(Effective date April 13, 2018)
Personal Data We Process
Purposes Legal basis
Data Retention Period
Personal Data collected by us will be processed for the time strictly necessary to achieve the purposes referred to in above. In particular: a) Personal Data collected through the Platform will be deleted or anonymized for statistical purposes after your cancellation request and/or your account deletion; b) Personal Data needed for the provision of our newsletter service will be processed until you decide to unsubscribe. Security Measures Taken for Your Personal Data Safeguard We use appropriate measures to protect the security of your Personal Data. These measures vary based on the sensitivity of the information that we collect, process and store and the current state of technology. Please note that no service is completely secure. So, while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur. Notwithstanding the preceding, we operate with the aim of mitigating the risks associated with processing your Personal Data through several measures, including the following. Data Minimisation. We only ever obtain, retain, process and share Personal Data that is essential to carry out our services and legal obligations: only that which is relevant and necessary is collected. In particular, by way of example, our electronic collections (i.e., via the Platform, etc.), have only fields that are relevant to the purpose of collection and subsequent processing, while the physical collection (i.e., face-to-face contacts, phone calls, etc.) is supported using scripts and internal forms using predefined fields. Pseudonymisation. Whenever possible, we utilise pseudonymisation to record and store Personal Data in a way that ensures that such data can no longer be attributed to a specific data subject without the use of separate additional information (i.e., personal identifiers) which are protected with encryption, partitioning and other technical and operational measures of risk reduction and data protection. Encryption. Although we use encryption (i.e., using a secret key to make Personal Data indecipherable unless decryption of the dataset is carried out using such assigned key) as a form of pseudonymisation, we also utilise it as a secondary risk prevention measure for securing the Personal Data that we process. In particular, we utilise encryption via secret key for transferring Personal Data and/or special category of information to any external party and provide the secret key in a separate format. Notwithstanding the preceding, you are always entitled to freely choose at any moment, in the Platform’s preferences and settings, to receive and access encrypted messages and/or questionnaires from the Platform, either directly via an email sent to your mail inbox (containing plain text and/or links to be accessed without login) or indirectly in the Platform’s dashboard, that requires a previous mandatory login to the Platform and, therefore, it is more secure and set as default setting in the Platform. You will be always able to change your choice by accessing the Platform’s settings and preferences. Access restriction. We use company-wide restriction methods for restricting access into the foundation of our processes, systems and structure, in order to ensure that only those with authorisation and/or a relevant purpose, have access to Personal Data. Special category data is restricted at all levels and can only be accessed by the authorized Awell personnel and the designated care teams dealing with the patient’s care. No hard copy data. We never store any Personal Data in hard copy format.
Recipients of Your Personal Data
Third-party service providers or consultants. We may share your Personal Data with third-party service providers or consultants who need access to such data to perform their work on our behalf (e.g., sharing data with our storage provider for the purposes of storing your data on our behalf, etc.). These third-party service providers are limited to only accessing or using this data to provide services to us and must provide reasonable assurances that they will appropriately safeguard the data. In particular, we use information audits to identify, categorise and record all Personal Data that is processed outside our company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing includes (but is not limited to): a) IT Systems and Services b) Communication Services c) Email Services d) Project Management Tools e) Customer Relations Management f) Support Tools Aggregated or de-identified data. We might share data with third parties if that data has been de-identified or aggregated in a way that does not directly identify you. Third parties required by laws or authorities. We may disclose your data to a third party: a) if we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request (including to meet national security or law enforcement requirements); b) to enforce our agreements and policies; c) to protect the security or integrity of our services and products; d) to protect ourselves, our other customers, or the public from harm or illegal activities; e) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury. If we are required by law to disclose any of your Personal Data, then we will use reasonable efforts to provide you with notice of that disclosure requirement, unless we are prohibited from doing so by statute, subpoena or court or administrative order. Further, we object to requests that we do not believe were issued properly. Where Your Personal Data Are Processed and May Be Transferred Personal Data will be processed in Ireland and Belgium. If a transfer of any of such Personal Data out of the European Economic Area is necessary to achieve the purposes mentioned in this policy, we will acquire your previous consent, after having informed you about any appropriate or suitable safeguard implemented by us or about the existence of an adequacy decision by the European Commission.
Right of access. You are always entitled to receive confirmation as to whether or not your Personal Data are being processed and, where that is the case, access and receive copy of such Personal Data in an intelligible form. Furthermore, you are also entitled to receive information concerning: the purposes of the processing; the categories of Personal Data concerned; the recipients (or categories thereof) to whom the Personal Data have been or will be disclosed; where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from us rectification or erasure of personal data or restriction of processing of your Personal Data or to object to such processing; the right to lodge a complaint with a supervisory authority; the source of the Personal Data; the existence of automated decision-making; where Personal Data are transferred to a third country or to an international organization, the appropriate safeguards relating to the transfer. Right to withdraw consent. You are always entitled to withdraw, at any time, your consent to the processing of your Personal Data, both on legitimate grounds (even though they are relevant to the purpose of the collection) and if the processing is carried out for direct marketing purpose. The preceding will not affect the lawfulness of processing based on consent before the withdrawal. Right to rectification, erasure and restriction. You are always entitled to obtain from us, without undue delay: the rectification or integration of your Personal Data that are inaccurate or incomplete; the erasure of your Personal Data that have been processed unlawfully or whose retention is unnecessary for the Purposes; the restriction of processing, in case you challenge either the accuracy of your Personal data or the lawfulness of the processing, or in case we no longer need the Personal Data for the Purposes, but they are required by you for the establishment, exercise or defense of a legal claim. Right to data portability. You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller without hindrance from us, where technically feasible. Right to lodge a complaint before an European supervisory authority. In any case, pursuant to the Applicable Law, you have the right to lodge a complaint with the relevant Supervisory Authority, if he believes that the processing of your Personal Data is against the Applicable Law. Such relevant Supervisory Authority is the Commission for the Protection of Privacy, Rue de la Presse 35, 1000 Brussels (Belgium), Telephone: +32 (0)2 274 48 00, Fax: +32 (0)2 274 48 35, Email: email@example.com.
How to Contact Us
Contacts – Awell Data Protection Officer. Requests to exercise your rights above as well as any information request regarding the processing of your Personal Data must be sent to our Data Protection Officer, AWELL HEALTH, Alsembergsesteenweg 837, 1180 Brussels, Belgium, email: firstname.lastname@example.org. What we do when we receive an access request. Any access request is passed to our Data Protection Officer as soon as received and a record of the request is noted The following steps will be put in place: Identification. We will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services. In particular, where we are unable to utilise the request information to ensure that we can verify the data subject identity, we may contact the individual making the access request to provide evidence of his/her identity prior to actioning any request. If a third party, relative or representative is requesting the information on behalf of an individual, we will verify their authority to act on such behalf and may again contact the data subjects to confirm their identity and authorisation prior to acting the access request. Information gathering. If the individual making the access request have provided enough information in the access request to collate the Personal Data held about him/her, we will gather the data ensuring that the information required is provided in an acceptable format. If we do not have enough information to locate the records regarding the interested individual, we may contact the latter for further details. Information Provision. Once we have collated all of the Personal Data held about an individual, we will send this to him/her in writing (or in a commonly used electronic form, if requested). The information will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested. Fees and Timeframes. Any access request is always completed within one month; however, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to the individual within one month and keep him/her informed of the delay and the reasons. Our reply to any access request is provided free of charge, but further copies requested by the individual may incur a charge to cover administrative costs.
Amendments to This Policy