Bittium Medical Devices and MEDI Service Desk Privacy Statement
Privacy Statements
Customer Relationships and Marketing Privacy Statement
Bittium Tough Mobile Privacy Statement
Bittium Medical Devices and MEDI Service Desk Privacy Statement
Bittium Medical Devices and MEDI Service Desk Privacy Statement
1. Controller contact Information
Bittium Biosignals Oy (´Bittium´)
Pioneerinkatu 6
70800 Kuopio, Finland
[email protected]
1. The legal basis and purpose of processing personal data
When in the role of a controller, on the basis of implementation of contract, Bittium processes personal data for contractual and customer relations purposes and to provide support services to Bittium products. Personal data is also used to improve and develop medical products and services for Bittium customers as agreed in the contract.
Personal data is processed when customers create a support request (MEDI-ticket) to Bittium product support. Personal data may then be accessed, depending on the nature of the request. Without a support request, Bittium will not access customer data.
Personal data are processed through the MEDI Service Desk for the purpose of providing technical support and customer service to end users, customers, and distributors of medical devices manufactured by Bittium Biosignals Ltd.
The MEDI Service Desk operates as an official communication channel for managing medical device–related inquiries, feedback, complaints, and maintenance requests. Access to records is restricted, and records are protected from unauthorized alteration or deletion.
Support request data is also used for post-market surveillance (PMS) purposes to ensure that the products are safe, function efficiently in their intended use, and are in line with customer requirements as required by the European Union Medical Device Regulation (EU MDR) 2017/745. Personal data is excluded or minimized to the extent possible in PMS processing. Bittium aggregates volumes of measuring data to generate statistical models, reports, incident investigations, and analyses about service performance. In addition, Bittium may use measuring data, such as EKG, to test the functioning of our services and products.
Bittium de-identifies the measuring data to the extent possible, for example, by anonymizing or pseudonymizing any personal data identifiers.
When Bittium products are used by a licensed user, all the personal identifying data is processed by the licensed party and Bittium has no role in the processing. In that case, Bittium acts only as the license seller for a medical product that has privacy by design features built into the device, but Bittium has no part in the actual processing of personal data collected with Bittium device and software.
When in the role of a processor, the basis of implementation of a contract, Bittium processes personal data as defined in the contract and/or in a separate Data Processing Agreement (DPA).
On the basis of legitime interest, we use third party tools to analyze customer experience in our medical products. These tools allow us to better understand how our customers use our products, they enable us to better instruct our customers and conduct surveys. A balance test has been conducted as required by the GDPR (General Data Protection Regulation).
2. Personal data we process
Medical products
Personal data processed by different roles when using Bittium’s Medical devices contains the types of personal data listed below:
Technicians, business users, and specialists:
System identifiers: name, email address
Service provider:
- Administrations information
- Log files
Patients:
- Year of birth
- Gender
- Height
- Weight
- Medication
- Diseases
- Habits
- Symptoms
- Place of remittance
- Recorded measurement data
- Additional optional information given to the cardiologist related to the analysis
- Additional information in the diagnosis given by the specialist
MEDI Service Desk
Depending on the nature of the support request, feedback, or regulatory obligation, the MEDI Service Desk may process the following categories of personal data:
Identification and Contact Data
- Name, surname
- Job title or role
- Company or organization name (e.g., healthcare provider, distributor)
- Business address
- Email address
- Telephone number
Personal data processed may vary depending on whether the request relates to general support, maintenance, complaint handling, or regulatory reporting.
Account and User Information
- User ID or username within the service desk portal
- Authentication and access role information
- Communication preferences
- Communication and Case Management Data
- Content of support tickets, inquiries, feedback, complaints, and maintenance requests
- Correspondence exchanged via the service desk (e.g., messages, comments, attachments)
- Date, time, and status of service requests
- Internal notes related to case handling
Device and Product-Related Data
- Medical device type, model, and configuration
- Serial number, batch, or lot number (where applicable)
- Installation location (e.g., facility or department)
- Usage context relevant to the reported issue
- Maintenance, repair, or service history associated with the device
Technical and System Data (restricted access rights, used only in fault situations)
- IP address
- Device identifiers (e.g., browser type, operating system)
- Log data related to access and use of the MEDI Service Desk
- Time zone and language settings
Regulatory and Quality Management Data
- Complaint classification and investigation outcomes
- Post-market surveillance and vigilance records
- Corrective and preventive action (CAPA) references
- Regulatory reporting references (where applicable)
3. Regular sources of personal data
Personal data is collected from MedicalSuite Platform Service, recording device, such as Faros and/or the customer or service provider of Bittium.
Personal data processed through the MEDI Service Desk are obtained from the following sources:
- Data provided directly by end users, customers, distributors, or authorized service partners when submitting support requests, feedback, or complaints
- Information generated during communication and interaction with the Service Desk, including ticket metadata and correspondence
- Information provided by distributors or customers acting on behalf of end users
- Information generated internally by Bittium Biosignals Ltd. in the course of technical investigations, complaint handling, post-market surveillance, and corrective or preventive actions
- Limited technical information automatically generated by the MEDI Service Desk system, such as access logs and timestamps
4. Storage time of the personal data
Bittium processes the personal data as long as the legal basis of the collection of personal data exists, and the purpose of the collection of personal data is valid, or the data subject prohibits the processing of personal data related to the data subject. Bittium will implement all reasonable efforts related to rectification without undue delay. Bittium evaluates the validity of the personal data processed continuously.
Personal data processed through the MEDI Service Desk are handled as quality records within Bittium Biosignals Ltd.’s quality management system in accordance with ISO 13485.
Service Desk records related to technical support, maintenance, and customer inquiries are generally retained for up to 10 years after case closure.
Records relating to complaints, safety incidents, or post-market surveillance activities are retained for a period consistent with applicable medical device regulations, typically at least 10 years after the last device has been placed on the market.
Upon expiration of the applicable retention period (usually 10 years), personal data are securely deleted or anonymized in accordance with established record control procedures.
5. Sharing of the personal data
Bittium may share personal data within the limits of the applicable law within the Bittium group of companies for the same purpose the data was originally collected. Bittium may also use subcontractors for data processing (storage, analytics, sales, customer relations and support, marketing automation), so customer personal data is processed by them according to Bittium instructions. Bittium has strict requirements for subcontractors for data security and a valid Data Processing Agreement with them.
Where necessary for the provision of support services or the handling of complaints, personal data may also be shared with authorized distributors or service partners, subject to appropriate contractual and confidentiality safeguards.
Personal data may be disclosed to competent regulatory authorities or notified bodies when required to comply with applicable medical device regulations or legal obligations.
In limited cases, personal data may be shared with legal or professional advisors where it is necessary to establish, exercise, or defend legal claims.
6. Transferring of the personal data outside the EU or EEA
Bittium may transfer personal data within the limits of applicable law outside the EU or EEA within the Bittium group of companies. Personal data may also be transferred outside the EU or EEA by Bittium within the limits of the applicable law when using US owned subcontractors for data processing (storage, analytics, marketing automation, AI) e.g. Google, Microsoft. Actual personal data is not moved from the location agreed with the customer in the contract.
When processing personal data of a non-EU company outside the EU, local data protection legislation is followed.
7. The protection of personal data
Bittium has implemented appropriate technical and organizational measures to protect personal data from accidental or unlawful loss, extradition, misuse, alteration, destruction, or unauthorized access. The employees of Bittium who have access to customer personal data have access due to their work role and are obliged to keep the personal data received during the processing confidential.
8. The rights of the data subject
The data subject has, to the extent permitted by the law (the used legal bases for processing), following rights under the Data Protection Regulation:
Right to obtain information on the processing of their personal data
The data subject shall have the right to be informed of the collection and processing of their personal data. The processing of personal data shall be done in a transparent manner.
Right of access
The data subject shall have the right to obtain from Bittium confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
Right to rectification
The data subject shall have the right to obtain from Bittium without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
The data subject shall have the right to obtain from Bittium the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay provided that the legal grounds apply.
Right to restriction of processing
The data subject shall have the right to obtain from Bittium for restriction of processing provided that the legal grounds apply.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on, for example legitimate interests of Bittium or direct marketing.
Right to data portability
The data subject shall have the right to receive the personal data which he or she has provided to Bittium, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from Bittium when the processing is based on consent and the processing is carried out by automated means.
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Bittium does not perform profiling or automated decisions at this level.
Right not to be subjected to automated decision-making applies (with minor differences) when the processing is based on a consent or a contract, processing is based on the controller’s legal obligations or processing is based on a task carried out in the public interest or the exercise of public authority.
Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority.
9. Changes to this Privacy Statement
Bittium reserves the right to make changes to this privacy statement.