trials (a “Contract Research Organization” or “CRO”). The CRO will in many cases also use processors (e.g. “Principal Investigators”).

H. Transfer of personal data

In some cases, MedTrace transfers personal data to Data Processors, to the MedTrace website, to public authorities or to external legal advisors and accountants.

I. Transfer to third countries

In some situations, MedTrace transfers personal data to countries outside of the EU/EEA countries, currently to the US. We transfer information to the US, because MedTrace has a US based department of MedTrace, MedTrace Pharma, Inc (US). In relation to clinical trials, MedTrace will transfer personal data to and from the US as the trials will take place in the US.

The Commission of the European Union has not made a decision on the legality of the practice on data protection in the US or the EU-US Privacy Shield. In most cases, transfers will be based on your consent, based on the necessity for the performance of a contract between you and MedTrace or based on the necessity for the performance of a contract in your interest between MedTrace and another natural or legal person, cf. art. 49 (1) (a), (b) and (c) GDPR.

J. Period of storage

Visitors on our website: Persistent cookies are stored for a period of up to 2 years and information on consent to cookies is stored for a period of up to 1 year.

Admins on our website: Persistent cookies are stored for a period of up to 2 years and information on admin settings is stored for a period of up to 1 year.

Data subjects in our CRM-system: We store personal data on you in our CRM-system until you ask to be deleted or until we have not had any interaction with you for more than five years

Contact persons at contracting partners and research partners: We store personal data on you as long as it is relevant for our relationship, and as long as necessary to establish, determine or defend a legal claim

Next of kin to MedTrace employees: We delete your personal data when the employee resigns.

Owners, members of management and members of the board of directors, members of the advisory board: We store personal data on you as long as it is relevant for our relationship, and as long as necessary to establish, determine or defend a legal claim

Clinical trial subjects: Via our Data Processor, the CRO, we indirectly store personal data on you as long as necessary in order to address the purpose to which your personal data was collected. When determining how long we will store your personal data, we will consider (a) compliance with requirements to documentation according to legislation and (b) our opportunity to establish, determine or defend a legal claim.

K. Your rights

According to GDPR, you have the following rights (on the conditions and with the exceptions that follow from the regulation). If you wish to exercise any of these rights, you will need to contact us using the contact details provided above.

 

    • Right of access

You have the right to access the personal data we process on you

    • Right to rectification

You have the right to have inaccurate personal data rectified

    • Right to erasure

In some circumstances, you have the right to have personal data deleted

    • Right to restriction of processing

In some circumstances, you have the right to have the processing of your personal data restricted

    • Right to data portability (where processing is based on consent)

In some circumstances, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance

    • Right to object to processing (where processing is based on legitimate interests)

In some circumstances, you have the right to object to our processing of your personal data

L. Complaints

You also have the right to complain to the Danish Data Protection Authority (in Danish: Datatilsynet), if you are dissatisfied with the way we process your personal data. You can find the contact details of the Danish Data Protection Authority on www.datatilsynet.dk.

Contact

+45 28 10 41 49 (GMT+1)
+1 (833) 615-4261 (USA)
connect@medtrace.dk
