QMD Services is an independent Conformiy Assessment body for medical devices. Responsible for data processing, and contact person:
QMD Services GmbHZelinkagasse 10/31010 Vienna, Austria, EuropeTel: +43 1 533 0077E-Mail: datenschutz(at)qmdservices.com
What sources and data do we use?
When providing our services in the fields of system certification, and product conformity assessment, as well as customer information, we process personal data that the customer (the party ordering the QMD services service, including its contact person, or a person participating in a service) makes available to us as well as data that we acquire ourselves when providing the our services (e.g. in the course of an audit or product review). As a rule, QMD Services cannot provide the desired services without this data.Relevant personal data includes particulars (e.g. name, address and other contact data, day and place of birth), legitimization data, contract data (e.g. audit documentation, documentation of events, data about Certificates, accounting data, bank data).
What do we process your data for (purpose of data processing)? And on what legal basis?
The personal data that we acquire on the occasion of the QMD service will be processed for purposes of performing contracts according to the most important contractual documents and our Terms and Conditions as well as for the required documentation in conformity to the normative requirements (above all assessment and certification within the scope of CE marking, ISO/IEC 17021, and possible additional requirements from models to be audited by order of the customer), for bookkeeping and accounting, for establishing and defending legal claims as well as for Customer Relationship Management, including drawing up of offers for further QMD services (e.g. re-certifications and add-on certifications or customer information). The legal basis for these types of processing is formed by Art. 6 (1) lit. b of the General Data Protection Regulation (GDPR) (performance of a contract and steps prior to entering into a contract) (as far as the person concerned is a contracting party himself or herself) and Art. 6 (1) lit. f of the GDPR (legitimate interests in the provision of the agreed QMD services serving to increase business excellence, which are pursued by QMD Services and the customer) and Art. 9 (2) lit. f of the GDPR (establishment, exercise or defence of legal claims). Partly processing also is prescribed by law (e.g. fiscal rules, bookkeeping and accounting; legal requirements placed by the Accreditation Act, RE(EU) 2017/745, RE(EU) 2017/746 and Austrian Medizinproduktegesetz).
For maintaining our legitimate interests in direct advertising for our range of services, we use the customer’s personal data (name, title, address, contact data, details of the order, past orders) for our own advertising and marketing purposes in order to send the customer information and advertisements about services and products, news and other customer information that might be interesting for the customer as long as the customer has not objected to processing for purposes of direct advertising.
If you have given us a consent to our processing personal data for definite purposes (e.g. participation in events, passing on of information), the lawfulness of this processing will be given on the basis of your consent. Consent that has been given can be revoked, at any time. This also applies to the revocation of declarations of consent that were made before the GDPR entered into force.
Who will receive my data?
Within QMD Services, only Departments that need your data for fulfilling the contractual and legal obligations or for processing due to legitimate interest will be granted access to your data.
It is for purposes of providing the QMD Services services desired by the customer that QMD Services will pass data on to the external QMD Services auditors, reviewers and experts, acting as QMD Services contract processors. Moreover, QMD Services avails of services provided by external IT providers.
Based on normative requirements, QMD Services shall further be obliged to make information on the QMD Services services available to the Competent Authorities for notified bodies, Notified Bodies, Accreditation and Certification Bodies and/or grant these bodies access upon their request. In this process, it also is personal data that can be passed on to the respective Competent Authorities for notified bodies, Notified Bodies, Accreditation and Certification Bodies. Furthermore, QMD Services may transmit personal data to additional recipients (e.g. public authorities) in order to fulfil legal reporting duties.
Is data transmitted into a third country or to an international organization?
Data will be transmitted into countries outside the European Union to the extent as this is necessary for QMD Services carrying out the orders (e.g. if the auditee is based in a third country), prescribed by law or you have given an explicit consent.
How long will my data be saved?
The data will be saved for the period in which this is necessary for enabling QMD Services to fulfil its contractual and legal obligations. Master data about the customer (including organs that have general powers of representation and contact persons at the customer’s) as well as the order history will be archived until the end of the business relationship and, beyond this, until the expiration of the warranty periods, limitation periods and legal retention periods. In addition, within the scope of the activities as a notified body, there are official requirements for the archiving of procedural documents which are 10 years (or 15 years for implants) after the end of the validity of the last certificate.
Application documents, audit reports as well as other documents relating to ISO 17021 based system certification will basically be retained for 12 years as far as normative or legal requirements do not require a longer retention period. Civil-law limitation periods can, in the single case, amount to up to 30 years.
What data protection rights do I have?
Acc. to the General Data Protection Regulation (GDPR), each person concerned shall have the right to be informed of the personal data that we process about him or her as well as the rights to rectification, to erasure, to restriction of processing and to data portability. Furthermore, persons concerned can, for reasons resulting from their special situation, object to our processing of personal data that refer to them for the future on the basis of a legitimate interest, at any time. Moreover, they can, at any time, object to future use of their personal data for purposes of direct advertising free of charge and without giving reasons. If you object to processing for purposes of direct advertising, we will thus no longer use your personal data for these purposes.Besides, there is a right to lodge a complaint with the competent data protection authority. A consent that has been given can be revoked, at any time.
For exercising their rights as persons concerned and in case of questions about data protection guaranteed by QMD Services, persons concerned can contact datenschutz(at)qmdservices.com.
To what extent are decisions taken in an automated manner?
Does profiling take place?
To establish and conduct business relations we do not use any fully automated decision making (profiling) in accordance with Article 22 GDPR.
Good To Know
QMD Services GmbH
1010 Vienna, Austria
Tel.: +43 1 533 0077
Am Winterhafen 1
4020 Linz, Austria
+43 1 5330077