Privacy Policy

Thank you for visiting our website.

The protection of your privacy is a top priority for ndd Medizintechnik AG. We are committed to looking after your personal data in a responsible manner when you access our services or when you visit our homepage and browse our sites. Therefore, we collect and process your data in accordance with legal provisions, in particular those of the Swiss Data Protection Act and the European General Data Protection Regulation (GDPR). We are aware that, as a company specializing in medical technology, we may come into contact with sensitive personal data, such as information concerning a person's health, particularly during our service and support activities. As specified by the GDPR, such particularly sensitive data require a higher level of protection.

This data protection policy explains why and how we process your personal data (also simply referred to as “data”) when you use our online services. "Personal data" refers to any information about you by which you can be identified. This can include information such as your name, date of birth, email address, postal address, phone number, mobile number, information about the device you use, and information relating to your personal circumstances and how you use our sites and services. The online services we provide include our website, all sites, functions and contents connected with our website, as well as related external online platforms (such as our social media profiles). For the purpose of this policy, we will refer to all of these collectively as "online services". With regard to the terms used in this policy, e.g., "processing", "controller" or "personal data", we refer to the definitions in Art. 4 of the GDPR.

The responsibility for the processing of data connected to our online services lies with the website operator. You can find the contact details in the imprint of this website.

Scope, Purpose and Legal Basis for How We Collect, Process and Use Personal Data 

What Personal Data We Process

  • general information (e.g., your name and postal address)
  • contact information (e.g., your email address and telephone number)
  • data relating to content provided by you (e.g., text, photos, videos)
  • your browsing history on our sites (e.g., websites you visited, contents you viewed, access times)
  • meta data or communication data (e.g., information relating to your device, such as your IP address)

Whose Data We Process

We process the data of visitors and users of our online services (henceforth referred to as "users").

Why We Process Personal Data

We use the information 

  • to provide, maintain and enhance our online services
  • to respond to queries and communicate with users
  • to ensure safety
  • to measure reach and to carry out marketing analysis

Legal Grounds for Using Your Personal Data

In compliance with Article 13 of the GDPR (General Data Protection Regulation) this policy provides information about the legal grounds on which we process your personal data. We will only use your data where we have a legal ground to do so. Unless otherwise specified the following applies: The legal basis for processing data with the data subject's consent is provided by point (a) of Art. 6(1) and by Art. 7 of the GDPR; the legal basis for the processing of data necessary to fulfill our services and contracts and to reply to queries is provided by point (b) of Art. 6(1) of the GDPR; the legal basis for processing data in order to comply with the legal obligations to which we are subject is provided by point (c) of Art. 6(1) of the GDPR; and the legal basis for the processing of data necessary to pursue our legitimate interests is provided by point (f) of Art. 6(1) of the GDPR. In the event that processing of personally identifiable data should become necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Art. 6(1) of the GDPR applies.

Security of Your Personal Data

In compliance with Art. 32 of the GDPR, we have implemented appropriate technical and organizational measures to protect your data adequately. We have done so specifically by taking into account the state of the art, the costs of implementation, the nature, scope, context and purpose of our processing your data, as well as the various risks to your rights and freedoms.

We protect the confidentiality, integrity and availability of your data in a number of ways: e.g., by controlling physical access to where the data are stored; by controlling the means to access, enter and transfer them; by ensuring the data are indeed available to authorized persons when needed; and by ensuring that appropriate means to separate the data from direct identifiers are available (e.g. to allow pseudonymisation). Pseudonymisation, as defined by the GDPR, is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information that is kept separately. Furthermore, we have established procedures which allow us to observe the rights of data subjects adequately, to delete data as needed and to act appropriately when data appear to be threatened. We further act in accordance with the principle laid out in Art. 25 of the GDPR, which requires that organizations integrate the necessary safeguards to protect your data both at the time of the determination of the means for processing them and at the time of the processing itself. We do so by taking into account data protection requirements early on, i.e., even as we develop or select the hardware, software and technologies we intend to use for our services.

Collaboration With Other Processors and Third Parties

We will only grant access to, disclose or transfer data to other persons or companies (processors or third parties) where we have legal grounds to do so. In every case, the legal grounds will be one referred to in Art. 6(1) of the GDPR, which includes the following: you have given consent, the processing is necessary in order to comply with a legal obligation, or our legitimate interests require it (e.g., when we employ other processors or use web hosts to deliver our services).

When we engage third parties to process data for us (by means of what is commonly referred to as an "order processing contract"), we do so in compliance with Art. 28 of the GDPR.

International Data Transfer

When we transfer personal data to a third country (i.e., outside of the European Union (EU) or outside of the European Economic Area (EEA)), we only do so on legal grounds. Your data may need to be transferred when we process information in a third country, when we use services provided by third parties, or when we disclose or transfer data to third parties. In every case, the legal ground will be one of the following: the transfer is necessary for us in order to comply with (pre-)contractual or with legal obligations, you have given consent, or our legitimate interests require it. Subject to legal or contractual permission, we allow data submitted to us to be processed in a third country only if the conditions laid down in Art. 44 ff. of the GDPR are complied with. This means, for instance, that the processing is only carried out when sufficient guarantees are provided to ensure an adequate level of protection of personal data, such as an official statement demonstrating the processor's adherence to EU standards (e.g., for the USA, compliance with the Privacy Shield scheme) or adherence to officially recognized special contracts (called "standard contractual clauses"). The EU-U.S. and Swiss-U.S. Privacy Shield scheme requires organizations to provide a level of protection in line with EU data protection law. You can find more information about the Privacy Shield by going to:  https://www.privacyshield.gov/welcome.

Your Rights with Regard to Personal Data

You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, obtain access to your personal data and to information about them, as set down by Art. 15 of the GDPR.

You also have the right to request the rectification of inaccurate personal data concerning you and to have incomplete personal data completed, as laid down in Art. 16 of the GDPR.

As stated in Art. 17 of the GDPR, you have the right to obtain, without undue delay, the erasure of personal data concerning you, or, as stated in Art. 18, to request restriction of processing.

Pursuant to Art. 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to us. You also have the right to request that those data be transmitted to another controller.

As stated by Art. 77 of the GDPR you have the right to lodge a complaint with a supervisory authority.

Right of Withdrawal

As laid down by Art. 7 of the GDPR, you have the right to withdraw your consent to the processing of your data at any time.

Right to Object

Pursuant to Art. 21 of the GDPR you have the right to object at any time to the processing of your personal data, particularly when personal data are processed for direct marketing purposes.

Use of Cookies and Your Right to Opt Out from Direct Marketing

Cookies are small text files that are placed on your computer or mobile device by the websites you visit. They are able to record various types of data. A cookie is used primarily to store information about the user (or about the user's device on which the cookie is set) during or after the user's browsing of a particular website. Temporary cookies, also called "session cookies" or "transient cookies", are created temporarily while you are visiting a website. They are deleted once you leave the site or close your browser. Typical examples of such cookies are the online shopping cart feature or your login status. "Permanent" or "persistent cookies", on the other hand, remain stored in your browser's subfolder even after you have closed your browser. This allows the website to, for example, store your login status for several days and to remember it when you access the website again. Such cookies are also used to store information reflecting your interests, which can be used for reach measurement and for marketing purposes. The term "third-party cookie" refers to cookies placed on your device by a website other than the one you are actually visiting (cookies created by the website you are visiting are called "first-party cookies").

We may use temporary as well as permanent cookies in the manner described in this privacy policy.

If you do not want cookies to be saved on your device, you can set your browser to remove or reject cookies. You can do so by changing the system settings of your browser. The drawback of disabling cookies on your browser is that certain features and services may not function properly for you.

You can opt out from receiving personalized advertising. Personalized advertising (also known as "interest based advertising") enables advertisers to reach users based on their interests. You can opt out of interest based advertising, particularly with regard to tracking technologies, through the US-website http://optout.aboutads.info/choices or the EU-website http://www.youronlinechoices.com/. Tracking technologies follow and record your digital habits. They are used by providers to, e.g., understand how you navigate their websites and to determine which of their messages you open. It is also possible to stop your browser from saving cookies altogether by changing your browser’s cookie settings. You can usually find these settings in the “options” or “preferences” menu of your browser. Please be aware that disabling cookies will mean that certain functions may no longer be available to you.

How Long We Keep Your Data

We erase or restrict the use of the data we process in compliance with Art. 17 and Art. 18 of the GDPR. Unless otherwise specified in this policy, we delete data as soon as they are no longer needed to fulfill the purposes for which they were initially collected and as long as there is no legal obligation to retain them. When the law requires that certain data be retained, we do so but we restrict their processing. This means that the data will be blocked and not processed for any other purpose than the one specified by the law. This applies to, for example, data we are obliged to retain for commercial or tax reasons.

Swiss law requires business documentation to be retained for 10 years (Art. 958 ff. of the OR, short for "Obligationenrecht", the "Swiss Code of Obligations"). A retention period of 20 years applies to business documentation relating to immovable property.

When You Apply for a Job with Us

If you apply for a job we have advertised, we will process the personal data you submit with your application only in connection with the job application and in compliance with the law. We process the data job applicants supply to us in order to fulfill our (pre)contractual obligations in connection with job application procedures. We always do so pursuant to point (b) of Art. 6(1) of the GDPR or to point (f) of Art. 6(1) of the GDPR, and as long as the processing is necessary, e.g., for us to be able to comply with legal obligations.

The procedures for job applications require that applicants submit personal data. Where we provide an online application form, we mark the fields for information that is required. The information we require is also evident from the job description. The data we collect when you apply for a job include: name, postal address, contact details and information pertaining to the job application, such as accompanying letter, details of your education and working career. You are free to submit any additional information.

By submitting your application you agree to let us process your data for the purpose of your job application in the manner specified by this policy.

When you apply for a job and volunteer personal information of the kind specified in Art. 9(1) of the GDPR (e.g., data concerning health, such as serious disability, or data revealing ethnic origin), we will process it in compliance with point (b) of Art. 9(2) of the GDPR. Equally, if we ask you to submit information of the kind specified in Art. 9(1) of the GDPR when you apply for a job (e.g., data concerning health if it is relevant to the job), we will process it in compliance with point (b) of Art. 9(2) of the GDPR.

Where we provide an online form, you can send your application through our website. Data sent this way will be encrypted during the transmission by means of state of the art technology. You can also send us your application by email. Please note, however, that emails are not encrypted and that it is up to you to take the necessary precautions to safeguard your data. We cannot assume responsibility for the transmission of an application sent to us by email. We recommend that you either use our online form or that you send your application by post. Regular postal mail always remains an option for job applicants, alongside online forms and email.

If your job application is successful, we may continue to process the data you have submitted with your application for the purpose of your employment. If the job application is not successful we will delete the data you submitted with it. We will also delete your personal data if you decide to withdraw your application, which you have the right to do at any point.

Unless you withdraw your application early, we will retain the data you submitted with it for a period of six months in order to be able to reply to follow-up queries about the application and to comply with requirements regarding accountability (anti-discrimination laws).

When You Contact Us

When you contact us (e.g., through our online contact form, by email, by phone or through one of our social media channels) we will process your data as needed to be able to reply to your enquiry, pursuant to point (b) of Art. 6(1) of the GDPR (performance of a contractual or pre-contractual commitment) and to point (f) of Art. 6(1) (other queries). Your data may be recorded in a CRM system (Customer Relationship Management System) or a similar tool to manage queries (see section below for information on CRM provided by salesforce).

We will delete the queries we receive when a record of them is no longer needed. We review the need for retention every two years. As a rule, we adhere to general record retention laws.

CRM System by salesforce

We use the CRM system issued by salesforce.com inc., The Landmark @ One Market Street, San Francisco, CA 94105, USA. We do so for the purpose of our legitimate interest, as salesforce helps us respond to user queries quickly and efficiently.

salesforce is certified under the Privacy Shield. It thus guarantees an additional level of compliance with EU data protection law when data are being processed in the USA (https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active).

salesforce uses personal data only for the technical processing of your enquiry and does not transfer it to third parties. To be able to use salesforce it is necessary to submit at least a valid email address. While your service query is being processed, additional information about you may be collected (e.g., your name and address). salesforce allows the pseudonymisation of personal data.

If you do not wish your data to be collected and stored by the external technology of salesforce, we provide alternative ways to get in touch with us. You can call us or send us your query by email or regular post.

Find more information about salesforce and its privacy policy by going to http://www.salesforce.org/legal-information/privacy-policy/.

Newsletter

This section describes the content of our newsletter, how you subscribe to it, how we deliver it, and the way in which we use personal data pertaining to it for statistical purposes. By signing up to our newsletter you agree to receive it under the conditions described here.

Newsletter Content: We will send you our newsletter, emails and other electronic notifications with promotional content (henceforth referred to simply as "newsletter") only if we have your permission or if there is a legal basis for it. When you sign up for our newsletter, you may be given a description of the kind of content you should expect. By signing up you agree to receive it. Usually our newsletters provide content about our products or services and about us.

Double opt-in and record retention: We use a double opt-in to subscribe to our newsletter. This means that, when you sign up, you will receive an email to verify that you do indeed wish to be included in our mailing list. This verification is necessary to make sure no other person can subscribe in your name. We keep a record of newsletter subscriptions in order to comply with legal requirements. These include being able to provide evidence of the time of subscription, time of verification, IP addresses and changes made to your data.

Subscription details: All we need for your subscription to the newsletter is a valid email address. We will take your name, if you choose to submit one, to address you personally when we send you the newsletter.

We will send you our newsletter and carry out analyses to evaluate its effectiveness on the ground that you have given us your consent or, when consent is not required, on the basis of having a legitimate interest to do so in order to provide direct marketing.

We keep a record of the subscription process on the ground of there being a legitimate interest. Our interest lies in wishing to be able to provide a user-friendly newsletter by means of a secure processing system, which will both serve our business interests and meet the users' expectations. A record also enables us to provide evidence of having obtained the users' consent.

You can unsubscribe from our newsletter at any time. You will find a link to unsubscribe at the bottom of each newsletter. On the basis of having a legitimate interest, we may keep the email address with which you subscribe for up to three years before deleting it, in order to be able to provide evidence of having obtained your consent before including you in our mailing list. We process the personal data you submit with your subscription for the sole purpose of protecting ourselves from unjustified claims. You have the right to request that your data be deleted at any time, provided you also confirm that you did indeed subscribe to the newsletter at an earlier point.

Newsletter – MailChimp

We deliver our newsletter through MailChimp, an online marketing automation platform to deliver newsletters. MailChimp is a company headquartered in the United States operated by The Rocket Science Group LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can find MailChimp's privacy policy at https://mailchimp.com/legal/privacy/. The Rocket Science Group, LLC d/b/a MailChimp is certified under the Privacy Shield Frameworks and thereby guarantees compliance with EU data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). We use MailChimp's services on the basis of having legitimate interests and in order to comply with contractual obligations. The service provider may process your personal data to optimize or enhance the service, e.g., to implement technology that improves the distribution or the layout of our newsletter, or to carry out statistical analysis. When doing so, the service provider will apply pseudonymisation to the data, i.e., personal data will be processed in such a manner that the data subject cannot be identified. The service provider will not use your data to contact you and will not share it with any third parties.

Access Data and Log Files

On grounds of legitimate interests, we or our hosting provider will collect data every time you access the server that provides our services. Access data are stored in what is commonly referred to as "server log files". They include information such as: name of the website you accessed, time and date of access, amount of data transferred, notifications about successful access, information about the version and type of your browser, your operating system, your IP address and your provider.

For security reasons (e.g., to investigate abuse or fraud) we store log files for up to seven days before deleting them. Data deemed necessary to provide evidence are not deleted before the incident to which they pertain has been clarified and investigations have been closed.

Amazon CloudFront

We use Amazon CloudFront, a global content delivery network (CDN) service provided by Amazon.com, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA. Amazon participates in the Privacy Shield Framework to comply with EU data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4).

A CDN is a network delivery service that allows fast transmission of online contents, particularly large data packages like graphs or scripts, with the help of regional servers connected to the Internet. Your personal data is processed by Amazon CloudFront solely for this purpose and to ensure the security and the functionality of the CDN.

We will rely on our legitimate interests (i.e., to be able to analyze, optimize and deliver secure and effective online services) and on our contractual obligations when we process your data in the way described above.

Find more information about how Amazon manages personal data in their privacy policy at: https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=201909010

Rollbar – Server-Monitoring and Error-Tracking

We use server-monitoring & error-tracking technologies to ensure the availability and integrity of our online services. When we process personal data by means of such technologies, we do so for the technical enhancement of our online services.

We use the services provided by Rollbar, 51 Federal Street, San Francisco, CA 94107, USA. Rollbar participates in the Privacy Shield Framework to comply with EU data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TNcNAAW&status=Active).

Rollbar processes aggregate performance data. Such data provide technical information relating to, e.g., the performance or the capacity of our services. We use the information to gauge the stability of our online services and to detect deviations from set standards. Should we detect any errors or deviations, we will record individual instances of when users have accessed our online services in pseudonymised form in order to identify the cause and to resolve the problem. In this context, pseudonymisation means particularly that the captured IP addresses are stored by masking out the last two digits (in a process also called "IP masking"). We delete aggregate data after a period of three months, the pseudonymised data after seven days.

We use the services provided by Rollbar to pursue our legitimate interests, that is, to deliver secure, error-free and optimized online services.

Find more information about how Rollbar manages personal data in their privacy policy at: https://docs.rollbar.com/docs/privacy-policy

Google Analytics

We use Google Analytics, a web analysis service provided by Google LLC ("Google"), for the purpose of our legitimate interest (i.e., to analyze, optimize and maintain the efficiency of our online services) and to fulfill contractual obligations. Google uses cookies, which provide information about how you use our online services. This information will be transmitted to and stored by Google on servers in the United States.

Google is certified under the Privacy Shield Frameworks and thereby guarantees compliance with EU data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google uses the collected data on our behalf, e.g., to analyze how you use our online services, to compile reports about your activity within those services, and to perform other services for us pertaining to user activity and online behavior on our website. From the processed data, Google creates pseudonymised user profiles.

When we use Google Analytics we always apply IP anonymisation. This means that, for users within the European Union (EU) and the European Economic Area (EEA), Google renders the IP address anonymous by removing details that identify the individual users. It is only in exceptional circumstances that we will transmit the full IP address to a Google server in the USA to be shortened and anonymised there.

Google will not associate the IP address transmitted by your browser with any other data Google holds. You can change your browser settings to clear all cookies when you close your browser. You can also adjust your browser to stop transmitting to Google the data that cookies gather about your browsing history. To opt out of this function and prevent Google from processing your data, download and install the browser plug-in available through this link: https://tools.google.com/dlpage/gaoptout?hl=en.

You can read more about how Google uses personal data, or about how to manage your settings and how to opt out of personalized ads, by going to https://policies.google.com/technologies/ads. You will also find information in your advertising settings for Google at https://adssettings.google.com/authenticated

Your personal data are either deleted or rendered anonymous after 14 months.

Our Presence on Social Media

We are active on social media to communicate with our customers, users and other interested parties and to provide information about our services. When you access these networks and platforms, the terms and policies of the organizations providing them apply.

Unless otherwise specified in this policy, we will process the data you submit when you communicate with us through social media, e.g., when you leave comments on one of our platforms or when you send us a message.

Third-Party Services and Contents

We may include contents and services provided by third parties on our website on the ground of legitimate interests, i.e., to analyze, optimize and deliver efficient online services. We do so to make additional content and services available to you, e.g., videos and fonts (henceforth simply referred to as "content").

Your IP address is necessary for such third-party content to be delivered to you and to display properly on your device. We will do our best to collaborate only with providers who will process your IP address solely for the purpose of delivering their contents. Third-party providers may also collect user information from our sites through pixel tags. Pixel tags (also known as "web beacons") are data similar to cookies but are collected through invisible, embedded images. Pixel tags can be used to carry out statistical analysis or for marketing purposes. They convey information about how you use our website. This information may be stored in pseudonymised form in the cookies on your device. It may contain technical information about your browser and operating system, the websites that direct you to our site, the time of your visit and other information about how you use our online services. Your pseudonymised data may also be linked to similar information provided by other outside sources.

YouTube

We use cookies to access videos on YouTube, a platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can find Google's data protection policy by going to https://policies.google.com/privacy and see information about your choices to opt out at https://adssettings.google.com/authenticated.

Font Awesome Icons

We use external icons from Font Awesome, a toolkit provided by Fonticons LLC, 6 Porter Rd Apt 3R, Cambridge, MA 02140, USA. The icons are embedded through a server call to Fonticons in the USA. You can find the data protection policy for Font Awesome at https://fontawesome.com/privacy.

Google reCAPTCHA

We use reCAPTCHA to protect our website from spam and abuse. reCAPTCHA keeps automated software from engaging in abusive activities on our site (e.g., by detecting and blocking bots trying to fill in our online forms). reCAPTCHA is a service provided by Google. You can find Google's data protection policy by going to https://policies.google.com/privacy and access information about your choices to opt out at https://adssettings.google.com/authenticated.

Twitter

Our website includes social media features, such as access to services and contents provided by Twitter. Twitter Inc. is based at 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The contents provided may include, e.g., images, videos or text, as well as interfaces through which users can share such content within the social network of Twitter. If you are active on Twitter, the social network will be able to link content you viewed and the functions you accessed directly to your profile. Twitter is certified under the Privacy Shield Frameworks and thereby guarantees compliance with EU data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). You can find Twitter's data protection policy by going to https://twitter.com/en/privacy as well as information about your choices to opt out at https://twitter.com/personalization.