6 April 2021
Privacy Statement of SurgAccord B.V.
SurgAccord B.V. (“SurgAccord”) operates a digital platform that facilitates doctor-patient communication for medical interventions in a secure, clear and informative manner. To provide our services to patients and healthcare providers, we process personal data. This personal data is provided to us by you, the patient, when you register for our service, contact us, fill in questionnaires etc.
When processing personal data, SurgAccord works in accordance with the requirements of applicable data protection legislation, such as the General Data Protection Regulation. This means we:
clearly specify our purposes before we process personal data, by using this privacy statement;
limit our collection of personal data to only the personal data needed for legitimate purposes;
ask your prior explicit permission to process your personal data in cases where your permission is required;
take appropriate security measures to protect your personal data and we demand the same from parties who process personal data on our behalf;
respect your right to access, correct or delete your personal data held by us.
In this privacy statement, we will explain what kind of personal data we collect and for which purposes within our services. We recommend that you read it carefully. If you have any questions regarding the processing of personal data, you can find our contact information at the end of this privacy statement.
Basis for processing your personal data
Your personal data shall only be processed on one or more of the following lawful bases:
You have given consent to the processing of your personal data for one or more specific purposes;
Processing of your personal data is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which we are subject;
Processing is necessary in order to protect your or another person’s vital interests;
Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party (such as preventing fraud), solely to the limited extent in which our legitimate interest overrides your fundamental rights and freedoms.
Purpose of processing your personal data
SurgAccord is a digital platform that enables healthcare providers to communicate with their patients in a secure, clear and informative manner. Your personal data may be processed for one or more of the following purposes:
To provide you with clear communication for your medical intervention;
To obtain your informed consent for your medical intervention;
To gather essential information about your personal health before your medical intervention through patient questionnaires (PROMs);
To receive feedback about the provided health care (PREMs);
To provide a digital infrastructure for data collection and data management for improvement of quality of care and research purposes;
For the realization and performance of a treatment contract between you and the healthcare provider;
To offer you our services and information, tailored to your preference;
To enable you to interact with our services via our app and/or website;
To process your request, feedback or report;
To analyze and optimize our site and services;
To comply with applicable laws and regulations;
To prevent fraud or misuse of our services;
To cooperate with law enforcement and government agencies.
Except for the parties necessary to deliver our services, we do not under any circumstance provide your personal data to other companies or organisations than your healthcare provider, unless we are required to do so by law or we have your explicit consent.
Special purposes of processing your personal data
Processing your personal data for improving our services
With your specific consent we process the answers from your questionnaire to improve our healthcare and services. This may include personal data, which we solely process to the extent necessary for this purpose.
Processing your pseudo anonymized and aggregated data for scientific research
With your consent we pseudo anonymize and aggregate data from your questionnaire and make that data available for scientific research. For example, we can create data sets in respect of a certain type of medical intervention, which enables us to inform patients and/or healthcare providers about certain patterns and to compare the health status of a patient against the average revalidation process. We only process data. The patient and/or the healthcare provider remains the exclusive owner of the data. The respective healthcare provider is also allowed to use the data obtained through the platform in a pseudo anonymized way for research purposes and related presentations and to share such data with other researchers or healthcare providers he or she collaborates with. Furthermore, in the future the respective healthcare provider can consult the patient's electronic patient file to access additional medical data and for research and/or quality purposes. The patient can also be contacted by the respective healthcare provider for possible future additional questionnaires and/or research projects.
Types of personal data we process
Below you will find more information about the types of personal data we process through what part of our services.
Registration & access
To use our services and access our portal you need to register beforehand. You will have to provide some information about yourself and choose a username and password for the account that we will set up for you. For this purpose, we use your name and address details, phone number, email address, gender, birth date, personal identification number at the health institution. We do this on the basis of your consent. We store this information for 15 years after you closed your account. We will retain this data so that you do not have to re-enter it every time you visit our website and in order to contact you in connection with your use of the platform. Within our portal, you can access a management environment where you can set, specify and change settings. We will keep track of your activities for proof.
Questionnaires
As part of our services we enable your healthcare provider to make questionnaires available to gather more (personal) information about you. The main purpose of these questionnaires is to obtain essential information regarding your medical intervention. The information you provide in these questionnaires might contain personal information, such as name, social security number, age, weight, length, race, health conditions, medical history, health status, medications and other personal or health related information.
Contact form
You can use our contact form to ask questions or make any request. For this purpose, we use your email address and each patient is assigned a unique user number for communication purposes with the healthcare provider. We store this information until we are sure that you are satisfied with our response and for 15 years thereafter. This way we can easily access the information in case you have any follow-up questions and train our customer service to improve even more.
Data retention
We only retain your personal data for as long as necessary for the purposes mentioned in this privacy statement. We do not process more personal data than necessary and strive to delete personal data as soon as the purpose for its original collection has expired.
Cookies
Our online service makes use of cookies. Cookies are small files in which we can store information, so that you do not have to fill in that information again. We can also use them to see whether you are visiting us again. The first time you visit our online service, we will show you a notification explaining our cookies and ask for your permission for the use of these cookies. You can disable the use of cookies through your browser settings, but some parts of our website may not work properly as a result of that.
Google Analytics
We may use Google Analytics to track visitors on our website and to get reports about how visitors use the website. We accepted the data processing agreement from Google. We do not allow Google to use information obtained by Analytics for other Google services, and we anonymize the IP addresses.
Security
We take security measures to reduce misuse of and unauthorized access to personal data. We take the following measures in particular:
Access to personal data requires two-factor authentication consisting of username/password login and an OTP (one-time password) token.
Data is stored in a password-protected database with limited access, which resides on an encrypted disk.
We have selected a cloud provider (Google Cloud) that takes measures to protect access to the systems in which the personal data is stored.
We make use of secure connections (Secure Sockets Layer or SSL) to encrypt all information between you and our website when entering your personal data.
We keep logs of all requests for personal data (we have a security audit log system in place that logs all actions in the platform).
We are ISO 27001/NEN 7510 certified.
Data protection officer
We have appointed a so-called data protection officer. This person is responsible for privacy matters within our organisation. Our data protection officer is available by email ([email protected]) for all your questions and requests.
Changes to this privacy statement
We reserve the right to modify this privacy statement. We recommend that you consult this statement on a regular basis, so that you remain informed of any changes.
Your rights regarding your data
You can always contact us if you have any questions regarding our privacy policy or wish to review, modify or delete your personal data or execute any other rights under applicable data protection legislation. You have the following rights, among others:
Right of access: you have the right to see what kind of personal data we process about you;
Right of rectification: you have the right to rectify any personal data we have processed about you, if this information is (partially) wrong;
Right to complain: you have the right to file a complaint against the processing of your personal data by us;
Right to be forgotten: you can file a request with us to remove any personal data we have processed about you;
Right to data portability: if technically possible, you have the right to ask us to transfer your processed personal data to a third party;
Right to restriction of processing: you can file a request with us to (temporarily) restrict the processing of your personal data.
If you exercise any of the rights mentioned above, we might ask you to identify yourself to confirm it is your personal data. We will usually respond to your request within one month. This term can be extended if the request is proven to be complex or tied to a specific right. You will be notified about a possible extension of this term.
Privacy complaints
If you want to file a complaint about our use of personal data, please send an email with the details of your complaint to [email protected]. We will look into and respond to any complaint we receive. Please do not send any questions or complaints regarding your medical intervention to this email address! You need to contact your healthcare provider directly for these kinds of matters.
If you think that we are not helping you in the right way, you have the right to file a complaint with the authority. For the Netherlands, this is the Autoriteit Persoonsgegevens.
Contact information
SurgAccord B.V.
Concertgebouwplein 21
1071 GD Amsterdam
Should you have any questions or complaints regarding your medical intervention, the information requested in the questionnaires and/or the required permission (informed consent) for your medical intervention, please contact your healthcare provider directly.