| Purpose of Processing | Processed Personal Data | Legal Basis for Processing | Retention Period |
|---|---|---|---|
| Fulfilment of contract (e-commerce purchases) | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address) | GDPR Art 6 (1)(b) | During contract validity and for 3 years after its termination |
| Handling inquiries, requests and complaints | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address); Contextual data (the nature and particulars of your situation and the issue raised, depending on your individual inquiry, request or complaint) | GDPR Art 6 (1)(f). Legitimate interest to adequately evaluate, process, take action and provide an answer to your inquiry, request or complaint | Until the complaint is resolved or the issue prompting the inquiry is resolved |
| Handling product complaints | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address); Contextual data (the nature and particulars of your situation and the issue raised, depending on the individual product complaint) | GDPR Art 6 (1)(c), MDR Art 14(5) | Up to 10 years after the product was last placed on the market, 15 years for implantable devices |
| Web analytics, monitoring, tracking and advertising technologies | Device information, IP address, browser type, and user behaviour on our website through the use of cookies | GDPR Art 6 (1)(a), GDPR Art 6 (1)(f) – We want to improve our marketing effectiveness, optimize advertising spending, and understand website usage trends. The legal basis for this processing is your consent, which we request through our cookie banner, and/or our legitimate interests in promoting our business and improving our services | Until consent is withdrawn or as long as necessary for the improvement purpose |
| Communication with cooperation partners | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address) | GDPR Art 6 (1)(f) | As long as necessary for the communication purpose or until objection is raised |
| Marketing | Contact data (e.g., email, phone number, address) | GDPR Art 6 (1)(a) | Until consent is withdrawn |
| Depersonalization (anonymization) of personal data for the purpose of optimizing the performance of medical equipment distributed by Surgitech and improving and developing future products and services | Identity data (e.g., name, surname, date of birth, personal ID number); Contact data (e.g., email, phone number, address); Contextual information regarding the usage of the device, including the content of a complaint or inquiry (if applicable) | GDPR Art 6 (1)(f). Legitimate interest to ensure the safety, reliability, and effectiveness of medical technologies, support innovation, and meet the evolving needs of healthcare providers and patients. | Until the data is anonymized; anonymized data may be stored as long as necessary for development purposes, as it is no longer considered personal data |

- How do we protect your personal data
We take the protection of your personal data very seriously. We implement advanced technical and organizational measures to ensure that your personal data is kept secure, confidential, and protected against unauthorized access, loss, alteration, or disclosure. These measures include secure servers, access controls, password protection, encryption technologies, staff training, and internal policies governing data handling. Access to your data is strictly limited to those who need it to perform their duties and who are subject to confidentiality obligations.
- Who Has Access to Your Personal Data
Access to your personal data is limited to:
- Authorized personnel within our company who require the information to fulfil orders, provide support, or manage regulatory obligations.
- Suppliers and manufacturers of medical devices with whom we have entered into data processing agreements.
- Third-party service providers, such as IT support, logistics partners, or cloud storage providers, who process data on our behalf under strict contractual agreements that ensure compliance with applicable data protection laws.
- Regulatory authorities (e.g., health authorities or notified bodies) when required to comply with legal or regulatory obligations related to medical device distribution and safety monitoring.
We ensure that all third parties with access to your data are bound by data protection agreements.
- Transfers of Personal Data to Third Countries
As part of our operations, we may transfer your personal data to countries outside the European Economic Area (EEA), including to countries that may not offer the same level of data protection as your home jurisdiction.
Such transfers may occur, for example, when:
- We work with international suppliers, service providers, or affiliates based outside the EEA;
- Cloud-based systems or data hosting services we use are located outside your jurisdiction;
- We are required to share data with manufacturers or regulatory bodies located in third countries as part of post-market surveillance, product support, or complaint handling.
When we transfer personal data to a third country, we ensure that appropriate safeguards are in place to protect your rights in accordance with applicable data protection laws. These safeguards may include:
- Transfers to countries deemed to provide an adequate level of protection by the European Commission;
- Standard Contractual Clauses approved by the European Commission.
You may request further information about the safeguards in place for international transfers by contacting us using the details provided in section 8.
- What are your rights with regard to your personal data and how can you exercise them
You have the following rights:
- Right of access – You can request details of the personal data we hold about you.
- Right to rectification – You can request corrections to inaccurate or incomplete data.
- Right to erasure – You can request deletion of your data, subject to any legal or regulatory retention obligations.
- Right to restrict processing – You can ask us to limit the use of your data in certain circumstances.
- Right to data portability – Where applicable, you can request a copy of your data in a commonly used format to transfer to another controller.
- Right to object – You can object to the processing of your data where it is based on our legitimate interests.
- Right to withdraw consent – Where processing is based on your consent, you may withdraw it at any time.
- You may also opt out of personalized advertising by adjusting your preferences in your Google and Meta accounts.
To exercise your rights, please contact us using the information provided below. We may need to verify your identity before responding to your request. We aim to respond within one month of receiving your request.
- Contact information for questions or complaints
If you have any questions, concerns, or complaints regarding the processing of your personal data, or if you would like to exercise any of your data protection rights or file a complaint, please contact:
aktsiaselts Surgitech
Email: surgitech@surgitech.ee
Phone: +372 646 0660
Address: Pärnu mnt 148, III floor, Tallinn 11317, Estonia
If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority:
Andmekaitse Inspektsioon
Address: Tatari 39, Tallinn 10134, Estonia
Phone: +372 627 4135
Email: info@aki.ee