Ankyras
Version 1.0 – Effective Date: May 15th, 2023
This document describes our data protection policy for Mentice Spain S.L. (“Mentice Spain” or “Data Controller”). For more information on Mentice’s corporate data protection policy, please visit www.mentice.com/data-protection-policy.
For persons located in the European Union (EU), European Economic Area (EEA),Switzerland and United Kingdom (UK): The EU General Data Protection Regulation (“GDPR”) governs the rights you have in relation to your personal data, and what companies that process your personal data are permitted and required to do.
In accordance with the provisions of the Regulation(EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(“GDPR”), and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (“LOPDyDD”) we inform you below of our data protection policy.
1. Data Controller details; about Data Controller’s services and personal data collected
1.1 Data Controller details:
· Company Name: MenticeSpain S.L.
· ID number: CIF - B72674646
· Postal address: Rambla Catalunya 53-55, 4º-H, 08007 Barcelona
· Email: ankyras@mentice.com
· Contact details of the Data Protection Officer (DPO): privacy-msl@mentice.com
1.2 About Data Controller’s services (”Services”)
Ankyras is intended to assist healthcare professionals in the selection of a proper braided device for treatment of intracranial aneurysms, also allowing them to assess the fit of each particular braided device in the patients’ anatomy. The service allows the prediction of the final position of the device after being placed inside the vascular patient anatomy, the changes in the braided device geometry after being placed inside the vascular patient anatomy and the geometrical characteristics of the braided device such as the radial expansion and the local surface porosity.
It is intended for use by qualified medical professionals experienced in examining and evaluating 3D rotational angiography images, for the purpose of obtaining diagnostic information as part of a comprehensive diagnostic decision-making process.
Ankyras is intended to view only 3Drotational angiography images, CT scanners and Magnetic Resonances with sufficient spacing (below 0.3 mm) stored in a DICOM format.
1.3 Personal data collected
MENTICE SPAIN collects the following personal data when users first sign up on the Services:
MENTICESPAIN does not collect special categories of data, such as, information regarding your race, political opinion, religion or sexual orientation, nor use it for marketing analysis.
Your personal data is used to assign you with a unique identification number (ID number) that allows MENTICE SPAIN to identify and provide you with the Services detailed in section 1.2 above. The ID number will uniquely identify you if you sign up using the same account on a new device.
We also inform you that MENTICE SPAIN will have access to patient data uploaded by you in your capacity as either data controller (for healthcare providers) or data processor (for medical device companies) of such personal data.
When MENTICE SPAIN acts as a data processor (to healthcare providers)or sub-processor (to medical device companies), we will provide information to the customer who has contracted the Services about how the system processes personal information. The data controller or processor will in turn be responsible for informing their respective clients, patients or staff about the processing and will obtain consent from patients and, where necessary, from clients or staff as part of the enrolment process. The personal information of individuals enrolled may only be used in a manner consistent with the consents obtained or information provided to them by the data controller at the time of enrolment.
2. Purpose, legitimacy of processing and period of data retention
Below you will find a table identifying the purpose of the treatment of your personal data, that is, the reason why MENTICE SPAIN treats your personal data, the legal basis that allows the treatment for the indicated purpose and the period of data retention.
Purpose
Legitimacy
Period of data retention
Managing your registration as a user of the Services, owned by MENTICE SPAIN, in order to give you access to it.
Execution of the agreement consisting in the user’s registration in the Services application.
As long as the users do no express their willingness to unsubscribe as an Services application user.
To manage your profile as a user of the referred Ankyras’ application, give you access to the information – case data – uploaded by your side and, therefore, provide you with the Services.
Management, where appropriate, of your rights as an interested party.
The fulfilment of a legal obligation applicable to MENTICE SPAIN.
During the time necessary to resolve requests and/or complaints.
In the event that MENTICE SPAIN treats your personal data for purposes other than those listed in the above table, MENTICE SPAIN will inform you prior to processing and provide you with any additional relevant information in accordance with applicable law, and shall request your consent, if applicable, if such consent is necessary to justify lawful processing.
Likewise, we inform you that, apart from the aforementioned retention periods, we will keep your personal data during the statute limitation period in order to fulfil our legal obligations, to exercise our legal rights (to lodge or defend a claim). Likewise, the provisions of the corporate regulations relating to archiving and retention of documentation periods shall apply.
3. Recipients of the personal data: assignees and data processors
We inform you that your personal data will not be communicated to third parties, unless legally obligated to do so.
Additionally, we inform you that, in certain cases, we may provide access to your personal data to third parties (sub-processors) which provide us with application maintenance or hosting services, among others, and which help us to manage our Services applications, properly, efficiently and within the legal framework. In this regard, we inform you that MENTICE SPAIN stores its data on a server located in Germany owned by Hetzner Online GmbH. A complete and updated list of sub-processor scan be found at the end of this page under section 5.
The processing of personal data by these sub-processors, with whom a contract has been concluded under Article 28 of the GDPR and Article 33 of the LOPDyDD, may be carried out both within and outside the European Union territory. Processing carried out outside the European Union territory is undertaken on the basis of an adequacy decision (third country or international organization guaranteeing an adequate level of protection).
4. Data subject right
We hereby inform you that, in relation to the processing of your personal data, you have the right:
To obtain confirmation as to whether or not MENTICE SPAIN is processing your personal data.
To request access, rectification of inaccurate or incomplete data and, where appropriate, the deletion of your data when, among other reasons, they are no longer necessary for the purposes for which they were collected.
In certain circumstances, you may:
request a restriction on the processing of your personal data, in which case we will only retain it for the purpose of lodging or defending claims;
for reasons related to your particular situation, object to the processing of your personal data, in which case MENTICE SPAIN will cease to process it except for compelling legitimate reasons, or to lodge or defend any claims; and, if you have given your consent for a particular purpose.
To receive the personal data which concerns you, and which you have provided to MENTICE SPAIN, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from MENTICESPAIN. In this regard, you may request MENTICE SPAIN to transmit your personal data directly, if technically feasible, to the new controller indicated in your communication.
To withdraw your consent if you have given your consent for a particular purpose. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to withdrawal.
You may exercise your rights at any time and free of charge by:
The content of the application must include: your name and surname; a photocopy of your national identity card, passport or other valid document identifying you and, if necessary, the person representing you, as well as the electronic document or instrument accrediting such representation; detail of the request made, address for service, date and signature of the applicant; and supporting documents for the request you make, if necessary. Additional information about your rights can be found here.
If you consider that the processing of personal data concerning you infringes applicable legislation or you are simply not satisfied with the exercise of your rights, you have the right to file a complaint before the Spanish Data Protection Agency, by any of the following means:
(i) by calling +34 901 100 099, or+34 912 663 517;
(ii) by electronic means, by visiting the website https://sedeagpd.gob.es/sede-electronica-web;
(iii) in person, at Calle Jorge Juan,6, 28001 Madrid.
5. List of sub-processors
List of sub-processors:
Sub-processors may change from time to time and may include third parties or MENTICE SPAIN’s affiliates.
6. Data transfer
MENTICESPAIN is committed to complying with all applicable laws and regulations for personal information we process; as well as EU and Swiss-approved Standard Contractual Clauses (“SCCs”), which allows for the transfer of personal information from individuals in the UK, European Union and Switzerland to the United States. MENTICE SPAIN adheres to the SCCs and Privacy Shield Principles. To learn more about the Privacy Shield Framework, please visit www.privacyshield.gov.
Additionally, MENTICE SPAIN has and will continue to maintain appropriate contractual agreements with our customers, affiliates and partners. Furthermore, MENTICESPAIN has and will continue to work with and comply with the applicable Data Protection Authorities in the UK, EU and Switzerland.
MENTICESPAIN and our affiliates may disclose personal information as required by law, regulation, warrant, subpoena, court order, or regulator or law enforcement agency or personnel, as well as in respect to a criminal investigation or to meet government tax reporting requirements. In some instances, such as a legal proceeding or court order, we may also be required to disclose certain information to government authorities. Only the information specifically requested is disclosed and we take precautions to verify that the authorities making the request have legitimate grounds todo so. We also may release certain personal information when we believe that such release is reasonably necessary to protect the rights, property, and safety of others and ourselves.
MENTICESPAIN may transfer your personal information to other companies within the Mentice group of companies or to third parties such as external service providers. In cases of onward transfers to third parties, MENTICE SPAIN will limit the personal information shared to the minimum amount necessary and will obtain assurances from third party business partners (agents) that they will safeguard personal information consistent with our policies. Where MENTICESPAIN has knowledge that a third-party business partner is using or disclosing personal information in a manner contrary to our company policy, MENTICE SPAIN will take reasonable steps to prevent or stop the use or disclosure.
