Data protection and compliance

Data Privacy

EU General Data Protection Regulation and local legislation

Oviva strictly follows the General Data Protection Regulation (“GDPR”), the Swiss Federal Data Protection Act („FDAP“) and similar privacy laws. GDPR is the most comprehensive data protection law in the world which regulates the use of personal data of EU residents and provides individuals rights to exercise better control over their data. The GDPR does not only apply to European organisations such as Oviva and its entities, it extends to any organisation worldwide that aims its products and services at EU residents. 

Above all GDPR requires us to be transparent and accountable for our use of personal data and sensitive patient data. We need to be able to demonstrate compliance with various legal requirements meant to protect our patients. Oviva’s goal is to ensure that all personally identifiable information such as health data is protected by means of strong technical and organisational measures.

As part of our internal data protection management, some of our control measures include:

• Ongoing data protection awareness trainings for all Oviva staff
• Regular exchange with and reviews by the Data Protection Team and Management
• Regular independent data protection audits (most recently in 2021 by an external consulting firm)
• Third party risk management as part of our review process of new data processing agreements
• PDCA based implementation and review of all security and control measures
• Evidence based documentation as part of GDPR’s accountability requirement

Data Protection Officer

To ensure that we maintain a high level of compliance we work with external data protection officers that advise and implement robust procedures with us and make sure that we are always in compliance with regulatory and legislative changes. So no matter where you are located, we have experts on the ground. 

Contractual Framework

We take the security of your data seriously and expect the same from our subcontractors. That is why we make sure that all of our subcontractors are bound to the same standard that we maintain. We achieve this by concluding standard data processing agreements (DPA) that clearly define how your data has to be safeguarded and strictly limit the purpose for processing this data. 

There is no general requirement for personal data to stay in the EU, yet transfers outside of the European Economic Area are restricted and will always receive further analysis by our Data Protection Team. When necessary, we ensure that transfers of Data are subject to additional security controls and rely on a standardized contractual framework provided by the European Commission (“standard contractual clauses“).

Audits

We walk the talk – our external partners help us to commit to our standards by conducting yearly voluntary audits. At the end of an audit, outcomes are analysed and improvements implemented. Keeping data safe is an ongoing commitment and not a one time effort. 

Information Commissioners’ Office (ICO)

Oviva is registered with the Information Commissioners’ Office (ICO), which is an independent body committed to uphold information rights in the public interest and data privacy for individuals in the UK.

More information

Medical Device Regulation

CE Marking

The European Union (EU) requires mandatory conformity labelling for certain products i.e. medical devices sold inside the European Economic Area (EEA), which is known as the Conformitè Europenne (CE) Mark.

Oviva’s device bears the CE marking, which is a symbol indicating that it:

1. complies with the requirements of relevant European product directives;
2. satisfies all requirements set forth in the applicable, recognised, and harmonised performance and safety standards in Europe; and
3. is appropriate for its intended use and will not jeopardise people’s safety.

More information