Medical Technology and Devices SA, with registered offices at Via Nassa 5, CH-6900 Lugano, Switzerland (hereinafter the “Company” or the “Data Controller”), data controller of the processing of personal data of the users of this website (“Data Subjects”), provides below the privacy policy pursuant to art. 13 of Regulation (EU) 2016/679 (hereafter “GDPR”). The Company, as data controller, undertakes to protect the confidentiality and the rights of the Data Subjects and, according to the principles established by the aforementioned regulation as well as by the Federal Act on Data Protection dated June 19, 1992 (the “FADP”), the processing activity of the data provided by the Data Subjects will be based on all the principles under FADP and GDPR and, in particular, on principles of correctness, lawfulness and transparency.

This privacy notice is provided only for the Company’s website and not for other websites that may be consulted by the Data Subject through links displayed on the same website.

Word and expressions used, unless otherwise provided, shall have the meaning attributed by the GDPR.


The Data Controller processes only those personal data that are necessary for the purposes of the processing as outlined hereinafter. Data Subjects are recommended to not provide unnecessary data and/or third parties’ personal data.

Unnecessary data (including special categories of personal data) and third parties’ personal data, when provided by the Data Subjects, will be immediately deleted by the Data Controller.


The Data Controller will process only those personal data that are voluntarily provided by Data Subjects if and when sending a request for information via the “Contact Us” website section. The website will not collect automatically any Data Subjects’ personal data during their navigation and use of this website.
This website does not install cookies.

The above personal data will be processed by the Company only to reply to specific requests for information forwarded by the Data Subjects via the “Contact Us” website section.

The applicable legal basis for the above processing is the necessity to perform a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.

Processing of personal data for the above purpose is necessary to reply to Data Subjects’ request: therefore, in case of failure of the Data Subjects to provide relevant personal data, the Data Controller will not be able to reply to their requests.

The Data Controller may also process the personal data of the Data Subjects to comply with the provisions of laws and regulations, national and foreign (including without limitation GDPR and FADP), to which the Data Controller is subject.

Processing of personal data for the above purpose is not necessary for the Data Subject to navigate the website and forward requests for information to the Data Controller; however, the data provided by the Data Subject will be processed also for such purpose, on the legal basis of complying with a legal obligation to which the controller is subject.


Data processing is carried out electronically and / or on paper, by recording, processing, archiving and transmission of data, even with the support of IT tools. Tools and media used in carrying out the processing activities are appropriate to ensure the security and confidentiality of data. In carrying out the processing activities, the Company undertakes in particular to:

  • ensure the accuracy and updating of the data processed, and promptly acknowledge any adjustments and / or additions requested by the Data Subject;
  • adopt security measures to ensure adequate data protection, because of the potential impact that the processing involves the rights and freedoms of the data subject;
  • notify the data subject, in the times and in the cases provided for by the applicable legislation, of any violation of personal data (data breach);
  • guarantee the compliance of processing operations with the applicable laws.


For the purposes of processing listed above, the personal data of the Data Subjects may be accessible by and/or communicated by the Data Controller to:

  • employees and agents of the Data Controller who have been authorized for data processing;
  • third party service providers put in charge by the Data Controller of specific processing activities through a data processing agreement under section 28 of the GDPR. Unless communicated otherwise, such third party service providers will process the personal data of the Data Subjects only as data processors, and not as independent data controllers;
  • public authorities in general, administrations, public bodies and organizations;
  • national and foreign companies belonging to the same group to which the Data Controller belongs, which will act – on a case-by case basis – as independent data controllers or as data processors. The communication will take place only (i) in case of requests for information regarding another Group company and, therefore, on the basis of the necessity to reply to the specific request, and/or (ii) for internal administrative purposes and, therefore, on the legal basis of the pursuance of the legitimate interests of the Data Controller consisting in the centralization and rationalization of administrative activities. The Data Controller overtook a balancing test, proving that such interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data. More information on this balancing test will be provided upon request, to be forwarded at the addresses stated hereinafter in this privacy notice.

The Data Subjects are always entitled to object to the processing based on the legitimate interest of the data controller, as well as to exercise further rights granted by the applicable law and summarized further, sending a specific request to the Data Controller at the addresses stated at the end of this privacy notice.


Personal data will be stored and processed in Switzerland. As long as this implies a transfer of personal data according to the GDPR, the Data Controller will process personal data according to the Commission Adequacy Decision 2000/518/CE and pursuant to the derogation consisting in the necessity to perform a contract between the data subject and the controller or to implement pre-contractual measures taken at the data subject’s request.

In case the communication of personal data pursuant to section 4 above entails the transfer of personal data, such transfer will take place only (i) towards a country which offers an adequate level of protection, as ascertained by the European Commission through the issuance of an adequacy decision, or (ii) provided that the standard contractual clauses have been duly signed, or (iii) provided that further appropriate safeguards or derogations pursuant to applicable laws are met.


The Company keeps personal data in its systems in a form that allows identification of data subjects according to the following criteria:

  • for a period of time not exceeding the achievement of the purposes for which they are processed, unless otherwise required by regulatory or contractual obligations;
  • to comply with specific legislative, regulatory or contractual obligations.


At any time, the Data Subjects can assert their rights, recognized by the binding legislation and in particular by the articles from 15 to 22 of the GDPR, such as (when applicable):

  • Right of access: the right to obtain from the Data Controller confirmation that personal data is being processed and, in this case, to obtain access to personal data and to further information on the origin, purpose, categories of data processed, recipients of communication and / or data transfer, etc.
  • Right of rectification: right to obtain from the Data Controller the correction of incorrect personal data without undue delay, as well as the integration of incomplete personal data, also by providing an additional declaration.
  • Right to erasure: right to obtain from the Data Controller the cancellation of personal data without unjustified delay in the event that:
    – personal data are no longer necessary with respect to the purposes of the processing;
    – the consent on which the processing activity might be based has been revoked, or the Data Subject objected to the processing, and there is no other legal basis for the processing activity;
    – personal data have been processed unlawfully;
    – personal data must be deleted to fulfill a legal obligation.
  • Right to object to the processing activity: the right to object at any time to the processing of personal data that have as their legal basis a legitimate interest of the Data Controller.
  • Right to restriction of processing: the right to obtain from the Data Controller the limitation of processing, in cases where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data), if the processing is unlawful and the data subject has not requested deletion of data but restriction of processing, if the personal data are necessary to the data subject for the assessment, exercise or defense of a right in court, if as a result of objection to the processing activity the data subject is awaiting verification of the prevalence of the legitimate interest of the Data Controller.
  • Data portability right: the right to receive personal data in a structured, commonly and automatically readable format, and to transmit such data to another data controller, only for cases where the processing is based on consent or on a contract and only for data processed by electronic means.
  • Right not to be subject to a decision based on automated processing: the right to obtain from the Data Processor not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects that affect the data subject or that significantly affect his person, except that such decisions are necessary for the conclusion or execution of a contract or are based on the consent given by the data subject.
  • Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial appeal, the data subject who considers that the processing activity concerning him / her is in violation of the GDPR has the right to lodge a complaint with the competent supervisory authority.

In order to exercise the rights provided by the GDPR, the Data Subjects may:

– forward the requests to the Data Controller, at the email address or, as an alternative,

– contact the Data Controller at the following address:
Medical Technology and Devices SA – Via Nassa 5 – CH-6900 Lugano (Switzerland)
indicating in the subject “Privacy”.