Inion Oy Data Protection Clause
The purpose of this Data Protection Clause is to give information on collecting, handling and retaining personal data in Inion Oy.
Inion Oy complies with the EU General Data Protection Regulation (GDPR).
Inion Oy is committed to protecting the privacy of people whose personal data it holds.
Collecting personal data
In connection with, but not limited to, distribution, sales, training, education, consulting, complaint handling, post-marketing surveillance, clinical studies and clinical evaluation of Inion’s products, Inion Oy collects relevant personal data of the people involved in these connections. Inion Oy collects and evaluates patient data only in a manner in which it is not connected to the patient’s identity.
Regular sources of personal data
Inion Oy gets the personal data from the persons themselves upon request in the above-mentioned connections and during clinical trials in pseudonymised form.
Purpose of collecting personal data
The personal data is collected from customers, distributors, healthcare professionals, patients, suppliers, training and education attendees, job applicants, and consultants for the purpose of conducting the tasks and/or demonstrating qualifications of people related to product testing and registrations, quality management system, marketing, customer acquisition, customer relationship maintenance, distribution, delivery, purchasing, sales, training, education, complaint handling, clinical investigations, clinical evaluation, post marketing surveillance, consulting, and recruitment between Inion Oy and the person in question.
Processing of personal data is based on 1) consent of the data subject, 2) contract with the data subject, 3) legal obligations, such as regulatory requirements for medical device manufacturers, or 4) legitimate interests pursued by the controllers that are part of a group of undertakings, for internal administrative purposes including the processing of clients’ or job applicants’ personal data. Inion is part of a corporate group and is therefore obliged to share some personal data with its affiliates.
- Where processing is based on 1) consent, the data subject shall have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.
- Where processing is based on 2) contract, the data subject shall be informed of collection of personal data in accordance with the GDPR in the contract.
- Where processing is based on 3) legal obligations for medical device manufacturers, the qualifications and identities of the persons involved in medical device testing, clinical evaluation and clinical investigation are collected based on the requirements of EU and US legislation for medical device manufacturers. Inion is obliged to present this information to the relevant authorities upon request. The data subject shall be informed thereof in testing statements and/or contracts.
Content of the register
The register contains personal data, such as (but not limited to) name, contact information, position, place of work, qualifications and CV provided by the person in question.
Persons handling the personal data
Access to personal data is limited to relevant staff only, as well as IT administration. The staff handling the personal data have received GDPR training.
Transferring personal data outside the European Union (EU) or European Economic Area (EEA)
The personal data from customers is not transferred outside the European Union (EU) or European Economic Area (EEA), unless the person is informed separately.
- Where processing is based on 3) legal obligations for medical device manufacturers, the personal data is required by authorities for the purposes of quality audits and product registration and thus may be transferred outside the EU or EEA without informing the person afresh in addition to the original data protection notice. The local authority and local registration partners take care of the appropriate protection of the personal data according to local laws and are bound to keep all information confidential in line with articles 109 and 110 of EU Medical Device Regulation.
- Where processing is based on 4) legitimate interests pursued by the controller(s) that are part of a group of undertakings, the data is transferred on the basis of the external data processing agreement of these companies, and the transfer is carried out in accordance with the GDPR with the EU Commission’s standard contractual clauses.
Description of the register and its protection
The registers exist on the Inion Oy servers, which are located inside the EU. External access to Inion servers is prevented by firewalls. Inion implements technical and organizational measures to protect data from both external and unauthorized internal access. In order to access personal data, the person must be employed by Inion and have precise and role-specific access rights. Access rights are managed by the IT administration and are strictly monitored.
Retaining personal data
- Inion has defined retention periods and/or retention criteria for all the personal data it processes, which are determined by the type of personal data and the purpose of use.
- The personal data required by the authorities/legal obligations is retained by Inion Oy for the retention period set in the applicable regulations.
Checking, updating and removing the personal data
A person has the right to check the personal data which Inion Oy holds on him/her. Upon the person’s request, Inion Oy will correct, complete or remove personal data which is incorrect, unnecessary, incomplete or outdated for the original purpose of collecting the data. A person can check, update or ask for removal of his/her personal data by contacting the Inion Oy Data Protection Officer. When the person makes a request to check, update or remove his/her personal data, the Data Protection Officer will conduct additional checks to verify the person’s identity.
Should you consider that Inion Oy processes your personal data in violation of applicable legislation, you have the right to lodge a complaint with a data protection supervisory authority: Finnish Office of the Data Protection Ombudsman, tietosuoja(at)om.fi
Data Protection Officer
Anna Haavisto
tietosuojavastaava(at)inion.com
Contact information
Inion Oy
Lääkärinkatu 2
33520 Tampere
Finland