Data Privacy Policy – Patients
1. Data Controller
The company E.C.H.O. (hereinafter “E-SENSIA”), whose registered office is located at 5 rue de Latran, 75005 Paris, acts as the data controller.
In the course of E-SENSIA's activities, you may provide it with personal data concerning you.
E-SENSIA commits, as data controller, to ensuring that the collection and processing of personal data comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).
This policy aims to provide clear, simple, and comprehensive information on how your personal data is collected and used, and on your rights.
This policy applies to all patients.
2. Data Protection Officer (DPO)
We inform you that we have appointed a Data Protection Officer (“DPO”), whose contact details are as follows:
- e-mail: dpo@e-sensia.com.
This DPO is particularly responsible for advising, informing, and monitoring compliance with data protection regulations.
3. Key Principles of Data Processing
3.1 Transparency
For the sake of transparency, we take care to inform you of the data processing that concerns you.
3.2 Purpose and Lawfulness
When we process data, we do so for specific purposes: each processing operation we implement pursues a legitimate, determined, and explicit purpose and rests on a legal basis (see table below).
3.3 Proportionality and Data Minimization
For each processing operation we implement, we commit to collecting and using only data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
3.4 Accuracy
We ensure that data is kept up to date, if necessary, and implement processes allowing the erasure or rectification of inaccurate data.
4. Personal Data Processing by E-SENSIA
For the processing operations listed below, the purposes, types of data, legal bases, and retention periods are as follows:
| N° | WHY IS YOUR PERSONAL DATA USED? | WHAT PERSONAL DATA IS USED? | ON WHAT LEGAL BASIS IS YOUR PERSONAL DATA PROCESSED? | WHAT ARE YOUR RIGHTS OVER THIS DATA? | HOW LONG IS YOUR DATA KEPT? |
|---|---|---|---|---|---|
| 1 | Structuring of health databases | | Legitimate interest of E-SENSIA (GDPR Article 6.1.f) + scientific research (GDPR Article 9.2.h) | Access, Rectification, Erasure, Restriction, Objection | Duration necessary for structuring the client's database |
| 2 | Training of AI algorithms | | Legitimate interest of E-SENSIA (GDPR Article 6.1.f) + scientific research (GDPR Article 9.2.j) | Access, Rectification, Erasure, Restriction, Objection | Duration of the AI algorithms and medical devices development and training project |
| 3 | Management of pre-litigation or litigation | | Legitimate interest of E-SENSIA (GDPR Article 6.1.f) | Access, Rectification, Erasure, Restriction, Objection | Until the amicable settlement of the dispute or, failing that, upon the statute of limitations of the corresponding legal action. |
| 4 | Management of data subject rights requests | | Legal obligation of E-SENSIA (GDPR Article 6.1.c) | Access, Rectification, Restriction | 3 years from the response to the rights request |
5. Data Recipients
To achieve the purposes described above and within the limits necessary for these purposes, the data collected by E-SENSIA may be transmitted to all or part of the following recipients:
| Internal | External |
|---|---|
| Authorized E-SENSIA personnel: Subject to a confidentiality obligation, and only within the scope of their duties. | |
6. What does E-SENSIA do when acting as a data processor?
When E-SENSIA acts as a data processor, it processes personal data solely on behalf of and according to the instructions of its clients, who act as data controllers.
The purposes of the processing, the applicable legal bases, and the retention periods are determined by these data controllers.
This section aims to describe, in a general manner, the categories of processing that E-SENSIA may carry out on behalf of its clients.
| WHY IS YOUR PERSONAL DATA USED? | WHAT PERSONAL DATA IS USED? |
|---|---|
| In the context of medical regulation assistance, performing quality assurance services, structuring and operating E-SENSIA's tools on behalf of data controllers (callbot tool, regulation assistant tool) | Calling patients: Healthcare professionals: |
7. E-SENSIA’s subcontractors
E-SENSIA chooses subcontractors or service providers who present guarantees in terms of quality, security, reliability, and resources to ensure the implementation of technical and organizational measures, including regarding processing security. The subcontractors and service providers commit to respecting confidentiality levels at least identical to those of E-SENSIA.
Contracts between E-SENSIA and its personal data subcontractors are implemented according to the subcontracting policy defined by the company in agreement with its DPO.
Personal data entrusted to our subcontractors is processed in accordance with the standard contractual clauses (“SCC”) of the European Commission inserted into subcontracting agreements and compliant with Article 28 of the GDPR.
E-SENSIA has the right to audit the compliance of its subcontractors; these audits are carried out according to its subcontractor audit procedure.
8. Your data rights
8.1 Description of your rights
We are particularly concerned about respecting the rights granted to you in the context of the personal data processing we implement, to guarantee fair and transparent processing given the specific circumstances and context in which your personal data is processed.
Depending on the chosen legal basis, you have the following rights regarding the protection of your personal data: right to information, access, rectification, erasure, restriction, objection, portability, withdrawal of your consent, lodging a complaint, and defining post-mortem directives. Their exercise conditions are detailed below.
8.1.1 Right of access
You have the right to obtain confirmation as to whether or not your personal data is being processed, and where that is the case, you have the right to request a copy of your data and certain information relating to the processing of your data.
8.1.2 Right to rectification of your data
You have the right to ask us that your personal data be, as appropriate, rectified or completed if it is inaccurate, incomplete, ambiguous, or outdated.
8.1.3 Right to erasure of your data
You can ask us for the erasure of your personal data in the cases provided for by legislation and regulations, unless it is necessary to comply with E-SENSIA’s legal obligations, or to establish or exercise your rights.
8.1.4 Right to restriction of processing of your data
You may request the restriction of the processing of your personal data in the cases provided for by legislation and regulations.
8.1.5 Right to object to the processing of your data
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data whose legal basis is the legitimate interest pursued by the data controller.
In the event of the exercise of such a right of objection, we will ensure that we no longer process your personal data in the context of the relevant processing unless we can demonstrate that we have compelling legitimate grounds to maintain this processing. These grounds must override your interests, rights, and freedoms, or the processing must be justified for the establishment, exercise, or defense of legal claims.
8.1.6 Right to data portability
You have the right to the portability of your personal data. We draw your attention to the fact that this is not a general right. Indeed, not all data from all processing operations is portable, and this right only concerns automated processing, excluding manual or paper processing.
This right is furthermore limited to processing whose legal basis is your consent or the performance of pre-contractual measures or a contract.
8.1.7 Your right to lodge a complaint
You have the right to lodge a complaint with the CNIL (3 place de Fontenoy 75007 Paris) on French territory, without prejudice to any other administrative or judicial remedy.
8.1.8 Your right to define post-mortem directives
You have the possibility to define specific directives relating to the retention, erasure, and communication of your personal data after your death with our services according to the terms defined below.
These specific directives will only concern the processing we implement and will be limited to this perimeter alone.
8.2 Modalities for exercising your rights
All the rights listed above can be exercised at the following email address:
- e-mail: dpo@e-sensia.com.
9. Data security
E-SENSIA takes into account the nature of the personal data and the risks presented by the processing to implement appropriate technical, physical, and organizational measures aimed at preserving the security and confidentiality of personal data and preventing them from being distorted, damaged, or accessed by unauthorized third parties.
E-SENSIA also guarantees that its staff members and any other person who may process your personal data comply with the internal rules and procedures applicable in this area, and in particular the technical and organizational security measures implemented to protect your personal data.
In accordance with applicable regulations, your health data is hosted by a certified Health Data Hosting (HDS) provider, guaranteeing a high level of protection and security.
In the event of a personal data breach, E-SENSIA will inform you as well as the competent personal data protection authority if the conditions required by the personal data protection regulations are met.
10. Cross-border data flows
The different categories of data collected and processed cannot be transmitted to service providers located in countries outside the European Union.
11. Evolution
This policy may evolve depending on the legal and regulatory context and the doctrine of the CNIL. Therefore, we recommend that you consult it regularly.
12. Entry into force
This policy enters into force on the date it is posted online. The same applies to modifications.
| N° | VERSION | FULL NAME | DESCRIPTION | DATE |
|---|---|---|---|---|
| 1. | 1.1 | Cédric Thoma | Initial revision | Wed 8 April |