REHUB PLATFORM PRIVACY DOCUMENTS FOR PROFESSIONALS
BIO-SENSING SOLUTIONS, S.L. (DYCARE), respects current legislation on personal data protection, user privacy and the secrecy and security of personal data. All data processed through our REHUB platform shall be processed in accordance with the principles of lawfulness, loyalty and transparency, purpose limitation and retention period, data minimisation, accuracy, integrity and confidentiality, among others, as well as respecting the other obligations and guarantees established in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, adopting the necessary technical and organisational measures to prevent the loss, misuse, alteration, unauthorised access and theft of the personal data provided, taking into account the state of technology, the nature of the data and the risks to which they are exposed.
If you are a Self-Employed Professional, it is important that before contracting with DyCare, you read the following documentation regarding how we process your data and whereby you contract us to process your patient data.
Professionals who contract the ReHub Platform directly with DYCARE.
If you are an Employed Professional, we hereby inform you that we act as Data Processor for your Establishment. Please contact your establishment for more information.
Professionals or employees serving as part of the medical staff of a mutual insurance company, clinic, hospital or other establishment with which DyCare has a service agreement to provide access to the ReHub Platform to its professionals, employees and patients ("Establishment").
Data controller and contact details
You can contact us by email: email@example.com or by post by sending a letter to:
Bio-Sensing Solutions, S.L,
Av. Meridiana 354 - 2CD,
In order to provide you with the requested service, DYCARE shall enter into appropriate contracts with the Establishment to ensure that your data is processed for the purpose for which it is collected and treated with the strictest confidentiality and security.
Purposes and legal basis for processing
We shall process your personal data:
- We shall process all your personal data obtained during registration for the purpose of fulfilling our contractual obligations in connection with the provision of services related to the DYCARE ReHub platform. The data we process are: identification data, contact details and professional data such as your qualifications and experience.
- Based on DYCARE's legitimate interests, to analyse and improve our products and services; to process anonymous data sets for our research and development activities; to ensure the quality of assistance provided to users; to manage relationships with Self-Employed Professionals; to manage and monitor our activities internally; to manage possible cases of loss and/or destruction of data and unauthorised access; to collect and process anonymised information relating to the devices used for the Service offered by DYCARE in order to collect useful information about users' use of the service; and, where appropriate, to exercise our rights of action and defence in court.
- To comply with any other obligation arising from applicable regulations or from an order of the authorities, including accounting and tax obligations, as well as those relating to the guarantee of the products sold.
- Your basic personal data, such as identification data or contact details.
- Professional data such as qualifications and experience
- Data related to the use of the ReHub Platform (connection hours, patients assigned, resources used, exercises assigned, therapy times, patient satisfaction,...).
- Images: recordings of rehabilitation exercises. You and your Patients shall have access to the recordings, unless you give separate consent to share them with third parties.
Categories of recipients who have access to your personal data
DyCare does not transfer or disclose any data, except in the following particular cases in which case you expressly authorise the disclosure of data as necessary for the execution of the contracted service:
- Patients who are monitored under your supervision; in this case you shall only have access to their basic identification data and their professional references.
- In order to provide services strictly necessary for the development of our activity we need to use services and tools from third-party companies, therefore we share your data with:
- Other subjects to whom it is compulsory to disclose data under current legislation. In such cases, DYCARE shall only disclose data that are strictly necessary in accordance with the principle of proportionality and minimisation of processing.
International data transfers
As a general rule, we do not carry out international transfers of data, except as provided for in the previous paragraph. Where we exceptionally decide that it is necessary to transfer your data to third parties residing outside the territory of the European Union or in Countries that do not guarantee an adequate level of privacy protection, we shall do so subject to appropriate contractual safeguards provided by the third party, on the basis of Standard Contractual Clauses approved by the European Commission. We also undertake to comply, as far as possible, with the requirements imposed by the security regulations of third countries with regard to international data transfers.
Data retention period
In compliance with the principle of limitation of the storage period, the data collected shall be processed solely and exclusively for the time necessary and for the purposes for which they were collected at any given time.
Your personal data shall be processed for as long as your account on the ReHub platform is active. After this time, the data shall be stored for the period established by the regulations exclusively for the fulfilment of the legally established and applicable obligations.
We undertake to delete your data from our databases after the above retention period has expired and to instruct the processing companies whose services we use to delete any information about you that they may hold from their databases.
Data subjects’ rights
You have the right to know what personal data we process. In particular, you have the right of access, rectification, deletion and portability of the data, as well as the right to limit the processing and to object to the processing when the conditions for this are met. In addition, if the processing is carried out for marketing purposes or is based on our legitimate interest, you can object at any time. For more information about the processing of your personal data or to exercise your rights, you can contact us by email at firstname.lastname@example.org or write to us by post by sending a letter to the attention of the Data Protection Officer at:
Bio-Sensing Solutions S.L
Av. Meridiana 354 - 2CD
Below is a brief explanation of your rights in relation to the processing of your personal data.
- The right of access allows you to obtain confirmation of whether DYCARE is processing your personal data and, if necessary, allows you to access the said data and information relating thereto;
- The right of rectification allows you to request the modification of any personal data that is inaccurate without undue delay and, taking into account the purposes of the processing, the integration of incomplete personal data;
- The right of deletion allows you to request the deletion of your personal data without undue delay (e.g. when your personal data are no longer necessary for the purposes for which they were collected), subject to the exceptions provided for in the applicable law (e.g. when the retention of your data is necessary for compliance with the legal obligations applicable to the data controller);
- The right to data portability allows you, under certain circumstances provided for in the applicable regulations, to receive in a structured, commonly used and machine-readable format the personal data you have provided to DYCARE. It may transfer this data to another data controller, provided that this right is recognised under the applicable legislation, and except in cases where it may infringe the rights and freedoms of third parties;
- The right to limitation of processing allows you, in certain circumstances provided for in the applicable regulations, to limit the processing of your personal data. In such cases, DYCARE may further process your data only in certain cases, for example to exercise the right of defence or to protect the rights of another natural or legal person;
- The right to object to processing allows you, in certain circumstances provided for by the applicable law, to object to the processing of your personal data, unless there are overriding legitimate grounds, rights or freedoms that allow DYCARE to continue processing the data;
If there are reasons related to your particular situation, you have the right to object at any time to the processing of your personal data that is based on a legitimate interest of DYCARE or a third party. In such cases, DYCARE shall stop the processing, unless there are compelling legitimate grounds to continue to process it.
In addition, you have the right to file a complaint at any time with the Data Protection Supervisory Authority if you believe that you have not received a satisfactory response from DYCARE regarding your rights or if you believe that your rights have been violated:
Spanish Data Protection Agency
Address: Calle Jorge Juan, 6, 28001 Madrid
Telephone no.: +34 901 100 099 / +34 91 266 35 17
We remind you that, when the personal data contained in your ReHub account are shared with other subjects that process them as autonomous controllers (e.g. clinics, medical centres), you must exercise your rights directly against these controllers, following the instructions provided in the privacy policies of the latter.
DYCARE reserves the right to revise this Data Protection Policy by publishing the most current version in the relevant section of the ReHub platform.
DATA PROCESSOR AGREEMENT
The Self-Employed Professional and Bio-Sensing Solutions S.L., with registered address at Av. Meridiana 354 - 2CD, CP-08027, Barcelona (hereinafter referred to as DYCARE) are bound by a contractual relationship for the provision of the ReHub Platform services (the "Service").
Self-Employed Professionals provide telerehabilitation services to their patients through the ReHub Platform.
That for the provision of the Service, DyCare (acting as "Data Processor") must have access to and process personal data of patients under the responsibility of the Self-Employed Professional (as "Data Controller"), whereby DyCare assumes the functions and obligations that Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, stipulates for data processors.
Both parties acknowledge that they respect the current personal data protection legislation, the privacy of data subjects ("Data Subjects") and the secrecy and security of personal data, respecting the principles of lawfulness, loyalty and transparency, purpose limitation and retention period, data minimisation, accuracy, integrity and confidentiality, among others, as well as respecting the other obligations and guarantees established in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, and Spanish Organic Law 3/2018, of 5th December, on the Protection of Personal Data and guarantee of digital rights, adopting the necessary technical and organisational measures to prevent the loss, misuse, alteration, unauthorised access and theft of the personal data they process, taking into account the state of technology, the nature of the data and the risks to which they are exposed.
That, in compliance with Article 28 of the GDPR, both parties freely and spontaneously agree to regulate this access and processing of personal data by means of this Data Processor Agreement (hereinafter the "Agreement"), in accordance with the following:
- Access by Dycare to the personal data of the Data Subject that is necessary to provide the telerehabilitation services through the ReHub Platform to the Data Subject shall not be considered a disclosure of data under Article 33 of the Spanish Organic Law on Data Protection and shall act as Data Processor with regard to the data for which the Self-Employed Professional is the Data Controller, pursuant to the legal provisions and the provisions of this Data Processor Agreement (in this clause, “DyCare” and "Data Processor" are used interchangeably).
- Purpose of data processing. By virtue of these clauses, DyCare is hereby authorised as Data Processor to process on behalf of the Self-Employed Professional, Data Controller, (hereinafter referred to as the "Data Controller") the personal data of the Data Subject necessary to provide the telerehabilitation services through the ReHub Platform.
- Identification of the information affected The Data Controller provides the Data Processor with the information available on the computer equipment that supports the data processing carried out by the Data Controller. In particular, the information necessary to find new clients for the Data Controller.
- The Data Processor Agreement shall have the same duration as the contract for the provision of Services between DyCare and the Self-Employed Professional. Upon termination of the Data Processor Agreement, the Data Processor must return to the Data Controller, or transfer to another processor designated by the Data Controller or, as the case may be, by the Data Subject, the personal data processed and delete any copies held by the Data Controller.
However, they may (a) keep the data for the minimum time necessary for the sole purpose of finalising the services in progress; (b) keep the data blocked for the minimum time necessary for the sole purpose of attending to possible liabilities that may arise from the Data Processor Agreement, destroying it securely and definitively at the end of this period; (c) keep the data pseudo-anonymised for statistical purposes and to improve the Service; (d) keep the data necessary for legal imperatives.
- Data Processors’ Obligations. The Data Processor and all its staff undertake to: (a) Use the personal data to which it has access as a result of the provision of the Services solely for the purpose of providing the telerehabilitation services through the ReHub Platform to the Data Subjects ("Purpose"); (b) Process the data in accordance with the instructions of the Data Controller; (c) Not to disclose or disseminate the data to third parties, except with the express authorisation of the Data Controller or in the cases permitted by law; (d) To maintain the duty of secrecy with regard to the personal data to which it has access by virtue of this contract, even after termination of the Data Processor Agreement; (e) to ensure the necessary training in personal data protection for the persons authorised to process personal data and to ensure that they undertake, expressly and in writing, to respect confidentiality and to comply with the relevant security measures, of which the Data Processor shall inform them accordingly; (f) The Data Controller shall notify the Data Controller, without undue delay and via the email address indicated by the Data Controller, of any breaches of the security of the personal data under their responsibility of which they become aware, along with all relevant information to document and report the incident. It shall also notify any failure it has suffered in its information processing and management systems that may jeopardise the security of the personal data processed, their integrity or availability, as well as any possible breach of confidentiality resulting from the disclosure to third parties of the data and information accessed during the performance of the contract; (g) Make available to the Data Controller all information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the Data Controller or an auditor authorised by the latter; (h) Assist the Data Controller in implementing the security measures necessary to guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services in accordance with the level of risk detected; (i) The Data Processor shall not retain personal data relating to the processing carried out unless it is strictly necessary for the purpose or in accordance with the terms and conditions of this Agreement and only for the minimum time necessary.
- Data Controllers’ Obligations. It is the responsibility of the Data Controller to: (a) Ensure that all data that are shared with the Data Processor have been obtained lawfully and with the appropriate consent; (b) Have a Data Protection Officer, if legally required; (c) Provide the Data Processor with access to the data on the servers where they are located necessary for the Purpose; (d) Provide the necessary support to the Data Processor for compliance with the data protection regulations in relation to the Purpose; (e) Ensure, prior to and throughout the processing, compliance with the data protection regulations.