Data Subjects Rights
As a ‘data subject’ you have a number of rights under the law with respect to our use of your personal data. This Policy sets out those rights, explains them in clear terms, and provides guidelines on how to exercise them.
1. Information About Us
Establishment Labs® S.A.
Coyol Free Zone, B15
Alajuela, Costa Rica
European Distribution Center Motiva BV
VAT BE 0881.512.541 RPM/RPR Antwerp
+32 3 432 41 70
2. What Does This Policy Cover?
Under data protection law, including key legislation such as the UK GDPR and Data Protection Act 2018 and any successor legislation, (collectively, “the Data Protection Legislation”) individuals have important rights designed to protect them and their personal data.
3. What Is Personal Data?
Personal data is defined by the Data Protection Legislation as ‘any information relating to a person who can be directly or indirectly identified by reference to an identifier’.
In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we use is set out in our Privacy Notice.
4. What Are My Rights? (Summary)
Data Protection Legislation sets out your key rights as a ‘data subject’ as follows:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right to object; and Rights in relation to automated decision-making and profiling.
5. The Right to Be Informed
You have the right to be informed about our collection and use of your personal data. The information we provide must include details of the purpose or purposes for which your data is used, how long we keep it, and who (if anyone) it will be shared with.
This important privacy information is provided in our Privacy Notice. Additional information about your rights is also provided here, in this Policy.
If we collect data directly from you, this privacy information will be provided at the time of collection. We will ask you to read our Privacy Notice and provide Consent to indicate that you have read it and accepted it when visiting our website or when registering for an account.
6. The Right of Access
This right, also known as ‘subject access’ gives you the right to obtain a copy of any personal data that we hold about you as well as other supporting information.
This right is designed to help you understand how and why we use your data, and to check that we are using it lawfully.
You can exercise this right by making a ‘subject access request’. A subject access request can be made orally or in writing. The more detail you can provide, the easier it will be for us to respond quickly. While there is no prescribed format for such requests, a Subject Access Request Form is available https://establishment-labs.privacy.saymine.io/Motiva for you to use when making a request or you may submit a request to email@example.com.
We are required by law to respond to a subject access request within one calendar month of receipt (or, where we request proof of identification or a fee (see below), within one calendar month of receipt of that). We may also need to ask you for further information to understand the scope and nature of your request, and if we do so, the time limit for our response will be paused until you provide the necessary clarification. In certain limited cases, such as where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for a subject access request. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.
7. The Right to Rectification
Under the Data Protection Legislation, you have the right to have inaccurate personal data corrected, or incomplete personal data completed.
As a ‘data controller’ we are to take all reasonable steps to ensure that personal data we hold is accurate and, where necessary, kept up to date. Your right to rectification is closely tied to this obligation.
You can exercise this right by contacting us and asking for your data to be rectified if you believe it is incorrect, out-of-date, or incomplete. You can also update your personal data held by us by logging into your account on our website and updating information.
8. The Right to Erasure
This right is also known as the ‘right to be forgotten’ and gives you the right to have your personal data deleted (or ‘otherwise disposed of’ if, for example, it is kept in paper records rather than electronically).
You can exercise this right by contacting us and asking for your data to be erased.
Please note that the right to erasure is not an absolute right and there are certain circumstances set out in the Data Protection Legislation in which the right does not apply. For example, we may not comply with your request to erase your personal data if we need it to comply with a legal obligation. If any of these circumstances apply, we will explain why your personal data cannot be erased when responding to your request for erasure.
9. The Right to Restrict Processing
You have the right to request the restriction or suppression of your personal data. In practice, this is an alternative to having your personal data erased. This means that you can limit the way in which we use your personal data, while still allowing us to retain it.
Please note that the right to restrict processing is not an absolute right and only applies in certain circumstances as follows:
- You have contested the accuracy of your personal data and we are verifying the accuracy of it;
- Your personal data has been processed unlawfully and you want us to restrict processing rather than erasing your personal data;
- we do not need the personal data any more, but you need us to keep it in order to establish, exercise, or defend a legal claim; or
- You have exercised your right to object (see Part 10, below), and we are considering whether our legitimate grounds for processing your personal data override your right to object to us using it.
When processing is restricted, we cannot do anything with your personal data other than store it unless we have your consent to do so or unless one of the following applies:
- we need to use your personal data in the establishment, exercise, or defence of legal claims;
- we need to use your personal data in order to protect the rights of another person; or
- Important public interest reasons justify using it.
You can exercise this right by contacting us and asking for the processing of your data to be restricted.
10. The Right to Data Portability
Where we are processing your personal data either with your consent or for the performance of a contract between us, and we are using automated means of processing (i.e. not using paper files), you have the right to obtain a copy of your personal data in a commonly-used format for use with another organisation. You can also request that we send your personal data directly to another organisation.
This right is designed to enable you to easily move, copy, or transfer your personal data from one organization’s IT system to another organization’s IT system in a safe and secure way, without affecting its usability.
Please note that this right only applies to personal data that you have provided to us. This includes information in your account or profile as well as data that we may obtain from your activities on our website, such as usage history and other factors such as location data. It does not include additional data that we may create based upon the data you have provided or to data that has been anonymised. In some cases, more personal data relating to you may be available under your right of access (see Part 6, above).
You can exercise this right by contacting us and asking either for a copy of your personal data for use with another organisation, or for your personal data to be transferred to that organisation.
11. The Right to Object
Where we are processing your personal data either on the basis of our ‘legitimate interests’ or in the performance of a task carried out in the public interest, you have the right to object to us processing your personal data.
You also have the absolute right to object to us using your personal data for direct marketing purposes.
If you object to us using your personal data for direct marketing purposes, your right to do so is absolute and we have no grounds on which to refuse.
If you object to us using your personal data either on the basis of our ‘legitimate interests’ or in the performance of a task carried out in the public interest, please note that your right to do so is not absolute. When making your request to exercise this right, you must give specific reasons for your objection based upon your particular situation. We can continue using your personal data if we can demonstrate ‘compelling legitimate grounds’ which override your interests, rights, and freedoms; or if the processing is necessary for the establishment, exercise, or defence of legal claims. Additional limitations apply if your personal data is being processed for research purposes.
You can exercise this right by contacting us and stating your objection to the processing of your personal data for the relevant purpose or purposes, providing an explanation if required (see previous paragraph).
12. Automated Decision-Making (Including Profiling)
We carry out certain automated decision-making (i.e. making a decision using automated means only, without any human involvement) using your personal data, as described in our Privacy Notice.
You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal or ‘similarly significant’ effects.
You have the right to challenge decisions made in this way and can:
- Request human intervention;
- Express your own point of view; and
- Obtain an explanation from us about the decision and challenge it.
You can exercise this right by contacting us and stating that you wish to ask about or challenge a decision made using your personal data by solely automated means, telling us which of the above (a, b, and/or c) you wish to do (see previous paragraph).
13. Exercising Your Rights
To exercise any of your rights as a data subject, please contact Data Protection Officer (“DPO”):
- Post: Establishment Labs® S.A., Coyol Free Zone, B15, Alajuela, Costa Rica
- Online Form: https://establishment-labs.privacy.saymine.io/Motiva
- Telephone: +506 2434-2400
When contacting us to exercise your rights, please be descriptive abouts which rights you are exercising as indicated above.
14. Acknowledgement and Response
We will always respond quickly to your request to exercise any of your rights in relation to your personal data. We will acknowledge receipt without undue delay and will provide a complete response to your request as quickly as possible. Normally, as stated above, this will be within one calendar month of receipt of your request. If additional time is required, we will contact you within the first calendar month to explain why the delay is necessary.
15. Your Right to Complain
If you have any cause for complaint about our use of your personal data, or about our handling of your request to exercise your rights under this Policy, you have the right to lodge a complaint with the supervisory authority in your region.
We would welcome the opportunity to resolve your concerns, however, so we encourage you to please contact us first using the details set out above in Part 13.
16. Changes to this Policy
We may change this Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. This Policy will also be reviewed regularly, at least annually.
Any changes will be made available on miafemtech.com. This Policy was last reviewed on 6 February 2023 and last updated on 6 February 2023.
- The information provided is for informational and educational purposes only, the content herein is not intended as a substitute for consultation with a physician. Motiva® Implants are not yet commercially available in the US and are undergoing clinical investigation pursuant to US Food and Drug Administration (FDA) regulations for investigational medical devices.
- The statements and opinions presented here are applicable to each individual. Results will vary and may not be representative of the experience of others. All statements are voluntarily provided and are not paid, nor were they provided with free products, services, or any benefits in exchange for said statements. The statements are representative of patient experience; the exact results and experience will be unique and individual to each patient.