A. ABOUT THIS POLICY
We are committed to providing you with professional and valuable products and services whilst safeguarding your privacy.
B. WHO IS ACCOUNTABLE FOR YOUR DATA?
We, CooperSurgical – with its head office in Europe at: Knardrupvej 2, 2760 Målov, Denmark – are the data controller of your Personal Data. We can be contacted at DPO@coopersurgical.com.
C. WHAT DATA DO WE PROCESS AND WHY?
The types of information that we may collect from you, depending on how you interact with us (e.g. how you use our websites), and the purposes of processing, include:
|Data Subject category||Type of information||Purposes of processing||Legal basis of processing|
|Clinics and Doctors||
|Customers (including clinics)||
|Users of our websites||
Our business purposes – we may also use your Personal Data for our internal business purposes (our legitimate interests) such as:
- record keeping, statistical analysis, internal reporting and research purposes;
- to investigate any complaints you make;
- to provide evidence in any disputes or anticipated disputes between you and us;
- for the detection and prevention of fraud, other criminal offences and for risk management purposes;
- for business and disaster recovery (e.g. to create back-ups);
- to ensure network and information security;
- to host, maintain and otherwise support the operation of our websites, including to customize various aspects of our websites to improve your experience;
- for document and data retention/storage;
- to protect the rights, property, and/or safety of CooperSurgical, any of the Affiliates, its personnel and others; and
- to ensure the quality of the services we provide to our clients and other Data Subjects.
We believe the risk to your data protection rights in connection with Personal Data that we process on the basis of our legitimate interests is not excessive or overly intrusive. We have also put in place protections for your rights by ensuring proper retention periods and security controls.
In addition, we may use your Personal Data for additional specific purposes made clear at the point of collection of your Personal Data.
If you choose not to provide the Personal Data requested by us, we may not be able to provide you with the products and/or services you have requested or otherwise fulfil the purpose(s) for which we have asked for the Personal Data.
D. HOW AND WHEN DO WE SHARE DATA WITH THIRD PARTIES?
Some products and/or services that we provide require the involvement of third parties. We do not sell, rent, distribute or otherwise make Personal Data commercially available to any third party, except that we may share information within our group of companies, with our service providers and other third parties for the purposes set out in this Policy:
a) Data sharing within CooperSurgical group
CooperSurgical may share your Personal Data with the Affiliates:
- where we need to do so in order to provide the products and/or services or information that you have requested; for example, we transfer your Personal Data to the United States and South Africa;
- if you consent to us doing so (e.g. when you give us consent for marketing communications with Affiliates).
b) Data sharing with service providers
We also share your Personal Data with our third-party service providers, whom we engage to provide various services, in relation to:
- deliveries of our products (e.g., couriers and clinics);
- marketing and advertising services (e.g. marketing agencies, interactive agencies, e-mailing solution providers);
- our websites (e.g., hosting and maintaining our websites);
- IT services and solutions (e.g., providing data storage, assisting us with database management).
We have carefully selected these service providers and taken steps to ensure that your Personal Data is adequately protected. All of our service providers are bound by written contract to process Personal Data provided to them only for the purposes of providing the specific service to us and to maintain appropriate security measures to protect your Personal Data.
c) Data sharing with other recipients
We may also share your Personal Data with:
- our accountants, auditors, lawyers or similar advisers when we ask them to provide us with professional advice;
- any other third party if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or to protect the rights, property and/or safety of CooperSurgical, any of the Affiliates, its personnel and others;
- any other third party for the purposes of acting in accordance with the requirements of a court, regulator or government agency, for example, complying with a court order or acting in accordance with an applicable law or regulation; or
- investors and other relevant third parties in the event of a potential sale or other corporate transaction related to CooperSurgical and/or any of the Affiliates.
E. INTERNATIONAL TRANSFERS OF PERSONAL DATA
The transfer of your Personal Data to and between the Affiliates, service providers or other recipients may involve your Personal Data being sent outside of the European Economic Area (“EEA”), to locations that may not provide the same level of protection as those within the EEA countries, including third countries that are not covered by an adequacy decision of the European Commission, such as the USA and South Africa.
However, we may only transfer your Personal Data outside of the EEA:
- where the transfer is to a place or by a method or in circumstances that is regarded by the European Commission as providing adequate protection for your Personal Data;
- where we have put in place standard data protection clauses adopted by the European Commission or a relevant data protection authority; or
- where none of the above apply but we are still legally permitted to do so, for example if the transfer is necessary for the performance of a contract concluded with you or in your interest, or for the establishment, exercise or defence of legal claims.
You can request further details about the safeguards that we have in place in respect of transfers of Personal Data outside of the EEA and where applicable a copy of the standard data protection clauses that we have in place by contacting us at: DPO@coopersurgical.com.
F. HOW LONG DO WE STORE PERSONAL DATA?
It is our policy to retain your Personal Data for the length of time required for the specific purpose or purposes for which it was collected (e.g., for the fulfilment of an agreement with you). However, we may be obliged to store some Personal Data for a longer time, taking into account factors including:
- legal obligation(s) under applicable law to retain data for a certain period of time (e.g. compliance with tax and accountancy requirements);
- the establishment, exercise or defence of legal claims (e.g., for the purposes of a potential dispute).
G. HOW DO WE PROTECT YOUR DATA?
We have implemented technological and operational security measures in order to protect your Personal Data from loss, misuse, or unauthorized alteration or destruction. Such measures include the use of firewalls, encryption, proper access rights management processes, careful selection of processors and other technically and commercially reasonable measures to provide appropriate protection for your Personal Data. Where appropriate, we may also make backup copies and use other such means to prevent accidental damage to or destruction of your Personal Data. These measures ensure an appropriate level of security in relation to the risks inherent in the processing and the nature of the Personal Data to be protected.
Please note however that where you are transmitting information to us over the internet this can never be guaranteed to be 100% secure. For any payments which we take from you online we will use a recognised online secure payment system.
We will notify you promptly in the event of any breach of your Personal Data that might expose you to serious risk.
H. YOUR RIGHTS
The following section explains your rights that you may exercise. The various rights are not absolute and each is subject to certain exceptions or qualifications in accordance with the GDPR and other generally applicable provisions of data privacy law.
- The right of access – you have the right to obtain from us confirmation as to whether or not your Personal Data is being processed by us, and about certain other information (similar to that provided in this Policy) about how it is used. You also have the right to access your Personal Data, by requesting a copy of the Personal Data concerning you. This is so you are aware and can check that we are using your information in accordance with data protection law. We can refuse to provide information where to do so may reveal personal data about another person or would otherwise negatively impact another person’s rights.
- The right to rectification – you can ask us to take measures to correct your Personal Data if it is inaccurate or incomplete (e.g., if we have the wrong name or address for you).
- The right to erasure – this is also known as the ‘right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your Personal Data where, for example, there is no compelling reason for us to keep using it or its use is unlawful. This is however not a general right to erasure and there are some exceptions, e.g. where we need to use the information in defence of a legal claim or to be able to comply with a legal obligation.
- The right to restrict processing – you have the right to ‘block’ or suppress the further use of your Personal Data when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your Personal Data, but may not use it further.
- The right to data portability – you have the right to obtain and reuse certain Personal Data for your own purposes across different organisations (being separate data controllers). This only applies to your Personal Data that you have provided to us that we are processing with your consent and for the purposes of contract fulfilment, which is being processed by automated means. In such a case we will provide you with a copy of your data in a structured, commonly used and machine-readable format or (where technically feasible) we may transmit your data directly to a separate data controller.
- The right to object – you have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by CooperSurgical, any of the Affiliates, or by a data recipient. We will be allowed to continue to process the Personal Data if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or we need this for the establishment, exercise or defence of legal claims. If you object to the processing of your Personal Data for direct marketing purposes, we will no longer process your Personal Data for such purposes.
- The right to withdraw consent – where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of the processing that occurred prior to such withdrawal.
I. HOW TO CONTACT US
If you wish to request further information or exercise any of the above rights, or if you are unhappy with how we have handled your Personal Data, contact our Data Protection Officer at: DPO@coopersurgical.com.
Before assessing your request, we may request additional information in order to identify you. If you do not provide the requested information and, as a result, we are not in a position to identify you, we may refuse to action your request.
We will generally respond to your request within one month of receiving your request. We can extend this period by an additional two months if this is necessary taking into account the complexity and number of requests that you have submitted.
We will not charge you for such communications or actions we take, unless:
- you request additional copies of your Personal Data undergoing processing, in which case we may charge for our reasonable administrative costs, or
- you submit manifestly unfounded or excessive requests, in particular because of their repetitive character, in which case we may either charge for our reasonable administrative costs or refuse to act on the request.
If you are not satisfied with our response to your complaint or believe our processing of your Personal Data does not comply with data protection law, you can file a complaint with the relevant data protection authority. The Inspector General for Personal Data Protection (Datatilsynet), or its successor, is the data protection authority in Denmark.