
GDPR Compliance

How Orquideas Etereas, Unipessoal LDA (ORVIDA) operationalises the EU General Data Protection Regulation across every stage of our medical device distribution service.

Last updated: 17 April 2026
On this page
  • 1. Our GDPR Commitment
  • 2. Lawful Basis Summary
  • 3. Data Subject Rights
  • 4. Data Protection Officer
  • 5. Processing Register Summary
  • 6. Data Breach Protocol
  • 7. Supplier and Processor Agreements
  • 8. Cross-Border Transfers
  • 9. Training and Accountability
  • 10. Supervisory Authorities
  • 11. Certifications Alignment
  • 12. How to Exercise Your Rights

1. Our GDPR Commitment

ORVIDA — trading name of Orquideas Etereas, Unipessoal LDA — is committed to processing personal data fairly, lawfully and transparently in line with Regulation (EU) 2016/679 ("GDPR"), Portuguese Law 58/2019 and Spanish LOPDGDD. This page summarises how we operationalise that commitment for customers and partners in Portugal and Spain. It complements, but does not replace, our full Privacy Policy.

Our GDPR framework is built on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles are reflected in our written policies, our supplier contracts and our day-to-day operations.

2. Lawful Basis Summary

Every processing activity at ORVIDA is mapped to a specific lawful basis under Article 6 GDPR. The table below summarises the main cases.

Activity | Lawful basis | Notes
Account creation and credential verification | Contract / Legitimate interest | Required to ship prescription medical devices.
Order processing, invoicing, delivery | Contract | Necessary to fulfil the purchase agreement.
Tax and accounting records | Legal obligation | Portuguese CIT Code and Spanish tax rules.
Medical device traceability | Legal obligation | EU MDR 2017/745 Articles 10 & 25.
Transactional communications | Contract / Legitimate interest | Order updates, safety notices.
Marketing newsletters | Consent | Opt-in; single-click unsubscribe.
Website analytics (when enabled) | Consent | Loaded only after consent.
Fraud prevention and IT security | Legitimate interest | Documented balancing test on file.

3. Data Subject Rights

You can exercise the following rights at any time, free of charge:

  • Right of access (Art. 15): obtain a copy of your data.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): delete your data, subject to the retention obligations in our Privacy Policy.
  • Right to restriction (Art. 18): limit processing during a dispute.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7): at any time, without prejudice to processing that took place before.
  • Right not to be subject to automated decision-making (Art. 22): we do not use automated decision-making.
  • Right to lodge a complaint (Art. 77): with the Portuguese CNPD or the Spanish AEPD.

Requests should be sent to info@orvida.eu with the subject line "GDPR request". We respond within one month of receipt, the deadline set by Article 12(3) GDPR; where a request is complex or we receive a large number of requests, that period may be extended by up to two further months, and we will tell you within the first month that an extension is needed and why.

4. Data Protection Officer

We have not formally appointed a Data Protection Officer (DPO) because our processing activities do not meet the mandatory thresholds set by Article 37 GDPR. Nevertheless, we maintain a designated privacy contact who performs DPO-equivalent duties:

  • Privacy contact: info@orvida.eu (subject: "Privacy" or "DPO")
  • Escalation: the Managing Director of Orquideas Etereas, Unipessoal LDA.

Should our activities expand in a way that triggers Article 37 — for example, large-scale processing of special categories or systematic monitoring — we will appoint a formal DPO and update this page.

5. Processing Register Summary

We maintain a written record of processing activities (Article 30 GDPR). The summary below shows the main records; the full register is available to supervisory authorities on request.

Customer accounts

  • Data categories: identification, contact, professional credentials.
  • Purposes: account management, credential verification, ordering.
  • Recipients: internal commercial team, payment processors, shipping partners.
  • Retention: for the life of the account plus 5 years after closure; data linked to invoices is kept for 10 years under the tax and accounting rules above.

Orders and invoicing

  • Data categories: transactional, financial, shipping details.
  • Purposes: fulfilment, accounting, tax compliance.
  • Recipients: accountant, payment processors, shipping partners, tax authority when required.
  • Retention: 10 years.

Pharmacovigilance

  • Data categories: lot numbers, clinic receiving the product, adverse-event reports.
  • Purposes: regulatory traceability under EU MDR 2017/745.
  • Recipients: manufacturer (pseudonymised), competent authorities (INFARMED, AEMPS).
  • Retention: at least 10 years.

Marketing

  • Data categories: contact data, consent record.
  • Purposes: newsletters, product updates, training invitations.
  • Recipients: email service provider.
  • Retention: until consent is withdrawn, plus 2 years audit log.

Website analytics and security logs

  • Data categories: IP address, browser, pages viewed, error logs.
  • Purposes: site improvement, fraud prevention, incident response.
  • Recipients: hosting provider, IT security provider.
  • Retention: up to 14 months for analytics; up to 90 days for security logs.

6. Data Breach Protocol

We have a written incident-response procedure that aligns with Articles 33 and 34 GDPR:

  1. Detection: staff are trained to escalate any suspected breach to the privacy contact within 24 hours.
  2. Containment: affected systems are isolated, credentials rotated, backups validated.
  3. Assessment: nature, scope, categories and number of data subjects affected are documented. A risk rating is assigned.
  4. Notification to CNPD: unless the breach is unlikely to result in a risk to individuals' rights and freedoms, we notify the CNPD (our lead supervisory authority, as our establishment is in Portugal) without undue delay and, where feasible, within 72 hours of becoming aware of it; if notification is made later, it is accompanied by the reasons for the delay.
  5. Notification to data subjects: when the breach is likely to result in a high risk, affected data subjects are notified without undue delay in clear language.
  6. Remediation and lessons learned: a post-incident review updates controls and the processing register.

7. Supplier and Processor Agreements

Every third party that processes personal data on our behalf signs a data processing agreement (Article 28 GDPR) that:

  • Lists the categories of data, purposes and duration of processing.
  • Requires appropriate technical and organisational measures.
  • Prohibits sub-processing without prior written approval.
  • Requires cooperation with audits, data subject requests and breach notification within 24 hours.
  • Imposes return or deletion of data at the end of the engagement.

Current key processors include our accountants, hosting provider, email provider (Google Workspace), payment processors (Stripe, Revolut, SIBS MB Way) and courier partners.

8. Cross-Border Transfers

We prefer EEA-hosted processors. Where a transfer outside the EEA is unavoidable we rely on:

  • Standard Contractual Clauses (2021): Module 1 (controller-to-controller) for the vigilance flow to Hangzhou Techderm; Module 2 (controller-to-processor) for processors outside the EEA.
  • Transfer Impact Assessment: documented review of local law, supplementary technical measures (encryption, pseudonymisation) and practical enforceability of data subject rights.
  • EU-US Data Privacy Framework: relied upon for Stripe and Google Workspace where applicable.

We do not rely on derogations (Article 49 GDPR) for routine transfers.

9. Training and Accountability

Accountability (Article 5(2) GDPR) is the backbone of our programme. We maintain:

  • A written privacy policy, internal privacy standard and cookie policy.
  • A register of processing activities, a register of consents, a register of data subject requests.
  • A data protection impact assessment (DPIA) procedure; DPIAs are carried out before any new activity likely to result in a high risk.
  • Annual privacy training for everyone who handles customer data.
  • Periodic internal audits aligned with our ISO 13485 quality-management approach.

10. Supervisory Authorities

If you believe your rights have been infringed you can complain to:

  • CNPD (Portugal): www.cnpd.pt — Av. D. Carlos I, 134, 1200-651 Lisboa.
  • AEPD (Spain): www.aepd.es — C/ Jorge Juan, 6, 28001 Madrid.
  • EDPB: edpb.europa.eu for guidance applicable across the EEA.

We would appreciate the chance to resolve any concern first; please contact us at info@orvida.eu.

11. Certifications Alignment

Although GDPR is not a certifiable standard, several of the controls we rely on are inherited from frameworks we do operate against:

  • ISO 13485 (Medical Devices QMS): document control, training records, CAPA, supplier qualification, change control — all of which support data-protection accountability.
  • ISO 9001 (Quality Management): management review and internal audit cycles.
  • Alignment with ISO 27001 principles: we operate an information security baseline informed by ISO 27001 Annex A, even where full certification is not in place.

This convergence means that a single management system supports both medical device compliance and data protection — reducing duplication and increasing reliability.

12. How to Exercise Your Rights

The quickest way to reach us is:

  1. Email info@orvida.eu with the subject "GDPR request" and describe what you need (access, rectification, erasure, objection, etc.).
  2. Include enough information for us to identify you and — where necessary — a copy of a government-issued ID (we redact and delete identification copies after verification).
  3. If you prefer postal contact: Orquideas Etereas, Unipessoal LDA — Privacy, Lisbon, Portugal.

We will acknowledge receipt within five business days and complete the request within one month of receipt (Article 12(3) GDPR). If the request is complex or voluminous we may extend the deadline by up to two further months and will tell you within the first month why an extension is needed.

Effective date: 17 April 2026.