Privacy Policy

 

1. Introduction

Your privacy is important to us!

Together with the partners participating in the CoroPrevention Consortium, we strive to fully comply with the EU General Data Protection Regulation (GDPR).

This mobile CoroPrevention app is only accessible and to be used by participants in the CoroPreventon Personalized Prevention Program. The mobile app will allow you to participate in the program and supports the shared decision making by reminding you on the agreed goals and medication intake. For this purpose, regular reporting of personal behavioral, medication and parameter information to your study nurse is needed. This is performed by completing the information in the app and during study visits. 

As manufacturer of the CoroPrevention Tool Suite app, at Tampere University, we make it our top priority to ensure the security and confidentiality of all our services, systems and the data that they contain. In order to do so, we have developed a powerful and effective information security management system, for which we received the ISO 27001:2013 certification.

Our high standards for information security allow us to protect the critical and sensitive information contained in our information systems from being compromised or used without authorization. Furthermore, they aid us in protecting your personal data against mistakes, accidents or malicious actions that would cause unauthorized publication, disclosure, alteration, loss or destruction of the data.

A wider privacy notice for the CoroPrevention program is available on the CoroPrevention website. In case of contradictions between this policy and the CoroPreventon Privacy Notice, the CoroPrevention Privacy Notice will supersede this privacy policy for the CoroPrevetion Mobile Application.

2. Who has access?

The CoroPrevention Personalized Prevention Program is conducted by the partners of the CoroPrevention consortium.

Only study site personnel will have access to the actual identity of the study participants. Data collected during the study will be stored pseudonymized(with a Subject ID) and encrypted, only allowing access to authorized individuals, part of the CoroPrevention consortium. All records that could identify the study subject beyond the Subject ID (e.g. the signed informed consent (IC) document) must be maintained in strict confidence by the investigator, except to the extent necessary to allow trial-related monitoring, audits and regulatory inspections.

The complete list of joint data controllers is available in the CoroPrevention Privacy Notice, published on the CoroPrevention website.

Third parties

UniWeb never sells or shares personal data to third parties, other than those listed above, involved in the CoroPrevention Program.

In order to provide certain services, UniWeb relies on third parties suppliers (e.g. centralized logging solution, data center hosting). As foreseen by UniWebs standard operating procedures, all suppliers are thoroughly vetted before acquiring their services. GDPR compliance is, of course, included in the requirements for all suppliers. UniWeb regularly reviews the collaboration with its suppliers and the conditions of that collaboration. Collaboration is seized when a supplier no longer meets the requirements defined by UniWeb’s Information Security Management System.

To the extent permitted by applicable law, your personal data may be disclosed to the following parties:

●      Governmental authorities

●      Auditors

3. What do we process and why?

UniWeb builds, maintains and hosts web applications and websites in accordance with the specifications provided by the Data Controller and CoroPrevention Consortium partners. The personal data that is processed by these applications and websites varies based on the different user roles and related purposes defined by the Data Controller.

The CoroPrevention applications and EDC system collect information, such as (non-exhaustive list):

-        Patient identifier (pseudonym)

-        Health, Medication and Exercising information

-        Nutrition and smoking information

-        Usage statistics in the application, including logging and connection information (e.g. browser, IP address).

Purpose of these processing activities can include (non-exhaustive list):

-        Health benefits and clinical investigation objectives in alignment with the investigation’s protocol

-        Authentication, patient safety and cybersecurity monitoring

-        Allowing the user to configure reminders and alarms

-        Optimising the functioning of the applications.

-        Fulfilling agreements with consortium partners with regards to consortium agreement and regulatory requirements.

 

A consortium level Data Protection Impact Assessment was performed to assess risk and implement mitigation actions.

If you wish to consult the inventory or wish the acquire more information about the purpose of the data processing activities, please contact your local study nurse.

4. Where do we store your personal data?

UniWeb has full control and ownership over the hardware used to store your personal data. Our production, staging and backup servers are located in Belgium at the secure data center from our hosting supplier who is ISO 27001:2013 and ISO 22301:2012 certified. Personal data remains on these servers, but may be exported at certain moments by the sponsor for study, safety and usage analysis purposes only. Logging information will be temporarily stored at the centralized logging provider, using a datacenter within the EU.

5. How long do we store personal data?

Default retention period

During the design process of all websites and web applications developed by UniWeb, a standard retention period and removal procedure is agreed upon with the Joint Data Controllers per the regulatory requirements, as described in the CoroPrevention Privacy Notice.

For customers of UniWeb, all personal data that was processed via our production servers in accordance with the contract will be purged from our systems shortly after contract expires. The data will also be fully removed from our backups within 180 days (or as specified in the contract).

As part of our standard operating procedures described by our information security management system, UniWeb regularly reviews the need to store information so that we do not store data longer than absolutely necessary.

Exceptions

Deviations from the default retention period might be required:

-        by law

-        at the explicit request from the Data Controller (for which the Data Controller has accepted full responsibility)

For more information about these exceptions, please contact your local study nurse or the CoroPrevention Privacy Notice published on the CoroPrevention website.

 

6. How do we ensure security?

As a company committed to building secure and performant mobile and web applications, the manufacturer, Tampere University continuously updates and improves the security measures implemented to help protect personal data and other information against unauthorized access, alteration, loss, or destruction. The following examples are just some of the security measures applied by UniWeb:

●      All data held by UniWeb is encrypted both at rest and in transit between our service and your browser or application.

●      All data is fully backed up.

●      Our services are subject to penetration tests and protected by Nessus scans.

●      Centralized logging solution for application performance monitoring and cybersecurity monitoring purposes.

●      Our services support advanced authentication, including the use of G-Suite, Office 365 account authentication and Duo Multi-Factor Authentication.

If an information security event should occur, UniWeb will deal with this promptly and adequately in accordance with the standard operating procedures described in it’s information security management system. Like our security measures, these procedures are regularly reviewed and updated to meet the ever changing challenges of information security.

All employees at UniWeb receive regular training with regards to security best practices and company procedures. The same level of commitment is expected from our suppliers, whose services are regularly reviewed (see: Third parties).

7. What are your rights as a Data Subject?

During the Informed Consent Process, your rights as data subject were explained and listed in the Informed Consent document.

Examples of these rights, but not limited to are:

●     request information concerning your personal data.

●     request a copy of all your data in a standard format.

You can easily exercise any of your rights by consulting the informed consent form or by contacting your study nurse.

8. How can you provide consent?

By furnishing her/his personal data via the mobile or web application and as explained in the informed consent process, the Data Subject expressly gives her/his consent to the joint Data Controllers to process the data for the stated purposes.

In case the Data Controller enters the personal data into the mobile or web application, the Data Controller is considered responsible for properly informing the Data Subject and acquiring his/her consent during the informed consent process. Failing to do so will constitute as a non-conformity, which will require UniWeb to take the appropriate actions as stipulated by the standard operating procedures in the information security management system. All expenses made by UniWeb to perform these corrective actions will be charged to the Data Controller.

If UniWeb or any of the CoroPrevention Consortium partners wishes to pass on specific personal data to third parties, additional consent will be requested from the user. The foregoing also applies to the processing of your personal data outside of the EU.

9. Who can you contact?

If you have any questions about this privacy policy, or if you want to exercise any of the Data Subject rights stipulated above, please contact your local study nurse.