InnoCon Medical needs to gather and use certain information about individuals.
These can include employees, test subjects, and other people the company has a relationship with or may need to contact.
In general, InnoCon Medical only processes personal data for specific purposes, where legitimate interests are present. Only personal data that is relevant and necessary to fulfil the specified purpose is processed, and the personal data is deleted, when it is no longer required.
This policy describes how InnoCon Medical:
- Complies with General Data Protection Regulation and follows good practice
- Protects the rights of employees, test subjects and other partners
- Is open about how the company stores and processes personal data
- Protects personal data from the risk of data breach
2. Contact information on data controller
InnoCon Medical is the data controller and responsible for personal data is processed in compliance with the regulation.
Address: Lyngvej 1, 9000 Aalborg
Telephone: +45 4051 7712
Contact person: Dianna Mærsk Knudsen
3. Purpose of data processing
InnoCon Medical is processing data for specific purposes, when legitimate interests are present.
Legitimate interests within InnoCon Medical:
- Processing is necessary for the performance of a contract (employee contract), Article 6, 1(b)
- Processing is necessary for compliance with legal obligation (employees, test subjects), Article 6, 1(c)
- The data subject has given consent to the processing (test subjects), Article 6, 1(a)
Purposes of processing:
- a. Administration of employment
- b. Fulfilment of law (employer obligations)
- c. Promotion of company on website
- Test subjects:
- a. Administration of study
- b. Fulfilment of law
- c. Assessment of test results
- a. Promotion of company on website and SoMe platforms
4. Personal data categories
InnoCon Medical is processing the following personal data:
- a. Personal data: Data regarding employment for administration, this includes:
- i. CPR number, name, address, position, employment, education, CV
- ii. Salary, banking data, pay checks, tax rates, pension
- iii. Sick leave, parental leave
- iv. Correspondence between employee and manager of specific circumstantial contents, disciplinary warnings etc.
- b. Special categories of personal data:
- i. Portrait photos
Besides this, personal data from potential applicants is processed occasionally. Data is limited to CV and contact information on applicant.
- a. Personal data: Contact information, this includes:
- i. Name, address, telephone, email
- ii. Data required for the specific study, e.g. anatomical data, physiological signals, number and types of genital piercings
- b. Special categories of personal data:
- i. Data required for the specific study, e.g. health data and race/ethnicity
5. Transfer of personal data
InnoCon Medical is transferring personal data on employees for fulfilment of employer obligations (e.g. to tax authorities). Besides this InnoCon Medical is not transferring any personal data to third parties.
6. Origin of personal data
In general, personal data processed within InnoCon Medical origins from the data subject.
For employee administration, personal data is also retrieved from public authorities, e.g. tax authorities.
7. Data storage and erasure
- Personal data on applicants is deleted at latest 2 years after termination of recruitment case.
- Personal data on former employees is deleted 5 years after termination of employee case to fulfil Danish accounting laws, however the following data is kept for compliance with documentation retention requirements related to medical devices (~ at least 15 years after the last device has been placed on the market): name, position, employment, education, and CV.
- Personal data on test subjects is anonymized/pseudonymized and thereby not possible/difficult to track back to individual test subject. Personal data making possible to identify test subject is deleted at latest 18 months after termination of the project, for which the data is needed.
Visitors on website and SoMe platforms:
When possible, InnoCon Medical will process personal data on legitimate interest on other legal basis than consent. InnoCon Medical only collects consent from data subjects, when it is necessary for processing of personal data according to the purposes described above, e.g. test subjects in studies.
In case, InnoCon Medical asks for your consent, your consent is voluntary and can be withdrawn at any time, by contacting InnoCon Medical.
If you choose to withdraw your consent, it does not affect the legality of InnoCon Medical’s processing of your personal data based on your prior consent and until the date of withdrawal. If you withdraw your consent, it will therefore not be effective until this date.
9. Rights of data subject
According to the regulation, you have some fundamental rights as data subject, in relation to InnoCon Medicals processing of your personal data:
- Right to be informed, about whether personal data concerning you is processed within InnoCon Medical.
- Right of access, to the personal data InnoCon Medical is processing on you.
- Right to rectification, if the personal data that InnoCon Medical is processing is inaccurate.
- Right to erasure, of your personal data that InnoCon Medical is processing, when there is no longer legitimate interests for retaining the data.
- Right to restriction of processing, if the data is contested to be inaccurate or no longer needed, or the processing is unlawful or you have objected to processing.
- Right to data portability, so your personal data can be transmitted in a structured, commonly used format to another controller.
- Right to object, to InnoCon Medical’s processing of personal data concerning you.
You can make use of your rights, including objecting to the processing of InnoCon Medical of personal data concerning you, by contacting InnoCon Medial, using the contact information above.
If you contact InnoCon Medical with a request regarding e.g. rectification or erasure of your personal data, InnoCon Medical will assess if the conditions are met, and in that case, implement the rectification or erasure as soon as possible.
10. Complaint authority
You have the right to lodge a complaint to the data protection authority, if you are unsatisfied with the way, InnoCon Medical is processing your personal data. In Denmark the relevant authority is Datatilsynet (datatilsynet.dk).