PERSONAL DATA PROTECTION POLICY

DEEPLINK MEDICAL builds strong and lasting relationships with its stakeholders based on mutual trust: ensuring the security and confidentiality of its stakeholders’ personal data is an absolute priority for DEEPLINK MEDICAL.

DEEPLINK MEDICAL states that stakeholders refers collectively to the healthcare professional, the healthcare institution and the patient.

DEEPLINK MEDICAL complies with all the French and European regulations and legislation relating to the protection of personal data.

DEEPLINK MEDICAL also complies with the ethical rules established by the professional bodies representing the medical and paramedical professions active within its service.

DEEPLINK MEDICAL applies an extremely strict policy to guarantee the protection of its stakeholders’ personal health data:

Each stakeholder remains in control of its data. DEEPLINK MEDICAL does not make free use of it.
The data is processed in a transparent, confidential and secure manner.
DEEPLINK MEDICAL is committed to the continuous protection of its users’ data, in accordance with the amended French Data Protection Act of 6 January 1978 (hereinafter “LIL”) and the General Data Protection Regulation (EU) of 27 April 2016 (hereinafter “GDPR”).
DEEPLINK MEDICAL has a team dedicated to the protection of personal data, consisting of an Information Security Manager and DPO (Data Protection Officer registered with the CNIL), a Technical Director and specialised engineers.
Users’ personal health data is hosted by a host that has received HDS (Health Data Hosting) certification, validated by the Asip Santé (Agency for Shared Health Information Systems).

PURPOSE OF THIS POLICY

With this policy, DEEPLINK MEDICAL wishes to inform you of how we protect your personal data that is processed through our solution.

This policy describes how DEEPLINK MEDICAL and the healthcare professionals and institutions that subscribe to its services process the personal data of patients during their medical treatment.
Some of the User’s Personal Data must be considered as personal health data, and this is hereinafter referred to as “Personal Health Data”.

This Policy may be modified, supplemented or updated in order to comply with any legal, regulatory, jurisprudential or technical developments. However, the User’s Personal Data will always be processed in accordance with the policy in force at the time of collection, unless a mandatory legal requirement provides otherwise and is retroactive.

This policy is an integral part of the General Terms and Conditions of Use of the solution.

IDENTITY AND CONTACT DETAILS OF DATA CONTROLLERS

Legal reminder: The controller is, within the meaning of the GDPR, the person who determines the means and purposes of the processing. The processor is a person processing personal data on behalf of the controller. It acts under the authority of and on the instructions of the controller.

The person responsible for the processing of Personal Data is:

1. For Personal Health Data collected (i) by the patient when preparing his or her appointment via the patient questionnaire (ii) by the Healthcare Professional or institution in the solution. Each health professional or institution is considered to be a data controller. DEEPLINK MEDICAL is a data processor: it acts on the specific instructions of each Health Professional or institution.

2. For Personal Data collected in the context of (a) the creation of the personal account of health professionals: DEEPLINK MEDICAL, represented by Charles JOURNE, President, located at 22 rue Seguin, 69002 Lyon, France, registered in Lyon under number 803 476 761.

Whether acting as a data controller or a processor, DEEPLINK MEDICAL takes the appropriate measures to ensure the protection and confidentiality of the personal information it holds or processes in compliance with the GDPR. For more information on the services offered by DEEPLINK MEDICAL, please refer to the General Terms and Conditions of Use of our solution.

DATA COLLECTION & ORIGIN

All patient data is collected from the patient, or from the Healthcare Professional or institution.

DEEPLINK MEDICAL undertakes to obtain the consent of its stakeholders and/or to allow them to object to the use of their data for certain purposes, whenever necessary.

When using the solution, stakeholders are informed of the purposes for which their data is being collected via the various online data collection forms.

PURPOSE OF THE DATA COLLECTED

1. Need for collection

During medical treatment, the patient shares certain Personal Data. If the patient does not wish to provide the information requested, it may not be possible to provide treatment for the patient via our solution.

2. Goals

The legal basis for the collection of your Personal Data is:

The legitimate interest of the health professional or institution in ensuring the best quality of medical care for its patients
DEEPLINK MEDICAL’s legitimate interest in ensuring the best quality of its services, in providing Healthcare Professionals or Institutions with the best possible monitoring of their activities, and in improving the operation of its solution
DEEPLINK MEDICAL’s legitimate interest in producing statistical data relating to the impact of DEEPLINK MEDICAL on the activity of Healthcare Professionals or Institutions in order to communicate about its solution and improve its services
DEEPLINK MEDICAL’s legitimate interest in carrying out optional satisfaction surveys on its services in order to make improvements
The consent of its Users and patients when required by the regulations in force

The data is mainly processed for:

Defining a request for a radiological examination
Reporting a request for a radiological examination
Transferring images
Interpreting a radiological examination
Archiving an examination
Caching, tracking, copying, displaying, storing, hosting personal data
Consolidating an anonymised database to build a statistical database
Building a database to enable the production and analysis of studies for research and evaluation purposes
Sending appointment reminders
Preparing for the examination: e.g. Contraindication to the examination, CI to the injection
Specifying the context of the examination (more information on the reason for the examination, possible history, etc.): e.g. patient questionnaire for lumbar spine CT/MRI
Facilitating the use of ITIS and the performance of the examination thanks to the data pre-filled by the patient: for example, if the patient enters the CI at the examination, the radiographer only has to verify this

TYPES OF DATA PROCESSED

DEEPLINK MEDICAL may process, as a processor:

The patient’s contact details (and those of their legal guardian if necessary) in order to send the appointment reminder and/or questionnaire
Information related to the preparation of the exam: e.g. CI to examination/ CI injection
Information about the context of the examination: e.g. reason for the examination/ pain intensity/ history/ etc.
Identification data: surname, first name, DOB, gender, IPP, RPPS etc
Health data: clinical context, type of examination, creatinine levels, etc.

NON-DISCLOSURE OF PERSONAL DATA

Stakeholders’ Personal Data will not be passed on to commercial or advertising entities.

Stakeholders’ Personal Data may be processed by data processors (service providers), in full compliance with the above principle, exclusively in order to achieve the purposes of this policy.

Furthermore, in order to comply with the provisions of the Public Health Code concerning Personal Health Data, DEEPLINK MEDICAL uses Health Data Hosting companies (known as “HDS”) that have been certified or approved by the Asip santé.

DEEPLINK MEDICAL also makes use of the services provided by a number of specialised (mailing) companies, a list of which can be made available to the data subjects on request sent to dpo@deeplink-medical.com.
No Personal Health Information is provided to them. If these companies use servers outside the European Union, we have entered into specific contracts with them and using standard contractual clauses established by the European Commission to govern and secure the transfer of your data to these providers.

DATA RETENTION PERIOD

We will only store your data for as long as is necessary for the purposes it will be used for, in accordance with legal requirements.

USER RIGHTS

Whenever DEEPLINK MEDICAL processes Personal Data, DEEPLINK MEDICAL takes all reasonable steps to ensure that the Personal Data is accurate and relevant to the purposes for which DEEPLINK MEDICAL is processing it.

In accordance with the European regulations in force, data subjects have the following rights:

right of access (article 15 GDPR) and correction (article 16 GDPR), update, completeness of Users’ data
the right to lock or delete Users’ personal data (article 17 GDPR) if it is inaccurate, incomplete, ambiguous, out of date, or its collection, use, communication or storage is prohibited
right to withdraw consent at any time (article 13-2c GDPR)
right to restrict data processing (article 18 GDPR)
right to object to the processing of data (article 21 GDPR)
the right to portability of data provided by data subjects, where such data is subject to automated processing based on their consent or on a contract (Article 20 GDPR)

If stakeholders wish to know how DEEPLINK MEDICAL uses their Personal Data, ask to correct it or object to its processing, the User may contact DEEPLINK MEDICAL in writing at the following address: DEEPLINK MEDICAL DEEPLINK MEDICAL or by email at dpo@deeplink-medical.com. In this case, the User or patient must indicate the Personal Data that he/she would like DEEPLINK MEDICAL to correct, update or delete, identifying him/herself precisely with a copy of an identity document (identity card or passport). Requests for deletion of Personal Data shall be subject to the obligations imposed on DEEPLINK MEDICAL by law, in particular with regard to the retention or archiving of documents.

SECURITY

DEEPLINK MEDICAL implements all technical and organisational measures to ensure the security of the processing of personal data and the confidentiality of Personal Data.

In this respect, DEEPLINK MEDICAL takes all the necessary precautions, with regard to the nature of the data and the risks presented by the processing, in order to preserve the security of the data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties (physical protection of the premises, authentication procedures with personal and secure access via confidential identifiers and passwords, logging of connections, encryption of certain data, etc.).

CONTACT US – DPO CONTACT DETAILS

If the User or patient has any questions or complaints regarding DEEPLINK MEDICAL’s compliance with this Policy, or if the User or patient wishes to provide DEEPLINK MEDICAL with recommendations or comments to improve the quality of this Policy, the User or patient may contact DEEPLINK MEDICAL in writing at the following address DEEPLINK MEDICAL or dpo@deeplink-medical.com.