PRIVACY POLICY for Ortoma AB

1. CONTROLLER OF PERSONAL DATA

Ortoma AB (publ), registration number 556611–7585, (“Ortoma”, ”we”, ”us”, ”our”), is a public limited company. Ortoma specializes in developing controllable treatment solutions with cutting edge technology within orthopaedic surgical procedures. Ortoma’s goal is to improve patients’ lives by developing efficient, innovative products to support and enable surgeons to provide the best possible outcome for their patients.

Ortoma cares about your privacy. Therefore, it is important to us that you feel confident about how we process your personal data. This Privacy Policy (the “Policy”) contains information about how we process personal data and what rights you have when we process your data. As a controller, Ortoma must ensure that personal data is processed in a legal and secure manner, and that every natural or legal person who processes personal data for Ortoma has the required qualifications and knowledge.

We ask that you read the Policy thoroughly and revisit it from time to time since it may be updated. The latest version of the Policy can always be found on our website. This Policy was last updated on June 16, 2021.

2. HOW WE PROCESS PERSONAL DATA IN DIFFERENT AREAS AND FUNCTIONS

2.1 General

We collect and process personal data for the different areas and functions listed below. When we collect personal data, we usually do so in order to meet statutory or contractual requirements, e.g. to enter into an agreement with an employee, a customer or a supplier.

2.2 Employees

For what purposes do we process personal data?

We process personal data for the following main purposes:

  1. management
  2. payroll administration and human resource management
  3. to offer employees occupational health service
  4. fulfilment of obligations in employment agreements and legal obligations in applicable law
  5. in relation to our business operations and projects
  6. to promote, market and provide information about Ortoma
  7. to administer and conduct business trips and participation in events
  8. education and training for the employees
  9. to monitor work and performance
  10. to secure Ortoma’s premises and IT resources
  11. employment survey
  12. archive and statistics, and
  13. where applicable, establish, execute, and protect Ortoma against legal claims.

What is the legal basis for the processing?

Employees’ personal data is collected and processed to fulfil legal obligations, collective agreements and / or for the conclusion and fulfilment of individual agreements. We also process personal data based on our legitimate interest. In these cases, we always ensure that the processing is necessary to fulfil our legitimate interest and that our interest outweighs your interests, rights, and freedoms.

What personal data may be processed?

  1. contact information – such as name, postal address, e-mail address, phone number and workplace information
  2. identification information – such as social security number, birth date, citizenship, passport information, and photo
  3. work-related information – such as job title, department, location, leave of absence (vacation, parental leave etc.), start and end of employment, reason of termination of employment and other information related to the employment contract
  4. remuneration information – such as salary and other employee benefits, bank details, insurance, tax code, accrued payroll information and pension
  5. monitoring information – such as information related to the employees’ use of Ortoma’s IT network and similar technical resources, e.g. user ID, password, authorization, activity log, door and alarm code
  6. communication information – such as work-related e-mail content, content in business correspondence and business documents and other types of work-related electronic communication
  7. appraisal meetings and similar – such as notes from meetings with employees, evaluations and assessments, development plan, and where applicable, disciplinary processes and warnings
  8. contact information in relation to closely related persons (contact information only)
  9. sensitive personal data – which includes personal data provided to us and which constitutes “special categories of personal data” under the General Data Protection Regulation (GDPR), such as data that may reveal political opinions, religious or philosophical beliefs, trade union membership, or data related to health, biometric data, data concerning a natural person’s sexual life and sexual orientation. Under this category we may process the following information:
  • the number of sick days and medical certificates,
  • information about work-related accidents,
  • information about disability (only if provided voluntarily), and
  • union membership.
  10. recruitment-related data (CV) – such as educational background, previous work experience, language skills, hobbies, interview notes and communication information (e.g. e-mail conversations with you in connection with the recruitment process).

Who has access to the personal data?

Those who mainly process the personal data within Ortoma are the CEO and relevant managers. To some extent, external actors can also get access to the data, e.g. companies we hire to administer salary payments and other benefits, as well as authorities when required. External actors only have access to such personal data that is necessary for the implementation of an agreement or that is necessary for us to be able to fulfil a legal obligation that is incumbent on us.

How long will we retain the personal data?

We never store personal data longer than is necessary with regard to the purposes of the processing. We therefore regularly sort out personal data that is no longer needed for the explicit purpose. When an employment ends, there is basically no reason for us to save the personal data. However, sometimes we need to retain personal data for a certain period of time in accordance with applicable law or to safeguard our legal rights. This means that even if we cease to process the personal data for a purpose, we may need to continue the processing for another purpose, but then only for the remaining purpose. To exemplify: by law, we are obliged to store certain personal data in order to comply with law such as the Swedish Employment Protection Act (Sw. Lag om anställningsskydd), the Swedish Discrimination Act (Sw. Diskrimineringslag) (up to 2 years), and the Swedish Accounting Act (Sw. Bokföringslag) (up to 7 years), and, when necessary to defend and enforce our legal rights (up to 10 years). Personal data will be deleted or anonymised when we no longer have a legitimate purpose to process them.

2.3 Recruitment

For what purposes do we process personal data?

In recruitment processes, we process personal data in order to handle applications, interview candidates, reference persons and assess candidates’ suitability for a particular position. When we receive an application that we deem might be of interest in the future, we may store the application for up to 2 years to be able to contact the candidate with job offers.

What is the legal basis for the processing?

To handle an application, interview and make decisions in a recruitment process, we need to process certain personal data. Our legal basis for the processing of personal data in a recruitment process is our legitimate interest to be able to find the right employees for our business. We always ensure that the processing is necessary to fulfil our legitimate interest and that our interest outweighs the candidate’s interests, rights, and freedoms. We may also process personal data for the purpose of fulfilling legal requirements.

If a candidate sends us an application, but we currently have no job to offer, we may keep the candidate’s CV and contact information based on the candidate’s consent.

What personal data is processed?

The personal data that we need to process in a recruitment process is, e.g. contact information such as name, e-mail address and phone number, reference persons’ contact information and information that the reference persons provide to us. Further, we may need to process data about work experience, education, professional information in social media (e.g. LinkedIn), photo, hobbies, information about marital status and family, information about citizenship and status of work permit, notes from interviews and communication in connection with recruitment and, where applicable, health information that the candidate voluntarily provides to us.

Who has access to the personal data?

Those who process the personal data within Ortoma are mainly the CEO and relevant managers. On occasion, we might hire a recruitment company to help with the recruitment. If a recruitment company handles the recruitment process, a personal data processing agreement is concluded with such company. This means that the recruitment company may only process the personal data according to instructions from us and for the purposes specified therein.

2.4 Consultants

For what purposes do we process personal data?

We process consultants’ personal data, e.g. to: enter into agreements with the consulting company, pay consulting fees and other remunerations, administer the relevant consulting services, maintain control systems, maintain documentation related to absence for assessment of consultancy fees, enable evaluation and review of performance and at a general level to ensure compliance with legal obligations.

What is the legal basis for the processing?

In order to fulfil legal obligations and/or to be able to enter into, fulfil and administer consulting agreements, we process the personal data of individual consultants. We process consultants’ personal data based on our legitimate interest. We ensure that the processing is necessary to fulfil our legitimate interest and that our interest outweighs the consultant’s interests, rights, and freedoms. In case the consultant offers the services through a sole proprietorship (Sw. enskild firma), our processing is based on the agreement with the consultant.

What personal data is processed?

The personal data processed may include name, social security number, address, e-mail address, phone number, bank account number, information on qualifications, basis for calculating fees, work experience and other professional information (CV), data logs in IT systems, notes from meetings and where applicable, information about absence.

Who has access to the personal data?

Those who process the personal data within Ortoma are mainly the CEO and relevant managers. Authorities and other external actors who, e.g. administer fee payments, can also get access to the personal data when required.

2.5 Customers and Partners

For what purposes do we process personal data?

In customer relationships, we need to process personal data belonging to representatives of the customer/partner company. We do this, e.g. to be able to enter into agreements and have a dialogue with the customer/partner, administer the customer/partner relationship, provide information and offers, invoice and to fulfil legal obligations.

What is the legal basis for the processing?

In order to enter into and manage agreements with our customers/partners, we process personal data belonging to persons who represent the customer/partner company. In these cases, we process the personal data based on our legitimate interest. We ensure that the processing is necessary to fulfil our legitimate interest and that our interest outweighs the representative’s interests, rights, and freedoms. When the customer/partner is a sole proprietorship (Sw. enskild firma), our processing is based on the agreement with the customer/partner. We may also process personal data for the purpose of fulfilling legal requirements.

What personal data is processed?

The personal data being processed is inter alia name, phone number, e-mail address, professional title, place of work, customer ID and company registration number. We may also process personal data regarding representatives of companies who are potential customers/partners. The personal data being processed is inter alia name, phone number and e-mail address.

Who has access to the personal data?

Those who process the personal data within Ortoma are the CEO, persons relevant to the agreement and relevant managers.

2.6 Suppliers

For what purposes do we process personal data?

In relation to our suppliers, we need to process personal data belonging to representatives of the supplier company. We do this, e.g. in order to enter into agreements and have a dialogue with the supplier, administer the supplier relationship, provide information and guidance, handle invoices and to fulfil legal obligations.

What is the legal basis for the processing?

In order to enter into and manage agreements with our suppliers, we process personal data belonging to persons who represent the supplier companies. We process the personal data based on our legitimate interest. We ensure that the processing is necessary to fulfil our legitimate interest and that our interest outweighs the representative’s interests, rights, and freedoms. In cases where the supplier offers its services through a sole proprietorship (Sw. enskild firma), our processing is based on the agreement with the supplier. We may also process personal data for the purpose of fulfilling legal requirements.

What personal data is processed?

The personal data being processed is inter alia name, phone number, e-mail address, address, professional title, place of work, customer ID and company registration number.

Who has access to the personal data?

Those who process the personal data within Ortoma are mainly the CEO and relevant managers.

2.7 Shareholders and Investors

For information about our processing of shareholders’/investors’ personal data in connection with a general meeting of shareholders, please see Euroclear Sweden AB’s privacy notice.

3. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

We do not disclose your personal data in any way other than as described in this Policy. Should a situation arise that makes it necessary to disclose your personal data in a way not mentioned in the Policy, we will inform you of this in an appropriate manner before disclosure, unless this is prevented by applicable law.

We may share your personal data with our partners, such as suppliers who provide us with services of various kinds, e.g. IT systems for e-mail, case management, invoicing and support and development of these systems. Further, we may share databases and analyses of data with our partners for research purposes, as well as engage consultants to act on our behalf. In cases where a partner processes personal data on our behalf, we enter into personal data processing agreements which include instructions on how the personal data must be processed.

In some cases, we may be required to disclose personal data to authorities within the judicial system or other authorities in order to comply with a court ruling or official decision. This may particularly be the case in legal proceedings or in ongoing investigations, e.g. concerning fraud or other financial crimes.

In the event of company reconstruction, bankruptcy, merger, acquisition and similar events we reserve the right to transfer personal data to relevant actors linked to such a process.

4. WHERE DO WE PROCESS YOUR PERSONAL DATA?

We always strive to process your personal data within the EU / EEA. However, in certain situations, such as when we share information with a supplier, your personal data may be processed outside the EU / EEA. When processing takes place outside the EU / EEA, we will ensure that the country or organization to which the transfer takes place is subject to an adequacy decision by the European Commission or that the recipient/importer is bound by the European Commission’s standard contractual clauses and, when needed, additional protective measures.

5. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?

We never store personal data longer than is necessary with regard to the purposes of the processing. We therefore regularly remove personal data that is no longer needed for the explicit purpose. However, sometimes we need to retain personal data for a certain period of time in accordance with applicable law or to safeguard our legal rights. This means that even if we cease to process the personal data for a purpose, we may need to continue the processing for another purpose, but then only for the remaining purpose. To exemplify: we may process personal data to comply with the Swedish Discrimination Act (Sw. Diskrimineringslag) (up to 2 years), the Swedish Accounting Act (Sw. Bokföringslag) (up to 7 years) and to be able to administer and handle warranties and claims for compensation and, when necessary, to establish, execute and protect our legal rights (up to 10 years). Personal data will be deleted or anonymised when we no longer have a legitimate purpose for the processing.

6. YOUR RIGHTS

6.1 Right to information

You have the right to be informed about how we process your personal data. We fulfil this obligation through this Policy and by answering your questions when you contact us.

6.2 Right to access

When we process your personal data as a controller, you have the right to request and obtain confirmation of whether your personal data is being processed. The confirmation is free of charge and can be requested from us.

6.3 Right to rectification

If the personal data we process about you is inaccurate or incorrect, you have the right to request us to rectify the inaccurate or incorrect personal data, or that we complete the personal data with a supplementary statement that is relevant to the purpose of the processing.

6.4 Right to erasure

You have the right to obtain from us the erasure of your personal data, e.g. when your personal data is no longer necessary for the purposes for which it was collected or when the processing is based on your consent and you withdraw your consent. However, sometimes we might be obliged to process personal data for a certain period of time to comply with legal obligations. We will then continue to process the personal data for this purpose as long as such obligation remains valid. When we process your personal data based on our legitimate interest, we will continue the processing, despite your request for erasure, if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

6.5 Right to object

When our processing is based on our legitimate interest, you have the right to object to the processing. If you object, we will assess whether or not we can continue to process your personal data. To do so, we need to be able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. Further, you always have the right to object to the processing of your personal data for the purpose of direct marketing.

6.6 Right to restriction of processing

You have the right to request that we restrict the processing of your personal data, e.g. if you have made an objection in relation to the processing. This means that you can temporarily prevent us from processing your personal data. However, during the restriction period we are entitled to process your personal data to be able to examine your request and for the establishment, exercise or defence of legal claims, as well as for storage. If we, during the restriction period, identify a need to process your personal data for any other purpose, we will ask for your consent to process the personal data.

6.7 Right to withdraw consent

When the processing is based on your consent, you have the right to withdraw the consent at any given time. If you withdraw your consent, we will cease to process the personal data for the given purpose. This applies as long as we do not have another legal basis to continue the processing.

6.8 Right to data portability

You have the right to demand that we transmit your personal data to another controller. The right applies if:

(a) the transmission is technically feasible, and

(b) the processing is based on your consent or on a contract with you.

6.9 Right to lodge a complaint with the Swedish Data Protection Authority

If you are of the opinion that our processing of your personal data is incorrect, you have the right to lodge a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten).

Contact information for Integritetsskyddsmyndigheten:

Phone number: +46 8 657 61 00

Email address: [email protected]

7. COOKIES

We use cookies and similar technologies on our website. The purpose is mainly to give you a better user experience. When we are obliged to, we will ask for your consent before we collect your personal data using cookies. For more information about cookies, see cookie settings in cookie banner.

8. CONTACT INFORMATION

For questions about the Policy or other requests regarding our processing of personal data, please contact our personal data representative Linus Byström.

Contact information:

Phone number: +46 738 103660

Email address: [email protected]

9. CHANGES TO THE POLICY

We reserve the right to change and update this Policy. In the event of material changes to the Policy, we will inform you about the changes and updates in an appropriate manner.