Data Privacy Policy

1 GENERAL

1.1 This privacy policy (”Privacy Policy”), describes how AMRA Medical AB, registration number 556804-3227, Badhusgatan 5, SE-582 22 Linköping, Sweden (“AMRA”), collects, uses, discloses, stores and otherwise process personal data.

1.2 We respect your right to privacy, and we are committed to comply with applicable data protection rules and to safeguard your rights. We want to make sure that you are aware of what types of information we collect or obtain from you via the website or during your communication or interaction with us, how this information is used and how we work to protect it.

1.3 This Privacy Policy describes, amongst other things, which information we collect about you, how your personal data is processed and for what purposes we collect and use the personal data. This Privacy Policy also describes your rights and how you can contact us about the use of your personal data.

1.4 AMRA is the data controller responsible for processing your personal data in accordance with applicable data protection legislation.

2 WHAT TYPES OF DATA DO WE PROCESS?

2.1 Personal data means all types of information which can, directly or indirectly, be used to identify a living physical person (“Personal Data”).

2.2 AMRA collects and processes Personal Data about you when you visit our website, including:
(i) information about how you in particular use our website; and
(ii) technical data, which may include your URL, IP address, unique device ID, network and computer performance, browser type, language and identifying information, general geographical location and operating
system.

2.3 AMRA collects and processes Personal Data about you when you sign up for our newsletter, including name, email, what company you work for and your work title.

2.4 AMRA further collects information that is necessary for us to be able to contact you in your role as a representative for a company. AMRA collects and processes information about you if you represent a company that is a customer, supplier, contractor or otherwise partner of ours, as well as a potential customer, supplier, contractor or otherwise partner of ours. The information that we collect and process in such cases include contact information (such as name, address, title, company, email address and telephone number).

2.5 AMRA also collects Personal Data in connection with recruiting staff members. When you contact us to apply for a job opportunity with us, we collect such Personal Data that you provide us with in connection with such application. Personal Data normally included in a job application is contact information (name, address, email address and telephone number), CV (including previous work experience and education), and occasionally picture and personal registration number.

2.6 Furthermore, AMRA collects and processes Personal Data about you when you choose to participate in a study conducted by AMRA or agree to have your MRI image used by AMRA in marketing. Personal Data that
AMRA collects and processes in such cases include name, age, sex, height, weight, BMI and MRI images.

2.7 Information about how we store and use cookies is described in our cookie policy, available at https://www.amramedical.com/cookies.

3 WHY DO WE PROCESS YOUR DATA?

3.1 AMRA collects and process Personal Data relating to you for the following reasons:
(i) to ensure the technical functioning of the website;
(ii) to analyse your use of the website in order for us to develop and improve the website;
(iii) to send newsletters that you have requested and to respond to communications you have sent us;
(iv) to contact you as a representative for a customer, supplier, contractor or otherwise partner of ours;
(v) to market ourselves and our services and invite you to events we believe might be of interest to you or the company that you represent (provided however, that you will always have the right to opt-out of any marketing messages from us);
(vi) to develop and improve our services;
(vii) to process job applications;
(viii) to conduct clinical studies (only with your prior consent);
(ix) to produce marketing material in relation to MRI images (only with your prior consent); and
(x) to fulfil requirements by law.

4 THE LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

4.1 AMRA’s processing of your Personal Data is based on the legal grounds as follows.

Legitimate interests

4.2 The legal basis for processing Personal Data such as technical data when you browse the AMRA website is that the processing is necessary for the purpose of the legitimate interests of AMRA, which is for AMRA to be able to develop and improve the website. The legitimate interest of AMRA may also constitute the legal basis for processing in situations where you provide us with your contact information by handing us a business card or otherwise has expressed an interest in our or services. The legitimate interests of AMRA in such cases are for AMRA to be able to market its services. Furthermore, the legitimate interest of AMRA is the legal basis for when AMRA is processing your personal data when you are a representative for a customer, supplier, contractor or otherwise partner of ours. The legitimate interests of AMRA in such cases are AMRA’s need to contact you as a representative to administrate the relationship AMRA has with the company that you represent. Furthermore, the legitimate interest of AMRA is the legal basis for AMRA’s processing of your Personal Data in connection with your job application, in which cases the legitimate interests of AMRA are to be able to secure that its employees has sufficient education and experience. Additionally, the legitimate interest of AMRA is the legal basis for AMRA’s processing of your Personal Data in connection with AMRA sending out its newsletters. The legitimate interests of AMRA in such cases are for AMRA to be able to market itself and its services.

Consent

4.3 AMRA’s processing of your Personal Data is based on your consent where you have chosen to participate in a clinical study and/or participate in AMRA’s production of marketing material, whereby a MRI image of you is taken. You can at any time withdraw your consent to such processing by contacting us. For contact details see section 10 below.

Legal obligation

4.4 AMRA may process your Personal Data for the purpose of complying with safety standards and other statutory requirements, based on the legal ground that this is necessary for compliance with a legal obligation to which AMRA is subject.

5 FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?

5.1 Your Personal Data is stored only for as long as there is a need to keep the data in order to fulfil the purposes for which the data was collected in accordance with this Privacy Policy.

5.2 The Personal Data will be deleted if the purpose of collection and use of Personal Data has been achieved, or if you withdraw your consent (if applicable) to the collection of Personal Data by contacting us (for contact information, please see Section 10 below). Personal Data received in connection with a job application for an applicant that is not hired will be stored for no longer than one year after the date of the application.

6 HOW MAY THE DATA BE SHARED?

6.1 AMRA will not sell, trade or lease your Personal Data to third parties. However, AMRA may share Personal Data with our trusted subcontractors and co-operation partners in order to provide you with our services. They may need access to your Personal Data in their assignment for us, but they will not be allowed to use the Personal Data for any other purpose.

6.2 Unless otherwise set forth below or in any specific information regarding our processing of your Personal Data, AMRA will not transfer your Personal Data to any country outside the EU/EEA.

6.3 AMRA is part of an international group of companies, some of which are based outside of the EU/EEA. Personal Data may be transferred to AMRA Inc., a group company of AMRA based in the US. AMRA has secured the safety of transferred Personal Data by having entered into the EU-commission’s Standard Contractual Clauses for the transfer of personal data to companies established in third countries with such non-EU/EEA companies.

6.4 Personal Data that AMRA collect may be transferred to Internet service providers based outside of EU/EEA as a part of such Internet service provider’s provision of services to AMRA. Personal Data may also be transferred to USA through AMRA’s use of SalesForce, Google Analytics, and AMBRA. AMRA has ensured that your rights are guaranteed before making such transfer to USA by
SalesForce’s, Google’s, and AMBRA’s adherence to EU-US Privacy Shield. More information is available at www.privacyshield.gov

6.5 Personal Data may be disclosed by AMRA to comply with legal requirements or other requirements from official authorities, in order to safeguard AMRA’s legal interests or to detect, prevent, or draw attention to frauds
or other safety or technical problems.

7 PROTECTION OF YOUR PERSONAL DATA

7.1 You should always feel secure when you provide your Personal Data to us. We have employed a wide range of security measures to help protect your Personal Data against undue access, modification and deletion.

7.2 We protect your Personal Data using commercially reasonable safeguards to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include data encryption, firewalls, automatic timeouts and pseudonymization where applicable. Therefore, you can rest assured that your Personal Data is in safe hands.

8 YOUR RIGHTS

Corrections, additions

8.1 You are always entitled to access your Personal Data for viewing, and to request that we correct or update your Personal Data. Restriction of use and data portability

8.2 Under certain circumstances (expressed in applicable data protection legislation), you may request that AMRA restricts the use of your Personal Data or delete your Personal Data. If you have provided us with Personal Data, you also have the right to have your Personal Data resubmitted to you, in a structured and accessible format, for transfer to another user/processor.

Requests and Complaints

8.3 If you wish to exercise any of the abovementioned rights or if you have any questions regarding Personal Data held by us or this online Privacy Policy, please do not hesitate to contact us (for contact information, please see section 10 below).

8.4 Should you be dissatisfied with our processing of your Personal Data, please let us know, and we will do our best to meet your complaints. Your integrity is very important to us, and we always strive to protect and secure your Personal Data in the best possible way. Should we nevertheless, in your opinion, fail in this ambition, please note that you are also entitled to lodge a complaint with the Swedish Data Protection Authority (Sw.
Datainspektionen, which will be changing name to Integritetsskyddsmyndigheten during 2018), or such other authority as may be determined in the future.

9 CHANGES TO THIS PRIVACY POLICY

AMRA may, at any time, make amendments to this Privacy Policy. AMRA will publish the amended version at our website. If the amendments are substantial, AMRA will send the amended Privacy Policy to your email, and if AMRA does not have your email, AMRA will send it to you by other means (if possible).

10 HOW TO CONTACT US

You can contact us at: AMRA Medical AB, Badhusgatan 5, SE-582 22
Linköping, Sweden, or at our email: data-protection.officer@amramedical.com