- General Information
The company iHealthLabs Europe, a société par actions simplifiée (simplified joint-stock company) with its head office located at 36 rue de Ponthieu, 75008 Paris, France (hereinafter referred to as "iHealth"), creates and develops connected healthcare products (hereinafter the "Products") and healthcare applications for health professionals and individuals.
iHealth enables health professionals to capture and monitor certain patient-related data for greater reliability of measures made and time saving.
In this regard, iHealth provides a specific application:
- The iHealth CardioPro application, allowing the use of:
o the iHealth CardioMed connected ambulatory blood pressure monitor in order to take measurements at regular intervals for 24 h or 48 h, day and night. The blood pressure monitor data are transmitted to the application so that they can be tracked and analysed by the health professional.
o the iHealth CardioLab device. The blood pressure monitor data are transmitted to the application so that they can be tracked and analysed by the health professional.
(hereinafter referred to as the "Application")
This Application allows the collection and processing of certain personal data (hereinafter referred to as the "Personal Data") of their professional users (hereinafter referred to as the "Users") but also of the patients in their care (hereinafter referred to as the "Patients").
iHealth protects the Personal Data that it processes and hereby undertakes, in this regard, to comply with applicable regulations on the protection of personal data, and in particular the French Act of 6 January 1978, referred to as the "Loi Informatique et Libertés" ("French Data Protection Act"), as amended, and Regulation (EU) 2016/679 of 27 April 2016, referred to as the "GDPR" (hereinafter referred to as the "Applicable Regulations").
- Personal Data Processing
a) Processing of Users' Personal Data
- Purposes and legal basis of processing
For the purposes of creating the User’s account on the Application as a data controller, of identifying the User as an iHealth customer, of providing services associated with the Application and of managing their business relationship, iHealth is required to collect and process certain Personal Data of the User according to his/her use of the Application, namely:
- for the iHealth CardioPro Application: last name, first name, professional email address, business phone number, gender, title and professional mailing address.
- Retention Period of the Personal Data
iHealth shall keep the Personal Data for the duration of use of the Application by the User. iHealth retains the Personal Data for five (5) years after the User ceases to use the Application, in order to meet its legal obligations, notably in terms of prescription.
- Personal Data Security
iHealth processes the Personal Data collected in accordance with Applicable Regulations, and notably implements the appropriate safeguards to protect the confidentiality and integrity of the User's Personal Data. iHealth undertakes to take all useful and reasonable precautions to ensure the security of the Personal Data collected from the User and in particular to prevent them from being destroyed, lost or corrupted and to prevent access to them by unauthorised third parties.
The features of the Application are implemented in a secure environment ensuring the protection of all Personal Data and any potential communication with the User.
- User's Rights
Each User is hereby reminded that he/she has, in accordance with Applicable Regulations, the right to access, rectify and delete his/her Personal Data. The User also has the right to request the limitation of the processing of his/her Personal Data and to object to such processing, as well as the right to the portability of his/her Personal Data. Lastly, the User may file a complaint with the competent supervisory authority (the “CNIL” in France).
These rights may be exercised by sending a letter to: iHealthLabs Europe, 36 rue de Ponthieu – 75008 PARIS, or an email to the following email address: firstname.lastname@example.org, with a copy of the User's identity document. The User may also contact the iHealth Data Protection Officer (DPO), at the following email address: email@example.com.
- Disclosure of Personal Data
iHealth will not sell, trade, rent or transfer the User’s Personal Data in any other way, without the User’s consent, which will have been given after the User has received prior information, except for the cases listed below:
- Within iHealth: iHealth may share the User’s Personal Data within iHealth to ensure the proper functioning of the Applications and of the Products, and their related features;
- With third-party providers: iHealth may communicate the User’s Personal Data to third parties in or outside the European Union, in particular in the context of offers or joint services, as well as to help us operate the Applications and the Products;
- With iHealth’s distributors: iHealth may communicate the User’s Personal Data relating to his/her use of the Applications and/or the Products to the concerned distributor for accounting and commercial relationship management purposes;
- With third-party applications: iHealth provides connection options to third-party applications, which are partners of iHealth. Such partners may offer to synchronise the User's Personal Data with their applications. In such cases, iHealth has specific agreements with such partners allowing iHealth and the partners to access the Personal Data collected by their respective applications. Such access is subject to the User’s prior consent or his/her Institution’s consent. Such consent shall be specific, provided independently of any other consent that the User may have previously given.
- With third parties for legal reasons: in the event that iHealth would be required to comply with laws and regulations and / or lawful requests and orders or if permitted by law (that is, for the protection and the defence of rights, a situation that threatens life, health or safety, etc.).
b) Processing of Patients' Personal Data
The operation of the Application also implies the processing of Patients' Personal Data, in particular their identity, but also certain specific and sensitive data related to their health (pulse or blood pressure constants, medical history, etc.).
- User Status and Obligations
Such processing is carried out under the exclusive control of the User, who determines the purposes of the collection of Patients' Personal Data. Therefore, for such data processing, the User acts as the data controller, as defined in the Applicable Regulations.
The User undertakes to meet all of his/her obligations and to take into account the particularly sensitive nature of the health data he/she processes.
The User agrees, notably, to provide Patients with complete and clear information on the characteristics of the processing implemented, to remind them of their rights and to provide the means for them to exercise such rights. It should also be noted that the User is responsible for the management of any violations that may affect Patients' Personal Data and related notification procedures.
- iHealth Status and Obligations
iHealth provides the User with the tool required for the processing described above and provides him/her with a secure solution for hosting Patients' Personal Data. iHealth thus acts in the name and on behalf of the User, as a data processor, as defined by the Applicable Regulations.
iHealth undertakes to meet its obligations as a data processor, including the implementation of appropriate technical and organisational measures to secure the Personal Data.
iHealth hereby acknowledges that it shall only act on the documented instructions of the User data controller and that it shall notify him/her of any security breaches of which it may become aware.
Once the User ceases to use the Application, the User shall indicate to iHealth, which will comply with such indication, whether he/she wants the Patients' Personal Data to be destroyed or to be returned to him/her or to a third party, and in what format.
iHealth also hereby states that it keeps a record of all of the categories of processing activities performed on behalf of the User and that it shall provide the User with the necessary documentation to evidence its compliance with all of its obligations.
- Amendment of the Policy