4ID PRIVACY POLICY

Last updated [29-06-2021]

1. INTRODUCTION

IPOPI, the International Patient Organisation for Primary Immunodeficiencies (hereinafter “IPOPI”, “we”), is the association of national patient organisations dedicated to improving awareness, access to early diagnosis and optimal treatments for primary immunodeficiency (PID). We have created the 4ID app (hereinafter “App”) to help you manage and monitor your health. When you, as a data subject (“you”, a “user”), make use of the App, we process certain personal data about you. We have therefore drawn up this privacy policy (“Privacy Policy”) to inform you on how and why we process your personal data. Prior to using the App, we ask you to carefully read and accept this Privacy Policy, which forms an integral part of the Terms and Conditions of Use.

Your privacy is of utmost importance to us and we will always process your personal data in accordance with this Privacy Policy and all applicable data protection laws and regulations. If you have any questions about the processing of your personal data by IPOPI, you can contact us by making use of the contact information found below.

 

2. DATA CONTROLLER

IPOPI, the owner of this App, is the controller of the personal data processing activities taking place in the context of the App. You can find us at:

IPOPI, Avenue Louise/Louizalaan 367, BE-1050 Brussels, Belgium

Email: 4ID@ipopi.org
Phone: +351 21 407 5720

 

3. HOW AND WHY DO WE COLLECT PERSONAL DATA ABOUT YOU?

3.1 Personal identification data

We collect and process personal data that you provide to us when you register for an account and further use the App. This personal information includes, but is not limited to, date of birth, country, email address, gender… We do this so you can identify yourself and use the App in a convenient manner. We also use your email address to inform you about service updates. The legal basis for processing this type of personal data is our legitimate interest in making the App available to you.

3.2 Device and user data

When you use the App, the App automatically collects certain data about the device you use. It concerns data such as your IP address, your operating system version, device type and system performance. We also use certain tracking technologies such as cookies, beacons, tags and scripts to ensure full functionality of the App, to remember you so you do not have to repeatedly enter the same information and to gather information about our users on how they interact with the App. For these purposes, we also partner up with third parties, such as Google Firebase Analytics. This is a tool that helps us get a better understanding on how you use the App and that aids in improving performance of the App to give you a better user experience.

We base the processing of data that we need to ensure full functionality of the App on our legitimate interest in providing you with a fully operative App. We will ask for your consent for any processing activities relating to device data that are not strictly needed to ensure the functionality of the App.

3.3 Data concerning your health and other information

While using the App, you can choose to provide certain information about your health. You are not obliged to submit any health-related personal data, but doing so may help you get the most benefit out of the App. This personal data can include doctor appointments, information on your symptoms and how you feel, information about your medication and your medical background. This information is used to provide you with an overview of your health status, symptoms, medicines, treatments, vaccinations, appointments and hospitalization, to send you notifications and to help the medical emergency team in the event of an intervention.

Personal data concerning your health and other information that you decide to enter into the App will only be processed based upon your consent, which can be withdrawn at any time.

 

4. FURTHER PROCESSING

Generally, we will only process your personal data for the purposes as described above. However, IPOPI is also involved in supporting research initiatives to learn more about PID and PID treatment options. From time to time, the personal data that the App has collected about you, can help us with disease awareness and further research regarding PID and patients affected by PID. We will only use the personal data the App collects about you for further processing in compliance with all applicable data protection laws. To this effect, we will make sure that the secondary processing is compatible with the purposes for which the personal data was initially collected and/or we will make sure to ask for consent. Additionally, we will make sure to take appropriate measures, such as anonymization and pseudonymization, to safeguard your personal data. We will keep this Privacy Policy updated to inform you about any further processing for which we use your personal data.

Further, we also process certain personal data about you to prevent fraud, to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.


5. WITH WHOM DO WE SHARE YOUR PERSONAL DATA? 

To ensure full performance of the App, we make use of third party processors that provide for example cloud services and technical support. Any time we engage a third party processor, we will make sure to enter into appropriate contractual agreements with such third party, including a data processing agreement to ascertain that your personal data is protected. Accordingly, we make use of a health data hosting (HDS) certified hosting service to make the App available.

We also partner up with other third parties, such as Google Firebase Analytics. We advise you to also review the privacy policies of such third party partners.

If we share your personal data with a third party that is located outside the EEA in a country that does not offer adequate protection, as set forth by the European Commission, we will introduce additional safeguards to ensure that your personal data is sufficiently protected outside the EEA. To the extent possible, we will also pseudonymize or anonymize your data.

Lastly, you are able to export and share certain personal data about you through the App with a recipient of your choice. Please note that if you choose to do so, you are responsible for the transfer of your personal data to such recipient and that the transfer of information via unencrypted email is never entirely secure.

 

6. HOW LONG DO WE STORE YOUR PERSONAL DATA? 

We retain your personal data for as long as we have a relationship with you and/or, in any case, only for the time needed to achieve the purposes as set out above (including during the time needed for further processing if any further processing purposes apply). If we notice that your account has been inactive for over one year, we can delete your account and the personal data that is connected to your account. We will inform you of the deletion of your account by email beforehand and you will be given the opportunity to object to such deletion.

 

7. SECURITY AND CONFIDENTIALITY 

We have taken appropriate technical and organizational measures to protect your personal data in the App against unauthorized access or loss or any unlawful processing. We have also made sure that any of our employees, contractors, service providers and other third parties that have access to your personal data are bound by obligations of confidentiality and that they will only receive access to your personal data insofar as is needed to achieve the purposes as are set out above.

Please note that any transfer of information over the internet is never one hundred percent secure and that there are measures you can take to secure your personal data, such as using a sufficiently strong password and keeping your password safe. If you suspect that someone may have accessed your account without authorization, please inform us immediately so we can help eliminate or mitigate the risk.

 

8. YOUR RIGHTS

8.1 Your rights in relation to your personal data

You have the following rights in relation to the personal data that we collect, process and store concerning you:

(a) Right to access: You have the right to obtain confirmation from us if, and to which extent, we process personal data about you. Unless it adversely affects the rights and freedoms of others, you can obtain a copy of the personal data we hold about you upon your request.

(b) Right to rectification: Without undue delay, you have the right to rectify any incorrect or incomplete information we have concerning you.

(c) Right to erasure: In some instances, you will have the right to have the personal data we have about you deleted. This right to be forgotten applies if:

(i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(ii) you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
(iii) you object to the processing and/or there are no overriding legitimate grounds for the processing;
(iv) the personal data have been unlawfully processed;
(v) the personal data have to be erased for compliance with a legal obligation; or
(vi) the personal data have been collected in relation to the offer of information society services;

The right to erasure will not apply if processing is necessary:

(vii) for exercising the right of freedom of expression and information;
(viii) for compliance with a legal obligation;
(ix) for reasons of public interest in the area of public health;
(x) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(xi) for the establishment, exercise or defence of legal claims.

(d) Right to restrict processing: You also have the right to request restriction of the processing of your personal data in the event that

(i) you contest the accuracy of the personal data. The restriction of processing will apply for a period enabling IPOPI to verify the accuracy of the personal data;

(ii) the processing is unlawful and you object to the deletion of the personal data and request instead the restriction of the use of the personal data;

(iii) IPOPI no longer needs the personal data for the purposes of processing as set out above, but you need it for the assertion, exercise or defence of legal claims; or

(iv) you have objected to the processing as long as it is not yet clear whether the legitimate grounds of IPOPI override your interests.

If processing of personal data has been restricted on your request, we will only store your personal data, unless you have consented to the processing of your personal data, processing is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

(e) Right to object: You have the right to object at any time, on grounds relating to your specific situation, to the processing of your personal data by IPOPI if such processing is based on the legitimate interests pursued by IPOPI. We will then no longer process your personal data, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

(f) Right to data portability: If the processing of your personal data is carried out by automated means and based on your consent, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and you also have the right to transmit such data to another controller.

(g) Automated individual decision-making, including profiling: Lastly, you also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly affects you, unless the decision is necessary for entering into, or performance of, a contract between IPOPI and you, is authorised by applicable law, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or the decision is based on your explicit consent.

8.2 How to exercise your rights?

If you want to exercise your rights or if you have a question or query about the processing of your personal data by IPOPI, you can contact us by email at 4ID@ipopi.org.

8.3 Right to lodge a complaint

If you believe that the processing of personal data by IPOPI infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. You can find the contact information of the supervisory authority in the country where you live on the website of such supervisory authority.