Privacy & cookie policy
Last updated: 12 May 2026
1. Introduction
Naslund Medical AB, company registration number 556676-5557 (hereinafter referred to as “Naslund Medical”, “we”, “us”, “our”) is the data controller for the processing of your personal data and is responsible for ensuring that your personal data is processed in accordance with applicable data protection legislation.
Naslund Medical is a privately owned Swedish company with subsidiaries in the USA, the United Kingdom and France, and distributors globally. Naslund Medical specializes in innovative medical device products for improved management and care of cancer patients. Naslund Medical’s main product, Gold Anchor, enables faster and more precise radiation therapy, improves patient safety and ensures correct guidance during surgical procedures.
In this privacy notice, you will find information about how Naslund Medical processes personal data about you if you belong to any of the categories described in Section 2 below. If you have any questions about our processing of your personal data, please contact us using the contact details set out in Section 9 below.
2. Persons covered by this notice and the personal data we process
2.1 Whose personal data we process
We process personal data about individuals who are in contact with us and our business, including:
- Representatives/contact persons of our customers or potential customers (prospects).
- Representatives/contact persons of companies that provide us with their products and/or services (service provider/supplier and potential service provider/supplier).
- Individuals who work for us as consultants.
- Individuals who participate in surveys and who provide feedback regarding our products.
- Individuals who otherwise contact us or visit our website.
2.2 What categories of personal data do we collect?
Below we describe the categories of personal data we collect. Section 3 contains information about what we use the personal data for and the reasons for such usage.
| Category | Examples |
|---|---|
| Contact details | Name, email address, telephone number, address and other contact details. |
| Company information | Company name and information about your role/title in the company. |
| Correspondence and documentation | Email correspondence, documentation, feedback, meeting notes, customer service and information that you voluntarily share with us in connection with surveys. |
| Technical and security-related data | IP address, browser type and limited device information, collected for security purposes (e.g. spam protection via reCAPTCHA) and to manage cookie consent preferences. |
| Transaction data | Invoice information, invoices, information about completed orders, payments, complaints and refunds to the extent it can be linked to you as an individual. |
| Qualification information (applicable to consultants) | Education, work experience and references, project information, registered time, information about fees, absences. |
| Data on our social media accounts | Identity data (name, username), content data (comments, messages) and interaction data when you communicate with us through our social media channels. |
| Complaint and incident data | Customer data, product data or patient-related information within the scope of quality or incident follow-up. |
3. Why we process personal data
Below you can read about what Naslund Medical uses your personal data for (the purpose), what types of personal data we use for each purpose, the legal basis on which the processing is based, and the retention period for the processing. Each subsection also indicates whether we received the information directly from you or from another source.
3.1 Communication with potential supplier/service provider and prospects
Purpose: The processing of personal data is necessary to be able to respond to enquiries and handle matters from potential service providers and/or potential customers.
Data: From you: Contact details, company information as well as correspondence and documentation.
Legal basis: The legal basis for our processing is our legitimate interest in taking actions before entering into an agreement with a potential service provider and/or potential customers (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have a legitimate interest in ensuring and documenting the relationship between you and Naslund Medical, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: Personal data will generally be retained for the duration of the business relationship or ongoing dialogue with the relevant supplier, service provider or prospect, unless longer retention is required to comply with applicable legal, accounting or regulatory obligations. Personal data collected in accordance with EU Regulation 2017/745 on medical devices (the “MDR Regulation”) is retained for as long as required, which is generally 15 years for implants after the relevant product has ceased to be made available.
3.2 Social media
Purpose: The processing of personal data is necessary to communicate with you and respond to questions, comments or messages that you send to us through our social media channels.
Data: From you: Data on our social media accounts.
Legal basis: The legal basis for our processing is our legitimate interest in being able to communicate with and respond to enquiries from individuals who contact us via social media (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have a legitimate interest in maintaining a dialogue with you via social media, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: We will retain your personal data for as long as necessary for the relevant communication or business purpose and for 12 months thereafter, unless the data needs to be retained for a longer period to comply with applicable laws and regulations. Please note that the provider of the relevant social media platform processes the personal data in accordance with its own data protection information. We refer to each platform’s privacy notice for more information about their processing.
3.3 Contractual obligations towards supplier/service provider, customer and consultant
Purpose: The processing of personal data is necessary to enter into agreements with a service provider, customer and/or consultant and to manage the relationship and fulfil the terms of the agreement (such as paying for services used, providing customer service, delivering a product/service or charging for a product/service), as well as to create, issue and store documents relating to the relationship.
Data: From you: Contact details, company information, qualification information (consultants only), as well as correspondence and documentation.
Legal basis: The legal basis for our processing is our legitimate interest in entering into an agreement with the service provider/customer/consultant and fulfilling the terms of such an agreement (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have a legitimate interest in managing and ensuring our relationships between you and Naslund Medical, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: We will retain your personal data for as long as necessary for the relevant communication or business purpose, for the duration of the business relationship, or as required by applicable accounting, legal or regulatory obligations. Certain data arising from the contractual relationship needs to be retained for at least seven years to fulfil legal obligations related to tax and accounting. Personal data collected in accordance with the MDR Regulation is retained for as long as required, which is generally 15 years for implants after the relevant product has ceased to be made available.
3.4 Keeping our CRM system correct and up to date
Purpose: The processing of personal data within the CRM system is necessary to manage, develop and follow up customer and business relationships, and to manage data in connection with the dispatch of product samples in accordance with the MDR Regulation. The processing enables structured communication, administration of customer contacts, initiation and follow-up of business opportunities, and analysis and improvement of sales and customer processes.
Data: From you and publicly available sources: Contact details, company information as well as correspondence and documentation.
Legal basis: The legal basis for our processing is our legitimate interest in having correct and relevant information about you as a contact person, for the company you represent, to facilitate our business operations (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: We regularly check whether registered contact persons are still relevant to the current business relationship or business purpose. Data about contact persons who are no longer current is anonymised or deleted after we become aware of the change. However, personal data collected in accordance with the MDR Regulation is retained for as long as required, which is generally 15 years for implants after the relevant product has ceased to be made available.
3.5 Access to internal systems and premises for consultants
Purpose: The processing of personal data is necessary to grant consultants who work on-site with us authorisation to our internal systems and programmes and to give them access to our premises.
Data: From you: Contact details and company information.
Legal basis: The legal basis for our processing is our legitimate interest in being able to give you access to the systems, programmes and premises that you need access to in order to carry out your assignment (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have a legitimate interest in giving consultants access to our systems and premises, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: We will retain your personal data for as long as you are carrying out the consultancy assignment for us or for as long as necessary for the relevant communication or business purpose. Certain system access and activity records may be retained for a longer period where necessary for security, traceability, audit or troubleshooting purposes, or to comply with applicable legal or regulatory obligations.
3.6 When you visit our website
Purpose: To provide, operate, maintain, improve, customise and expand our website, we use cookies and other similar tracking technologies. For information about how we use cookies and other tracking technologies, see our separate cookie statement.
Data: From you: Depending on your cookie settings, we will process statistical data and data for analysis about the website visitor.
Legal basis: The legal basis for our processing of personal data collected via cookies is your consent (Article 6(1)(a) GDPR).
Retention period: For further information about retention periods, please see our cookie statement on our website.
3.7 Marketing and information
Purpose: The processing of personal data is necessary in order for us to send you relevant updates, campaigns, news and information about us and our business, events and products including via email where applicable.
Data: From you and publicly available sources: Contact details, company information, correspondence and documentation, as well as information about your wish to subscribe/unsubscribe.
Legal basis: The legal basis for our processing of personal data is, as a starting point, your consent (Article 6(1)(a) GDPR). In cases where we have not obtained your consent in advance, the legal basis for the processing is our legitimate interest (Article 6(1)(f) GDPR) in being able to market our products and services, provide relevant information, and create, maintain and develop business relationships. In this balancing of interests, we have assessed that our interest in marketing outweighs your interest in the data not being processed for the purpose. You have the right at any time to object to processing for marketing purposes by contacting us using the contact details in Section 9.
Retention period: We retain your personal data until you unsubscribe from email or direct marketing from us, or during the period required to process your request (subscription to newsletters and events), or until you object to the processing.
3.8 Development of products and services based on your feedback and your participation in our surveys
Purpose: The processing of personal data is necessary to continuously improve and further develop our products and services, analyse your feedback and your participation in our surveys, and the views and suggestions we receive from you in connection with our business relationship. The processing enables us to identify areas for improvement, adapt our offering to needs and ensure that our products and services are of high quality, as well as to monitor, follow up, act and report in accordance with the MDR Regulation.
Data: From you: Contact details, company information, correspondence, documentation (your feedback) as well as the information you voluntarily provide in the surveys you respond to.
Legal basis: The legal basis for our processing is our legitimate interest in reviewing and analysing your feedback and your responses in our surveys and developing our products and services based on this (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have a legitimate interest in developing and improving our products, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9. For data processed due to the MDR Regulation, the legal basis for our processing is to fulfil legal obligations (Article 6(1)(c) GDPR). Any health information provided in feedback and surveys is processed based on the public interest in the field of public health of ensuring high quality and safety standards for medical devices (Article 9(2)(i) GDPR).
Retention period: We will retain your personal data for the entire period required under the MDR Regulation, which is generally 15 years for implants after the relevant product has ceased to be made available.
3.9 Complaints and incident reporting
Purpose: The processing of personal data is necessary to follow up, investigate and act regarding complaints and incidents, prepare mandatory reports and report incidents to the Swedish Medical Products Agency or supervisory authorities in other countries where incidents have occurred.
Data: From you, a distributor forwarding information, or another party reporting an incident: Contact details, company information, correspondence and documentation, information about the incident or complaint, and other information provided in the complaint or incident reporting.
Legal basis: The legal basis for our processing is to fulfil legal obligations under the European MDR Regulation (Article 6(1)(c) GDPR), and our legitimate interest in fulfilling the terms of an agreement with your employer (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9. Any processing of health data is carried out based on the public interest in the field of public health of ensuring high quality and safety standards for medical devices (Article 9(2)(i) GDPR).
Retention period: We will retain your personal data for as long as required under the MDR Regulation, which is generally 15 years for implants after the relevant product has ceased to be made available.
3.10 Processing to comply with laws, legal obligations and voluntary commitments
3.10.1 To fulfil legal obligations
| Purpose – legal obligation (Article 6(1)(c) GDPR) | Categories of personal data | Retention period |
|---|---|---|
| Manage and respond to data subject rights requests | Contact details and information stated in your request and additional information required to fulfil your request | Up to one year from the date your request has been fulfilled. |
| Accounting | Transaction data, such as information about completed orders, payments, complaints and refunds | At least until the end of the seventh year after the end of the financial year in which the transaction took place. Longer retention may occur due to regulatory or legal claims. |
| Regulatory compliance (MDR) — including traceability, post-market surveillance, complaints, vigilance reporting and quality management | Contact details, company information, correspondence, documentation, product-related data, and any information necessary for regulatory reporting (including, where applicable, incident-related information) | For as long as required under applicable medical device regulations, typically 15 years for implantable devices after the last product has been placed on the market. |
3.10.2 Claims and complaints
Purpose: The processing of personal data is necessary to administer, investigate and respond to claims and complaints.
Data: From you: Contact details and other information that you provide us with regarding your claim or complaint.
Legal basis: The legal basis for the processing is our legitimate interest in administering your claim or complaint (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have a legitimate interest in administering, investigating and responding to claims and complaints, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: We will retain your personal data during the period we investigate and administer your claim or complaint or for as long as required under applicable medical device regulations, typically 15 years for implantable devices after the last product has been placed on the market.
3.10.3 Disputes
Purpose: The processing of personal data is necessary to establish, exercise or defend a legal claim, in order to protect our and our subsidiaries’ legal rights.
Data: The categories of personal data relating to you that are necessary having regard to the dispute and the parties involved.
Legal basis: The legal basis is our legitimate interest in protecting our or our subsidiaries’ interests in the event of a dispute (Article 6(1)(f) GDPR). In this balancing of interests, Naslund Medical has assessed that we have an interest in defending ourselves in a dispute, that the processing is necessary to achieve the purpose, and that our interest outweighs your right not to have your data processed for this purpose. Please contact us if you would like to know more about how we balance your interests against ours — see the contact details in Section 9.
Retention period: We retain your personal data for as long as the dispute is ongoing and for ten years thereafter.
4. Our collection of your personal data
4.1 How we collect personal data
We primarily collect your personal data directly from you (including from your device) when you communicate or otherwise interact with us — for example through an order, personal contact, at trade fairs, a request for quotation, when you start a newsletter subscription, visit our website or respond to a survey.
In certain cases, we may also collect your personal data from other sources, namely when we collect it from publicly available sources/registers (for example if you are the designated contact person for a company we wish to get in touch with). We may also collect it from the company where you are employed and through online searches.
4.2 If you do not provide your personal data to us
When we process your personal data, we do so, among other things, to fulfil legal or contractual obligations. If you do not provide the personal data we request, it may mean that we cannot enter into an agreement with the company you represent or fulfil our obligations under an agreement or law towards that company. If you have any doubts or concerns about providing certain personal data, please contact us (see Section 9 below) for further information.
5. Who we share your personal data with
We may need to share your personal data with others to provide our services and to comply with laws and regulations. This includes, among others:
5.1 IT service providers
IT service providers handle necessary operations, technical support and maintenance of our IT solutions as well as internally used systems, platforms and hosting services.
Purpose and legal basis: Naslund Medical needs to access services and functionality from other companies that Naslund Medical cannot itself provide. Naslund Medical has a legitimate interest in being able to access these services and functions (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. If you would like more information about how the assessment has been made, you can always contact us — see contact details in Section 9.
5.2 Banking and payment service providers
Banking and payment service providers handle our payment transactions.
Purpose and legal basis: Naslund Medical needs to access these services from other companies that Naslund Medical cannot itself provide. Naslund Medical has a legitimate interest in being able to access these services and functions (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. If you would like more information about how the assessment has been made, you can always contact us — see contact details in Section 9.
5.3 Companies within the group
Purpose and legal basis: Naslund Medical has a legitimate interest in sharing information about the business with companies within the group (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. If you would like more information about how the assessment has been made, you can always contact us — see contact details in Section 9.
5.4 Distributors and suppliers
Purpose and legal basis: Naslund Medical has a legitimate interest in sharing data with distributors and suppliers to the extent necessary for such parties to comply with agreements with us and/or end customers (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. If you would like more information about how the assessment has been made, you can always contact us — see contact details in Section 9.
5.5 External advisors and consultants
External advisors and consultants assist us in various areas of our business — for example lawyers/legal counsel, auditors and other consultants.
Purpose and legal basis: Naslund Medical has a legitimate interest in being able to receive these advisory functions in various areas in order to conduct an efficient and proper business. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. If you would like more information about how the assessment has been made, you can always contact us — see contact details in Section 9.
5.6 Potential buyers
Potential buyers in the event of a merger, acquisition or sale of all or part of our assets.
Purpose and legal basis: Naslund Medical has a legitimate interest in being able to carry out these transactions (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your data processed for this purpose. If you would like more information about how the assessment has been made, you can always contact us — see contact details in Section 9.
5.7 Authorities
Authorities due to legal requirements or in the event of a request (for example the Swedish Medical Products Agency).
Purpose and legal basis: Personal data is shared with authorities when we are legally obliged to do so, or in certain cases if you have instructed us to do so, if it is required to administer tax deductions or to prevent crime. Depending on the authority and the purpose, the legal bases are the obligation to comply with law (Article 6(1)(c) GDPR), that Naslund Medical has a legitimate interest in being able to protect itself against crime and comply with legislation (Article 6(1)(f) GDPR), or based on the public interest in the field of public health of ensuring high quality and safety standards for medical devices (Article 9(2)(i) GDPR).
6. Transfer of personal data outside the EU/EEA
We strive to process your personal data within the EU/EEA area. In certain situations, however, your data may be processed outside the EU/EEA. We always ensure that your personal data has a high level of protection, even when the personal data is processed outside the EU/EEA.
Naslund Medical has subsidiaries in two countries outside the EU/EEA to which your personal data may be transferred. For the United Kingdom, the European Commission has decided on an adequate level of protection. For transfers to the USA, the EU standard contractual clauses for third country transfers shall apply (Article 46 GDPR).
Naslund Medical also has distributors and suppliers in countries outside the EU/EEA to which your personal data may be transferred. In most cases, these parties are based in a country that the European Commission has assessed as offering an adequate level of protection either through the Commission’s formal decision or through a mechanism such as the Data Privacy Framework (DPF) (Article 45 GDPR). If not, we will enter into the EU standard contractual clauses. In addition, we take further technical and organisational security measures when needed.
7. Your rights
7.1 Right of access
You have the right to know whether or not we process personal data about you. If we do, you also have the right to obtain information about which personal data we process and why we do so. Furthermore, you have the right to receive a copy of all personal data we hold about you. If you are interested in any specific information, please specify this in your request. For example, you can indicate whether you are interested in a specific type of information, such as the specific contact details we hold about you, or whether you want information from a certain time period.
7.2 Right to rectification
If the personal data we hold about you is incorrect, you have the right to have the personal data rectified. You also have the right to supplement incomplete personal data, including by providing supplementary information. When we have rectified or supplemented your personal data, we will inform those with whom we have shared your personal data (where applicable) of the update, unless this is impossible or unreasonably burdensome. Upon your request, we will also tell you which recipients we have shared your personal data with. If you request to have data rectified, you also have the right to request that we restrict our processing during the time we investigate the matter.
7.3 Right to erasure (right to be forgotten)
In certain cases, you have the right to request that your personal data is erased, for example:
- If the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; or
- When the personal data has been unlawfully processed.
If we erase the personal data at your request, we will also inform those with whom we have shared your personal data (where applicable), unless this is impossible or unreasonably burdensome. Upon your request, we will also tell you who we have shared your personal data with.
7.4 Right to request restriction
Restriction means that the personal data is marked so that in the future it may only be used for certain limited purposes. The right to restriction applies:
- When you consider that the personal data is incorrect/incomplete and you have requested rectification. In this case, you can also request that we restrict our processing while we investigate whether the personal data is correct/complete or not.
- If the processing is unlawful but you do not want the personal data to be erased.
- When you have objected to the processing, during the time we verify our legitimate grounds.
- When we no longer need the personal data for the purposes for which we collected it, but you need it to establish, exercise or defend legal claims.
Even if you have requested that we restrict our processing of your personal data, we have the right to use it for storage, to exercise or defend legal claims, or to protect the rights of another person. We may also use the personal data for reasons of important public interest. We will notify you before the restriction ceases to apply.
If we restrict the processing of your personal data, we will also inform those with whom we have shared your personal data (where applicable), unless this is impossible or unreasonably burdensome. Upon your request, we will also tell you which recipients we have shared your personal data with.
7.5 Right to object
You have the right to object to processing that is based on our legitimate interest (Article 6(1)(f) GDPR). If you object to the use, we will, based on your situation, evaluate whether our interests in using the personal data outweigh your interests in the personal data not being used for this purpose. If we cannot state compelling legitimate grounds that outweigh yours, we will stop using the personal data you object to — provided we do not need to use the data to establish, exercise or defend legal claims. If you object to the use, you also have the right to request that we restrict our use during the time we investigate the matter.
You always have the right to object to and unsubscribe from direct marketing that is based on our legitimate interest.
7.6 Right to data portability
If the processing is based on your consent or an agreement between us, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer it to another data controller (“data portability”). Please note that we rarely use any of these legal bases to justify our processing.
7.7 Right to withdraw consent
You have the right to withdraw your consent to a certain processing at any time. Your withdrawal will not affect processing that has already been carried out. Please note that we rarely use consent to justify our processing.
7.8 How to exercise your rights and the right to complain
If you wish to exercise any of your rights, you can contact us using the contact details in Section 9.
If you have any objections or complaints about how we process your personal data, please contact us and we will do our best to help you. You also have the right to submit a complaint with the supervisory authority where you live, work or where you believe a violation has occurred. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection (IMY):
Integritetsskyddsmyndigheten
Box 8114, 104 20 Stockholm
imy@imy.se
8. Children’s privacy
We do not knowingly collect personal data from individuals under the age of 13. If you suspect that your child has provided personal data to us, or that such data has reached us by other means, please contact us using our contact details in Section 9 in order for us to take appropriate measures.
9. Contact details
If you have any questions about this privacy notice and how your personal data is processed, please use the contact details below.
Telephone: +46 70 799 27 23, +46 70 610 54 11
Address: Naslund Medical AB, Åvägen 40B, 141 30 Huddinge, Sverige
Email: privacy@goldanchormarker.com
10. Changes to this privacy notice
We reserve the right to amend this privacy notice from time to time. We will inform you of any changes by publishing the updated privacy notice on our website. If we make any material changes, we will send you a notification via email.
Document reference: POL-004-A