Privacy Policy

Version: 10-12-2019

This privacy policy lays out how MedTrace Group, consisting of MedTrace Pharma A/S, MedTrace AB and MedTrace Pharma, Inc. (in the following “MedTrace”), processes personal data on:

  • Visitors on our website
  • Data subjects in our Customer Relationship Management-system
  • Contact persons at suppliers, service providers, other contracting partners and research partners
  • Next of kin to MedTrace employees
  • Members of the board of directors
  • Shareholders, investors, loan providers
  • Clinical trial subjects (MedTrace sponsored studies)

 

A. Identity and the contact details of the controller
Address:

 

B. Contact details of the Data Protection Officer
MedTrace is not obligated to designate a Data Protection Officer, cf. Article 37 (1) GDPR, and has chosen not to appoint a Data Protection Officer.

 

C. Categories of personal data, purposes of the processing and the legal basis for the processing

Please note: Not all the information listed in a “Category of personal data” will necessarily be processed on the data subject in the corresponding “category of data subject”. In some circumstances, only some of the categories of personal data will be processed on the relevant data subject.

 

Category of data subject

  • Visitors on our website
  • Admins on our website
  • Data subjects in our Customer Relationship Management system
  • Contact persons at suppliers, service providers, other contracting partners and research partners
  • Next of kin to MedTrace employees
  • Members of the board of directors
  • Shareholders, investors, loan providers
  • Clinical trial subjects (MedTrace sponsored studies)

 

Category of personal data per data subject
Visitors to website

  • Persistent cookies including language settings, type of browser, operating system, geographic location of data subject, behavior on website, duration of session on website
  • Acceptance/rejection of cookies

 

Admins on our website

  • Persistent cookies including language settings, type of browser, operating system, geographic location of data subject, behavior on website, duration of session on website
  • Admin settings including customized user interface
  • Time of latest change made

 

Data Subjects in our CRM system

  • Name, employer, function, prefix, title, business address, business telephone number, business email address, company information
  • Registration to receive invitation to events and news about MedTrace
  • Registration to receive Christmas cards
  • History on participation in events
  • E-mail correspondence and notes from relevant meetings with the data subject
  • Documentation of consent
  • Type of organization

 

Contact persons at suppliers, service providers, other contracting partners and research partners

  • Name, employer, title, business address, business telephone number, business email address, company information

 

Next of kin of MedTrace Employees

  • Name, private address, private telephone number, private email address, relation to MedTrace employee

 

Members of the Board of Directors

  • Name, private address, business address, private telephone number, business telephone number, private email address, business email address, employer, title, company information
  • CPR-number
  • Financial information, bank account number, tax information
  • Photos

 

Shareholders, investors, loan providers

  • Name, private address, business address, private telephone number, business telephone number, private email address, business email address, employer, title, company information, investment or loan information

 

Clinical trial subjects (MedTrace sponsored studies)

  • Name, private address, private telephone number, private email address
  • Birthdate, birth year, gender, nationality, civil status, family members, government identity number
  • Special categories of personal data:
      • Race and ethnicity
      • Health, including physical health history, inclusion criteria, clinical trial results

 

MedTrace uses a Data Processor, a “Contract Research Organization”, to perform the clinical trials. MedTrace will have no access to the information on the clinical trial subjects, but as MedTrace is the sponsor of the clinical trials, MedTrace is considered the Controller and is thereby responsible for the protection of data.

 

Purpose of processing per data subject

Visitors to website

  • To load the website and to optimize the website
  • To create a better experience on the website

 

Admins on our website

  • To load the website and to optimize the website
  • To create a better experience on the website

 

Data subjects in our Customer Relationship Management system

  • Communication purposes, to maintain contact information in order to communicate
  • Marketing purposes, to send customized invitations and updates in relation to MedTrace
  • Booking of travels in connection with meetings and events
  • Relationship management purposes, to maintain information on the relation and former communication with the data subject in order to improve continuity and customize the customer contact

 

Contact persons at suppliers, service providers, other contracting partners and research partners

  • Communication purposes, to communicate with our contact persons at suppliers, service providers, other contracting partners and research partners

 

Next of kin of MedTrace Employees

  • Communication purposes, to communicate with next of kin in cases where this is necessary

 

Members of the Board of Directors

  • Communication purposes, to communicate with members of the board of directors
  • Administration of compensation
  • Use of photos on website and for marketing purposes

 

Shareholders, investors, loan providers

  • Communication purposes, to communicate with shareholders, investors and loan providers

 

Clinical trial subjects (MedTrace sponsored studies)

  • Clinical trial purposes, to carry out the clinical tests sufficient to demonstrate and confirm the safety and efficiency of the MedTrace technology

 

Legal basis for processing
Visitors to website

  • MedTrace’s legitimate interest in delivering the website, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Cookies are based on consent, cf. The Executive Order on Cookies (in Danish: Cookie-bekendtgørelsen) section 3.

 

Admins on our website

  • MedTrace’s legitimate interest in being able to communicate with the data subjects in the CRM-system, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • MedTrace’s legitimate interest in providing relevant data subjects with updates about the development in the company by sending invitations and news updates, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Collection and transfer of copies of passport, CPR-number for the use of booking travels are based on consent, cf. art. 6 (1) (a) GDPR, cf. The Data Protection Act section 6.

 

Data subjects in our Customer Relationship Management system

  • Transfer of ordinary personal data for the use of booking travels is based on MedTrace’s legitimate interest in providing this service, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

 

Contact persons at suppliers, service providers, other contracting partners and research partners

  • MedTrace’s legitimate interest in being able to communicate with contracting partners and research partners, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

 

Next of kin of MedTrace Employees

  • MedTrace’s legitimate interest in being able to communicate with a next of kin of an employee, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

 

Members of the Board of Directors

  • MedTrace’s legitimate interest in being able to communicate with members of the board of directors, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).
  • Collection and processing of financial information is necessary for the performance of a contract, cf. art. 6 (1)(b) GDPR, cf. The Data Protection Act section 12.
  • CPR-number and tax information are collected and processed for administration of compensation and reporting to the tax authority, cf. The Data Protection Act section 11 (2) no. 1 and 2, cf. art. 87 GDPR.
  • Collection and processing of photos are based on consent, cf. art. 6 (1)(a), cf. The Data Protection Act section 6.

 

Shareholders, investors, loan providers

  • MedTrace’s legitimate interest in being able to communicate with shareholders, investors and loan providers, cf. art. 6 (1) (f) GDPR, cf. The Data Protection Act section 6 (1).

 

Clinical trial subjects (MedTrace sponsored studies)

  • Collection and processing is based on consent, cf. art. 6 (1) (a) and art. 9 (2) (a) GDPR, cf. The Data Protection Act section 6 (1) and section 7 (1).
  • Transfer of your personal data is based on consent, cf. art. 6 (1) (a) and art. 9 (2) (a) GDPR, cf. The Data Protection Act section 6 (1) and section 7 (1).

 

D. Consent
You can withdraw your consent to MedTrace’s processing of your personal data at any time. You can withdraw your consent by contacting us using the contact information provided above (section A).

The lawfulness of the processing and transfer based on your consent before your withdrawal is not affected if you choose to withdraw your consent. If you choose to withdraw your consent, the withdrawal thus only takes effect from that point in time.

 

E. Sources
The personal data we process on you is primarily provided directly from you or from your unit. In some cases, the information is provided from your employer or from public authorities such as tax authorities.

 

F. Provision and failure to provide
In most circumstances when we collect personal data directly from you, you provide us with the information voluntarily or in order to enter into or to fulfill the requirements of a contract with us. In some circumstances, you are obligated to provide the information to us, e.g. your personal identity/social security-number for reporting to the tax authorities.

The consequence of not providing the personal data, as listed above, is that we cannot address the purposes mentioned above. Thus, we cannot make the website available to you, we cannot communicate with you, we cannot comply with our obligations as your contracting party and cannot comply with our obligations towards public authorities.

 

G. Data Processors
MedTrace uses Data Processors to host personal data and to support our use of systems.

In relation to clinical trial subjects, MedTrace uses a Data Processor, Cardiovascular Clinical Studies located in Boston, USA, to manage the clinical trials (a “Contract Research Organization” or “CRO”). The CRO will in many cases also use processors (e.g. “Principal Investigators”).

 

H. Transfer of personal data
In some cases, MedTrace transfers personal data to Data Processors, to the MedTrace website, to public authorities or to external legal advisors and accountants.

 

I. Transfer to third countries
In some situations, MedTrace transfers personal data to countries outside of the EU/EEA countries, currently to the US. We transfer information to the US because MedTrace has a US-based department, MedTrace Pharma, Inc. (US). In relation to clinical trials, MedTrace will transfer personal data to and from the US as the trials will take place in the US.

The Commission of the European Union has not made a decision on the legality of the practice on data protection in the US or the EU-US Privacy Shield. In most cases, transfers will be based on your consent, based on the necessity for the performance of a contract between you and MedTrace or based on the necessity for the performance of a contract in your interest between MedTrace and another natural or legal person, cf. art. 49 (1) (a), (b) and (c) GDPR.

 

J. Period of storage
Visitors on our website: Persistent cookies are stored for a period of up to 2 years and information on consent to cookies is stored for a period of up to 1 year.

Admins on our website: Persistent cookies are stored for a period of up to 2 years and information on admin settings is stored for a period of up to 1 year.

Data subjects in our CRM-system: We store personal data on you in our CRM-system until you ask to be deleted or until we have not had any interaction with you for more than five years.

Contact persons at contracting partners and research partners: We store personal data on you as long as it is relevant for our relationship, and as long as necessary to establish, determine or defend a legal claim.

Next of kin to MedTrace employees: We delete your personal data when the employee resigns.

Owners, members of management and members of the board of directors, members of the advisory board: We store personal data on you as long as it is relevant for our relationship, and as long as necessary to establish, determine or defend a legal claim.

Clinical trial subjects: Via our Data Processor, the CRO, we indirectly store personal data on you as long as necessary in order to address the purpose for which your personal data was collected. When determining how long we will store your personal data, we will consider (a) compliance with requirements to documentation according to legislation and (b) our opportunity to establish, determine or defend a legal claim.

 

K. Your rights
According to GDPR, you have the following rights (on those conditions and with the exceptions that follow from the regulation). If you wish to exercise any of the below-mentioned rights, you will need to contact us using the contact details provided above (section A).

 

  • Right of access
    You have the right to access the personal data we process on you
  • Right to rectification
    You have the right to have inaccurate personal data rectified
  • Right to erasure
    In some circumstances, you have the right to have personal data deleted
  • Right to restriction of processing
    In some circumstances, you have the right to have the processing of your personal data restricted
  • Right to data portability (where processing is based on consent)
    In some circumstances, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance
  • Right to object to processing (where processing is based on legitimate interests)
    In some circumstances, you have the right to object to our processing of your personal data

 

L. Complaints
You also have the right to complain to the Danish Data Protection Authority (in Danish: Datatilsynet), if you are dissatisfied with the way we process your personal data. You can find the contact details of the Danish Data Protection Authority on www.datatilsynet.dk.

 

M. Contact
Please do not hesitate to contact us if you have any questions in regard to the protection of your personal data or if you wish to exercise your legal rights. You can find the contact information above in section A.

 

N. Changes to this privacy notice
We reserve the right to change this privacy notice.

[Version: 02-07-2020]