Privacy and Security Policy – Volta Medical – Edition 1
Who are we?
Volta Medical is the trade name of SUBSTRATE HD SAS.
We are a company with our headquarters in Marseille (France) at 29 boulevard de Louvain – 13008 Marseille. You can contact us at the following address: firstname.lastname@example.org
The contact details of our Data Protection Officer are provided at the end of this document.
General overview of the privacy and security policy
Volta Medical’s personal data protection policy is a document that details how we collect the data of natural persons, how we use these data, and how we may share them in the context of our business operations and research and development activity.
This privacy and security policy covers Substrate HD SAS (Volta Medical), its websites and applications. The websites and applications are termed “Platforms” in this policy.
In accordance with the goals of transparency and fairness that we set for ourselves and pursuant to the European regulation on personal data (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, referred to by the term “GDPR” in this document), our goal is for this Privacy and Security Policy to be understandable and easily accessible.
We have therefore divided it into several sections so that you can easily find the information that you are looking for.
It contains general information as well as information on the specific ways in which we use personal data. You can request more information at any time about any processing that is not explained here.
To facilitate reading, we will refer to this privacy and security policy by the shortened term of “Policy” throughout the rest of the document.
Who does this Policy apply to?
This policy applies to any natural person who has a relationship with our company and whose personal data is processed by us. It does not apply to employment relationships; another policy available to Volta Medical employees governs this relationship.
This Policy applies in particular to individuals who have agreed to participate in research. It also serves as an information document for anyone interested in the way in which we process personal data.
This Policy is available on our websites and may also be obtained free of charge on request by any other method. This request can be addressed to our Data Protection Officer whose contact details are provided below.
As part of our operations, we may work with entities which are not part of our group; if you would like to know how these entities process your data, we encourage you to contact them directly to learn about their commitments and/or to exercise your rights under the GDPR.
We may occasionally amend this Policy in order to reflect changes in our operations and/or to comply with our legal obligations.
In the event of any amendments, these will be made to the relevant pages of the Policy on the Platforms available online and we recommend that you consult it on every visit. However, if the amendments to this Policy are substantial, we will draw your attention to this by publishing a notice on our website and, where applicable, in the relevant section of each Platform.
What are personal data?
According to the GDPR, personal data are information about an identified or a directly or indirectly identifiable person. In this policy we refer to them by the terms “personal data” or “data”. The personal data that we process may be private or professional. Anonymous, anonymized, or aggregate data are not personal data.
What is the processing of personal data?
Processing is any operation performed on personal data. We process personal data in accordance with the GDPR:
– for ourselves; in this case, we are the controller because we determine the purposes and the means of the processing of the personal data, or
– for our customers, partners, or other organizations; in this case we act as a processor as defined by the GDPR.
What are our commitments?
Transparency: Volta Medical undertakes to process personal data in a transparent, fair, and lawful way.
To this end, we will provide you with relevant information when we collect your data or when they come from a third party or technology. When we collect data, we will notify you if this collection is mandatory, which mandatory data you should provide, if this collection is to satisfy a statutory or contractual requirement, and if it is a condition for the provision of a service or a contract, as well as the consequences of failing to provide this data. If we do not collect your personal data directly from you, you will still receive, either at the time of our first contact (through our intermediary or one of our processors) or at the time when the data are collected by the intermediary, information that is identical to that which we must provide in the case of direct collection. You will, in particular, be informed about the source of the data. Where necessary, we will notify you about any automatic decision-making (and the rationale for it), including profiling. This means that we will strive to inform you of the expected scope and consequences of any processing involving you.
Proportionality: We also undertake to only process your personal data for specific, explicit, and legitimate purposes or in order to comply with our legal/statutory obligations. Your personal data are not subsequently processed in any way that is incompatible with these purposes. If we intend to carry out further processing of said data for a purpose compatible with the one for which they were collected, we will provide you with any information you may need to understand this new purpose and any other relevant information. When the processing falls within our legitimate interests, this means that we have determined that it does not harm your interests nor your fundamental rights and freedoms. You may request information on how we weigh these factors at any time.
Necessity: We will restrict the collection and processing of your personal data to only what is adequate, relevant, and limited to what is needed for our operations. We will only retain the data in question for a period not exceeding that which is necessary for the purposes for which they are processed. They may nonetheless be retained for research or statistical purposes as long as we implement appropriate technical and organizational measures to ensure your rights and freedoms.
We only disclose certain portions of your data to authorized recipients, such as departments within our group that need them, as well as to any relevant third parties for the efficient performance of our services, operations, and/or research, but also to parties participating in potential business transactions (for example, prospective buyers or investors, or parties involved in a legal reorganization). We oversee relationships with the recipients of these data and with our processors through the implementation of appropriate safeguards and in line with our legal obligations. We also disclose your data when required to do so under a legal or statutory obligation or if the recipients are legally entitled to access the data (such as competent judicial or administrative authorities, court-appointed bailiffs, etc.). The disclosure of these data is governed by the applicable legal/statutory provisions.
Accuracy: We will ensure that your personal data are accurate and kept up to date. We will implement reasonable measures to ensure that inaccurate data, with respect to the purpose for which they are collected, are erased or rectified as soon as possible.
Security: Your data are processed in a way that ensures appropriate security, particularly with respect to unauthorized or illegal processing and against loss or destruction by means of relevant technical and organizational measures.
Generally, we undertake to comply with all legal principles incumbent on us concerning personal data protection, including in particular:
– respect for the rights conferred on individuals,
– compliance with storage periods (while taking into account, in accordance with applicable law, the purpose of the processing, contractual or operational requirements, and our legal/statutory obligations),
– obligations concerning international transfers, for which we will take the necessary measures to ensure compliance with European regulations in the case of recipients who are not located in a European Union member State,
– educating employees about data protection and the necessity of confidentiality,
– implementing organizational and technical measures to ensure effective compliance with these principles.
What personal data do we collect?
We may collect personal data directly from you or via a third party, and by means of various sources. For example, we collect data directly from you when you submit a job or internship application, when you contact us about a product or service, when you register for a training session, or when you use our products and services.
We can also collect your personal data when you interact with us, for example through cookies or other similar technology installed on your Internet-connected device (we can also collect the IP address from which you connect).
We can also collect your personal data through your healthcare facility in the context of healthcare that you receive: either because your physician/healthcare facility uses one of our products or services (we are then their processor) or because you have explicitly agreed to participate in research (we are then the controller).
The personal data that we collect are not the same for all processing. They vary according to the processing in question and its purpose, but also depending on the kind of relationship that exists with the data subject and on the category to which the data subject belongs.
For this reason, we collect data on the following categories of individuals:
– job/internship applicants, or similar,
– prospective customers,
– training participants,
– visitors to our Platforms,
– individuals receiving healthcare from a healthcare professional using our products or services,
– individuals participating in research with their consent in the framework of a research protocol validated by the research center authorities,
– healthcare professionals (including investigating physicians, physicians using our products, and members of our scientific advisory board),
– healthcare staff or staff involved in research,
– employees and/or representatives of our service providers, partners, suppliers, and contractors.
Information categories that we directly or indirectly collect:
NB: Depending on your relationship with us (research participant, employee of one of our suppliers, physician using our products or services, physician belonging to the scientific advisory board, etc.), the information that you directly or indirectly provide to us is not the same.
The information categories that you may provide to us, depending on our relationship with you, are:
– personally identifiable information such as your last name, first name, mailing address, date of birth, e-mail address, telephone number (personal or work depending on the case), country of residence, nationality, and pictures or video clips of you;
– professional data such as your training, your qualifications, your professional experience, your salary, your current and previous employers, your business identification number, your trade and specializations, and any gifts and hospitality that you might receive;
– data concerning your health, such as the care you received (duration of the procedure, radiofrequency, fluoroscopy, type of intervention carried out by the physician, procedure parameters, procedure outcome), extra-cardiac electrical signals collected as part of the procedure, and electroanatomical data; these data are disclosed to us by the healthcare facility in the framework of research and in a pseudonymized and encrypted format;
– commercial data: data concerning an invoice, payment methods and dates, banking details, and information about the offered/sold products/services;
– data concerning your consent to the collection of personal data.
We may also automatically collect information, at our discretion, during our relationship with you: for example, when you browse one of our Platforms, when you read our marketing-oriented electronic messages (e-mail in particular), or when you attend events that we organize.
The information categories that we automatically collect:
– personally identifiable information: your IP address, cookie identifiers, and identifiers from other similar technologies;
– device usage data: Internet sites visited, browser type and version, etc.
What processing do we carry out on personal data?
We process personal data for specific, explicit, and lawful purposes. Not all of the processing set out below applies to the same individuals; which applies depends on our relationship with you.
In the context of managing our business relationship and communicating with you
Your data will be processed for the purposes of:
– making contact with prospective customers that we think may be interested in our products and services (except where such solicitation is explicitly unwanted) or our research, marketing, and advertising operations. Processing is based on our legitimate interest (legal basis for the processing).
– sales, technical and commercial support, after-sales/maintenance, signing contracts, invoicing, managing litigation, contracting with processors, and buying goods and services. Processing is here based on a contract currently in effect between us or on pre-contractual steps (legal basis for the processing).
We are the controller. Data are only sent to authorized departments when necessary for their assigned tasks. Data may also be disclosed to processors when the transmission and processing of these data have been contractually codified to ensure sufficient safeguards with respect to personal data protection. Data are only stored for the period needed for each purpose and, where necessary, in compliance with legal storage obligations.
In the context of the provision of healthcare services
Volta Medical carries out personal data processing for its customers (healthcare facilities, physicians) in the framework of providing operational support software called VX1 and The Recorder. The Recorder is an operational annotating tool that physicians are free to use. VX1 is a solution that supports decision-making but is not a substitute for the physician, who remains the sole decision-maker about the intervention to be carried out. It is not a diagnostic tool. Data processing is carried out under the supervision of physicians. The physician and/or healthcare facility is/are the controller for the VX1 and The Recorder processing; Volta Medical, as the provider of a technological solution, is a processor as defined by the GDPR. Processing is based on a contract between us and the healthcare facilities or physicians (legal basis for the processing).
In the framework of our research operations not involving human subjects
To acquire and improve knowledge about the occurrence of cardiac rhythm disorders and the mechanisms and interactions affecting the heart, we have undertaken research based on applying artificial intelligence algorithms to healthcare data collected during interventions. Upon completion of the research, our aim is to make it easier for physicians to make diagnoses. During the research, algorithms are applied to patients’ electrical signals, which are collected after the medical intervention with the consent of the patient or of their legal representative. The algorithms have no bearing on decision-making with respect to the data subjects in question. Data are collected on our behalf by healthcare facilities with whom we have a scientific research protocol and are submitted to us in a pseudonymized format. Processing of personal data is based on Volta Medical’s legitimate interest in research and development (legal basis for the processing), without, however, affecting the rights and freedoms of the data subjects. In the context of this research, we are the controller, and the healthcare facilities/physicians who participate in collection on our behalf are our processors as defined by the GDPR.
Since participation in the research is optional, individuals participating in this research are notified by means of a specific notice to ensure they understand what it consists of and are aware of their rights. They are free to either participate in the research or refrain from doing so, without any impact on the healthcare they receive. They are free to withdraw their consent at any time. Data are only sent to authorized departments when necessary for their assigned tasks. Data may also be disclosed to third-party processors when the transmission and processing of these data have been contractually codified to ensure sufficient safeguards with respect to personal data protection.
Data are stored throughout the period needed for the research in addition to the period authorized by the regulations. At the end of this period, personal data are either anonymized or destroyed.
As part of this research, we also collect personal data concerning the professionals involved in the research, such as scientific officers (the legal basis for processing here is the contract made with us), participating physicians, and, where applicable, staff involved in the research (the legal basis for processing is our legitimate interest or the contract made with them). A specific information notice is sent to these professionals within statutory timeframes and states the legal basis applicable to the processing. The personal data of professionals involved in the research are stored for the period needed for the research in addition to the period authorized by regulations. They are then archived in paper or electronic format for a period compliant with current regulations.
As part of our statutory obligations concerning transparency and the avoidance of conflicts of interest
In strict compliance with applicable regulations, we may compensate, pay, or award hospitality to healthcare professionals. We may also make donations and/or gifts for research or to organizations, or fund training in the field of healthcare. Consequently, we collect the information needed to complete the procedures required by regulations concerning transparency and the avoidance of conflicts of interest. The legal basis for this processing is compliance with our legal obligations. A GDPR-compliant notice is provided in this regard to the healthcare professionals and data subjects by appropriate means. The necessary data are processed internally by authorized staff and are also disclosed to certain authorized third parties (in particular regulatory bodies, such as the Council of the Order of Physicians, the French Transparency Register, and their foreign equivalents). You are encouraged to consult the confidentiality policies of these bodies. Depending on the context, the storage period that we apply may vary (duration based on the performance of a contract or of the research, duration of the legal requirement).
In the context of hiring
We collect information concerning you in order to manage job applications. These data are sent to both internal and external authorized hiring staff. We only store the data you disclosed to us for the period needed to assess your application and, if we do not hire you, for a longer period in order to offer you future opportunities that might be suitable. You may nonetheless object to this or exercise any of your rights as stated below. Processing is based on pre-contractual measures or a contract made between us, or on our legitimate interest (legal basis for the processing).
Cookies
Technical cookies do not require your consent to be installed on your terminal when they fulfil certain criteria. (They may nonetheless be blocked in general by your browser settings, though this could have a negative impact on your use of the site.) These include trackers that retain the choices you made about the installation of trackers, those intended for the authentication of a service, those enabling you to customize the interface (choice of language), and those used for visitor statistics. These trackers are retained for no more than 13 months, and the information they collect is not stored for longer than 25 months. At the 13-month deadline, a new cookie is installed in place of the former technical cookie.
Other cookies may only be installed with your consent and after you have been notified with all the necessary information to be able to make an informed decision. Your consent may be withdrawn at any time. We encourage you to read our Cookies Management page.
Transfer outside of the EU
We may carry out data transfers to a country outside of the European Union in the framework of our operations. In this case, we will take all appropriate steps to ensure compliance with applicable regulations within the European Union. You may obtain a copy of these safeguards from our Data Protection Officer.
What are your rights concerning personal data?
Any natural person enjoys rights concerning their personal data granted by law. Where the law allows it, we may charge a fee for handling a request, for example when your request is manifestly unfounded or excessive.
Your rights are exercised vis-à-vis the controller. Consequently, we are only able to respond to requests concerning processing for which we are the controller. We cannot fulfill your request when we act in the capacity of processor; in that case, please contact the healthcare facility or physician who is the controller.
When you wish to exercise any of your rights, we may require information and documentation from you in order to verify your identity. This ensures no confidential information is disclosed to unauthorized individuals.
Provided that the law allows it, that doing so does not breach a duty of confidentiality we owe to a third party, and that it does not seriously compromise the purpose of the processing, we will send you the requested information, or will notify you in a timely manner of any additional details needed to process your request.
Your requests may be made in writing or verbally, but in the latter case you must be able to prove your identity by other means. We will keep a written record showing that you made your request verbally, how you verified your identity, and the information that you provided to us.
What are your rights?
– You have the right to be informed when we directly or indirectly collect data from you.
– You have the right to be informed of whether or not we hold data about you, and if so, the personal data we hold about you, as well as the identity and contact information of the controller, the contact information of the Data Protection Officer, the purposes of the processing and its legal basis, our legitimate interests where applicable, the data categories collected, the recipients of the data, information about transfers to countries outside of the European Union, information about adequate safeguards, the storage period or if this is not possible, the criteria used to determine this period.
– You have the right to have your personal data rectified in the event they are inaccurate and to have them completed (including by means of a supplementary statement) according to the type of processing in question,
– You have the right to erasure of your data when specific conditions have been met, including the following:
o they are no longer necessary in relation to the purposes for which they were collected, or
o you withdraw the consent on which the processing was based;
– You have the right to request the restriction of the processing in some circumstances, namely:
o when you contest the accuracy of the data (this restriction will be in effect for a limited period of time),
o in the event of unlawful processing by us for which you prefer that your data be restricted rather than erased,
o in the event that we no longer need your data but these are needed by you for the establishment, exercise, or defense of legal claims,
o if you have contested processing, we will restrict processing during the period needed to verify that the lawful grounds invoked by Volta Medical for the processing prevail over yours. We will also notify you before removing the restriction of the processing;
– You have the right to have your data transferred to a third party in a structured, commonly used, and machine-readable format. This right is only available when the processing that we carry out is based on a contract made between us or when we process your data because you have consented to it;
– You have the right to object to your data being processed for the purposes of direct marketing.
– You have the right to object to your data being processed, to a certain extent, with respect to your specific circumstances, when the basis for this processing is our legitimate interest (particularly in the case of automated individual decision-making);
– If you believe that we have not satisfactorily dealt with the exercise of your rights, you may contact the relevant supervisory authority which, for Volta Medical, is the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés, CNIL): www.cnil.fr
Volta Medical undertakes to consider all requests concerning personal data. If you have any questions about this Policy or you wish to exercise one of your rights, please contact us. We will reply in a timely manner and in all cases within the regulatory mandated time frames. We will respond to you in writing, including by electronic means, or also verbally if you request it (please see above for the terms and conditions applicable to verbal replies).
To exercise your rights, please contact the Data Protection Officer (DPO) appointed by Volta Medical at the following address: email@example.com
Data Protection Officer
Volta Medical has appointed a data protection officer whose role is to ensure the dissemination of a culture of personal data protection at Volta Medical, but also with its partners, providers, and customers. He/she is involved in processing projects to ensure that individual rights are taken into account. He/she will also respond to any questions you might have about regulations concerning personal data and to your requests to exercise your rights.
His/Her address is: firstname.lastname@example.org