CODE OF CONDUCT CONCERNING DATA PROTECTION POLICY

The protection of natural persons in relation to the processing of personal data is a fundamental right. Therefore, it is essential to respect the European legislation (among others the General Data Protection Regulation, the GDPR).
Lymphatica Medtech (and its members) undertakes to manage and use personal data in a secure and legal way.
The information below explains what data is collected, why it is collected, the duration of the process and to what extent the persons concerned will be able to control it.

1    Definitions

Controller means the natural person, public authority, agency, or other body which, alone, or jointly with others, determines the purposes and means of the processing of personal data.
Processor means the natural person, public authority, agency, or other body which processes personal data on behalf of the controller.
Processing means any activity performed on personal data, whether or not by automated means, including collection, use, recording etc.
Personal data means any information related to a natural person or ‘data subject’, that can be used to directly or indirectly identify the person.

2    Subjects protected by this code

Lymphatica processes personal data of its employees, advisors and external collaborators. In addition, Lymphatica processes personal data concerning health in the context of clinical studies and post-market surveillance of patients using Lymphatica’s products. Lymphatica Medtech SA – EPFL Innovation Park, 1015 Lausanne is in this case the controller.
This code of conduct applies to:
  • Patients included in the different clinical trials having Lymphatica as sponsor.
  • Employees of Lymphatica.
  • Advisors and external collaborators of Lymphatica.
This code of conduct also applies during visits to our offices or those of our supplier, hospital visits, or visits to our websites.
Lymphatica will respect its obligations as well as the rights of the persons concerned whenever their data are processed by the company.

3    Purpose of data processing

Lymphatica only processes personal data if they are necessary and for specific purposes. As part of the development of medical devices, Lymphatica may be required to conduct clinical trials and process health data.
More concretely, Lymphatica processes personal data:
- In the context of the preparation or execution and analysis of clinical data coming from our clinical trials.
- To comply with the legal provisions to which we may be subject.
- For storage of information belonging to its employees, suppliers, advisors, customers and collaborators.
Data are processed only if Lymphatica has received authorization from the data subjects to process them.

4    Informed consent

Under the GDPR, it is prohibited to process data concerning health unless the subject has given explicit consent to the processing of those data. In the context of clinical studies and activities that will involve patients, Lymphatica will collect informed consent from data subjects.
The request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject shall have the right to withdraw his or her consent at any time, in an easy way.

5    Security of data

Security of data is guaranteed by design (e.g. pseudonymization of patients involved in the clinical trials, encryption of personal computers and emails containing personal data) and by limiting processing of information to personal data that are strictly necessary to the purpose. Security of data storage and transfer is ensured by conducting due diligence on processors and by selecting only processors that can ensure the necessary level of security.
Lymphatica uses internal and/or external resources that guarantee the security of the networks, infrastructures and information systems used. In addition, Lymphatica uses technical measures to protect the data in question, such as: password protection, firewall, antivirus, and controlled access for employees and partners.
In the case where the involvement of a processor is required (e.g. CRO, Hospitals, external IT service, etc.), Lymphatica concludes a data processing contract. It is agreed that the processor will only act on the instructions of the controller (Lymphatica) and will be bound by the same obligations as the controller.
In case of a personal data breach likely to result in a high risk, Lymphatica will notify the breach to the supervisory authority and to the individual. Lymphatica must notify the supervisory authority without undue delay, within 72 hours after becoming aware of the breach.

6    Rights of data subjects

Lymphatica ensures that the concerned subjects are able to access, on request, their personal data. The purpose of the processing, the categories of personal data, their recipients and a copy of the personal data collected are also available to them.
When the data relating to a person are inaccurate or incomplete, the subject has the right to request their rectification. If the inaccurate data are passed on to third parties, Lymphatica will inform these parties of this inaccuracy.
Lymphatica responds to all inquiries within one month, which can be extended for another two months depending on the complexity of the request.
The persons concerned also have a right of opposition. If the data subject objects to the processing of their data, Lymphatica will stop processing them or will prove that Lymphatica has legitimate and compelling reasons for the processing that prevail over the interests, rights and freedoms of the person concerned.
The data subject shall have a right to obtain from Lymphatica the erasure of personal data concerning him or her without undue delay.

7    Register

Lymphatica keeps a record of its processing activities. This registry contains: the type of data processed, the purposes of the processing, the recipients of the data, the place where the data is stored, how the data is secured and the retention periods, as well as the categories of people involved in the processing (employees, suppliers, customers, patients etc.).

8    Retention period of personal data

Personal data are only kept for the time necessary to achieve the purpose for which they were collected.

9    Website

Lymphatica’s websites can be visited without having to share any personal data. Personal data are stored only if data subjects decide to subscribe to our newsletter. In that case, the email address, the name, the surname and the profession of the data subject are stored.
Health-related information is processed for marketing purposes upon obtaining consent from the data subject.

10    Contact

Data subjects can contact Lymphatica either in writing, by phone, electronically or via Lymphatica’s website. Requests concerning right of access to the data of data subjects, rectification or deletion of personal data must be in written form.

11    Change control

Personal data that are collected through the various communication channels (e.g. in writing or via phone) are recorded in Lymphatica’s processing registry. This also applies to our suppliers processing health data.
Lymphatica and its processors can change their code of conduct. Data subjects may request the latest version on Lymphatica’s or processors’ websites.
The latest version of the code of conduct has, in case of conflict, priority over earlier versions.