Privacy Policy
The company RDS (hereinafter referred to as “RDS” or “We”) takes your privacy very seriously and respects the information you entrust to us. This information is protected by law and is not intended to be communicated to third parties outside the scope and for the reasons mentioned in this Privacy and Personal Data Protection Policy.
This Privacy and Personal Data Protection Policy aims to inform you about the nature of the information concerning you that we will collect and use in the context of your visit to the Site and/or your use of the Services.
RDS reserves the right to modify this Privacy and Personal Data Protection Policy at any time. Therefore, you are invited to consult it regularly to be aware of any possible changes. Any new use of the Site and/or the Solution and/or communication of information to RDS after the posting of a new version of this Privacy and Personal Data Protection Policy will constitute acceptance of this latest version.
The term “Services” refers indistinctly to the RDS website (“the Site”) and the services offered by the MultiSense® solution (“the Solution”), a medical telemonitoring device for use in hospital and outpatient settings, at home. Its use requires the collection, recording, and transmission of data automatically and by the physician monitoring the Patient equipped with the MultiSense® Solution. The Patient is telemonitored by the medical team in charge.
“Users” means the health professionals using the Solution who have the right to use it as part of the contractual relationship binding them to RDS, individually or through the contract concluded with RDS by the structure in which they practice. The term refers without distinction to professionals and, if applicable, the structure within which they practice.
“Patients” means all persons cared for using the Solution at the decision of the medical team.
By “Visitor”, we mean any natural person who browses the Site, without creating or logging into a User Account.
Identity of the data controllers
The data controller, within the meaning of the GDPR, is the person who determines the means and purposes of the processing. The processor is a person processing personal data on behalf of the data controller. They act under the authority of the data controller and on their instructions.
Depending on the Personal Data processed, RDS may act as Data Controller or Processor on behalf of the Users.
RDS is the Data Controller of the Personal Data of Users collected in the context of the creation and management of the User Account, their navigation on the Site, Complaints and requests for rights (Processing and management of Users’/Patients’ data protection rights requests – Processing and management of Users’ complaints), Marketing communications, Securing and improving the Services related to the internet site and the Solution, usage statistics of the solution (excluding health data).
RDS is a processor with regard to the processing carried out to provide the services offered by the MultiSense® solution, in the context of the care of Patients provided by the Users.
Whether as a data controller or processor, RDS takes measures to ensure the protection and confidentiality of the personal data it processes in compliance with the provisions of the GDPR and applicable regulations.
Purposes and legal bases
The information about you collected through the Site and/or the Solution by RDS as Data Controller aims to provide the Services and is more particularly likely to be used for the following purposes:
– Create your user account;
– Respond to your requests and communicate with you regarding the Services;
– Analyze and improve the user experience on the Site and the Solution;
– Prevent and detect fraud, secure the Site and the information contained in our systems.
Furthermore, some personal data related to Patients is reused by RDS as Data Controller in pseudonymized form for research or medical-technical purposes or, after anonymization, for monitoring and improving the performance of the MultiSense® Solution. Depending on the project concerned, the Patient’s consent may be requested.
Depending on the case, the use of information related to Patients and professional Users:
– Is necessary for the execution of the contract for the provision of Services;
– Is necessary for the legitimate interests pursued by RDS.
Otherwise, specific consent may be requested from the Patient.
Their consent is free and can be withdrawn at any time. If they refuse to give their consent to the reuse of their data, the care they receive elsewhere within the care structure will not be affected.
Categories of information collected on the Site
Information provided when filling out a contact form
The information collected concerning people who wish to contact us using the contact form located at the bottom of the website is information related to their identity (Name, First name) and their contact data (e-mail).
This information is necessary for RDS to respond to these people.
Categories of information collected for the operation of the Solution
Information provided by the structure within which the User practices
The information concerning professionals is provided to us by the structure within which they practice and which is contractually linked to RDS. It includes their identity (Name, First name, coordinates of the legal structure within which they practice), and their contact data (professional email).
This information is necessary for us to provide you with the Services.
Information collected automatically in the Solution
Some information may be collected automatically during your use of the Solution. This includes:
– connection data (such as your IP (Internet Protocol) address, the date and time of your request, how you used the Solution and cookie-related data) transmitted by your Internet browser or mobile application and automatically recorded on our servers;
– a cookie linked to your authentication in the Solution and similar technologies for tracking and recording log files.
Prohibited information on the Site
In accordance with the law, it is prohibited to collect or process personal data that directly or indirectly reveal racial or ethnic origins, political, philosophical or religious opinions, or trade union membership of individuals, or that relate to their health or sexual life.
Apart from information related to your health that you entrust to us in the context of specific consent related to the use of the Solution and which we need to provide you with the Services, if the information you transmit to us on the Site via the contact form constitutes such data, we reserve the right to take appropriate measures, including the deletion of such data.
Recipients of the information
The information concerning you will be used by RDS and its service providers Coreye, Health Data Host (for the solution) and O2switch (for the internet site) subject to strict contractual obligations related to the confidentiality and security of personal data, in compliance with applicable regulations.
We may also be subject to a merger, acquisition, recovery or judicial liquidation, dissolution, reorganization, or other similar transaction, or a procedure that would involve the transfer of information described in this Privacy and Personal Data Protection Policy.
Finally, and as mentioned above, we may be required to communicate information about you in the context of legal and/or regulatory disclosure obligations to which we would be subject by order of a legitimate administrative or judicial authority, or to protect our rights or the rights of third parties. This may include exchanging information with other companies and other organizations for protection against fraud or identity theft.
Retention of personal data
Personal data concerning Users of the site
This personal data is kept by RDS for a maximum period of two years after using the contact form.
Personal data concerning Users of the Solution
This personal data is kept by RDS for a maximum period of two years after the closure of the user account.
Beyond this period, the information may be stored outside of the Services by the Users, in the context of managing your medical file and, if necessary, continuing a follow-up with you. In this case, all processing carried out is done without any intervention or responsibility of RDS, in any capacity whatsoever.
Security
RDS has implemented technical and organizational measures, adapted according to the degree of sensitivity of the personal data collected (whether through the website or the Solution), to ensure the integrity and confidentiality of your personal data and to protect it against any malicious intrusion, loss, alteration, or disclosure to unauthorized third parties. In particular, RDS uses encryption and/or pseudonymization techniques for your personal data whenever possible, useful, or necessary.
Health data is hosted with an HDS-certified health data host, in accordance with Article L. 1111-8 of the Public Health Code. If you wish to have additional information, you can contact RDS by sending an email to dpo@rdsdiag.com.
When you have chosen a password that allows you to access your account, you are responsible for maintaining the confidentiality of this password. We advise you not to share your password with anyone. We will not be responsible for unauthorized operations carried out using your name and password unless it is demonstrated that this disclosure of the password results from our negligence or that of a third party for whom we are personally responsible.
In accordance with applicable regulations, RDS will notify any breach of personal data as soon as it becomes aware of it, under the conditions defined by the applicable regulations.
Transfer of Personal Data outside the European Union
Our Services related to health data are provided via European hosting located in France, and the data is stored within the European Union.
For the needs of the Services, personal data collected and processed for the purposes described above may be transferred to companies located in countries outside the European Union, particularly the United States.
In this case, the transfers of personal data are governed by an international data transfer agreement established in accordance with the controller-to-processor standard contractual clauses established by the European Commission and currently in force. You can obtain a copy of the clauses by sending an email to dpo@rdsdiag.com.
Furthermore, when the legislation of the third country does not offer protection equivalent to that offered by the Personal Data Regulation, We ensure the implementation of additional measures to guarantee a level of protection of your personal data essentially equivalent to that provided in the European Union and to ensure the effective nature of this protection.
Rights of Users and Patients
RDS strives to keep the data accurate and up to date. If the information concerning you changes, it is your responsibility to let us know.
Moreover, you have the following rights, under the conditions defined by applicable regulations and under the control of the CNIL:
– request access to the data concerning you, their correction or deletion (rights of access, correction, and deletion);
– withdraw the consent(s) you previously provided for the use of data related to your health; in which case we will no longer be able to provide you with certain Services;
– oppose, subject to a legitimate reason, the processing of your data and/or request its limitation (rights of opposition and limitation of processing);
– set directives regarding the conservation, deletion, and communication of your data after your death (rights of individuals in case of death);
– request to receive the personal data concerning you that you have provided, in order to transfer them to another data controller (right to data portability).
To exercise these rights, please send us an email at the following address: dpo@rdsdiag.com. To ensure that we do not communicate the information entrusted to us to people other than those concerned by this information, proof of identity may be requested.
For all questions related to your medical care, please contact the medical team in charge of your follow-up directly.
You can also access and modify the data concerning you on your user account at any time (in the Solution).
In the event of a request for deletion of the data concerning you and/or closure of your account, we may nevertheless keep them in our archives as indicated in the “Data Retention” paragraph above.
As the information concerning you is necessary for the provision of the Services, any request for deletion of your data may result in the termination of the Services.
You also have the possibility to file a complaint with the CNIL.