PRIVACY POLICY FOR USERS
of the MicroPort Remote Monitoring System
At MicroPort CRM, we take particular care about the security, privacy and protection of your personal data. Therefore, we have implemented this specific Privacy Policy, where you will find which of your personal data is collected and used when dealing with our Remote Monitoring System (RMS) as a user.
Please note that we process your data in strict compliance with applicable privacy laws, in particular the EU General Data Protection Regulation (GDPR) and any other regional or local laws to which we may be subject.
This Privacy Policy does not address the processing of patient data but exclusively that of RMS users. You or a legal representative of your healthcare facility have entered into an RMS agreement with MicroPort (the “RMS Agreement”), which governs more broadly the terms of the RMS service and covers applicable data protection provisions related to your personal data and that of your patients.
1. Point of contact for data processing
According to Article 37 GDPR, we have designated a data protection officer at MicroPort CRM. You can contact MicroPort CRM’s DPO with your concerns regarding the processing of your personal data or to exercise your rights according to the GDPR and to this Policy at: DPO@crm.microport.com.
2. Your rights
As a user of our Remote Monitoring System (RMS), you are entitled to:
· Request and obtain information about your processed data, including a copy of such data, the purposes of such processing, possible recipients and estimated period for which the personal data will be kept (Article 15 GDPR);
· Revoke the consent given at any time, with immediate effect and unlimited validity (Article 7 para. 3 GDPR);
· Object to data processing which is performed based on a legitimate interest stated by you, on grounds relating to your particular situation or circumstances (Article 21 GDPR);
· Demand the rectification or completion of inaccurate or incomplete data (Article 16 GDPR);
· Demand the partial or complete erasure of your data (Article 17 GDPR), including when your data is no longer needed for the intended purpose, or you decided to withdraw your consent or have opposed data processing or in cases where your data has been unlawfully processed;
· Request the restriction of data, provided deletion is not possible or the deletion obligation is disputable (Article 18 GDPR);
· Data portability, that is, you may retrieve all of your data that you provided to us as a user of our RMS service, and we will ensure their transmission to other processors if applicable (Article 20 GDPR).
In addition, you have the right to file a complaint with a supervisory authority according to Article 77 GDPR. You can find details of the supervisory authority responsible for your EU country in the link below: https://edpb.europa.eu/about-edpb/about-edpb/members_en
In case of any doubt, please liaise with our DPO who will redirect you to the competent authority.
3. Data hosting and processing on the Website
If you visit our RMS Website, we automatically collect the data associated with and transmitted from your browser to our server. This also takes place if you only visit the home page without logging into your user account.
We use this basic data for the following purposes:
· Enable your visit to our Website;
· Detect, eliminate, and prevent errors, malfunctions, and possible misuse;
· Needs-based operation of our Website.
Once your account is created by your administrator, MicroPort CRM will have access to your personal data. Once you activate your account and log in to it, MicroPort CRM will continue collecting your personal data in order to maintain full traceability of patient care, for all patients remotely followed in your healthcare facility.
At this point, we take extensive security measures to safely host and protect personal information from loss, misuse, unauthorized access, disclosure, alteration or destruction. Access to your personal information is restricted to our employees, contractors and agents in charge of the processing of such personal information or maintenance of our services, who are bound by confidentiality agreements.
Therefore, we collect only the data you provide.
The Personal Data collected may therefore include:
· Identifying information: name, e-mail address, phone number;
· Data related to work life: company name, job title, professional e-mail address, professional phone number;
· Technical data: IP address, browser type and version, operating system used;
· Login details: functions used, the pages visited, the configurations selected, the timestamp of the visits and the terms searched.
As part of the measures to protect your privacy at all times, the following measures are implemented:
· A unique username and password for each user;
· An automatic session log-out after a period of inactivity;
· The necessity to accept the RMS Terms of Use and this Privacy Policy;
· The necessity to confirm the patient’s consent to the processing of their Personal Data.
We use personal data for the following purposes:
· Your name is used to track a patient history in which your actions (such as confirming findings) are stored;
· Your name and contact data are used to provide you useful information falling within the scope of our service provision;
· Exceptionally, your information from audit logs may be used for security and revision purposes.
We reserve the right to contact you in exceptional cases for purposes other than those mentioned above on a strictly necessary basis.
The legal basis for the processing of your data is to fulfill our contractual obligations in accordance with Article 6 para. 1(b) GDPR.
We undertake that:
· Data will be processed only for the purposes for which it was collected;
· Data will not be forwarded to third parties without clearly informing you about it or without your explicit prior consent as applicable;
· Data will be deleted once it is no longer needed for the above-mentioned purposes within the scope of the legal basis or no longer needs to be retained.
For any further query on the hosting or processing of your data, please contact our DPO.
4. User interface and patients’ privacy
The user interface is hosted on the web and accessible from any computer. This environment requires that each user follow a few basic precautions.
Regarding access, login and password management, we strongly recommend that you:
· Log out of the Website when you leave your office;
· Do not share your username and password with other people, as they are strictly personal and confidential data;
· Do not set the computer to automatically remember the password and username on public or private workstations.
You also have the possibility to download information directly from the Website. As such, the patient reports and EGM reports can be exported as PDF reports, which are not encrypted. In that case, the data copied outside of the Website is no longer secured by the MicroPort remote monitoring solution. In order to protect patients’ privacy and to avoid any confidential data leaks or misuses, you must carefully handle patient data when exported outside of the Website.
As such, we strongly recommend that you:
· Do not download and/or print the reports in an unsecured place;
· Retrieve your print-outs immediately, when printing on a shared printer;
· Do not copy/paste patient information and medical information into an e-mail;
· Do not store any reports on a shared cloud or a platform accessible to others;
· If you need to transfer the document, ensure it is encrypted.
For any further query on the user interface and the handling of patient data, please contact our DPO.
5. Cookies and privacy
In order to run our Website, we use cookies. Cookies are small text files or comparable storage technologies, which are stored by your browser on your terminal device and allow your browser to be recognized.
Once you visit our Website, your browser stores “session cookies” on your terminal device. These cookies are needed to help you log into your user account and are valid in each case until the end of the browser session. This means that, depending on your browser’s type and settings, the cookies are automatically removed after the end of the session or after the tab or browser is exited. The session cookies we use contain only a transaction ID. You can prevent the use of cookies by configuring your browser accordingly, but you will then be unable to log into your user account on our Website.
We also use another type of cookie called “persistent cookies”. These are optional cookies that allow, among other things, the unambiguous recognition of your browser and are automatically deleted by your browser approximately one year after the last visit to the Website. You can manually delete those cookies or prevent the storage of cookies by setting your browser accordingly. As a result, we will not recognize your browser when you revisit our Website.
Your cookie preferences are up to you. If you do not agree with this processing, you have the possibility to configure your browser such that the “Do Not Track” option is set. As a result, the above-mentioned data will not be collected and no cookies will be stored on your terminal device.
6. Data processing in the case of requests
If you wish to contact us, we will use the data you provide for the following purpose only: the processing of your request.
Depending on the content of your request, your data will be processed based on a relevant legal ground:
· In the case of contractual questions: Article 6 para. 1(b) GDPR;
· In the case of legal obligations: Article 6 para. 1(c) and Article 9 para. 2(i) GDPR;
· In the case of a legitimate interest: Article 6 para. 1(f) GDPR.
The data you have shared with us may be forwarded, for purposes of processing the request, to the relevant department of MicroPort CRM or to the relevant sub-processor as declared in our RMS Agreement, but it will not be outsourced to any other third or external party. Once the request has been closed and your data is no longer needed for the above-mentioned purposes, your data will be deleted.
7. Place of data processing
If you live in the United States of America, your data will in general be processed in the United States, in the EU and in the UK.
If you live outside of the United States of America, your data will in general be processed in your country of residence, in the EU and in the UK.
When your data is processed outside of the European Union (in so-called third countries), this will happen provided you have given your express consent for this, or this is necessary for us to provide services to you, or this is required by law (Article 49 GDPR), in which case we will inform you about it.
We can process your data in third countries only if we have ensured that appropriate measures according to GDPR are in place to ensure an appropriate level of data protection.
8. Encryption of the data transmission
To ensure the confidentiality of your data at any time throughout transmission, we use state-of-the-art encryption methods, such as TLS 1.2/1.3 for data in transit for all secure Web pages and Web service APIs as well as SQL Transparent Data Encryption (TDE) AES-256 for data at rest.
9. Modification of the Policy
We may need to change this Policy to comply with regulatory, legal or technical developments. If necessary, we will change the “last update date” and indicate when changes were made.
Where necessary, we will inform you and/or seek your consent. We encourage you to check this page periodically for any changes or updates to our Policy.
10. Your acceptance of this Policy
By activating your user account on our Website and benefitting from our online RMS services, you confirm that you provide your express and informed acceptance of this MicroPort CRM Privacy Policy for the MICROPORT REMOTE MONITORING SYSTEM.
Version: 1/2023
Last Update: July 01, 2023
* * *