This new version of the "Volta Medical Personal Data Protection Policy" introduces various additions and modifications, the main ones of which are listed below. This policy is effective July 2nd, 2026.
In order to benefit from complete information on the characteristics of the processing we carry out, as well as on your rights and the methods of exercising them, we also invite you to read Volta Medical's General Personal Protection Policy.
The purpose of this Privacy Policy is to inform you of the processing of personal data implemented as part of the Volta Medical Group's Professional Whistleblowing System, which includes Volta Medical France (Substrate HD SAS) and Volta Medical Inc. (hereinafter "Volta Medical US").
Thus, when the report concerns Volta Medical US, its employees and/or external persons in relation to this entity, Volta Medical US and Volta Medical France act as joint Data Controllers.
The personal data that may be processed in the context of whistleblowing are the following:
As a data controller, or as a joint data controller, we may process your data for the following main purpose: to collect and manage professional whistleblowing in order to remedy it and to preserve the rights of the Volta Medical Group.
Purpose n°1: To receive, process and store any report that reveals or reports a violation of legal rules (whether French, European, international or foreign),
Purpose n°2: To receive, process and store any report that reveals or reports a violation of the ethical rules of the Volta Medical group,
Purpose n°3: To carry out the necessary verifications, investigations and analyses,
Purpose n°4: Define and implement the follow-up to be given to reports, including appropriate actions against the persons concerned,
Purpose n°5: To ensure the protection of the persons concerned,
Purpose n°6: To exercise or defend the rights of the Volta Medical group in court,
Purpose n°7: Comply with our obligations in terms of information to competent authorities (and their intermediaries), including foreign authorities where applicable,
Purpose n°8: Carry out internal and/or external audits of the Volta Medical Group's compliance processes,
Purpose n°9: Ensure access to and traceability of stakeholders' actions within the framework of the whistleblowing system,
Purpose n°10: De-identify or anonymize personal data and compile statistics, in compliance with applicable regulations.
The legal basis for the processing depends on the purpose of the intended processing.
The legal basis for the processing carried out (i) to receive, process and store any report that reveals or reports a violation of legal rules, (ii) to carry out verifications, investigations and analyses in the event of an offence or suspected offence and (iii) to protect the data subjects and to report the facts to the relevant authorities, is compliance with a legal obligation.
The legal basis for the processing carried out (i) to receive, process and store any report that reveals or reports a violation of the ethical rules of the Volta Medical Group, (ii) to carry out verifications, investigations and analyses in the event of ethical breaches, (iii) to exercise or defend legal claims, to carry out internal and/or external audits of compliance processes, (iv) to ensure access to and traceability of the actions of stakeholders in the whistleblowing system, (v) to anonymize, de-identify and establish statistics, is the legitimate interest of the data controller without prejudice the interests, rights and fundamental freedoms of the data subjects.
When we process sensitive personal data within the meaning of the GDPR (e.g. when we process data that reveals a person's ethnic or allegedly racial origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, data concerning health or data concerning a person's sex life or sexual orientation), we do so on the basis of the important public interest. Depending on the stage of the procedure related to the report in question, it may also be processed on the basis of the exception provided for in Article 9.2.f of the GDPR (processing necessary for the establishment, exercise or defense of legal claims).
In the case of data relating to offences, convictions and security measures, the processing of this data is carried out in order to enable the data controller to prepare, exercise and/or monitor legal action as a victim, accused person, etc. (for itself or on its behalf when the processing is carried out by a third party) in accordance with Article 46.3e of the French law n°78-17 of 6 January 1978, known as the "Data Protection Act".
For the purposes of receiving, processing and storing reports that reveal or report a violation of legal rules or an ethical breach:
For the purpose of ensuring the protection of individuals in accordance with the applicable regulations, the data is kept for the time necessary to implement their protection. They are then kept for 6 years (duration of the statute of limitations) and remain accessible to a limited number of authorised persons. They are then de-identified with restricted access or anonymized.
In the context of the exercise or defence of legal claims (including in the event of transmission to foreign authorities), the data will be stored for as long as necessary for the preparation, conduct and follow-up of the proceedings (including in the context of an action involving a foreign authority). They are then kept until all avenues of appeal have been exhausted, or a final decision has been made.
For the purpose of carrying out internal and/or external audits of the Volta Medical Group's compliance processes, the data is kept for the duration of the audits (it is specified that the data of reports and alerts are not processed within the framework of this purpose). At the end of the audits, the data is kept for 6 years with access to a limited number of people.
For the purpose of ensuring access to and traceability of the actions of stakeholders within the framework of the whistleblowing system, the data is kept for the entire duration of the processing of the reports and then the alerts until the final report. They are then kept for 6 years and remain accessible to a limited number of authorized persons. At the end of this period, the data is deleted. For the purpose of de-identifying or anonymizing personal data, the data is kept for the time necessary for these operations. Anonymized or de-identified data is then kept for an unlimited period.
In order to supervise, facilitate and secure the issuance of reports, Volta Medical relies on the "EQS Integrity Line" software (hereinafter the "Platform"), published by the company EQS Group. This Platform makes it possible to make reports relating to the activities of the Volta Medical group, while guaranteeing the confidentiality of the information transmitted. In this context, the EQS Group acts as a processor within the meaning of the applicable regulations on the protection of personal data and is therefore the recipient of the data.
In addition, depending on the stage of processing the report, the recipients are a) the persons in charge of evaluating the report within Volta Medical France and, if the report is accepted, b) the authorized persons within the entity concerned (in particular those in charge of the investigation, its supervision, the directors of the entities for sensitive cases, staff in charge of setting up whistleblower protection, staff in charge of implementing disciplinary measures or legal/judicial actions) and possibly c) the lawyers of the entities concerned, d) their experts and forensic service providers, and e) the competent judicial or administrative authorities (including foreign authorities where applicable).
As the data is encrypted in transit and at rest within the EQS Platform, EQS Group employees only have access to the data contained on the EQS Platform (including the data contained in reports) in a way that makes it incomprehensible to them.
If the reported facts relate to the activities of Volta Medical US and the report is accepted, the author of the report must agree that his identity and the reported facts will be brought to the attention of Volta Medical US, failing which Volta Medical US will not be the recipient.
In addition to the specific recipients designated in this "Privacy Policy applicable to processing carried out in the context of professional whistleblowing", in the event of the exercise or defense of legal rights by one or more entities of the Volta Medical group, other persons/entities may be recipients of the data, they are listed in the Privacy Policy applicable to the management of disputes.
Reporting is voluntary. However, failure to report breaches of the code of conduct or violations of the law may in some cases constitute professional misconduct for which disciplinary sanctions are possible for Volta's staff and contractual non-performance for companies under contract with one of the Group's entities.
The use of the EQS reporting platform entails the automatic and therefore mandatory collection of certain data, namely: log and logging data automatically generated by the EQS® reporting platform (in particular when submitting or following up on a report).
In addition, the fact that a report has been made, regardless of the means used to make the report, makes it mandatory to provide additional information to establish or not a breach of the Code of Conduct (e.g. information relating to the behavior or professional activity of the person involved, browsing data, metadata, etc.). The nature of the data collected in the context of reports depends on the content and nature of the report, so an exhaustive list cannot be drawn up in advance.
In general, personal data is collected directly from the person who made the report, or from any person who may be involved in the report.
However, and when necessary for the processing or verification of the report, some data may be collected indirectly from authorized third parties, such as administrations, public bodies, service providers or other partner entities, and only when such collection is authorized by law. Given the possible diversity of situations and alerts, it is not possible to exhaustively establish all the sources of collection likely to be mobilized. These will depend on the nature of the alert, its content and the needs strictly necessary for its investigation.
Your personal data is not intended to be processed outside the European Union. However, for reports involving Volta Medical US, a transfer outside the European Union may take place. This is governed by appropriate safeguards as provided for in Article 46 of the GDPR. In addition, in the context of a possible legal or regulatory obligation to report to foreign authorities, any transfers are based on Article 49.1.e of the GDPR (transfer necessary for the establishment, exercise or defense of legal claims).
No automated decision-making procedures (including profiling) that would produce legal effects with regard to data subjects or that would be likely to significantly affect them in a similar way shall be implemented.
We may change the content of this Policy at any time as our business evolves and/or in order to comply with our legal obligations, in particular.
If we make any changes, they will be made on the pages relating to this Policy on our website and we recommend that you refer to them each time you visit. However, in the event of substantial changes to the characteristics of the processing, we will draw your attention by publishing a warning on our website.