Quality Medical Devices - WIS 3.0 [Domain: QMD] 64bit OS: True 64bit Process: True

Data Protection Regulations
Data Protection Regulations

The aim of QMD Services GmbH (briefly referred to as “QMD Services”) is to establish a leading independent Conformity Assessment Body for medical devices to advance patient safety and care, as well as optimized patient outcomes, by complying to the MDR/IVDR and by adhering to key principles and standards of medical device vigilance, post market surveillance and device risk management. QMD Services was is established in 2019.

Who is responsible for data processing, and whom can I contact?
QMD Services GmbH
Zelinkagasse 10/3
1010 Vienna, Austria, Europe
Tel.: +43 1 533 0077
E-Mail: dataprotection(at)qmdservices.com

What sources and data do we use?
When providing our services in the field of conformity assessment, we process personal data that the customer (the party ordering the service, including its contact person) makes available to us just as much as data that we acquire ourselves when providing our services (e.g. in the course of an audit). As a rule, QMD Services cannot provide the desired services without this data.
Relevant personal data may include particulars such as name, address and other contact data, day and place of birth), legitimization data, contract data (e.g. audit documentation, documentation of events, data about Certificates, accounting data, bank data).

For what purpose we process your data, and on what legal basis?
The personal data that we acquire on the occasion of the QMD Services service will be processed for purposes of performing contracts according to the stipulatedcontract, our Terms and Conditions of Services, as well as relevant legal requirements such as REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC, REGULATION (EU) 2017/746 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU and normative requirements (above all ISO/IEC 17021) as applicable. In addition personal data will be processed for purposes of bookkeeping and accounting, for establishing and defending legal claims as well as for Customer Relationship Management, including drawing up of offers for further services (e.g. re-certifications and add-on certifications). The legal basis for these types of processing is formed by Art. 6 (1) lit. b of the General Data Protection Regulation (GDPR) (performance of a contract and steps prior to entering into a contract) (as far as the person concerned is a contracting party himself or herself) and Art. 6 (1) lit. f of the GDPR (legitimate interests in the provision of the agreed services of conformity assessment, which are pursued by QMD Services and the customer) and Art. 9 (2) lit. f of the GDPR (establishment, exercise or defence of legal claims). Partly processing also is prescribed by law (e.g. fiscal rules, bookkeeping and accounting; legal requirements placed by the Austrian Accreditation Act).
For maintaining our legitimate interests in direct advertising for our range of services, we use the customer’s personal data (name, title, address, contact data, details of the order, past orders) for our own advertising and marketing purposes in order to send the customer information about our services and products, news and other customer information that might be interesting for the customer as long as the customer has not objected to processing for purposes of direct advertising.
If you have given us a consent to our processing personal data for definite purposes (e.g. participation in events, passing on of information), the lawfulness of this processing will be given on the basis of your consent. Consent that has been given can be revoked, at any time. This also applies to the revocation of declarations of consent that were made before the GDPR entered into force.

Who will receive my data?
Within QMD Services, only Departments that need your data for fulfilling the contractual and legal obligations or for processing due to legitimate interest will be granted access to your data.
It is for purposes of providing service desired by the customer that QMD Services will pass data on to any external auditors, reviewers or clinical specialists acting as QMD Services contract processors. Moreover, QMD Services avails of services provided by external IT providers.
Acc. to the Accreditation Act, relevant Standards (in particular ISO/IEC 17021), QMD Services shall be obliged to provide a publicly accessible list of certifications conducted or to had on data to accessible databases (e.g. EUDAMED). Only required personal data will be passed on or published.
Based on normative and legal requirements, QMD Services is obliged to make information on the services available to Notifying and Accreditation Bodies and/or grant these bodies access upon their request. In this process, it also is personal data that can be passed on to the Accreditation and Notification Bodies. Furthermore, QMD Services can transmit personal data to additional recipients (e.g. public authorities) in order to fulfil legal reporting duties.

Is data transmitted into a third country or to an international organization?
Data will be transmitted into countries outside the European Union to the extent as this is necessary for QMD Services carrying out the orders (e.g. if the customer is based in a third country), prescribed by law or you have given an explicit consent.

How long will my data be saved?
The data will be saved for the period in which this is necessary for enabling QMD Services to fulfil its contractual and legal obligations. Master data about the customer (including organs that have general powers of representation and contact persons at the customer’s) as well as the order history will be archived until the end of the business relationship and, beyond this, until the expiration of the warranty periods, limitation periods and legal retention periods. Application documents, audit and verification reports as well as other documents relating to certification will basically be retained for 12 years as far as normative or legal requirements do not require a longer retention period and for product certification until the end of life of the certified product. Civil-law limitation periods can, in the single case, amount to up to 30 years.

What data protection rights do I have?
Acc. to the General Data Protection Regulation (GDPR), each person concerned shall have the right to be informed of the personal data that we process about him or her as well as the rights to rectification, to erasure, to restriction of processing and to data portability. Furthermore, persons concerned can, for reasons resulting from their special situation, object to our processing of personal data that refer to them for the future on the basis of a legitimate interest, at any time. Moreover, they can, at any time, object to future use of their personal data for purposes of direct advertising free of charge and without giving reasons. If you object to processing for purposes of direct advertising, we will thus no longer use your personal data for these purposes.
Besides, there is a right to file a complaint with the competent data protection authority. A consent that has been given can be revoked, at any time.
For exercising their rights as persons concerned and in case of questions about data protection guaranteed by QMD Services, persons concerned can contact dataprotection(at)qmdservices.com.

back to login