POLICY ON CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA FOR THE COMPANIES SIVAN INNOVATION AND SIVAN FRANCE
1. PROTECTION OF YOUR PERSONAL DATA
2. WHAT COMMITMENTS HAVE SIVAN INNOVATION AND SIVAN France MADE WITH REGARD TO PROTECTION OF PERSONAL DATA?
4. WHAT WILL THE DATA THAT IS LIKELY TO BE COLLECTED BY SIVAN INNOVATION and SIVAN France BE USED FOR?
5. HOW LONG WILL YOUR DATA BE KEPT FOR?
6. WHO IS LIKELY TO ACCESS YOUR PERSONAL DATA?
7. HOW TO EXERCISE YOUR RIGHTS
8. USER-FRIENDLINESS OF THE SERVICES OF SIVAN INNOVATION AND SIVAN France ONLINE, ON SOCIAL MEDIA AND ON YOUR MOBILE DEVICES
9. IT SECURITY
1 PROTECTION OF YOUR PERSONAL DATA
SIVAN INNOVATION, as a manufacturer of software, web applications and mobile applications, and SIVAN France, as a representative of the manufacturer in Europe for software, web applications and mobile applications, are data controllers or data processors, and are therefore liable to collect and process personal data relating to you (your personal data).
SIVAN INNOVATION and SIVAN France consider it extremely important to comply with the rules on protecting the privacy of users of their products and visitors to their websites. All processing of personal data, whether in connection with visits to websites or in connection with the use of software, web applications and mobile applications, complies with the applicable local regulations relating to protection of personal data and in particular the provisions of the “data processing and liberties” law No. 78-17 of 6 January 1978 as amended and the General Data Protection Regulation (Regulation (EU) 2016/679) or “GDPR”, which will be referred to collectively in this document as “the Regulations”.
In order to ensure compliance with these rules, SIVAN INNOVATION and SIVAN France have appointed a joint data protection officer, who is the preferred contact for the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés, CNIL). SIVAN INNOVATION and SIVAN France are also putting in place appropriate internal procedures to raise awareness among employees and ensure compliance with these rules within their organisations.
This policy applies as soon as you log in to or navigate on websites, software or applications of SIVAN INNOVATION.
In connection with the use of web applications (such as the MOOVCARE® applications), SIVAN INNOVATION and SIVAN France are solely data controllers for personal data of healthcare professionals: for registering the administrator account that will manage the user accounts for each healthcare establishment, and for general use of the applications by healthcare professionals.
Referring physicians (the physicians prescribing the application(s)) or healthcare centres, if applicable, are data controllers for their patients. SIVAN INNOVATION and SIVAN France then act as data processors in this case.
In the specific case in which an application or web application is made available for conducting a clinical trial, the data controller is the sponsor of the trial. If the sponsor of the trial is not SIVAN INNOVATION or SIVAN France, SIVAN INNOVATION and SIVAN France then act as data processors in this case.
In connection with the use of mobile applications, SIVAN INNOVATION and SIVAN France are data controllers for personal data of users of these applications that do not provide telecommunications services.
SIVAN INNOVATION and SIVAN France are also data controllers for personal data when it is processed in the following ways:
● commercial management of professionals for development of applications, web applications and software;
● commercial management of visitors to websites who complete the online contact form;
● processing of complaints, medical devices vigilance file and requests for technical support from users of their web applications, if applicable.
2 WHAT COMMITMENTS HAVE SIVAN INNOVATION AND SIVAN France MADE WITH REGARD TO PROTECTION OF PERSONAL DATA?
SIVAN INNOVATION and SIVAN France undertake to guarantee a high level of protection for the personal data of users of the software, applications and websites, and of any other person whose personal data they process.
In connection with the operation of the healthcare software and applications that are published, all of the personal data used is hosted by the company ATE, a web host certified to standard ISO 27001:2013 for hosting health data, the contact details for which are specified below.
SIVAN INNOVATION and SIVAN France undertake to comply with the regulations that apply to all processing of personal data that takes place. More specifically, SIVAN INNOVATION and SIVAN France undertake to comply with the following principles:
● Your personal data will be processed lawfully, fairly and in a transparent manner (lawfulness, fairness, transparency).
● Your personal data will be collected for specified, explicit and legitimate purposes, and will not be further processed in a way that is incompatible with these purposes (purpose limitation).
● Your personal data that is stored will be adequate, relevant and limited to what is necessary for the purposes for which it is processed (data minimisation).
● Your personal data will be accurate and kept up to date and every reasonable step will be taken to ensure that data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (accuracy).
SIVAN INNOVATION and SIVAN France shall implement appropriate technical and organisational measures to ensure a level of security that is suited to the risk inherent in their processing operations, meet regulatory requirements and protect the rights and the data of data subjects from the conception of processing operations.
Furthermore, SIVAN INNOVATION and SIVAN France shall contractually impose the same level of protection of personal data on their subcontractors (service providers, suppliers, etc.).
Finally, SIVAN INNOVATION and SIVAN France undertake to comply with any other principle that is necessary with respect to the applicable regulations regarding protection of personal data, and more specifically regarding the rights conferred on data subjects, the periods for which personal data is kept and obligations relating to the cross-border transfer of personal data.
3 WHAT WILL THE DATA THAT IS LIKELY TO BE COLLECTED BY SIVAN INNOVATION and SIVAN France BE USED FOR?
1. Methods of data collection
a. The software and web applications developed by SIVAN INNOVATION and SIVAN FRANCE enable medical monitoring of chronic diseases. In order to do this, identifying data, particularly the email addresses and telephone numbers recorded, are used to authenticate the user and to organise communication between a healthcare professional and a patient. Log-in data is strictly personal and confidential (particularly the password). Administrative data relating to the patient is also collected by the physician for the medical record: date of birth, gender, the disease for which the web application has been prescribed, possibly treatment and dosage, the stage of the disease, postal address and a landline telephone number in case there are problems making contact any other way, the contact details of a relative if applicable to provide assistance with monitoring if the relative consents to it. Data relating to the organisation of communications, such as the choice of a date and time for sending out automatic questionnaires, is parameterisable. In order to organise the reimbursement of costs for this type of application if applicable, the patient's social security number may be requested. The patient may decide to add a photograph to his/her interface. This photograph will be visible only to the medical team. Each questionnaire that is sent out is recorded and appears on the dashboard of the medical team (date and contents). The responses to questionnaires are analysed by algorithms that allow alerts to be sent, if desired, to the physician who prescribed the web application or the physician's medical team if applicable. These can be accessed solely by nursing and administrative staff at the healthcare establishment. 
Health data (disease, treatment, dosage) is regarded as sensitive data and additional security is provided to ensure that this data is communicated to only a limited number of persons: only the referring physician or, in his/her absence, one of the designated physicians can access this data. The physician's assistant may access only an overview of this sensitive data.
When a web application is used in connection with a clinical trial, the patient's surname and forename are not collected and are replaced by a pseudonym (randomisation number). Authentication and communication between the healthcare professional and the patient take place only via an email address.
b. Service associated with the use of these software programs and web applications for monitoring chronic diseases.
Personal data (often an email address) is collected during contact with SIVAN's technical support, for the purposes of recording complaints or rectifying a technical problem together with the user. This service is available to healthcare professionals using the software or to patients suffering from chronic diseases who have been prescribed the web application by the referring physician. Requests submitted via email, or telephone calls, are liable to be recorded (you will be informed of this before being connected by telephone). If you are a patient and you contact this service, your consent will be obtained before your telephone conversation if health data will be discussed (this will generally only concern which application was prescribed). Your consent will also be requested verbally by the technician at the beginning of the conversation for regulatory purposes.
When software or web applications of this type are set up within a healthcare establishment, professional users are provided with information in order to show how the software and applications work and demonstrate their functionality, depending on user profiles. Attendance sheets and questionnaires are kept for regulatory purposes and to improve the content of this type of training, depending on the regulatory period that applies.
c. Collection and processing of data in connection with the use of mobile applications, for example in order to screen for diseases linked to tobacco use and provide information to the general public.
Personal data is collected via mobile applications, which can be downloaded from stores. A mobile application such as SMOKECHECK® collects personal health information in order to determine the profile of a high-risk smoker and to inform him/her of the clinical symptoms that should act as a warning and invite him/her to consult his/her treating physician.
Within the context of our other professional relations, you may communicate your personal data to us via other means, particularly on our websites, during the use of our applications, when you post comments on our social media pages, when you contact SIVAN INNOVATION or SIVAN France in any way or when you send us your personal data in any other way.
2. Purposes of processing and legal basis
APPLICATIONS AND WEB APPLICATIONS
As a patient user, your data will be used solely with your consent for the following purposes:
● Using software and applications;
● Managing your requests and/or complaints when you contact technical support;
● Conducting clinical trials, if applicable;
● Exploiting the data generated in the course of implementing applications and after anonymisation, for the purposes of studies, research/development or statistics, for SIVAN INNOVATION's own needs or those of partners, or at the request of national or international health authorities.
As a healthcare professional, your data will be used mainly for the purposes of using software and applications, for technical support, statistical studies, satisfaction surveys, commercial management and management of your requests and/or complaints.
As a user of mobile applications such as SMOKECHECK®, your health data will be used solely for the performance of the service provided by the application (SMOKECHECK® provides information on symptoms and screening). Demographic data will be collected for statistical purposes. An identifier (telephone number and/or email address) will be collected in order to authenticate you and thus to ensure that the person who is downloading the application is actually the person who owns the licence to it.
As a visitor to our websites, you may be asked to provide us with your contact details if you wish to contact us (name, telephone number, email address, message) or subscribe to our newsletter (email).
Other than cases in which your consent has been obtained (use of our applications for medical purposes), processing of your personal data for the various purposes above is necessary in particular:
● To ensure the performance of applications and software (secure identification and management of your accounts),
● To fulfil a legal obligation (e.g. traceability of the use of medical devices),
● To respond to your requests for technical support and/or complaints,
● To manage our commercial relations,
● To recruit staff for our teams, if you contact us via the contact form,
● To offer you new services or products or invite you to a conference or as part of supplier-client relations or dealings with prospective clients.
4 HOW LONG WILL YOUR DATA BE KEPT FOR?
SIVAN INNOVATION and SIVAN France undertake to store your personal data or arrange for it to be stored by another party for a period not exceeding the period that is necessary for the purposes for which the data is processed. Furthermore, SIVAN INNOVATION and SIVAN France shall store your personal data or arrange for it to be stored by another party in accordance with the retention periods required by the applicable laws that are in force.
These retention periods are defined in accordance with the purposes of the processing carried out by SIVAN INNOVATION and SIVAN France and in particular take into account the applicable legal provisions that require a specific retention period for certain categories of data, any periods of limitation that apply and the CNIL's recommendations regarding certain categories of data processing (for example, Deliberation No. 2016-264 of 21 July 2016 amending a simplified standard concerning automated processing of personal data relating to the management of customers and prospective customers (NS-048), storage of cookies for 13 months in accordance with the CNIL's recommendation, maintenance of regulatory traceability for medical devices amended to 10 years, etc.).
5 WHO IS LIKELY TO ACCESS YOUR PERSONAL DATA?
1. Recipients of your data
In the course of the use of software and web applications dedicated to chronic diseases that have CE marking and are used as indicated, the sole recipient of patients' personal data is the medical team.
In the course of the use of software and web applications under clinical investigation, the clinical research team (investigators, clinical research associates) is the recipient of clinical data. The study sponsor also has limited access to it, but only in a pseudonymised form.
In connection with the mobile application SMOKECHECK®, SIVAN INNOVATION and SIVAN France are the recipients of your data. However, this data will be used only for research and statistical purposes and will be pseudonymised before being aggregated. The raw data will not be communicated to any third party at any time.
The certified web host for health data that is used to host all the personal data obtained through the use of software and applications is the company AVENIR TELEMATIQUE SA (ATE), with capital of €60,000, whose head office is located at 21 avenue de la Créativité, 59650 VILLENEUVE D’ASCQ, entered in the Trade and Companies Register of LILLE MÉTROPOLE under the number 347 607 764.
Tel.: (+33) 03 28 80 03 00
Fax: (+33) 03 28 80 03 10
Legal representative: Mr Maxence Rousseau, Chairman
Data collected in connection with technical support will be stored on our CRM servers located in Europe. This data may be communicated to authorised staff of SIVAN INNOVATION and SIVAN France.
Data collected on SIVAN INNOVATION's websites may be communicated to authorised staff of SIVAN INNOVATION and SIVAN France, their partners or providers of related services in connection with the fulfilment of all or part of the aforementioned services. We would like to remind you that in this regard, SIVAN INNOVATION and SIVAN France ask their service providers to implement strict measures relating to confidentiality and protection of this data.
2. Transfer of data outside the European Union
The technical support service provided by SIVAN INNOVATION and SIVAN France, as well as technical, development, operating, sales and marketing services, may be established outside the European Union, in Israel, at SIVAN INNOVATION Ltd. Israel is recognised by the European Union as a country that has an adequate level of protection.
This data is transferred to ensure the performance of the applications and software (secure identification and management of the accounts of healthcare establishments), to fulfil a legal obligation (traceability of the use of medical devices by the manufacturer), to respond to your requests for technical support and/or complaints, to manage commercial relations, to recruit staff for our teams if you contact us via the contact form on the institution's site, to offer you new services or products, to invite you to a conference, or as part of supplier-client relations or dealings with prospective clients.
Some of the service providers we use for our websites may also be based outside the European Union. If this is the case, we will strive to ensure that strict measures are put in place with respect to data protection and security, for example by working with companies that adhere to the EU Privacy Shield.
6 HOW TO EXERCISE YOUR RIGHTS
In accordance with the applicable regulations relating to protection of personal data, you may, at any time, exercise your right to access, rectify, delete or transfer data concerning you, as well as your right to limit or object to the processing of your personal data.
Within the specific context of clinical trials, these rights of limitation and objection may be applied to data only from the point in time at which you exercised them and correspond to the withdrawal of consent to the use of the application.
As a patient user of web applications and software, you may exercise your right to withdraw consent at any time. This will automatically stop you from receiving health questionnaires, whether or not you are enrolled in a clinical trial. The healthcare staff will be informed and will then be able to contact you to arrange further follow-ups.
As a user of mobile applications such as SMOKECHECK®, you can exercise your right to withdraw your consent at any time by contacting our DPO at the address below.
If you have subscribed to our newsletter, you can unsubscribe at any time by clicking on the link “se désinscrire/unsubscribe” at the bottom of the email you have received or in the newsletter itself.
Furthermore, you have the legal right to provide instructions about what is to happen to your personal data after your death.
You can exercise these rights by writing to the address below:
Délégué à la Protection des Données / Data Protection Officer
6 rue Paul Baudry
In this context, we would kindly ask you to enclose with your request the information required in order to identify you (surname, forename, email address) and any other information that is necessary in order to confirm your identity.
In the specific case of patients who are users of web applications, where SIVAN INNOVATION and SIVAN France are not data controllers but instead are data processors, these rights may be exercised by contacting the referring physician or data protection officer at the healthcare centre directly if applicable, or the health data web host, or even the sponsor of the clinical trial if applicable. By using the web applications and software as a patient, you have also been informed that, after the anonymisation of the health data generated in connection with the implementation of the web applications in a process that complies with the applicable data protection regulations, SIVAN INNOVATION may exploit this data for the purposes of studies, research/development or statistics, for its own needs or those of partners or at the request of national or international health authorities.
You also have a right of recourse against the French Data Protection Authority in the event of violation of the applicable regulations relating to protection of Personal Data and in particular of the Regulation:
Telephone: 01 53 73 22 22
3 Place de Fontenoy
75334 PARIS CEDEX 07
You also have the right to object to the processing of your personal data for marketing purposes. Where the law requires it, your data will be used for electronic marketing only after your explicit agreement has been obtained.
Collection of certain personal data is essential to enable access to certain services (technical support for software and applications, for example) or facilities (particularly the use of web applications). Naturally, you may exercise your right to object to the collection and processing of this data, but this step may make it impossible for you to benefit from these services or facilities.
7 USER-FRIENDLINESS OF THE SERVICES OF SIVAN INNOVATION AND SIVAN France ONLINE, ON SOCIAL MEDIA AND ON YOUR MOBILE DEVICES
No cookies are used in the applications and web applications developed by SIVAN INNOVATION.
SIVAN INNOVATION and SIVAN France are constantly striving to improve their electronic services in order to make it easier for visitors to these websites to access them.
In order to improve the quality of the services offered on the websites and ensure that they meet your expectations, SIVAN INNOVATION may use “cookies”, text files that serve to identify your terminal when you connect to one of our services.
Installing a cookie or tracker on your terminal (PC, tablet, smartphone, etc.) allows SIVAN INNOVATION to collect information and personal data. Depending on your choice of settings on your terminal, cookies allow you in particular:
● to use the main functions of the website of SIVAN INNOVATION,
● to optimise this website and detect any technical problems,
● to compile statistics for the purposes of managing traffic and using the various components that make up SIVAN INNOVATION's website (sections visited, route taken by the user), allowing the ergonomics of the site to be improved,
● to share information on social media (LinkedIn, Twitter, Facebook).
SIVAN INNOVATION invites you to consult the privacy policies of these social networks in order to take note of the purposes for which data is used, particularly with regard to advertising, and the navigation data that they may collect:
In particular, these protection policies must allow you to exercise your own choices with regard to these social networks, particularly by choosing the settings for your user accounts for each of these networks.
As part of statistical analyses of navigation on SIVAN's websites (in order to find out which pages are viewed most often, how internet users navigate the sites, the time spent on each page, etc.), it is possible that your IP address may be collected or that you may be identified via a unique number. We then use a third-party company for analysis of this data (Google). It has its own information on its confidentiality policy, which can be consulted here: https://policies.google.com/privacy?hl=en and https://support.google.com/analytics/answer/6004245. These third-party cookies allow Google to recognise your computer both when you visit SIVAN's websites and when you visit other websites. As Google is a company whose parent company is based in the USA, the data collected may be transferred to that country. This data transfer is subject to protection measures that are covered by the EU Privacy Shield, with which Google complies.
SIVAN INNOVATION and SIVAN France may store the data analysed in the form of statistical reports.
A functional cookie linked to pop-ups used on the websites is installed. This cookie allows us to register your click when you have decided to close the pop-up, so that we do not show it to you again when you connect to the site in future. The various cookies installed by SIVAN INNOVATION have a maximum lifespan of 13 months.
You have the option to adjust your settings regarding cookies at any time. The cookie will be installed on your computer workstation, smartphone or tablet by default, but your browser settings will allow you to choose at any time, simply and free of charge, whether or not to accept the registration of cookies on your computer, in accordance with the conditions below:
For Microsoft Internet Explorer:
Choose the “Tools” menu, then “Internet Options”
Click on the tab “Confidentiality” > “Settings” > “Advanced”
Select the level you want using the cursor
For Mozilla Firefox:
Choose the menu “Preferences” > “Tools/Options/Confidentiality history”
Click on the option “Privacy”
For Chrome and Safari:
Choose the menu “Edition” / “Chrome” / “Safari” > “Preferences”
Click on the option “Confidentiality and security” / “Confidentiality”
Cookies are not the only way to recognise or track visitors to a website. We may use other similar technologies from time to time, such as tags (sometimes referred to as "tracking pixels" or "invisible gifs"). These are tiny graphics files that contain a unique identifier that allows us to recognise when someone has visited a website. This may be used by third parties, particularly when you click on the icons for social networks (see their own cookies policy above).
8 IT SECURITY
Ensuring that the personal data you entrust to us is kept secure and confidential is at the heart of the activities of SIVAN INNOVATION and SIVAN France. We therefore take all useful technical and organisational steps, in view of the nature, scope and context of the personal data that you communicate to us and the risks involved in processing it, to maintain the security of your personal data and in particular to prevent any destruction, loss, alteration, disclosure, interference or unauthorised accessing of this data, whether accidental or illegal. We have therefore implemented measures both as a data controller and as a data processor:
● Hosting of data from mobile applications, web applications and software programs that collect health data with a health data hosting service certified by a certification body for provision of hosting services for personal health data collected via applications supplied by its clients and used for medical monitoring purposes. This service includes a function that gives the patient direct access to the hosted applications.
● Password policy: authentication with unique access requiring an identifier and a “robust” personal password consisting of several characters,
● Presence of a confidentiality clause for employees of SIVAN INNOVATION and SIVAN France,
● Protection of workstations and servers with anti-virus software, installation of firewalls, etc.
● Measures aimed at ensuring confidentiality: control of physical access to the premises of SIVAN INNOVATION and SIVAN France. Strict access control measures have also been implemented at our certified health data hosting service (ISO 27001:2013 information security management systems - for hosting of health data) and our subcontractors, which are certified to ISO 27001:2013. Controls on data access, instructions to keep data separate, pseudonymisation with hash value process.
● Measures aimed at ensuring the integrity of data, particularly during data transfer: data transmission via secure data networks (HTTPS), the confidentiality and integrity of data (encoding of data flows and strong authentication during connections), hosting service certified to ISO 27001:2013.
● Measures aimed at ensuring the availability and capacity of applications. These include security controls to ensure that personal data is protected against accidental loss or destruction (these measures are implemented both at the certified health data hosting service and at our main suppliers) and measures to ensure rapid recovery of the availability of data and accessibility of data in the event of a physical or technical incident (particularly by relying on our suppliers' certification).
● Implementation of measures relating to regular evaluation of security in data processing (procedures for managing data protection and, in the event of data violation, conducting of risk analyses to assess the performance and security of applications and software programs regarded as medical devices (in accordance with ISO 14971:2012), conducting of PIAs when necessary using the tool PIA v2.0 CNIL).
The security and confidentiality of personal data depend on good practice by everyone. For this reason, we ask you not to communicate your passwords to any third parties, to routinely log out from your profile and to close your browser window at the end of your session, particularly if you are accessing the internet from a shared workstation. This will prevent other users from accessing your personal information.
We strongly advise you not to distribute to any third parties or post on social media any document issued by SIVAN INNOVATION or SIVAN France containing your personal data.
Finally, SIVAN INNOVATION and SIVAN France have put in place a procedure for managing security flaws that enables us to effectively detect any violations of personal data, to notify the relevant authorities of these violations immediately and to warn you if this violation is liable to affect your personal data.
For any further questions about this policy or the way in which SIVAN INNOVATION and SIVAN France process your personal data, please contact our data protection officer via email at: email@example.com.
SIVAN INNOVATION and SIVAN France reserve the right to adapt this policy on the protection of personal data and ask you to consult it regularly. SIVAN INNOVATION and SIVAN France undertake to inform you of any changes or additions in the event of significant amendments. They will also endeavour to point out the impact that these amendments will have.
Date of publication of the confidentiality policy: September 2019
This document has been validated prior to its distribution by the data protection officer at SIVAN INNOVATION and SIVAN France. It will be reviewed at least once a year.