Privacy Policy

1. Introduction

Swiss MPC GmbH ("Swiss MPC", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at swissmpc.com (the "Website") or engage with our regulatory consulting services.

This policy applies to all personal data processed by Swiss MPC in connection with our Website and services, and is designed to comply with the European Union General Data Protection Regulation (EU GDPR, Regulation 2016/679), the Swiss Federal Act on Data Protection (nDSG/FADP, in force since 1 September 2023), and other applicable data protection laws.

2. Data Controller

The data controller responsible for processing your personal data is:

Swiss MPC GmbH
Mugerenstrasse 72
6330 Cham, Switzerland
Email: info@swissmpc.com

For all data protection inquiries, you may contact us at the above address or by emailing info@swissmpc.com with the subject line "Data Protection Inquiry".

3. Data We Collect

We collect and process the following categories of personal data, depending on how you interact with our Website and services:

3.1 Data You Provide Directly

• Contact form submissions: Name, email address, company name, phone number (optional), and project description or message content.
• Email correspondence: Any personal data you include when contacting us via email at info@swissmpc.com.
• Consultation requests: Information about your medical device regulatory needs, project scope, and company details provided during initial consultations.
• Newsletter subscriptions: Email address and name (if applicable), should you subscribe to any newsletter or communications we offer.

3.2 Data Collected Automatically

• Technical data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and time spent on pages.
• Cookies and similar technologies: We use cookies and similar tracking technologies to enhance your browsing experience. See Section 10 for our Cookie Policy.
• Analytics data: Aggregated and anonymised data about website usage patterns, collected through web analytics services to help us understand how visitors interact with our Website.

3.3 Data from Third Parties

We may receive information about you from publicly available sources, professional networks such as LinkedIn, or from referrals by existing clients. This data is limited to business contact information such as name, job title, company name, and professional email address.

4. Legal Basis for Processing

Under the GDPR and Swiss FADP, we process your personal data based on one or more of the following legal grounds:

• Consent (Art. 6(1)(a) GDPR / Art. 31(1) nDSG): Where you have given explicit consent, such as subscribing to newsletters, accepting non-essential cookies, or opting in to marketing communications. You may withdraw consent at any time.
• Contract performance (Art. 6(1)(b) GDPR): Where processing is necessary to respond to your enquiry, provide a quotation, or deliver our consulting services under a contractual agreement.
• Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1) nDSG): Where we have a legitimate business interest that is not overridden by your rights, including: improving our Website and services, ensuring security of our systems, marketing our services to relevant industry professionals, and managing client relationships.
• Legal obligation (Art. 6(1)(c) GDPR): Where processing is required to comply with applicable law, such as tax and accounting regulations or responding to lawful requests from public authorities.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

• Responding to enquiries: Processing contact form submissions and replying to your questions about our regulatory consulting services.
• Service delivery: Providing medical device regulatory consulting services, including EU MDR/IVDR compliance, FDA submissions, UDI implementation, and other services described on our Website.
• Communication: Sending you relevant information about our services, regulatory updates, or industry insights where you have consented or where we have a legitimate interest to do so.
• Website improvement: Analysing usage data to improve the functionality, content, and user experience of our Website.
• Security: Protecting our Website and systems against unauthorised access, fraud, and other security threats.
• Legal compliance: Fulfilling legal and regulatory obligations, including recordkeeping, tax reporting, and responding to legitimate legal requests.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients, only to the extent necessary:

• Service providers: Trusted third-party providers who assist us in operating our Website and delivering our services, including web hosting providers, email service providers (for form submissions and newsletters), and analytics providers. These providers are contractually bound to process your data only on our behalf and in accordance with applicable data protection laws.
• Professional advisors: Legal, accounting, and tax advisors, as necessary for business operations and legal compliance.
• Legal requirements: Public authorities, courts, or regulatory bodies where disclosure is required by law or to protect our legitimate interests.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction, subject to applicable data protection obligations.

7. International Data Transfers

Swiss MPC is based in Switzerland, which the European Commission has recognised as providing an adequate level of data protection. Where we transfer personal data outside of Switzerland or the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with applicable law, including:

• Transfers to countries recognised by the European Commission or the Swiss Federal Council as providing an adequate level of data protection.
• Standard Contractual Clauses (SCCs) approved by the European Commission (as supplemented where necessary).
• Other lawful transfer mechanisms, including binding corporate rules or explicit consent where applicable.

You may request further details on the specific safeguards applied to international data transfers by contacting us at info@swissmpc.com.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. If deletion is not possible (for example, because data is stored in backup archives), we will isolate the data and apply protective measures until deletion becomes possible.

9. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR with respect to your personal data:

• Right of access (Art. 15): You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data along with information about the processing.
• Right to rectification (Art. 16): You may request correction of inaccurate personal data or completion of incomplete data.
• Right to erasure (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful.
• Right to restriction of processing (Art. 18): You may request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or object to processing.
• Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
• Right to object (Art. 21): You may object to the processing of your personal data where processing is based on legitimate interests, including for direct marketing purposes.
• Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. Swiss MPC does not engage in automated decision-making.

To exercise any of these rights, please contact us at info@swissmpc.com. We will respond to your request within 30 days, in accordance with applicable law.

10. Your Rights Under the Swiss Federal Act on Data Protection (nDSG/FADP)

If you are located in Switzerland, you have the following rights under the revised Swiss Federal Act on Data Protection (nDSG), which has been in force since 1 September 2023:

• Right to information (Art. 25 nDSG): You may request information about whether and what personal data we process about you, the purpose of processing, the retention period, the source of the data (if not collected from you directly), and any recipients of your data.
• Right to data portability (Art. 28 nDSG): You may request the delivery or transfer of your personal data in a commonly used electronic format.
• Right to rectification: You may request that inaccurate personal data be corrected.
• Right to erasure or destruction: You may request the deletion or destruction of your personal data, subject to any legal retention obligations.
• Right to object: You may object to the processing of your personal data at any time where processing is based on our legitimate interests.

Swiss MPC does not engage in profiling that carries a high risk under the nDSG and does not process personal data for automated individual decision-making.

11. Cookie Policy

Our Website uses cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide and improve our services.

11.1 Types of Cookies We Use

• Strictly necessary cookies: Essential for the operation of our Website. These cookies enable basic functions such as page navigation, security features, and remembering your cookie consent preferences. These cookies do not require your consent.
• Analytics cookies: Help us understand how visitors interact with our Website by collecting information about pages visited, time spent on the site, and any errors encountered. This data is collected in anonymised or aggregated form. These cookies are placed only with your consent.
• Functional cookies: Enable enhanced functionality and personalisation, such as remembering your language preference. These cookies are placed only with your consent.

11.2 Managing Cookies

When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You may change your cookie preferences at any time by clearing your browser cookies and revisiting our Website, or by adjusting your browser settings.

Most web browsers allow you to control cookies through their settings. Please note that disabling certain cookies may affect the functionality of our Website.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols.
• Access controls and authentication requirements for internal systems.
• Regular security assessments and updates to our systems and processes.
• Contractual data protection obligations for all service providers processing data on our behalf.
• Staff awareness and training on data protection principles.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining best-practice safeguards.

13. Third-Party Links

Our Website may contain links to third-party websites, including regulatory authorities, industry organisations, and professional networks. We are not responsible for the privacy practices or content of these external websites. We encourage you to review the privacy policies of any third-party website you visit.

14. Children's Privacy

Our Website and services are intended for business professionals in the medical device industry. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a child, we will take immediate steps to delete such data.

15. Complaints and Supervisory Authorities

If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with a supervisory authority:

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — Feldeggweg 1, 3003 Bern, Switzerland — www.edoeb.admin.ch
• European Union: The supervisory authority of the EU/EEA member state in which you reside or in which the alleged infringement occurred. A list of EU data protection authorities is available on the European Data Protection Board website.

We encourage you to contact us first at info@swissmpc.com so that we may attempt to resolve your concerns directly.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically.

If we make changes that materially affect your rights or our obligations, we will provide prominent notice on our Website or contact you directly where appropriate and required by law.

17. Contact Us

If you have any questions about this Privacy Policy, our data processing practices, or wish to exercise your data protection rights, please contact us:

Swiss MPC GmbH
Mugerenstrasse 72
6330 Cham, Switzerland
Email: info@swissmpc.com