The purpose of the App is to facilitate the sharing of patients' information among healthcare staff (including data defined as "special categories" by privacy legislation) in order to improve the effectiveness of care and of interventions on the patients themselves. The individual healthcare professional who uploads a patient's data declares that they have obtained consent to use that data on the App's platform; that professional therefore acts as the controller of the processing. The processing of personal data carried out through the App thus falls within the scope of specialist telemedicine, in which the health specialist and the patient are not in the same place.
The processing of data by MEDICAL-NOTE Srl as Data Processor (hereinafter "Company") will take place according to the principles set out in EU Regulation 679/2016 (General Data Protection Regulation - GDPR), as described in the official text available here: https://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:32016R0679&from=IT. As indicated by the 2013 WP29 guidelines (WP29 is now the European Data Protection Board - EDPB) and reiterated by the GDPR, EU legislation applies whenever a party involved in the development, distribution and operation of an application qualifies as a processor and is established in an EU Member State. EU law also applies when equipment located in the EU is used.
The App implements the "Privacy Code of Conduct on mobile health (mHealth) apps" (https://ec.europa.eu/digital-single-market/en/privacy-code-conduct-mobile-health-apps), developed in collaboration with WP29/EDPB. Specifically, the principles of privacy by design, data minimisation, pseudonymisation, data encryption, data deletion, data retention and transparency have been evaluated and applied in the ways described below.
Below we set out the main definitions used in privacy notices, so that the contents of the statements we produce are clear and fully transparent.
Definitions - For the purposes of the GDPR, the following terms mean:
1) 'personal data': any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
2) 'processing': any operation or set of operations performed, with or without automated means, on personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3) 'restriction of processing': the marking of stored personal data with the aim of limiting its processing in the future;
4) 'profiling': any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5) 'pseudonymisation': the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person;
6) 'filing system': any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7) 'controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law;
8) 'processor': the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9) 'recipient': the natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry under EU or Member State law are not regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing;
10) 'third party': the natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11) 'consent of the data subject': any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12) 'personal data breach': a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13) 'genetic data': personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that person and which result from the analysis of a biological sample from that person;
14) 'biometric data': personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data;
15) 'health data': personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
16) 'main establishment':
(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is considered the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place in the context of the activities of an establishment of the processor, to the extent that the processor is subject to specific obligations under the Regulation;
17) 'representative': a natural or legal person established in the Union who, designated in writing by the controller or processor pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the Regulation;
18) 'enterprise': a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
19) 'group of undertakings': a group consisting of a controlling undertaking and its controlled undertakings;
20) 'binding corporate rules': personal data protection policies adhered to by a controller or processor established in the territory of a Member State for transfers, or a set of transfers, of personal data to a controller or processor in one or more non-EU countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity;
21) 'supervisory authority': the independent public authority established by a Member State pursuant to Article 51;
22) 'supervisory authority concerned': a supervisory authority concerned by the processing of personal data because:
(a) the controller or processor is established on the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected, or are likely to be substantially affected, by the processing; or
(c) a complaint has been lodged with that supervisory authority;
23) 'cross-border processing':
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
24) 'relevant and reasoned objection': an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the EU.
Purpose of processing.
MEDICAL-NOTE Srl, as Data Processor, informs you that, in order to activate and manage the features of the App, it will process personal data, including so-called "special category" data insofar as they are capable of revealing the state of health, where uploaded by the App user (who acts as the Controller of the processing), for the following purposes:
The use of the services offered by the App, which are listed below:
Anonymous multidisciplinary medical consultation, in which the App user shares patients' clinical data in a form that cannot be identified by the other parties.
Exploration of a 3D model of the liver (or other internal organs), with the ability to insert and store points in the three-dimensional space of the model.
The processing will be carried out by the Processor in automated electronic form, with methods and tools designed to ensure maximum security and confidentiality, by specifically authorised persons in accordance with the current legislation. Personal data will be stored on the device on which the App is downloaded and used, and on the application server managed by the Controller (located in EU Member States under service contracts with specific security guarantees; the list of providers may be requested at the contact details below), for the time necessary to provide the services for the above purposes.
The so-called "special category" data entered by the health specialist remain associated with the patient only for that same specialist, while sharing with other specialists takes place, through the modalities guided by the App, only for data anonymised with the patient's identification code and therefore not identifiable by third parties; only the clinical data entered by the controller of the processing are shared. Therefore, there is no sharing or distribution of clinical data with third parties.
The following entities are managed within the App:
- Patient Entity - Master data with patient identification data where uploaded by the App user.
- Folder Entity - Container of objects for the diagnosis.
- 3D model information entity for the patient, associated with lesion locations.
- Lesion management for the 3D model.
- Media Attachments: Photos, videos made through the App.
The security measures activated by the Controller of the processing include the encryption of patient master data and attachments: data passing from the App to the cloud server is encrypted via the HTTPS protocol (with a trusted certificate issued by a certification authority), and the passwords stored in the database are protected by an internal system that makes them unreadable in clear text. The pseudonymisation of patient master data is achieved by keeping the data in two separate databases, each accessible only with its own unshared credentials:
- Patient database: contains only the patient's master data and their identification code.
- Application database (folders, objects, documents): refers to the patient only by the identification code; personal identification data are absent.
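The following is an added example, not code from the App or from MEDICAL-NOTE Srl, that illustrates the two-database split and the password protection described above: identity data live only in a patient registry, clinical folders live in a separate store keyed by a random identification code, what gets shared with another specialist is built from the clinical store alone, and account closure erases the patient from both stores. The store names, field names, the code format (random hex) and the use of salted PBKDF2 for passwords are assumptions made for the example; the policy does not say which mechanisms the App uses internally.

```python
"""Added example (not the App's code): pseudonymisation by store separation
plus salted password hashing. Names, fields and formats are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed in-memory stand-ins for the two databases. In a real deployment
# each would be a separate database reached with its own, unshared credentials.
patient_registry: dict = {}   # code -> identity; the only place identity lives
clinical_store: dict = {}     # code -> folders; never holds identity fields

# Fields that must never be written to the clinical store (assumed list).
IDENTITY_FIELDS = {"name", "date_of_birth", "tax_code", "address", "phone", "email"}

PBKDF2_ROUNDS = 600_000


def new_pseudonym_code() -> str:
    """A random code. Deriving it from name or date of birth (e.g. a plain hash)
    would let a recipient of shared data re-identify the patient by guessing."""
    return secrets.token_hex(16)


def register_patient(name: str, date_of_birth: str) -> str:
    """Create the patient in the identity store and an empty clinical record."""
    code = new_pseudonym_code()
    patient_registry[code] = {"name": name, "date_of_birth": date_of_birth}
    clinical_store[code] = {"folders": []}
    return code


def add_folder(code: str, folder: dict) -> None:
    """Attach a diagnosis folder to the patient's clinical record.
    Rejects identity fields so the clinical store stays pseudonymous."""
    if code not in clinical_store:
        raise KeyError("unknown patient code")
    leaked = IDENTITY_FIELDS & set(folder)
    if leaked:
        raise ValueError(f"identity fields not allowed in clinical store: {sorted(leaked)}")
    clinical_store[code]["folders"].append(dict(folder))


def share_view(code: str) -> dict:
    """What another specialist receives in a consultation: code plus clinical
    content, built from the clinical store only, so no identity field can leak."""
    if code not in clinical_store:
        raise KeyError("unknown patient code")
    return {"code": code, "folders": [dict(f) for f in clinical_store[code]["folders"]]}


def resolve_identity(code: str) -> Optional[dict]:
    """Only the uploading specialist's path (holding registry credentials) calls this."""
    return patient_registry.get(code)


def delete_patient(code: str) -> bool:
    """Account closure: erase the patient from both stores. Returns True if found."""
    found = code in patient_registry or code in clinical_store
    patient_registry.pop(code, None)
    clinical_store.pop(code, None)
    return found


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only salt and digest are stored, never clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    code = register_patient("Mario Rossi", "1970-01-01")
    add_folder(code, {"diagnosis": "hepatic lesion", "points": [[12.5, 3.0, 7.25]]})
    print(share_view(code))  # the code and the lesion data, no name or birth date
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))  # True
```

The point of the guard in add_folder is that pseudonymisation only holds if identity fields are structurally kept out of the store that gets shared; relying on the sharing code to strip them later is fragile. The random code matters for the same reason: a code computed from the patient's name or tax code would let anyone receiving the shared view recover the identity by guessing.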
The Controller user declares and guarantees: (i) not to reside in, or transfer the App to, a country subject to embargo by the European Community or the U.S. or Canadian government, or designated by the U.S. or Canadian government as a "terrorist supporting" country; and (ii) not to be included in any "prohibited lists" of unauthorised or restricted persons, including the Specially Designated Nationals And Blocked Persons List (SDN) published by the Treasury's Office of Foreign Assets Control ("OFAC"), available here https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx, or in the "Denied Persons List" of the U.S. Bureau of Industry and Security (https://www.bis.doc.gov/index.php/the-denied-persons-list).
These Terms and Conditions of Use are governed by Italian law, excluding its rules on international conflict of laws. If versions of these Terms and Conditions of Use are issued in another language, you acknowledge that those versions are provided for indicative purposes only and that the only binding version for the parties is the Italian version. For any dispute concerning the interpretation and application of these Terms and Conditions, the Court of Pisa, Italy, will have exclusive jurisdiction.
If a part of this document is deemed invalid or unenforceable, that part will be interpreted in a manner consistent with the current law so as to reflect, as closely as possible, the original intentions of the parties, while the remaining provisions will stay fully effective. Failure by the manufacturer of the App to enforce any right or provision of these Terms and Conditions will not constitute a waiver of that or any other provision. The provisions contained in these Terms and Conditions of Use are to be considered non-derogable.
COMMUNICATION AND DIFFUSION
Personal data whose processing is closely related to the management of the App are not subject to dissemination. The data may be disclosed to (non-exhaustive list of examples):
Individuals who provide services for app management and make it accessible from the cloud.
Authorities responsible for complying with legal obligations, if requested by the law.
Data retention and data breach.
Your in-App data may be used by the Processor for defence in judicial proceedings, or in the stages preparatory to their possible commencement, against abuse in the use of the App or related services by the User. By accepting the contents of this policy, you state that you are aware that the Controller may be required to disclose the data at the request of public authorities in the cases required by current legislation. The data entered into the App will be retained for the period of use of the App by active users. Specific security measures have been taken to prevent data loss, unlawful or incorrect use and unauthorised access.
The data will be processed until the end of the service, due to the closure of the user account or the expiry of the licence period. If the Controller closes the account, the data on the cloud server and on the device where the App was installed will be permanently deleted. Data on the cloud server will be completely deleted (including backups) within the periodic deletion period agreed in the SLA with the cloud storage and data management providers, and in any case no later than 3 months.
Exercise of the data subject's rights.
Under the applicable regulations, the Controller informs you that App users may exercise their rights under Art. 15 et seq. of Regulation 679/2016 by e-mail request to email@example.com.
Rights may be exercised against the Controllers on the basis of the contact details they include in their information notices at the time of collecting consent to the processing.
Intellectual property rights and licensing terms.
Unless otherwise agreed, all rights relating to the App, of whatever nature, are the exclusive property of Medical-Note Srl. All copyrights and any other intellectual or industrial property rights, or any other right of any kind, relating to the App, its content, the service provided with it, or otherwise related to it, are understood to be reserved and protected by national, European and international intellectual and/or industrial property law. Violation of the resulting rights may therefore result in the application of criminal, civil or administrative penalties under the applicable rules.
According to the current regulations, you are granted a limited, revocable, non-exclusive, non-transferable and non-sublicensable licence that entitles you to download, install and use the App, and to view and store on your device (at your discretion, under your responsibility and where permitted by the application itself) the information and data conveyed through it. You may download, install and use the App on any authorised device you own or legitimately have at your disposal, solely for the uses allowed by the licence, within the limits of the features immediately and directly made available by the application, and you may back up, under your responsibility, the data obtained through the application.
In any case, you agree to use the App exclusively under and within the limits of the Terms and Conditions of Use and, in any case, agreeing with the current legal provisions.
Designation as external processor.
By activating an account, the health specialist using the App (as controller of the processing) appoints MEDICAL-NOTE Srl as external data processor pursuant to art. 28 GDPR, and MEDICAL-NOTE Srl accepts the designation.
1. The processing carried out by the Processor on behalf of the Controller will be performed exclusively for the purposes of the Agreement or as subsequently agreed in writing between the Parties.
2. The Processor will implement appropriate technical and organisational measures so that the processing meets the GDPR requirements and ensures the protection of the data subject's rights.
3. The data processed will be:
"common personal data" / "identifiers" / "special category data" contained in the databases managed by MEDICAL-NOTE Srl.
4. The Processor undertakes:
(a) to constantly verify and monitor that processing is carried out lawfully, in accordance with the principle of necessity, for specific, explicit and legitimate purposes and in ways that are not incompatible with those purposes;
(b) to ensure the adoption of the security measures and minimum security measures referred to in articles 31 et seq. of the Privacy Code;
(c) under art. 30 GDPR, to keep a record of all categories of processing activities carried out on behalf of the controller;
(d) to process personal data only on the documented instructions of the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law; in that case, the processor informs the controller of that legal obligation before processing, unless the law prohibits such information on important grounds of public interest;
(e) to delegate some of the obligations towards you to one or more persons in charge of specific aspects of the processing, in any case closely supervising their activities and periodically verifying that they fulfil their duties in accordance with the written instructions given by the Controller. In any case, the Processor will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(f) to take all measures required under Article 32 GDPR;
(h) to assist the Controller in ensuring compliance with the obligations of articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor;
(i) to delete or return, at the controller's choice, all personal data after the service has been completed, and to delete existing copies, unless EU or Member State law requires data retention;
(j) to make available to the Controller all information necessary to demonstrate compliance with the obligations of this article, and to allow for and contribute to audits, including inspections, conducted by the controller or by another auditor mandated by the controller. The Processor undertakes to inform the Controller immediately if, in its opinion, an instruction infringes the GDPR or other national or EU data protection provisions;
(k) to designate, in the cases provided for in art. 37 GDPR, a data protection officer.
5. The Processor may engage other processors for the execution of specific processing activities on behalf of the controller, under this written authorisation, of a general nature, from the Controller. In that case, the other processor will be subject to the same data protection obligations contained in this act, by way of a contract or other legal act. It is understood that, if the other processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of the other processor's obligations. It is understood that MEDICAL-NOTE Srl will be fully liable to the Controller for full compliance with the applicable privacy regulations and with these instructions by the third parties it uses in the execution of the Agreement.
6. The Processor guarantees that it will process personal data exclusively to fulfil its contractual obligations. In particular, the Processor guarantees that it will not disseminate or disclose such data, nor make it available, directly or indirectly, to third parties, unless necessary to comply with statutory obligations or as stipulated by the Agreement.
7. The Processor also undertakes:
(i) to process and manage personal data in accordance with the conditions and provisions referred to in this act; and
(ii) to ensure the implementation and execution of all necessary technical and organisational measures to prevent unauthorised or unlawful processing, or accidental loss, damage or destruction, of personal data;
(iii) not to retain any copy, extract or summary of personal data, except where required for the fulfilment of obligations under applicable law and the contract in place between the parties;
(iv) to designate and identify for the Controller an individual within its organisation authorised to respond to requests for information from the Garante (the Italian Data Protection Authority) or other national or foreign supervisory authorities;
(v) to designate in writing the persons authorised to process personal data who will materially carry out the processing operations;
(vi) to designate at least one system administrator in writing, in accordance with the measure adopted by the Italian Data Protection Authority on 27 November 2008, and to comply with all requirements of that measure and any further instructions of the Authority in this matter;
(vii) to notify the Controller in writing, without delay and no later than 48 hours after discovery of the problem, in the event of a Data Breach, so that the Controller can take the appropriate measures.