This privacy notice outlines how We collect and process personal data as part of your use of the PMcardio Digitize Web Platform (the “Services”) and provides further information relating to compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).
Please see also the Terms and Conditions of PMcardio Digitize (the “T&C”) and the General Privacy Notice which outlines the general data protection practices and further uses of personal data by POWERFUL MEDICAL available here.
Capitalised terms have the meaning defined in ToU, unless this Privacy Notice provides otherwise.
- Responsibility
- We, POWERFUL MEDICAL s. r. o., with registered seat at Bratislavská 81/37, 931 01 Šamorín, ID No. 50 948 431, registered with the commercial register maintained by the District Court Trnava, section Sro, file No. 46781/T (“POWERFUL MEDICAL”, “We” or “Us”) in general process personal data on behalf of the Customer in order to provide to the Customer the Services. In this regard, We act as a data processor and the Customer acts as data controller. Please see section 2.2(a) of this Privacy Notice for further detail.
- There are additional activities, where We are the data controller. In particular, the use of personal data for administration of the PMcardio Digitize Web Platform, its use and further research. Please see section 2.2(b) to (d) of this Privacy Notice for further detail.
- Terms of Processing of Personal Data
- How Do We Collect Data
- We develop and operate the PMcardio Digitize Web Platform. The PMcardio Digitize Web Platform is an AI-powered assistant, which digitizes ECG recordings.
- Within the PMcardio Digitize Web Platform the User scans ECG recordings of individuals selected by the User and uploads the image to our servers, where our AI algorithms digitize the ECG recording.
- More details about the functionality can be found here: https://www.powerfulmedical.com/pmcardio-digitize
- Processing Particulars
We process personal data for the following purposes:
- Operation of the PMcardio Digitize Web Platform – ECG digitization.
- Roles: In relation to this purpose, POWERFUL MEDICAL acts as
- a processor and the Customer acts as a controller. As such, the Customer is accountable for ensuring the provision of appropriate information to the underlying data subject and evidencing the right legal basis (e.g. consent or legal obligation to process personal data).
- a controller if the user is not in the position of a health care professional or researcher and uploads his own ECG.
- Legal basis: We process personal data on the basis of a data processing agreement concluded between Us and the Customer under Article 28 of the GDPR. The applicable contract is the ToU which also contains data processing addendum.
- Data subjects: Such individuals as the Customer determines – User’s patients or volunteers and Users.
- Categories of data: E-mail and password of Users, as well as data provided by the User relating to patients or volunteers, in particular ECG image.
- Retention period: Personal data will be retained in line with Customer’s instructions as the data controller. Deletion will be undertaken upon request by the Customer as the data controller. When We act as a controller data is kept in de-identified form for such time as needed to achieve the purpose.
- Research to further improve the existing technologies – using provided ECG and related health data to improve the used technologies. All of the used data is de-identified and does not allow for identification of the patient.
- Roles: POWERFUL MEDICAL acts as a controller.
- Legal basis: Legitimate interest of the controller under Article 6(1)(f) and Article 9(2)(j) of the GDPR consisting in research of artificial intelligence. The processing is necessary for further development of the PMcardio Digitize Web Platform, its algorithm and software.
- Data subjects: Individuals whose data has been uploaded by the User.
- Categories of data: de-identified data of patients (data which does not allow an identification of the underlying individual) such as ECG image.
- Retention period: Data is kept in de-identified form for such time as needed to achieve the purpose.
- Administration of the PMcardio Digitize Web Platform and PMcardio Digitize Web Platform – setting up User account, overall system administration, compliance with regulatory requirements, defense against legal claims.
- Roles: POWERFUL MEDICAL acts as a controller.
- Legal basis: The processing is necessary for the performance of a contract to which the data subject is a party under Article 6(1)(b) of the GDPR, or processing is necessary for the purpose of legitimate interest under Article 6(1)(f) of the GDPR of the controller consisting in performance of contractual obligations, regulatory requirements and defense against legal claims. The applicable contract is the ToU which is concluded between Us and the Customer.
- Data subjects: The Customer and User.
- Categories of data: contact details, billing and transactional information.
- Retention period: Data is kept until (i) Customer’s account in the PMcardio Digitize Web Platform is deleted; (ii) mandatory retention periods are satisfied (e.g. accounting); (iii) in case of other regulatory, legal requirements or litigation, kept until resolution of such requirements or litigation.
- Transfer to Third Countries
- We store and process personal data within the European Economic Area (the “EEA”) or within countries recognized by the European Commission as providing an adequate level of protection of personal data. We may, however, transfer personal data to countries outside the EEA in the following circumstances:
- If the User resides, is based or operates the PMcardio Digitize Web Platform from a country outside of the EEA, the Personal Data from such use will be transferred to the EEA;
- In the limited circumstances where We use subprocessors who are located outside of the EEA; and
- If We share personal data to other recipients strictly as necessary and in accordance with the ToU or the Privacy Notice.
- Any transfer of personal data outside of the EEA is undertaken in compliance with the GDPR, in particular Chapter V of the GDPR and subject to the conclusion of Standard Contractual Clauses.
- If you reside, are based or operate the PMcardio Digitize Web Platform from a country outside of the EEA, the Personal Data from such use will be transferred to the EEA.
- Recipients
- We will not provide personal data to any third party other than (i) as necessary to perform activities outlined in the ToU, including our suppliers acting as subprocessors, who provide services to us, such as authentication, customer support; (ii) in accordance with the documented instructions of the Customer; (iii) within entities affiliated to Us by common control, management or ownership, (iv) as part of a merger, acquisition, investment by a third party or change of corporate structure of Powerful Medical, or (v) as required to comply with the GDPR or other laws to which We are subject, in which case We shall (to the extent permitted by law) inform the Customer of that legal requirement before processing personal data.
- No Automated Decision-Making System, Profiling
- The PMcardio Digitize Web Platform accesses algorithms in the backend, which then process and digitalize the ECG scan and other relevant data. Although this process is automated, no decision is made by an automated decision-making system. Any and all decisions about or related to the data subject must be made by the User personally.
- Obligation to Provide Personal Data
- Provision of any personal data is not an obligation and the data subject may freely refuse. However, failure to provide personal data would result in the impossibility to use the PMcardio Digitize Web Platform and benefit from it.
- Retention
- The Company will retain data for as long as identified in section 2.2 “Processing Particulars”. After such time, or where relevant upon request, we will delete the relevant data without undue delay. Please note that although the secure and complete erasure from our back-ups may not be immediate, we will ensure that it is done as soon as technically feasible.
- Analytics
We may use third-party Service providers to monitor and analyze the use of our Service.
- Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.
- You can opt out of having your activity on the Service made available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visit activity.
- For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy.
- Rights of Data Subjects
- As a data subject, you have a number of rights listed below. Please note the following important information:
- Where We act as a processor (Section 2.2(a) above), any request shall be addressed to the User – as a controller, they are responsible to respond to any requests. We will provide our assistance to ensure your rights are fulfilled.
- For any de-identified information (Section 2.2(b) above), We will not hold any directly identifiable data and it will be technically impossible to link the data to any individual. We may therefore not be in a position to identify you as a data subject about whom We would hold personal data.
- Data subjects have the following rights (subject to the rules contained in the GDPR and other applicable legislation):
- Right to access: Data subjects have the right to request a copy of their personal data.
- Right to rectification: Data subjects have the right to request to correct any inaccurate information.
- Right to erasure: Data subjects have the right to request erasure of their personal data, under certain conditions.
- Right to restrict processing: Data subjects have the right to request restriction of processing of their personal data, under certain conditions.
- Right to object to processing: Data subjects have the right to object to processing of their personal data, under certain conditions. This applies in particular for processing under Section 2.2(b) and 2.2(c).
- Right to portability: Data subjects have the right to request transfer of their personal data to another organization, or directly to them, under certain conditions.
- Right to file a complaint with the relevant authority: Data subjects have the right to file a complaint with the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovak Republic, statny.dozor@pdp.gov.sk; or, for data subjects located in the United Kingdom, with the Information Commissioner’s Office of the United Kingdom.
In order to exercise their rights, data subjects can contact our Data Protection Officer at dpo@powerfulmedical.com.