Version 1.0, April 2019
Interactive Studios is classified as a Processor under the General Data Protection Regulation (“GDPR”), because it processes Personal data on behalf of the Controller (healthcare provider). Interactive Studios shall only process Personal data on instructions from the Controller and has, as a Processor, several obligations towards the Controller.
The Controller of Personal data has an obligation to inform data subjects by providing certain information. This information is usually provided by the Controller via a Privacy Statement. Interactive Studios is, as a Processor, therefore not obliged to create a Privacy Statement. However, Interactive Studios created this Privacy Statement for reasons of transparency and to show that we take your privacy seriously.
With this Privacy Statement, we inform users about the collection, storage and use of their Personal data in the Content Management System (“CMS”).
The CMS enables users to place and manage the content of the Patient Journey App. The Patient Journey App allows healthcare providers to educate, inform and activate patients with the right information at the right time. The Privacy Statement of the Patient Journey App is available at: https://patientjourneyapp.com/terms-of-service-and-privacy-policy.
This Privacy Statement is created by a Processor and is exclusively directed at the users of the CMS: healthcare providers or employees of Controllers. Any Privacy Statement of the Controller takes priority over this Privacy Statement.
This Privacy Statement outlines and explains the privacy practices used by Interactive Studios in order to protect your Personal data that is processed when using the CMS. The aim of this Privacy Statement is therefore to provide you with information on how and why your Personal data is processed and what Personal data is processed, and to inform you of the rights you can exercise in relation to your Personal data.
In this Privacy Statement, “we”, “us”, “Processor” or “Interactive Studios”, means Interactive Studio B.V., established in Rosmalen (the Netherlands). Interactive Studios develops and manages websites, online software and mobile applications, including the CMS. This system is commissioned by healthcare providers, hereinafter referred to as “client(s)” or “Controller(s)”. Interactive Studios collects and processes Personal data relating to healthcare providers or employees of Controllers, hereinafter referred to as “you”, “your”, “Data subject” or “user”. These are the person(s) using the CMS. References to “Data” or “Personal data” means all personal information that you submit to Interactive Studios via the CMS.
In so far as terms with a capital letter are not defined separately in this Privacy Statement, the definitions as described in the GDPR apply.
3. Lawful grounds for processing
The Controller must have a valid lawful basis in order to process your Personal data. Your Personal data is only processed for specified and lawful processing purposes, described in this Privacy Statement, which may include the following:
- Necessary for the performance of a contract
The Personal data you submit in the CMS is necessary to place or manage the content in the context of the medical contract of treatment between you and/or the Controller and the patient.
4. Purpose of processing
The Personal data collected by us is used for the following purposes:
- Logging into your CMS account;
- Monitoring of the logging;
- Performing a medical contract of treatment between you and/or the Controller and the patient;
- Answering medical related questions of patients;
5. Personal data we collect
You may choose to provide us with information about you by using the CMS. The Personal data we may collect includes, but is not limited to:
- Your name;
- Your contact details, including your email address and possibly your telephone number (for 2-factor authentication);
- Your password;
- Questions and feedback that can be traced to you;
- Any other information that you may provide to us;
6. Retention period
Interactive Studios will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Statement, which will be until the end of the agreed contract with the Controller or until your account is manually deleted by the Controller, unless certain circumstances require us to store the data longer. The Personal data may also be destroyed at the instruction of the Controller if the statutory retention deviates.
As a Processor, Interactive Studios will not remove data on its own initiative, unless Interactive Studios violates laws and regulations by not deleting this data. The removal of data will always be in consultation with the Controller.
7. Transfer to third parties
To ensure that the CMS works properly, third parties may be engaged. For example: for sending emails or text messages for 2-factor authentication and data storage. An overview of engaged third parties is shown below.
- Sendgrid: sending emails; Denver, Colorado, USA; certified under EU – U.S. Privacy Shield
- Microsoft Azure: data storage, servers running the system; Amsterdam, the Netherlands
- Messagebird: sending SMS messages; Amsterdam, the Netherlands
Interactive Studios may transfer Personal data to countries within the European Economic Area (hereinafter: “EEA”). Where the transfer of your Personal data to third parties outside the EEA is concerned, we will only transfer Personal data to these countries on instructions of the Controller, with prior written consent from the Controller or if the Controller or Processor has provided appropriate safeguards as defined in the GDPR.
8. Data breaches
In case of a Personal data breach, Interactive Studios shall notify the Controller without undue delay after becoming aware of a Personal data breach. The Controller is obliged to notify the Personal data breach, without undue delay, to the Supervisory authority.
9. Security measures
Interactive Studios takes appropriate technical and organizational measures to ensure an appropriate level of security and to protect your Personal data against loss or any kind of unlawful processing. As an organization, Interactive Studios is certified to both ISO 27001 (information security) and to ISO 9001 (quality management). Interactive Studios is also certified to NEN7510 (storage of medical data). There is a process in place for regularly testing the effectiveness of the security measures for ensuring the security of the processing.
The security measures taken with regard to the CMS include, amongst others:
- Encrypted transport of data;
- Encrypted storage of data;
- 2-factor authentication;
- Secure login to CMS;
- Authorization matrix for employees of Interactive Studios;
- Screening of employees of Interactive Studios;
- Obligation of confidentiality for employees of Interactive Studios;
10. Your rights
Interactive Studios supports the Controller(s) in its efforts to comply with the statutory provisions relating to Data subject rights.
You have the right:
- To be informed about the collection and use of your Personal data.
- Of access to your Personal data.
- To obtain from us the rectification of inaccurate Personal data about you.
- To erasure of your Personal data.
- To restrict processing of your Personal data.
- To move, copy or transfer your Personal data.
- To object to:
  - processing based on legitimate interests (including profiling);
  - direct marketing (including profiling);
  - processing for purposes of scientific/historical research and statistics.
- Not to be subjected to a decision based solely on automated processing, including profiling.
- To lodge a complaint with the supervisory authority.
To exercise these rights or to receive more information, please use the contact details of the Controller.
Interactive Studios has taken the utmost care and attention to ensure that the information in this Privacy Statement is correct. However, errors and omissions may occur. Interactive Studios will not be liable for any loss due to errors or irregularities, nor for any damage caused by the use or dissemination of this Privacy Statement.
12. Changes to Privacy Statement
This Privacy Statement can be amended by Interactive Studios. You can find the latest version of the Privacy Statement in the CMS. If you have any questions about this Privacy Statement, you can send an email to firstname.lastname@example.org or call +31 73 644 6069 on working days during office hours.
13. Identity of the Processor and contact details
Data protection officer e-mail: email@example.com