top of page

Privacy Policy

Legal disclaimer

This privacy policy (hereinafter referred to as the "Privacy Policy") sets out the legal framework for the collection, use and processing by PERSONA, a company in the process of being incorporated (hereinafter referred to as the "Company"), of personal data relating to persons browsing or using the services offered by the Company (hereinafter referred to as the "Users") on the "Persona" platform accessible at www.persona.healthcare (hereinafter referred to as the "Platform") designed, developed and operated by the Company.

 

Under the terms of the Privacy Policy, the person responsible for processing personal data (the data controller) is the Company.

 

As data controller, the Company retains full control over the Personal Data and determines the object, nature, purposes, means and duration of the processing of the personal data collected.

 

The information collected in the context of the Privacy Policy is mandatory and necessary for the processing and provision of the services offered by the Company (hereinafter referred to as the "Services"). Failure to provide this information will prevent the proper functioning and supply of the Services offered.

 

The Company undertakes to comply with the regulations applicable to the protection of personal data and in particular the obligations arising from European Regulation no. 2016/679 on the protection of personal data (hereinafter referred to as the "GDPR").

 

The Company collects Personal Data only in accordance with the terms of this Privacy Policy and any reasonable and lawful instructions given by the User at any time.

Information collected

1.1 Throughout the use of the Platform and/or the Services, the Company may collect personal data (hereinafter referred to as "Personal Data") relating to Users, i.e. any information enabling the User to be identified directly or indirectly.

 

When placing an initial order or submitting a contact form on the Platform, the User expressly consents to the collection of his/her Personal Data within the limits of the processing strictly necessary for the proper functioning of the Platform and the Services.

 

1.2 Personal Data relating to Users is communicated directly by Users or indirectly when the Company collects it from third parties in accordance with the conditions required by the applicable regulations (commercial partners for example). This includes in particular Personal Data relating to the User's identity and in particular: surname, first name, e-mail address, telephone number, address and postcode, photograph. Personal Data may also be created by the Company as part of the provision of Services.

 

1.3 The Company (including its technical service providers) may also indirectly and automatically collect :

  • Data relating to the User's activity ;

  • Data relating to the User's browsing, in particular the IP address, the browser used, the browsing time, the operating system used, the language and the pages consulted;

  • Data relating to the use of the Platform by the User, including traffic data, the number of notifications, the number of visits, the number of data updates, the number of launches of the Platform and any other data or communication resource that the User uses when accessing the Platform.

 

1.4 The Company may also collect health data relating to Users. This data is considered to be particularly sensitive. In order to minimise the amount of personal data processed, the Company must ensure that it only collects and uses data that is relevant and necessary for its own medical and administrative management needs.

 

In principle, the following data are considered relevant for the purposes mentioned above:

  • The patient's identity and contact details (such as surname, first name, date of birth, postal address, e-mail address and telephone number);

  • The national health identifier (INS) for a patient's health or medico-social care;

  • Social security number and details of social insurance, pensions and provident schemes for billing and financial cover of healthcare costs;

  • Family situation (such as marital status, number of children) ;

  • Professional situation (such as occupation, working conditions),

  • Health (such as weight, height, medical history, medical diagnoses, therapy, prescribed treatments, nature of procedures performed, test results, biological, physiological and pathological information that may influence the patient's response to medical treatment, and any element that may characterise the patient's health and is considered relevant by the healthcare professional);

  • Information about daily routines, such as working hours, social activities, familiar surroundings, etc;

  • Information relating to lifestyle habits depending on the context, provided that it is collected with the patient's consent and that it is necessary for the diagnosis and care of the patient (such as information relating to dependency [alone, in an institution, independent, bedridden], assistance [domestic help, family], physical exercise [intensity, frequency, duration], diet and eating habits, leisure activities);

  • Functional traces (those which record the business actions of users or machines within the information system) and technical traces (those which record the "activity" of the software and hardware components used by the information system to provide the functions requested by a user or machine).

 

After ensuring the necessity and relevance of the Personal Data it uses, the Company must also check the quality of the data it processes throughout the life of the processing. In practice, this means that, in accordance with the regulations, the data must be kept up to date.

Uses of personal data collected

The Company uses, stores and processes Personal Data for the following purposes and on the following legal bases:

  • Access to the Platform and Services: The processing is necessary for the performance of the contract concluded between the User and the Company.

  • Contact request (contact form): The processing is necessary for the performance of the contract concluded between the User and the Company.

  • Processing User requests: The processing is necessary for the performance of the contract concluded between the User and the Company.

  • Provision of Services: The processing is necessary for the performance of the contract concluded between the User and the Company.

  • Publication of content on the Platform (comment form, publication of articles): The processing is necessary for the performance of the contract concluded between the User and the Company and for the purposes of the legitimate interests pursued by the Company.

  • Processing comments (moderation, spam detection): The processing is necessary for the performance of the contract concluded between the User and the Company and for the purposes of the legitimate interests pursued by the Company.

  • Fulfil the data controller's legal obligations: The processing is necessary for the Company to comply with its legal obligations

  • Response to any questions or complaints from Users - Support: The processing is necessary for the purposes of the legitimate interests pursued by the Company

  • Appointment management: The processing is necessary for the performance of the contract concluded between the User and the Company and for the purposes of the legitimate interests pursued by the Company.

  • Management of medical files and files required for patient follow-up: The processing is necessary for the performance of the contract concluded between the User and the Company and for the purposes of the legitimate interests pursued by the Company.

  • Communication between the professionals identified and the care structures involved in the care and coordination of the person concerned: The processing is necessary for the performance of the contract concluded between the User and the Company and for the purposes of the legitimate interests pursued by the Company.

  • Management of requests for access, portability, deletion, rectification and objection: The processing is necessary for the performance of the contract concluded between the User and the Company.

  • Management of disputes, unpaid bills and litigation: The processing is necessary for the performance of the contract concluded between the User and the Company.

  • Developing and improving the platform, creating an environment of trust: The processing is necessary for the purposes of the legitimate interests pursued by the Company

  • Commercial communications relating to the Company's services and products, similar to those already used by the User: The processing is necessary for the purposes of the legitimate interests pursued by the Company as it is in accordance with the reasonable expectations of the data subjects.

  • Marketing (communications and/or newsletters about the Company's activities, initiatives and commercial offers, market research and surveys to measure the quality of the services offered): Processing is carried out on the basis of Users' consent.

  • Audience measurement / Statistics: The processing is necessary for the purposes of the legitimate interests pursued by the Company

 

Personal Health Data may only be used in the direct interest of the patient, under the conditions determined by law, for the needs of public health and the obligations of health professionals.

 

Finally, the Company grants itself the right to examine, browse or analyse Personal Data, including communications exchanged between the Company and Users via the Platform or otherwise, in order to comply with its legal obligations and in particular for the purposes of fraud prevention, risk assessment, regulatory compliance and investigation.

Data storage

Personal Data is kept only for as long as is necessary to achieve the purpose for which the Company holds the data, to meet the needs of Users or to fulfil its legal obligations.

 

The Company applies the following criteria to determine how long it will keep Personal Data:

  • Access to and use of the Platform by the User - Provision of Services: Retention until the end of a period of 5 years from the end of the Services or inactivity and within the limits of legal requirements

  • Management of medical or paramedical files or practices: In the active database, for a period of 5 years from the last intervention in the patient's file, then, at the end of this period, in the form of an archive on a separate medium for 15 years, under conditions of security equivalent to those of the other data recorded in the Platform.

  • Compliance with legal obligations / legitimate interests: Retention for the duration of the relevant statutory limitation period (2, 5 or 10 years)

  • Marketing: Retention for up to 3 years after collection or last contact with the User

  • User request (Contact, assistance, exercising your rights): Retention for as long as necessary to process the request

  • Cookies: Retention for the duration of a session and for any period defined in accordance with applicable regulations

 

At the end of the periods or at the end of the User's use of the Services, the Personal Data will be destroyed, or the Company will make it anonymous. 

 

However, the Company may keep certain Personal Data collected on separate storage spaces in order to justify, if necessary, the full performance of its contractual or legal obligations. Data stored in this way will be limited to what is strictly necessary.

Sharing and disclosure of personal data

As part of the provision of its Services, the Company may communicate Personal Data to subcontractors who process the Data on behalf of the Company.

 

The Company declares :

  • Have given written instructions concerning the processing of Personal Data by the processor;

  • Ensuring, upstream and throughout the processing operation, that the obligations set out in the RGPD are met by the processor;

  • Supervising processing, including carrying out audits and inspections of the processor.

 

The Company undertakes to ensure that the subcontractor :

  • Processes Personal Data solely for the purpose(s) for which it is subcontracted;

  • Processes Personal Data in accordance with the Company's instructions;

  • Guarantees the confidentiality of the Personal Data processed;

  • Has undergone the necessary training in the protection of personal data;

  • Does not engage any sub-contractors without the Company's prior written authorisation

  • Take into account, with regard to its tools, products, applications or services, the principles of protection of Personal Data by design and protection of Personal Data by default;

  • Cooperates with the Company in the performance of its obligations, including when patients have requests concerning their Data;

  • Delete or return all Personal Data to the Company at the end of its assignment;

  • Make available to the Company all the information necessary to demonstrate compliance with the obligations or to enable audits to be carried out.

  • Informs the Company immediately if it considers that an instruction constitutes a breach of the European regulation on the protection of Personal Data or of any other provision of Union law or of the law of the Member States relating to the protection of Personal Data.

 

If a service provider is used to maintain the software and workstations managing the "patient files", the service provider will access the Personal Data in compliance with medical secrecy and data confidentiality. The Data must be protected by physical and logical means, such as encryption, to enable the technician to carry out his duties without being able to read the Data.

 

If the patient file management software is accessible remotely and is hosted by a service provider (generally the software publisher, an online appointment scheduling platform or a telemedicine platform) or if the storage of patient health data is entrusted to a service provider responsible for ensuring that it is kept on remote servers (for example, a backup or hotline service provider), this service provider must be an approved or certified host for the hosting, storage and retention of health data in accordance with the provisions of article L. 1111-8 of the French Public Health Code.

 

Personal Data may also be passed on to commercial partners who enable the Company to properly carry out the Services, their management, processing and payment under the contractual conditions signed between the partner and the Company, which may not derogate from the conditions of this Privacy Policy.

 

Only with the express consent of the User may the Company re-use Personal Data or pass it on to partner companies, in particular for the purposes of sending commercial information by e-mail.

 

The Company declares that it will receive from the subcontractor all the documentation necessary to demonstrate compliance with the obligations and to enable audits, including inspections, to be carried out by the Company or another auditor appointed by it, and to contribute to such audits.

 

The Company remains solely responsible to Users for the provision of Services entrusted to a Personal Data subcontractor.

4.1 The Company uses the services of Google and Wix direct partners, which acts as a host for Personal Data.

 

Pursuant to Decree no. 2011-219 of 25 February 2011 on the retention and communication of data identifying any person who has contributed to the creation of content posted online, the User is hereby informed that the Platform host is obliged to retain for a period of one year from the date of creation of the content, for each operation contributing to the creation of content:

  • The identifier of the connection at the origin of the communication ;

  • The identifier assigned by the information system to the content that is the subject of the operation;

  • The types of protocols used to connect to the service and transfer content;

  • The nature of the operation ;

  • The date and time of the operation ;

  • The identifier used by the originator of the transaction where this has been provided.

 

In the event of termination of the contract, the host must also retain for a period of one year from the date of termination of the contract the information provided at the time of subscription to a contract (order) by the User or at the time of creation of a customer space, namely :

  • When the customer area is created: the login for this connection;

  • Full name or company name ;

  • Associated postal addresses;

  • The pseudonyms used ;

  • Associated e-mail or account addresses ;

  • Telephone numbers ;

  • The most recently updated version of the password and the information needed to check or change it.

 

Lastly, where the contract (order) is subject to a charge, the Platform host must keep the following information relating to the payment for one year from the date of issue of the invoice or payment transaction, for each invoice or payment transaction:

  • The type of payment used;

  • Payment reference ;

  • The amount ;

  • The date and time of the transaction.

Safety

The Company must take all necessary precautions in relation to the risks presented by its processing to protect the security of Personal Data and, in particular, at the time of collection, during transmission and storage, to prevent it from being distorted, damaged or accessed by unauthorised third parties.

 

The Company ensures that the information systems, services and digital tools it uses comply with applicable regulations.

 

Personal Data is processed both on paper and electronically, by means of data collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction.

 

The Company ensures that Personal Data is adequately and appropriately secured and has taken the necessary precautions to preserve the security and confidentiality of the data and in particular to prevent it from being distorted, damaged or communicated to unauthorised persons.

 

Personal Data is protected in such a way as to minimise the risk of destruction, loss (including accidental loss), unauthorised access/use or use incompatible with the initial purpose of collection.

 

The Company will implement all the technical and organisational measures necessary to protect personal data and prevent unauthorised processing.

 

The Company has implemented measures to protect the security of Personal Data in accordance with its data security policy.

 

Where health data hosting is outsourced, IT service providers must be approved or certified for the hosting, storage and retention of health data in accordance with the provisions of Article L. 1111-8 of the French Public Health Code.

 

If the Company becomes aware of a breach of rights in connection with the processing of Personal Data, this breach will be notified to the CNIL within no more than seventy-two (72) hours of becoming aware of it.

 

Any violation relating to the processing of Personal Data will be notified by e-mail, within one (1) month, by the Company to the User concerned.

User rights

In all cases, Users have the following rights as data subjects, unless the limitations provided for by law apply:

 

  • Right of access: (a) Users may obtain confirmation of the existence or otherwise of their Personal Data, even if not yet recorded, and that such data is made available to them in an intelligible form; (b) obtain an indication and, where appropriate, a copy of the origin and category of the Personal Data; the logic applied in the event of processing carried out with the aid of electronic instruments; the purposes and methods of processing; the identification data of the owner and of those responsible for processing; the subjects or categories of subjects to whom the Personal Data may be communicated or who may become aware of it, particularly if they are recipients located in third countries or international organisations; if possible, the data retention period or the criteria used to determine this period; the existence of an automated decision-making process and, if this is the case, the logic used, its significance and the anticipated consequences for the data subject; the existence of adequate guarantees in the event of data being transferred to a third country or an international organisation.

 

  • Right of rectification: to obtain, without undue delay, the updating and rectification of inaccurate data or, where you have an interest, the integration of incomplete data;

 

  • Right to modify: revoke consent at any time, easily and without hindrance, using, if possible, the same channels as those used to give it;

 

  • Right to erasure: To obtain the erasure, transformation into anonymous form or blocking of data: a) processed unlawfully; b) which are no longer necessary for the purposes for which they were collected or subsequently processed; c) if the consent on which the processing is based is revoked and there is no other legal basis; d) in the event of opposition to the processing and if there is no overriding legitimate ground for continuing the processing; e) in the event of compliance with a legal obligation; f) in the case of data relating to minors.

The Data Controller may refuse erasure only in the event of: a) exercising the right to freedom of expression and information; b) complying with a legal obligation, performing a task in the public interest or exercising public authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research or for statistical purposes; e) exercising a legal right.

 

  • Right of limitation: to obtain the limitation of processing in the event of: (a) contesting the accuracy of personal data; (b) unlawful processing by the Controller to prevent their erasure; (c) exercising a right of the Controller in a court of law; (d) verifying that the legitimate grounds of the Controller predominate over those of the data subject;

 

  • Right of portability: To receive, if processing is carried out by automatic means, without hindrance and in a structured, commonly used and readable format, the personal data of the data subject, in order to transmit them to another Controller or, if technically possible, to obtain direct transmission by the Controller to another Controller. The right to portability is limited to the data provided by the User concerned and applies on the basis of the User's prior consent. Upon request, the Company undertakes to transmit within 30 days, and in an open and readable format, any document used to collect Personal Data to the User in order to implement the right to portability. The cost of recovering the data shall be borne by the User making the request.

 

  • Right to object: to object, in whole or in part, on legitimate grounds relating to the particular situation of the data subject, to the processing of personal data concerning him or her.

 

  • Right to lodge a complaint with the data protection authority. In this case, if necessary, the Data Controller will inform third parties to whom personal data is communicated of the possibility of exercising the data subject's rights, except in specific cases (for example, when this proves impossible or involves a manifestly disproportionate use of means in relation to the protected right).

 

These rights may be exercised by contacting the Company or, where applicable, its Data Protection Officer (DPO) electronically at dpo@persona.healthcare.

 

These rights must be exercised by indicating the surname, first name, home address, e-mail address and telephone number of the User, as well as the subject of the request.

 

In accordance with current regulations, all requests must be signed and accompanied by a photocopy of an identity document bearing the User's signature, if the Company so requests.

 

If, after contacting us, you feel that your rights with regard to files and freedoms have not been respected, you can submit a complaint online to the CNIL or by post.

bottom of page