Live inventory

Mölnlycke will process the following categories of your personal data: 

a)    User identity linked to Service actions
b)    Role/title (e.g., OR staff, inventory staff, administrator)
c)    Activity and transaction data, including: 
•    picks/withdrawals (what, when, quantity)
•    restocking events
•    inventory counts
•    timestamps (e.g., last picked, last counted)
•    frequency of actions over time

(hereinafter referred to as “Personal Data”). 

Purpose
Mölnlycke will process your Personal Data for the following purpose and compatible secondary purposes, in accordance with applicable law:

• To prepare and provide datasets (via exports or API) for insights/analysis by us and your employer/third parties
• To enable aggregation and analysis of inventory and workflow data, including e.g.,:
  stock levels and movements
  picking and restocking patterns
  order and threshold behavior
• To support identification of inefficiencies, stock imbalances, and optimization opportunities, such as workflow bottlenecks and process improvements. 

Legal basis: We only process your Personal Data to the extent permitted or required in accordance with applicable data protection legislation. This means that we need to have a legal basis for the purpose of processing your Personal Data. The legal basis for our processing of your Personal Data is:

• Our legitimate interest (Article 6(1)(f) GDPR) in analyzing how you use the Service to generate insights. This includes understanding inventory and workflow patterns, identifying inefficiencies or imbalances (such as overstock or stockouts), and supporting improvements in inventory management and healthcare operations.

Retention period
We will store your Personal Data as described below:

We collect Personal Data from the following sources:
•    Extraction either via API or as an export file from the Service  
•    From system integration/configuration inputs, such as uploaded inventory data or integrations to other systems (if enabled)
•    From you directly (e.g., when performing scans, registering transactions, or using the dashboard)

Recipients
We will share your Personal Data with the following recipients:

Transfer 
Mölnlycke operates globally and therefore Personal Data may need to be transferred to countries outside of where the Personal Data was originally collected. As Mölnlycke is headquartered in Sweden, Personal Data will be processed within Sweden and other countries within the EU/EEA. For individuals residing in the United Kingdom and Switzerland, Personal Data may thus be transferred to and processed within the EU/EEA. 

Where required under applicable data protection laws and to safeguard your rights, we rely on the following so-called transfer mechanisms:

• Adequacy decisions. This means that the UK Government or the Swiss Federal Council (as applicable) has assessed and decided that your Personal Data will be subject to an adequate level of protection in the recipient country, essentially equivalent to that within the EU/EEA, UK, or Switzerland. You can access the European Commission’s list of adequacy decisions here.
• Standard contractual clauses (SCCs). These clauses function as a contract between Mölnlycke and the recipient, with the purpose of safeguarding your rights. Where required, these are adapted or supplemented to comply with applicable local laws (including UK and Swiss requirements). You may access the European Commission’s standard contractual clauses here. Please contact Mölnlycke’s DPO for further information.

In this section we describe your rights as a data subject. You can exercise them by contacting us, using the contact details above. Please note that not all rights listed below are absolute and there are exemptions which can be valid.

Right of access. You have the right upon request to get a copy of your Personal Data which we process and to get complementary information regarding our processing of your Personal Data, such as for what purposes the processing occurs, relevant categories of personal data and the recipients of such personal data.

Right to rectification. You have the right to have you Personal Data corrected (rectified) and/or complemented if it is wrong and/or incomplete.

Right to erasure. You have the right to request that we erase your Personal Data without undue delay in the following circumstances: (i) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) you object to our processing of Personal Data, and we do not have any overriding legitimate grounds for the processing; (iii) the processed Personal Data is unlawfully processed; or (iv) the processed Personal Data has to be erased for compliance with legal obligations.

Right to restriction. You have the right to restrict the processing of your Personal Data in the following circumstances: (i) you contest the accuracy of the Personal Data during a period enabling us to verify the accuracy of such Personal Data; (ii) the processing is unlawful, and you oppose erasure of the Personal Data and request restriction instead; (iii) the Personal Data is no longer needed for the purposes of the processing, but is necessary for the establishment, exercise or defence of legal claims; or (iv) you have objected to the processing of the Personal Data, pending the verification whether our legitimate grounds for our processing override your interests, rights and freedoms.

Right to object. You have the general right to object to our processing of your Personal Data when it is based on our legitimate interest. If you object and we believe that we may still process your Personal Data, we must demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Complaints to the supervisory authority. You may at any time file a complaint with the supervisory authority in Sweden, or with your local supervisory authority in the EU member state where you are located. The data protection authority in Sweden is ‘Integritetsskyddsmyndigheten’. You can find contact details to each local supervisory authority by visiting this link: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you are located in the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office (ICO).
If you are located in Switzerland, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). If you are located in Norway, you may lodge a complaint with Datatilsynet.
If you are located in Liechtenstein, you may lodge a complaint with the Datenschutzstelle.

Security measures. We have taken measures to ensure that your personal data is handled in a safe way. For example, access to systems where personal data is stored is limited to our employees and service providers who require it in the course of their duties. Such parties are informed of the importance of maintaining security and confidentiality in relation to the personal data we process. We maintain appropriate safeguards and security standards to protect your personal data against unauthorized access , disclosure or misuse. We also monitor our systems to discover vulnerabilities.

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. Any updates will be communicated directly through the Service.