Data Privacy Statement for Service Desk users
Scope and basis of data processing
Mint Medical GmbH operates an electronic service desk with a ticket system that documents, in an audit-proof manner, customer error messages, maintenance requests and the maintenance measures carried out. This system is a key component of our quality management system, as required by DIN EN ISO 13485:2012/AC:2012 for placing a medical device on the market. While technical support is generally provided on behalf of the customer, the storage of personal data as part of quality assurance described above is not the primary objective of the orders, but is carried out by us as an independent specialist service that is required for the technical operation of the system, the maintenance of communication and the documentation of faults reported by the customer. For this reason, the Service Desk is operated by Mint Medical GmbH under its own responsibility under data protection law.
This processing mainly affects communication metadata, i.e. the name and professional contact details of our contact persons and the time stamp of the communication. In addition, we store the content that you send us to diagnose any problems. We therefore ask you to refrain from transmitting confidential data, in particular patient data, in the course of support inquiries.
The basis for the storage and processing of your communication data is Art. 6 para. 1 lit. f in conjunction with Art. 6 para. 1 lit. c of the GDPR. The operation of the Service Desk is not only part of the contractually agreed services, the fulfillment of which is in the company's interest; the audit-proof documentation of software errors and necessary software maintenance measures is part of a quality management system, as required by law to ensure high quality and safety standards in healthcare for the development of Class IIb medical devices. Retention periods for the aforementioned data are up to ten years due to regulatory requirements. If, in the course of maintenance requests, data is transmitted to us that is to be classified as health data, we will make every reasonable effort to remove this data before your request is permanently archived in our system. If this is not possible, such data will be archived on the basis of Art. 9 para. 2 lit. i of the GDPR ("Ensuring high standards of quality and safety of healthcare and of medicinal products and medical devices") for a period of up to ten years.
Note on third-country transfers: Access to our electronic service desk is provided to employees of Mint Medical GmbH and its subsidiary Mint Medical, Inc., based in the U.S.A. An agreement on order processing has been concluded with Mint Medical, Inc., which contains the standard contractual clauses approved by the EU Commission.
This data will not be used for purposes other than those stated. Your data will also not be passed on to third parties and will only be stored password-protected and encrypted on data processing systems in the EU.
Should you wish your data to be deleted or corrected or wish to view the stored data, we must store the communication data arising in this context (such as the e-mail address used and the time of transmission) for the duration of the processing of your request.
Within our company, access to the personal data provided by you will only be granted to those groups of people who need it to fulfill the above-mentioned purposes.
Information about your rights
You have the right to receive information free of charge at any time as to whether and what data we store about you and for what purpose the processing is carried out (Art. 15 GDPR). You have the right to have the stored data corrected (Art. 16 GDPR). You also have the right to receive the data stored about you in a structured, commonly used and machine-readable format (Art. 20 GDPR). If the processing of your data is based on consent, you have the right to withdraw this consent at any time with effect for the future. In the case of processing based on legitimate interest, you have the right to object to the processing (Art. 21 GDPR). In accordance with Art. 17 GDPR, you have the right to request that we erase your personal data. We are obliged to comply with this request immediately if one of the following reasons applies:
- The purposes for which the data was processed have ceased to apply.
- The legal basis for the processing - e.g. an existing contractual relationship, a contractual relationship in the process of being established, or consent on your part - has ceased to exist, and there is no other legal basis pursuant to Art. 6 (1) GDPR.
- The personal data has been processed unlawfully.
- The deletion of the personal data is necessary to comply with a legal obligation under Union, federal or state law.
You also have the right to request the restriction of processing (Art. 18 GDPR) if you dispute the accuracy of the personal data, if the processing is unlawful but you do not wish it to be erased, or if the purpose of processing no longer applies but you need the data to assert legal claims.
The contact person for these processes is the controller named below.
If you believe that your data is not being processed in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority (Art. 77 GDPR). Please contact the competent supervisory authority.