General Personal Data Protection Policy

General Privacy Policy

Volta Medical - General Privacy Policy
Edition 2.0 – Updated as of April, 10th 2024

On this page you will find general information on all the processing of personal data that we carry out, our commitments in terms of privacy and processing, as well as all your rights as data subject and how to exercise them. Please take note of all these elements, as they apply to all the processing operations we carry out, regardless of our relationship with you. This document is entitled "Volta Medical - General Privacy Policy".

Following this general information, you will find Volta Medical's various personal data protection policies (hereinafter referred to jointly as the " Specific Policies "). Each of these Specific Policies is intended to inform you, depending on your situation, of the essential characteristics and the terms and conditions relating to how we carry out personal data processing in our capacity as data controller. Please refer to the Privacy Policy applicable to your situation to find out how we process your data.

All requests, questions, or comments relating to our Policies can be submitted to our Data Protection Officer, whose contact details are given in the " Contact " tab below.

Volta Medical processes the personal data entrusted to it in compliance with the Laws and Regulations in force, specifically the General Data Protection Regulation that entered into force on May 25, 2018 (GDPR), and the French Data Protection Act ("Loi Informatique et Libertés") of January 6, 1978, as well as the research guidelines and methodologies issued and published by the CNIL [National Commission on Data Privacy].

More specifically, our commitments regarding the processing of your data are as follows:

Transparency: Volta Medical undertakes to process personal data in a transparent, fair, and lawful way. To this end, we will provide you with relevant information when we collect your data or when they come from a third party or technology. When we collect data, we will notify you if this collection is mandatory, which mandatory data you should provide, if this collection is to satisfy a statutory or contractual requirement, and if it is a condition for the provision of a service or a contract, as well as the consequences of failing to provide this data. If we do not collect your personal data directly from you, you will still receive, either at the time of our first contact (through our intermediary or one of our processors) or at the time when the data are collected by the intermediary, information that is identical to that which we must provide in the case of direct collection. You will, in particular, be informed about the source of the data. Where necessary, we will notify you about any automatic decision-making (and the rationale for it), including profiling. This means that we will strive to inform you of the expected scope and consequences of any processing involving you.

Proportionality: We also undertake to only process your personal data for specific, explicit, and legitimate purposes or in order to comply with our legal/statutory obligations. Your personal data are not subsequently processed in any way that is incompatible with these purposes. If there is compatibility with the purpose for which the data are collected, and we intend to carry out further processing of said data, we will provide you with any information you may need to understand this new purpose and any relevant information. When the processing falls within our legitimate interests, this means that we have determined that it does not harm your interests nor your fundamental rights and freedoms. You may request information on how we weigh these factors at any time by contacting Volta Medical’s Data Protection Officer, whose contract details are specified in the “Contact” section of this General Policy.

Necessity: We take measures to limit the data we process to the "bare minimum". This means that we only collect data that is strictly necessary to achieve the objectives we have set for ourselves. In this context, the data is adequate, relevant, and limited to what is necessary for the purposes of each processing operation we carry out. Furthermore, we only retain data for as long as is necessary to achieve the purpose for which it was collected, unless a specific period of data retention is required by law, or a longer period is necessary to preserve our rights. However, your data may be retained for research or statistical purposes, provided that we implement appropriate technical and organizational measures to guarantee your interests or fundamental rights and freedoms (specifically the anonymization and aggregation of data).

In addition, we strictly regulate how potential recipients of your data can access it:
- Within our group, we limit collaborators access to the data strictly necessary for the performance of their duties, and regularly audit these access authorizations.
- Externally, we choose our data processors, partners, and service providers diligently (such as our data hosting providers), and frame our relationships with appropriate contractual safeguards so as to (i) ensure that they implement appropriate technical and organizational measures to ensure a high level of protection for your data and (ii) carry out processing in compliance with regulations on the protection of personal data.
‍
In exceptional circumstances, and in accordance with the law, we may have to extract and disclose your data when required to do so by a competent judicial or administrative authority, subject to respect for your fundamental rights and freedoms and the provisions of the French Code of Criminal Procedure. In such cases, disclosure of data is strictly regulated by law.

‍

Accuracy: We will ensure that your personal data are accurate and kept up to date. We will implement reasonable measures to ensure that inaccurate data, with respect to the purpose for which they are collected, are erased or rectified as soon as possible.

To this end, if your data has become incomplete or inaccurate, we encourage you to exercise your right to rectification under the conditions set out under the tab "What are your rights regarding the processing of your data and how can you exercise them" of Volta Medical's General Data Protection Policy.

Security: Your data are processed in a way that ensures appropriate security, particularly with respect to unauthorized or illegal processing and against accidental loss, destruction or damages by means of appropriate technical and organizational measures.

In particular, we employ encryption and/or pseudonymization techniques whenever possible or appropriate, and we carry out impact analyses prior to implementing any processing that is likely to result in a significant risk to your rights and freedoms.

Generally, we undertake to comply with all legal principles incumbent on us concerning personal data protection, including in particular:
- respect for rights conferred on individuals,
- compliance with storage periods (while taking into account, in accordance with applicable law, the purpose of the processing, contractual or operational requirements, and our legal/statutory obligations)
- obligations concerning international transfers, for which we will take the necessary measures to ensure compliance with European regulations in the case of recipients who are not located in a European Union member State.
- educating employees about data protection and the necessity of confidentiality,
- implementing organizational and technical measures to ensure effective compliance with these principles.

Your rights under the General Data Protection Regulation and the French Data Protection Act ("Loi Informatique et Libertés") of January 6, 1978 are as follows:

- Right of information: You have the right to be informed when we directly or indirectly collect data from you;

- Right of access: you have the right to be informed of whether or not we hold data about you, and if so, the personal data we hold about you, as well as the identity and contact information of the controller, the contact information of the Data Protection Officer, the purposes of the processing and its legal basis, our legitimate interests where applicable, the data categories collected, the recipients of the data, information about transfers to countries outside of the European Union, information about adequate safeguards, the storage period or if this is not possible, the criteria used to determine this period;

- Right of rectification: You have the right to have your personal data rectified in the event they are inaccurate and to have them completed (including by means of a supplementary statement) according to the type of processing in question;

- Right of erasure: You have the right to erasure of your data when specific conditions have been met: o they are no longer necessary in relation to the purposes for which they were collected, or o When you withdraw your consent on which the processing was based;

- Right to data portability: You have the right to have your data transferred to a third party in a structured, commonly used, and machine-readable format. This right is only available when the processing that we carry out is based on a contract made between us or when we process your data because you have consented to it;

- Right to restriction of processing: You have the right to request the restriction of the processing in some circumstances, namely: o when you contest the accuracy of the data (this restriction will be in effect for a limited period of time),
• in the event of unlawful processing by us for which you prefer that your data be restricted rather than erased,
• in the event that we no longer need your data but these are needed by you for the establishment, exercise, or defense of legal claims,
• if you have contested processing, we will restrict processing during the period needed to verify that the lawful grounds invoked by Volta Medical for the processing prevail over yours. We will also notify you before removing the restriction of the processing;

- Right to object: You have the right to object to your data being processed for the purposes of direct marketing and you have the right to object to your data being processed, to a certain extent, with respect to your specific circumstances, when the basis for this processing is our legitimate interest (particularly in the case of automated individual decision-making);

- Right to withdraw your consent at any time, if the legal basis for the processing is your consent;

- Right to define general and specific instructions defining the way you intend to exercise, after your death, the rights above mentioned.

If you have any unresolved concerns, a complaint, or if you suspect that a personal data breach has occurred, you have the right to lodge a complaint with the complaint with the competent supervisory authority, namely the “Commission Nationale de l’Informatique et des Libertés” (Postal address: 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 – FRANCE).

Update Privacy Policy

What changes have been made to this new privacy policy?

When do these updates come into effect?

General Privacy Policy