DRAFT Privacy Statement (19 July 2017)

Similar documents
PRIVACY STATEMENT FOR DATA COLLECTED FOR DATA COLLECTED VIA ON-LINE SURVEYS

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

Specific Privacy Statement EU Funding for promotion of agricultural products at SIAL Paris October 2018

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

PRIVACY STATEMENT August 2018

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

DATA PROTECTION A GUIDE FOR USERS

Data Processing Agreement

A Homeopath Registered Homeopath

CEM Benchmarking Privacy Policy

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Privacy Policy: itsme APP

European Platform on Rare Diseases Registration

Data Processing Agreement

Site Builder Privacy and Data Protection Policy

PS Mailing Services Ltd Data Protection Policy May 2018

- GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union;

Islam21c.com Data Protection and Privacy Policy

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

Platform Privacy Policy (Tier 2)

Rules governing staff access to and use of Parliament's system

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

PRIVACY POLICY. 1. Introduction

PERSONAL DATA PROTECTION POLICY

Privacy Policy. Last updated on 31 May 2018

GDPR: A QUICK OVERVIEW

DATA PROCESSING AGREEMENT

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Wesley House data protection statement and privacy notice (short-course delegates)

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Data Processing Clauses

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Data Processing Agreement DPA

FIRSTBEAT TECHNOLOGIES OY DESCRIPTION OF PERSONAL DATA PROCESSING FOR PARTNERS - FIRSTBEAT LIFESTYLE ASSESSMENT

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

GENERAL DATA PROTECTION REGULATION (GDPR)

the processing of personal data relating to him or her.

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

SETUP GUIDE PPP FOR PPP USERS PLANT PROTECTION PRODUCTS VERSION 0.4

INFORMATION TO BE GIVEN 2

Privacy Notice and Consent Form

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Motorola Mobility Binding Corporate Rules (BCRs)

BRIDGEWATER SURGERIES. Privacy Notice

Regulating Telemedicine: the

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

Emergency Compliance DG Special Case DAMA INDIANA

ecare Vault, Inc. Privacy Policy

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Privacy policy SIdP website EU 2016/679

ehealth action in the EU

GDPR - Are you ready?

SETUP GUIDE FOR PPPAMS USERS PPPAMS PLANT PROTECTION PRODUCTS APPLICATION MANAGEMENT SYSTEM PPPAMS VERSION

SAFE-BioPharma RAS Privacy Policy

WEB PRIVACY POLICY. The company LEONARDI & C. SPA, registered address at 10/12/14 Via Henry Dunant, Sassuolo

Online Ad-hoc Privacy Notice

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Data Protection and Privacy Policy PORTOBAY GROUP Version I

PRIVACY POLICY OF THE WEB SITE

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

POLICY. Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

Jefferies EMEA Privacy Notice

Data Protection Policy

DATA PROTECTION 1. INTRODUCTION 2. SCOPE

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

The Park Hotel Privacy Statement

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

DATA PROTECTION POLICY

Cognizant Careers Portal Privacy Policy ( Policy )

Wonde may collect personal information directly from You when You:

INFORMATION ON THE PROCESSING OF PERSONAL DATA. (to be inserted in the link at the bottom of the page "privacy policy")

ŠKODA IRELAND Privacy Statement

The General Data Protection Regulation

ŠKODA IRELAND Privacy Statement

Data Processor Agreement

GDPR RECRUITMENT POLICY

Public consultation on Counterfeit and Piracy Watch-List

Data Privacy Statement for myportal to go

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Requirements for a Managed System

OSCE/ODIHR Election Expert Database. Privacy Statement

PRIVACY NOTICE STORM RECRUITMENT UNIT 11, 2 ND FLOOR CHARLESLAND CENTRE, GREYSTONES, CO. WICKLOW 1. INTRODUCTION

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

Element Finance Solutions Ltd Data Protection Policy

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

PRIVACY POLICY BACKGROUND:

The Australian Privacy Act An overview of the Australian Privacy Principles (APPs) Author: Paul Green

INFORMATION TO BE GIVEN 2

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

THE STUDENT HOTEL PRIVACY STATEMENT

Spectrum Wellness Privacy Statement

DIRECTORATE GENERAL MOBILITY AND TRANSPORT Units MOVE-E3 & SRD2. User Manual. Single European Sky Performance website

Privacy Policy. You may exercise your rights by sending a registered mail to the Privacy Data Controller.

Privacy Policy. Effective date: 21 May 2018

PRIVACY POLICY PRIVACY POLICY

Transcription:

DRAFT Privacy Statement (19 July 2017) European Reference Networks for Rare, Low Prevalence and Rare Diseases Clinical Patient Management System (CPMS) 1. What is the ERN Clinical Patient Management System? The Clinical Patient Management System (CPMS) is a web-based clinical software application developed by sub-contractors of the Commission with the objective to support the European Reference Networks (ERN) on rare, low prevalence and complex diseases. The ERNs are networks of healthcare providers working together virtually across national borders to diagnose and treat of patients with rare, low prevalence and complex diseases in Europe. The CPMS provides a secure electronic system managed by the Commission to authenticate the identity of the users and to authorise access for healthcare professionals of the ERN member hospitals to collaborate in the cross-border assessment of a patient file. This privacy statement covers solely the part of CPMS that concerns the processing of personal data for which the Commission is responsible, i.e. the authentication, authorisation, registration, storage, deletion and usage of the personal data of the CPMS users and guest users (i.e. the health professionals) to permit their access to the pseudonymised (no name, no address) patient file made available in the CPMS system. The local point of care specialist may be an existing CPMS user (from an ERN member hospital or treatment centre) or the local point of care specialist may be from an affiliated or non-member hospital or treatment centre (a guest user). Guest users may have more limited access rights, which are attributed by the ERN coordinators on a "need-to-do" basis. Neither the Commission, not its contractors and subcontractors, have access, at any stage of the processing and/or storage operations, to any patient data. The encrypted data is securely stored, on behalf of the Commission, by its subcontractor in Germany, solely to ensure the proper functioning of the CPMS platform. The patient s data is collected solely by the local specialist, i.e. the treating doctor, who must have obtained the explicit written consent of the patient to allow his or her pseudonymised data to be processed in the CPMS for diagnosis and treatment of his or her condition by an ERN, to be used in the rare disease database or for the patient to be contacted for use of his/her data for a specific research project. What is the applicable law?

All processing acts within the responsibility of the European Commission are governed by Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The data controller of this specific processing operation is the European Commission. The European Reference Networks are set up under the Directive on Patient Rights in Cross-Border Healthcare 2011/24/EU and gives the Commission the mandate to support the ERNs' establishment, functioning and evaluation through the adoption of implementing measures. The Commission s Delegated Decision 2014/286/EU addresses the need for ERNs to have an efficient and secure exchange of health data and other patient information as well as personal data of the healthcare professionals for the successful functioning of the Networks. The Delegated Decision also defines the informed consent of the patient under the framework of the European Reference Networks to exchange his or his personal and health data between healthcare providers and members of a European Reference Network. All legal acts regarding the ERNs are available at http://ec.europa.eu/health/ern/policy_en. 3. Which data are processed by the Commission in the CPMS? The CPMS comprises two types of users, whose data is processed in the CPMS: CPMS users / guest users: healthcare professionals of ERN or affiliated / non- ERN member hospitals; Commission staff, for administrative and technical purposes (users managing access rights). The same personal data categories are collected for both users and guest users. The Commission s authentication and identity management service 1 provides a way for users of the CPMS to register for access to the CPMS. In a self-registration process, you are requested to create a user account using the EU-Login for the European institutions. The user's account is then authorised by using e-service tool, the SAAS2 authorisation service 2, which is under the responsibility of the Commission's Directorate General for Health and Food Safety. This tool is used to authorise a limited and identified population at ERN level acting with precise roles. Only authorised users are activated in the CPMS using this tool. 1 Notification to the DPO 839.4 (Identity and Access Management Service IAMS) 2 Notification to the DPO 2065.4 SAAS (SANTE Authorization Service)

Guest users (affiliated / non-member local point of care specialists), on the other hand, can be invited and authorised by the coordinator of a specific ERN to have a guest account in order to complete patient enrolment in the CPMS ring-fenced app. The EU-Login requests the user / guest user to provide the following personal data: username, first and last name, organisation details (healthcare provider name), professional e-mail address and country. Other optional data may also be stored in EU-Login. 3 The personal data of Commission staff responsible for the administrative and technical management (i.e. dealing with problems and security incidents) are included as users in the Commission database. The only personal data processed is the one collected by EU-Login. Their contact details are not published for the user community. Instead, a functional mailbox is used for facilitating contacts between users and administrators. No patient data is processed in the Commission authentication and identity management service, nor in the SAAS2 authorisation service. 4. What is the purpose of processing data in the CPMS? The Clinical Patient Management System (CPMS) is a Sofware as a Service (SaaS) that has the objective of supporting health professionals in the European Reference Networks to collaborate virtually in the diagnosis and treatment of patients with rare or low prevalence complex diseases or conditions across national borders in the European Union. The CPMS provides a web-based tool for the sharing and hosting of patient data with the explicit patient's consent and uses a secure electronic system the authentication and identity management service (EU Login) and the SAAS2 managed by the Commission to process personal data to authenticate and to authorise ERN users' access to the patient's files. The objective of the CPMS is to support ERN users to collaborate on the medical assessment of a patient file for treatment and diagnosis across national borders. 5. Who has access to the data? Authorised Commission staff or internal or external contractors only have access to such personal data of the authorised users that are strictly necessary to carry out its tasks for administration and technical support purposes related to the user authentication and identity management service used by the CPMS. The data subjects (the users / guest users) have access only to view and to directly modify (change, delete in EU Login or deactivate in the CPMS) their personal details. 3 http://ec.europa.eu/dpo-register/details.htm?id=42750.

In very specific situations (e.g. in order to ensure the exercise of patients' rights in the absence of a user/guest user), ERC coordinators may have access to users / guest users personal data. A service directory of ERN members is available to the authorised users / guest users who have access to the system, including information about name, organisation, country, area of specialisation. In this way, recipients of this data can build the most effective panels of relevant specialists to diagnose and care for patients. A notification of this processing operation was made to the Commission's Data Protection Officer and is available for consultation in the DPO register 4. 6. How long will your data be stored? A user's personal data in the CPMS is retained for as long as the user's account is active in the system. Certain user data categories (full name and specialisation), as well as any pseudonymised patient data imputed into the system, are also retained and visible in the CPMS after a user decides to deactivate its profile, for the purpose of ensuring the ongoing care of the patient and/or to contribute to the care and diagnosis of another patient. Guest users' accounts are active for 90 days from the date of registration, unless different requirements are needed, in which case a shorter or longer period can be set. Once the end date has been reached, the guest user account is deactivated and data is kept in exactly the same was as for users' accounts. Personal data recorded through the EU-Login system are retained for as long as necessary and will be stored for as long as the person is recorded as an active user and for a period of one year thereafter. Personal data recorded through SAAS2 are retained for as long as necessary. 7. Which security measures are in place against unauthorised access? The Commission ensures that the CPMS complies with the requirements applicable to all IT systems at EU level on security of Information Systems and its implementing rules as established by the Directorate of Security for this kind of servers and services 5. CPMS users' personal data are stored in both a database hosted at the European Commission Data Centre, with specific security protection measures (solely for EU Login and SAAS2 data), and in the CPMS (hosted in the Commission's subcontractor data centre in Germany, with implemented standards on secure processing), for all 4 http://ec.europa.eu/dpo-register/search.htm 5 http://eur-lex.europa.eu/legal-content/en/txt/pdf/?uri=celex:32017d0046&from=en

data. Only Commission authorized staff permitted to access to modify user data in the database through EU-Login and SAAS2. All data, including personal data, in electronic format are stored either on the servers of the European Commission or of its contractors or sub-contractors; the operations of which abide by the European Commission s security decision of 16 August 2006 [C(2006) 3602] concerning the security of information systems used by the European Commission. At the level of the CPMS, security measures applied include: Encryption: all patient data will be encrypted Secure transfer: HTTPS protocol will be used for secure transfer Authentication: EU Login only users authenticated have access Authorisation: SAAS only users authorised have access Hosting: user data is securely hosted. In addition, staff holding the roles described in section 5 above are bound by confidentiality, data protection and non-disclosure agreements under specific contractual arrangements. 8. Access to your personal data You can exercise your rights as a CPMS user (access, rectification, blocking, objection to processing and erasure) by contacting the data controller, explicitly stating your request, via the contact address below under point 10. Please note that, as a user or guest user, you are not able to delete your CPMS profile (including all associated personal data), but only to deactivate it. Your personal data, together with any patient's pseudonymised data that you have uploaded into the system, will still be visible for purposes of patient care and diagnosis, even after you deactivated your account. If, upon deactivation, you receive a request from a patient exercising his or her data subject rights (e.g. full or partial consent withdrawal), please contact your ERN coordinator. Personal user data collected via EU Login can be manually modified and deleted by the user. The systems consequently erase the user data. Alternatively, access revocation can be requested by the user to the respective data controller. User data and the complete user profile are erased manually by the SAAS2 Processor in the SAAS2 system. The contact information regarding the data controllers for both systems is available below under point 10. 9. Additional information A copy of the patient consent form for sharing data in the European Reference Networks for rare diseases and information on the patient's rights can be found

here: TO ADD LINK. This consent form is held by the patient's treating doctor at local level and is not uploaded into the CPMS system. A list of data protection authorities is available at the following address: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm Please be aware that in some cases national law may contain exceptions to the exercise of your rights as a data subject. In case of doubt, please contact your national data protection authority. 10. Contact The CPMS is managed by the European Commission's Directorate General for Health and Food Safety. The contact address is: European Commission Directorate Health Systems, Medical Products and Innovation B-1049 Brussels Belgium e-mail: sante-consult-b@ec.europa.eu If you have any questions or comments regarding SAAS2, or if you would like to exercise your rights as a data subject, please contact the controller, explicitly stating your request, at the following email address: SANTE-SAAS2@ec.europa.eu. If you have any questions or comments regarding EU Login / ECAS, or if you would like to exercise your rights as a data subject, please contact the controller directly, explicitly stating your request, at the following address: Director General Informatics DG (DG DIGIT) European Commission B1049 Brussels If you have remarks regarding the processing of your personal data under the Commission's responsibility you may contact the European Commission's Data Protection Officer at: data-protection-officer@ec.europa.eu. If you want to file a complaint regarding the processing of your personal data, please contact the European Data Protection Supervisor: European Data Protection Supervisor (EDPS) 60 Rue Wiertz B-1047 Brussels Belgium phone: +32 2 283 19 00 e-mail: edps@edps.europa.eu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback