Data Protection Policy

PRIVACY POLICY

 

ARTICLE 1: FOREWORD

The GDPR and you…

Personal data protection is one of our major concerns. The privacy policy fits into a legal context marked by the EU General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016), applicable since 25 May 2018 and the amended French Data Protection Act no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties. The purpose of this data protection policy is to tell you about:

• The personal data controller
• How your data is collected and processed. Personal data is any information which enables a natural person to be identified.
• Your rights regarding the use of your personal data
• The recipients to whom your data is transmitted
• The website's cookie management policy

This privacy policy supplements the legal notices on the websites.

ARTICLE 2: GLOSSARY

You’ll understand us... promise!

Personal Data is any information relating to an identified or identifiable person, i.e. enabling the person to be identified directly (e.g., surname and first name) or indirectly (e.g. cookies).

The Processing of personal data is any operation or set of operations (automated or not) which is performed on data or sets of personal data, such as collection, recording, organisation, storage, data transmission, etc.

The Data Controller determines the purposes (objectives of the processing) and the means of processing.

The Data Processor processes personal data on behalf of the data controller and carries out its instructions.

ARTICLE 3: GENERAL PRINCIPLES

Legal obligations... we’ve got them!

In accordance with the provisions of Article 5 of the General Data Protection Regulation (GDPR), the collection and processing of your personal data shall comply with the following principles:

• Lawfulness, fairness and transparency: the collection and processing of personal data can only be based on a legal basis defined in advance (performance of a contract, legal obligation, consent, legitimate interest, preservation of vital interests)
• Purpose limitation: the collection and processing of personal data is carried out to meet one or more defined objectives
• Data minimisation: only the data strictly necessary for the proper execution of the objectives pursued are collected
• Storage limitation: the data controller is under an obligation to define retention periods for the personal data processed
• Integrity and confidentiality: the data controller undertakes to guarantee the integrity and confidentiality of the data collected.

ARTICLE 4: DATA CONTROLLER

We are responsible for the data entrusted to us!

As data controller, QUANTEL MEDICAL undertakes to comply with the obligations resulting from the Regulation and the amended French Data Protection Act, concerning the collection and processing of personal data. In accordance with Article 32 of the GDPR, we implement all technical and organisational measures to ensure your personal data are protected.

ARTICLE 5: PERSONAL DATA COLLECTED AND PROCESSED: WHAT DATA?

What do we know about you?

In accordance with the principle of minimisation, we only collect the data necessary to carry out our missions. Therefore, as part of our activity in the manufacture of ophthalmic lasers and ultrasound scanners, and the organisation of training courses for our customers, distributors and healthcare professionals, as well as our research, studies and development of new products, QUANTEL MEDICAL may collect and process the following information:

• Identity: Surname, first name, age and gender
• Work Life : Qualification, occupation, work e-mail address, RPPS no. (Collective Database of Health Professionals)
• Login data : Usernames and passwords for access to distributor space
• Internet: IP address, login history
• Personal life : Address, e-mail, telephone number
• Financial information : Bank account details, banking and payment data
• Sensitive data : Health data, Social Security Number

As part of our mission to research and manufacture lasers and ultrasound scanners, we are required to have knowledge of sensitive data, such as medical data (illness, symptoms, treatment) and social security numbers, in order to conduct clinical studies and carry out maintenance on our devices and any monitoring of their side effects on patients. We are aware of the level of sensitivity of this information and are dedicated to ensuring a maximum level of confidentiality, as well as a commitment to meeting our legal and regulatory obligations. All the data collected are therefore strictly necessary to carry out the mission entrusted to us.

ARTICLE 6: PERSONAL DATA COLLECTED AND PROCESSED: WHY?

We’d like to explain!

In all of these situations, QUANTEL MEDICAL acts as a "Data Controller" under the GDPR.

DATA COLLECTED	REASONS FOR COLLECTION	RETENTION PERIOD	LEGAL BASIS
WEBSITE VISITS
- Identity; - Personal life - Work life - Login data - Internet	We use these data to: - Send you marketing communications (if you have given your consent) - Contact you when you fill in the contact form - Identify you on the website's specialist area when you register (www.mydryeyedisease.com)	The data collected through the form are kept for 3 years from collection or the last contact from the prospect The data are kept as long as you do not unsubscribe   Your browsing data on our website are kept for a maximum of 6 months	Consent
	- Offer you tailored services - Monitor and improve our websites and applications - Conduct audience analyses or create statistics - Secure our websites/applications and protect both you and ourselves against fraud.		Legitimate interest

 

DATA COLLECTED	REASONS FOR COLLECTION	RETENTION PERIOD	LEGAL BASIS
WEBSITE VISITS
- Identity; - Personal life - Work life - Financial information - Login data - Internet - Sensitive data	We use these data to: - Manage and fulfil customer orders and requirements - Conclude and perform customer contracts, service agreements and distribution agreements - Tailor the offer and prepare quotations - Manufacture the products and prepare manufacturing orders - Manage and organise product deliveries - Manage regulatory export sales permits - Install products and monitor their compliance (including preparation of expert reports and compliance reports) - Monitor side effects on patients and manage complaints and product returns - Prepare repair estimates - Perform daily product maintenance - Provide a distributor area, an online medical platform and a hotline for distributor technical support - Answer your questions and interact with you in any other way - Manage your participation in satisfaction surveys to take into account your advice and suggestions - Monitor our relationship - Manage payments, invoices, etc.	Invoices are kept for 10 years The data collected are kept for 3 years from collection or the last contact with you   Kept for the length of the business relationship and 5 years after the relationship ends.	Performance of a contract
	- Send you marketing communications to inform you of our future offers and events (mailings, newsletters, invitation to symposiums, etc.) - Contact ophthalmologists to offer you devices tailored to your needs - Send you marketing communications (mailings)		Legitimate interest

 

DATA COLLECTED	REASONS FOR COLLECTION	RETENTION PERIOD	LEGAL BASIS
ORGANISATION OF TRAINING COURSES FOR CUSTOMERS, DISTRIBUTORS AND HEALTHCARE PROFESSIONALS
- Identity; - Personal life - Work life - Financial information	We use these data to: - Conclude and perform distribution agreements - Manage training course enrolment and invitations - Organise the training courses - Draw up partnership agreements with service providers and manage stakeholders - Present certificates to the distributor’s trained technicians - Manage payments, invoices, etc. - Answer your questions and interact with you in any other way - Monitor our contractual relationship and inform you of future training courses	Kept for the length of the contractual relationship and 5 years after the relationship ends.   Invoices are kept for 10 years. The data collected are kept for 3 years from collection or the last contact with you	Performance of a contract
	- Send you marketing communications to inform you of our future offers and events (mailings, newsletters, invitation to symposiums, etc.)		Legitimate interest

 

DATA COLLECTED	REASONS FOR COLLECTION	RETENTION PERIOD	LEGAL BASIS
RESEARCH, STUDIES AND DEVELOPMENT OF NEW PRODUCTS
- Identity; - Personal life - Work life - Financial information - Sensitive data	We use these data to: - Conduct clinical studies on products - Enter into and perform partnership agreements and single contracts with doctors - Conduct clinical investigations and maintain records of clinical observations	Investigation documents kept for 15 years.   Kept for the length of the contractual relationship and 5 years after the relationship ends.   Invoices are kept for 10 years.	Legal obligation
	- Conduct research on technological studies and develop new products - Enter into and perform partnership agreements and single contracts with doctors, academics and partner companies - Manage and monitor purchases of development services and equipment from partners - Monitor our contractual relationship and interact with you in any other way - Edit purchase orders and manage payments		Performance of a contract

 

RECRUITMENT MANAGEMENT
- Identity - Personal life - Work life	We use these data for: - Application management - Interview management	2 years after the last contact with the candidate upon the candidate’s consent	Legitimate interest

 

ARTICLE 7: PERSONAL DATA: WHO HAS ACCESS TO YOUR PERSONAL DATA?

We don't pass them on to just anyone!

QUANTEL MEDICAL undertakes to transmit your personal data only to authorised people in-house and to authorised third parties such as the tax, customs or economic authorities, the administration of justice, the police and the gendarmerie or the administration of social action and health authorities such as the Committee for the Protection of Persons (CPP), the Ethics Committee or the French National Agency for Medicines and Health Products Safety (ANSM), for example.

QUANTEL MEDICAL may, perhaps, transmit your personal data to data processors for hosting and managing its database in France, hosting its websites or carrying out accounting and employment missions (e.g. accounting firms, recruitment agencies or law firms). The use of these service providers is necessary for the proper performance of our services. We undertake to verify and ensure their compliance with the GDPR and the amended French Data Protection Act.

Other than the companies and subsidiaries of the LUMIBIRD SA Group, the distributors, the doctors, hospitals and statistical analysts in the context of clinical studies and the monitoring of side effects on patients and the recipients mentioned above, QUANTEL MEDICAL undertakes not to transmit your personal data to third parties or to external agencies without your express agreement.

QUANTEL MEDICAL does not and shall not sell, transfer or communicate your personal data to unauthorised third parties.

QUANTEL MEDICAL does not make any automated decisions based on your personal data. No profiling is implemented during processing, and the data we collect will never be used without human intervention.

ARTICLE 8: YOUR RIGHTS

You hold all the cards!

8.1 Your rights

In accordance with current regulations, you have the following rights in relation to your personal data:

• RIGHT OF ACCESS: You may, at any time, access the personal data we hold about you.
• RIGHT TO RECTIFICATION If you notice an error, omission or ambiguity in your personal data, you may make a request to complete, correct or clarify your personal information.
• RIGHT TO OBJECT : At all times, you retain the right to object to the use of your personal data in the course of our company's activities in relation to the processing of your data.
• RIGHT TO RESTRICTION OF PROCESSING: You may demand that the future processing of your personal data be restricted under certain conditions
• RIGHT TO ERASURE : You may also ask us to erase your personal data.

8.2 The DPO

QUANTEL MEDICAL has appointed a Data Protection Officer (DPO). In order to exercise your rights, you can contact our Data Protection Officer (DPO) at the following address:

QUANTEL MEDICAL
1 rue du Bois Joli
63800 COURNON D’AUVERGNE

or send an e-mail to: rgpd@quantelmedical.fr

8.3 Complaining to the CNIL

You may at any time lodge a complaint with the competent authority i.e. the French Data Protection Agency (CNIL) using the following link: https://www.cnil.fr/fr/plaintes.

ARTICLE 9: SECURITY MEASURES

You entrust us with your data and we look after it!

QUANTEL MEDICAL is concerned about the security of personal data which it undertakes to process securely and only for the length of time necessary to achieve the intended purpose.

QUANTEL MEDICAL has put in place technical and organisational measures to ensure an adequate level of data protection in relation to the nature and purpose of the processing.

Therefore, in accordance with Article 32 of the GDPR on the security of processing, QUANTEL MEDICAL has implemented:

• The pseudonymisation of personal data
• Ways of guaranteeing the constant confidentiality, integrity, availability and resilience of processing systems and services
• Ways of restoring data availability and access within an appropriate timescale in the event of a physical or technical incident
• A procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the processing is secure.

However, the security obligation remains an obligation of means, i.e. we do everything possible to ensure the confidentiality and integrity of your personal data.

Everyone who has access to your personal data has been made aware of best data protection practices. They are bound by a confidentiality obligation, and are liable to disciplinary action in the event of non-compliance with this provision.

ARTICLE 10: DATA TRANSFERS OUTSIDE THE EUROPEAN UNION

A well-organised trip!

As part of our business and for the management of your requests, we may transfer data to our subsidiaries and distributors, located outside the European Union. However, prior to any transmission of your personal data, we check the applicable rules on data transfers outside the European Union and ensure that they provide sufficient and adequate data protection safeguards.

ARTICLE 11: COOKIES

You can choose between eating cookies and going on a diet

CAs with most websites, our website uses cookies that can be classified into four categories:

• STRICTLY NECESSARY: These cookies are essential to allow you to browse our websites and use their features.
• PERFORMANCE/ANALYTICAL: These cookies collect anonymous information about your use of our website. The information collected by these cookies is used only to improve your browsing experience on our website and never for identifying you. Sometimes these cookies are placed by third-party providers of web traffic analysis services, such as Google Analytics.
• FUNCTIONALITIES: These cookies remember the choices you make to improve your experience on our website and make your visit more personal and friendly. The information that these cookies collect can be anonymised and cannot be used to track your browsing activities on other websites.
• SOCIAL NETWORKS: These cookies allow you to share your activity on our website with social networking companies. Please refer to the privacy policies of these companies to find out how their cookies work.

If you wish to limit your tracking, it is recommended that you reject them by default via the cookie management banner we have set up on our website. In our cookie policy you will also find the procedure for accepting, customising or refusing cookies by expressing your choice using the banner that appears at the bottom of your screen.

ARTICLE 12: DATA PROTECTION POLICY UPDATES

Hang in there, you’ve almost finished!

This personal data protection policy may evolve. The last update was made on October 22nd.