This new version of the "Volta Medical Personal Data Protection Policy" introduces various additions and modifications, the main ones of which are listed below. This policy is effective July 2nd, 2026.
What changes have been made to this new privacy policy?
Modification of the "How to exercise your rights?" section of the General Policy, in order to clarify and update the modalities for exercising the rights of data subjects;
Updating the privacy policy applicable to persons with whom we have or are likely to have a commercial, scientific, sponsorship or partnership relationship, including additions to the categories of data processed and the purposes of processing;
Addition of specific privacy policies, applicable to separate processing, namely: - the Privacy policy applicable to users of Volta Medical's Information System - the specific privacy policy applicable to processing carried out in the context of professional whistleblowing; - the specific privacy policy applicable to data processing carried out in the context of health vigilance.
Privacy policy applicable to data processing carried out in the context of health vigilance
For complete information on the characteristics of the processing operations we carry out, as well as on your rights and how to exercise them, please also read the information contained in Volta Medical's General Personal Protection Policy.
This privacy policy describes all the processing of personal data carried out by Volta Medical as part of the implementation and management of its health vigilance system, including the collection, recording, management and analysis of the information necessary for the proper management of these events, as well as, where applicable, their notification to the competent authorities and the implementation of appropriate corrective and preventive measures.
Health vigilance refers to any serious incident, as defined in Article 2 of Regulation (EU) 2017/745, that occurs during the use of a medical device, as well as any serious adverse reaction or any defect, alteration of the characteristics or performance of a device, likely to cause or have resulted in such an incident. Such situations shall give rise to an assessment in the framework of a vigilance system, and, where appropriate, to the implementation of appropriate remedial measures, as well as to notification to the competent authorities, in accordance with the obligations laid down in Articles 87 to 90 of that Regulation and the applicable national provisions.
What categories of personal data may we collect and process as a Data Controller?
The personal data that may be processed in the context of health vigilance cases are the following:
Data related to patients affected by a health vigilance case: Name of the institution concerned, date and time of the procedure, any date-related elements (date of birth, date of admission, date of discharge, date of death, etc.) as well as the age of patients over 89 years of age and all data elements (including year) revealing the age of the patient, gender, weight, medical history and concomitant treatments, type of ablation, type of atrial fibrillation (AF), data related to the management of the event (medical or surgical, prolongation of the procedure, if yes, duration, etc.), signals (ECG, 3D mapping), consequences of the event for the patient (e.g. death, injury, medical treatment, prolongation of the procedure etc.);
Data related to the users of the device concerned, as well as to the contacts/representatives of the institution: full name (first and last name), professional telephone number (or personal number if provided by the user), type of user profile (department, operator, hospital administrator, other), function or job title, employer or establishment, professional contact details (other than telephone numbers), places of practice of the user, User's login ID, dates and time of the user's login and logout during the relevant procedure, date and time of the procedure, as well as its status and procedure number, actions performed;
Data related to the reporting of the event: date, time and context of the event, name and position of the person who submitted the report, detailed description of the event (free field), messages exchanged, name of the relevant clinical study if relevant, information on the deletion or inactivation of the user's status, information related to the installation of the system (date, time, location), Installation ID (assigned during installation and for each product procedure), procedure number assigned.
What are the uses we make of this data? What are our objectives?
As a data controller, we may process your data for several purposes (also known as "purposes"):
Purpose n°1: To receive reports and the data contained therein.
Purpose n°2: To analyze the reports to determine whether they correspond to a case of health vigilance within the meaning of the Regulation (EU 2017/745).
Purpose n°3: To analyze the data to confirm the traceability of the impacted device.
Purpose n°4: To analyze the case of vigilance and cross-check it with similar data and cases recorded in the last 6 months in order to determine if the event has already taken place and take the necessary actions.
Purpose n°5: To implement a search for cause (investigation).
Purpose n°6: To inform the user about the cause of the problem.
Purpose n°7: If necessary: to update technical documentation.
Purpose n°8: If necessary: to implement a technical or organizational solution (problem solving).
Purpose n°9: If necessary, to notify the competent authorities of the case of health vigilance.
What are the legal basis for our processing?
The processing is carried out in order to enable Volta Medical to meet its regulatory obligations (in particular Regulation (EU) 2017/745, Article 10 paragraphs 9.i and 9.k, Annex III paragraph 1.1).
How long do we keep your data?
For all purposes, the data collected is kept for 10 years from the date on which the last device concerned is placed on the market (cf. point 10.5 of Annex XI to Regulation (EU) 2017/745 of 5 April 2017 –with reference to Annexes II and III of the said Regulation.
Who are the data recipients?
The data is accessible only to Volta Medical's duly authorized departments when it is necessary for the performance of their missions. It may also be communicated (i) to Volta Medical's subcontractors specifically authorized to implement all or part of the processing necessary for the management of health vigilance cases, (ii) to authorized third parties who are not processors in terms of personal data (such as legal advisers or consultants), (iii) as well as to the competent authorities when their communication is required in order to enable Volta Medical to comply with its legal or regulatory obligations, or to enable it to defend itself or assert its rights.
Are the collection and processing of your data mandatory?
The collection of data is mandatory and is necessary to enable Volta Medical to comply with its regulatory obligations in terms of health vigilance of the medical devices it places on the market.
How do we collect your data?
The data necessary for the management of cases of health vigilance cases is collected either directly from the persons concerned (in particular with regard to data related to reports that may be made by the persons concerned), or indirectly from the healthcare personnel concerned.
Do we transfer your Data outside the EU ?
We may transfer data to a country outside the European Union in the course of our activities. In this case, we take all appropriate measures to ensure compliance with the regulations applicable in the European Union. You can obtain a copy of these guarantees from our Data Protection Officer whose contact details can be found in the "Contact" tab of Volta Medical's General Data Protection Policy.
Does the processing implement an automated decision?
No automated decision-making procedures, including profiling, that would produce legal effects with regard to data subjects or that would be likely to significantly affect them in a similar way shall be implemented.
Can we change this Policy?
We may modify the content of this Policy at any time, in line with the evolution of our activities and/or in order to comply with our legal obligations. If we make any changes, they will be made on the pages relating to this Policy on our website and we recommend that you refer to them each time you visit. However, in the event of substantial changes to the characteristics of the processing, we draw your attention to this by publishing a warning on our website.