Data Protection Policy

Introduction

When you use our services, you’re trusting us with your information. At the Health Sciences Algorithms (HSA), we care greatly about your privacy. We understand this is a big responsibility and work hard to protect your information and put you in control. Our high standards and strong controls for information security allow us to protect your critical and sensitive personal data contained in our information systems. As such, we prevent your personal data from being compromised, altered, lost, destroyed, published or disclosed without proper authorization.

In order to protect the security and confidentiality of your data, we have developed our Data Protection Policy with the professional help and continuous support of our suppliers-Processors (see below). This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.

Effective May 25, 2018

Who has access?

Controller

The Controller of your data in the HSA databases is the Health Sciences Algorithms, Radvilų Dvaro St. 33-502, LT 48332, Lithuania, Tel. +37061234562, info@meduso.eu, registered in Lithuania under company number 305627497.

Processors

The HSA relies on the continuous support of the Processors as listed in Attachment (1). The HSA has agreements with these Processors (art. 28-29 GDPR Regulation) and is supervising that these Processors comply with the GDPR Regulations.

Third parties – Recipients

Neither the Controller, nor the Processor are involved in selling personal data of their users to third parties. In order to provide certain contractually agreed services in the context of the HSA applications, the Processor has recruited the third party services as listed in Attachment (2) as Recipients for the given purposes and may have to share personal data with such third parties.

These third parties are authorised to process personal data for the stated purposes and within the given limitations. In case of transfer of personal data to a third country, such access is only granted upon the adequacy decision of the Commission or the appropriate or suitable safeguards as specified in art. 45-46 GDPR Regulation.

Yourself (the Data Subject)

Each registered person can visualise his data by logging in on meduso.eu. You can update most of the user data in your account; for corrections of names however the Controller may ask for additional supporting documentation.

Commitments regarding partners of the HSA

All suppliers are thoroughly vetted before being engaged by the HSA for their services. Compliance with applicable data protection legislation (including GDPR compliance) is included in the vetting requirements for all such suppliers. The collaboration with suppliers and the conditions of that collaboration are annually reviewed, including continued compliance with any applicable legal and regulatory requirements. Collaboration may be ceased when a supplier no longer meets such requirements.

To the extent permitted by applicable law, the Controller or the Processor may also disclose your personal data to the following parties:
– Governmental/regulatory authorities and law enforcement agencies.
– (Internal/external) auditors.
– In response to subpoenas, court orders, or other legal, regulatory or judiciary process; to establish or exercise the legal rights of the Controller or the Processor; to defend against legal claims; or as otherwise required by law or binding order.
– When the Controller or the Processor believes it is necessary to investigate, prevent, or take action regarding illegal activities; to protect and defend the rights, property, or safety of Processors, their users, or others.
– In connection with a corporate transaction, such as divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.
– With affiliates of the Controller or the Processor.
– The Controller or the Processors may ONLY share aggregated or anonymous information with third parties, including partners, advertisers and investors.

What do we process and why?

Data is processed for the legal reason of the legitimate interests. During the design process of the applications, the Controller compiled a data inventory. We intend to acquire and process only the data that is strictly necessary for fulfilling the purposes described below.

Attachment (3) lists the information that can be collected (updated annually), together with the interests/purposes for which it is collected.

If you wish to consult the detailed data inventory or wish to acquire more information about the purpose of the data processing activities, please contact the DPO.

How long do we store personal data?

As required by applicable data protection legislation, the Controller strives to remove your personal data as soon as it is no longer necessary to accomplish the purpose for which it was originally collected. In view of this principle, the following retention periods apply (executed on an annual basis):

  • Courses and certificates data: anonymisation 10 years after the expiry date of a certain qualification (is kept: country, appraisal result, year of birth, profession).
  • Membership data: anonymisation 10 years after the last membership date (is kept: country, year of birth, profession)
  • Accounting data: information older than 10 years is deleted.
  • Personal data: anonymisation 10 years after last login (is kept: country, year of birth, profession, courses/certificates data (see above), membership data (see above)).
  • Support questions: removal 2 years after closing support ticket.
  • The data will be fully removed from the backups within 180 days after the backup.

How do we ensure security?

Security by design
The following security measures have been implemented to help protect personal data processed through our applications against unauthorized access, alteration, loss, or destruction (non-exhaustive list):
– All data is encrypted both at rest and in transit between the service and your browser.
– Personal data is only accessible after logging in with a personal, unique username and password.
– Passwords are not visible and are neither communicated via email, nor accessible to any person, including Processor’s staff.
– All data is fully backed up.
– Actions on your personal data are logged with the identity of the person performing the action, the time stamp and the IP address.
– We do not provide export facilities of user data to recipients; only Course Centres are capable of producing an export of course participants of a certain course with the purpose of sending course information.

Personal data breach
In the case of a personal data breach that may be a risk to your rights and freedoms, the Controller shall also – within 72 hours after having become aware of it – notify the supervisory authority (Described in art. 55 GDPR Regulation).

In case of a high risk – and without prejudice to the provisions of art. 34, paragraph 3 GDPR Regulation – the Controller will notify you about such personal data breach, with information about the nature, the likely consequences and a contact point for further information.

What are your rights as a Data Subject?

Unless your request is reasonably deemed excessive or unfounded, you may exercise the following rights in relation to your personal data processed through our applications:
– Request information concerning the processing of your personal data.
– Request the Controller to modify or correct your personal data if it is wrong.
– Have your personal data erased in certain circumstances as specified under applicable data protection legislation.
– Request the restriction of certain processing activities in certain circumstances as specified under applicable data protection legislation.
– Request a copy of all your data in possession of the Controller and the Processor in a standard format, as well as request for data portability.
– Withdraw your consent.
For a full review of your rights as Data Subject, please consult the General Data Protection Regulation.

You can easily exercise any of your rights by completing and submitting our online form.

The Controller reserves the right to charge a reasonable fee in case your request is deemed excessive at our sole discretion.

Modifying and correcting your personal data (rectification)

Meduso allows Data Subjects to manage the processed personal data themselves. If you are unable to complete the modifications or corrections to the data, then you can request the Controller to perform this action by submitting a request to meduso.eu.

Removing your personal data

The following procedure will be applied when a request for removal of data from the Data Subject is presented to the HSA:

Because of the irreversibility of such action, in order to request a removal of personal data, the Data Subject must submit such request by logging in on meduso.eu and include a copy of their ID/Passport for identification purposes. The Controller may send an email reply first to check the authenticity of the request.

The Controller will assess without undue delay the nature of the request and check which data need to be removed from which database in accordance with the GDPR requirements. 

If the personal data is present in the application, the Controller will remove the personal data from the database of the application/system and apply the anonymisation procedures within 30 calendar days following the personal data removal request. The Controller notifies (by email) the Data Subject about removal within 30 calendar days.  If the Controller cannot grant the request for removal, the DPO will notify the Data Subject about such decision and the motivation within 30 days following the data removal request.

All personal data that you have selected for deletion will be fully purged from the backups within 180 days. 

WARNING: removing personal data may lead to irreversibly losing any personal link or trace of membership, trainings, certificates or qualifications. The controller however will keep a printed record of the request of removal for reasons of proof and Controller’s liability. Such printed records will not be processed by automated means and neither in a filing system or with the intention to form part of a filing system, hence the GDPR regulation does not apply (Art. 2, paragraph 1 GDPR Regulation).

Apply restrictions of certain processing activities

A dedicated meduso.eu page in the Data Subject’s account gives the possibility to subscribe or unsubscribe individually from the different newsletters, groups and other communication types. Changes made by the Data Subject are applied within one week at the latest. 

Unsubscribing from emails containing news, event or service information can alternatively be done by using the unsubscribe button or hyperlink included in every newsletter or group email.

However, when registered for a course and until the course is closed administratively, identity and contact details are shared with the Course Centre. As a Course Centre cannot run a course without the possibility to contact the participants, this permission is mandatory in order to register for a course.

Receive a copy of all your data – data portability

Attachment (1) lists how a Data Subject can create an overview of all available data in the Controller’s (Processor’s) systems.

The Data Subject can apply for an export in an electronic format of his personal data and qualifications, for data portability purposes. The Controller is not responsible for the format of this data in order to be uploaded in other systems.

Withdraw your consent

You have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

By accepting this privacy statement and furnishing personal data via meduso.eu, you expressly give consent to the Controller to process the data for the stated purposes. 

Only upon your individual consent will the Controller pass on specific personal data to third parties. The foregoing also applies to processing of personal data outside of the EU, both in countries recognised and not recognised by the European Commission as offering adequate data protection. Where required, a data transfer agreement will be entered into, in accordance with the contractual clauses set out in EU Commission Decision C(2010)593 (Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC).

Who can you contact?

If you have any questions about this privacy policy, or if you want to exercise any of the Data Subject rights stipulated above, please contact the Controller on info@meduso.eu.

Attachment (1): List of Processors

Processor | Purpose(s) | Data copy | Contact
Navision | Accounting | Customers can ask for a copy of the invoices created. | www.dynamics.microsoft.com/en-us/nav-overview
Zendesk Chat | Customer support system | You can access the Support system via meduso.eu and ask (if you need) for a copy of the communication. | www.zopim.com
MEDUSO | Course content; E-learning; Personal data database; Course administration; Web shop | You can print the available pages with collected data. You can also create a printed report of personal data, qualifications and course history. | www.meduso.eu
Mailgun | User mailings | Mail addresses are stored according to the groups the Data Subject belongs to. | www.mailgun.com
PowerBI | Data Analysis Tool | Data is stored and used for statistical analysis of training parameters. | powerbi.microsoft.com
Jira | Issue tracking system | Personal data might be temporarily stored in Jira if necessary to improve Meduso. | www.atlassian.com
G Suite | E-mail client (Gmail); Office programs (Google Docs); Online storage (Google Drive); Calendar; Communication platform (Hangout) | Communications and office documents with customer’s personal data are stored for 2 years. | www.google.com
Microsoft Office | Office programs | Office documents with customer’s personal data are stored for 2 years. | www.microsoft.com
Solink | Video data for course evaluation | Video data is used to identify the person in the courses, for course appraisal purposes and for quality assurance. | solinkcloud.com
Dahua Smart PSS | Video data for course evaluation | Video data is used to identify the person in the courses, for course appraisal purposes and for quality assurance. | www.dahuasecurity.com

* any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Attachment (2): List of Recipients

To the following natural or legal persons, public authorities, agencies or other bodies, personal data is disclosed, whether a third party or not (art. 4, 9 GDPR Regulation).

Recipient | Purpose(s) | Limitations
ERC (European Resuscitation Council) | Quality control of courses | Access to individual accounts of their users. Access to course data within their country. No export tools.
AHA (American Heart Association) | Quality control of courses | Access to individual accounts of their users. Access to course data within their country. No export tools.
American College of Surgeons | Quality control of courses | Access to individual accounts of their users. Access to course data within their country. No export tools.
ALSG (Advanced Life Support Group) | Quality control of courses | Access to individual accounts of their users. Access to course data within their country. No export tools.
AAFP (American Academy of Family Physicians) | Quality control of courses | Access to individual accounts of their users. Access to course data within their country. No export tools.
Course instructors | Quality control of courses | Access to individual accounts of participants for the courses. Access to course data for their relevant course types. No export tools.
Course Centres | Administration of courses | Access to personal data either by mandate of, or upon explicit (but mandatory) approval by, the course participant. Export of address details on a course level is facilitated, in order to ship paper manuals (to the extent supported).
Course Director | Certification of participants | Access to personal data related to the Course Centre’s permissions of access. No export tools.

Attachment (3): Information collected by the Controller and the interests/purposes for which it is collected

Data type | Interest/purpose | Mandatory
First name/Surname | Uniquely identify persons | Yes
Additional names (First name – phonetic, Surname – phonetic, Middle name, Alternate name) | Notification templates for message personalisation | No
Username | Uniquely identify persons | No
Email address | Communication with users (Data Subjects); Feedback; Unique identifier | For specific groups (1)
Email display | Communication with users (Data Subjects) | No (2)
Gender (sex) | Statistical purposes | No
Date of birth | Avoid double records | Yes
Personal number | Uniquely identify persons | No
Country | Statistical purposes | No
County, Municipality, City/town | Statistical purposes; Delivery of goods | Yes
Address | Delivery of goods | Yes
Postal code | Delivery of goods | No
Time zone | Statistical purposes; Training purposes | No
Phone | Communication with users (Data Subjects); Feedback; Unique identifier | Yes
Mobile, Additional phone, Fax no., Web page, Work phone | Communication with users (Data Subjects); Unique identifier | No
Organization, department, position | Statistical purposes | No
Job standing, Last job standing | Statistical purposes | No
Education (Institution, Diploma no., Diploma specialty, Diploma issue date, Diploma serial no., License no., License issue date, License serial no.) | Statistical purposes | No
User picture | Identify the person in the courses | No
List of interests | Statistical purposes | No
Aspirational position | Statistical purposes | No
Skype ID | Statistical purposes | No
Password | Login security | Yes
New password | Login security | No
Preferred language | Presenting information in a familiar language | No
Membership history | Statistical purposes | No
Courses history | Certificate justification; User feedback and quality control on trainings | Yes
Course appraisal results | Creation of certificates; Statistical purposes | Yes (1)
Certificates status | Certificate justification; Delivery of certificates and recertification | Yes
Registry of orders | Complete pending orders; Provide an overview of past orders as a service to the customers | Yes
Event place and history | Visualise events managed by the Controller | Yes
Course Survey data | Quality control of courses | Yes
Video data | Identify the person in the courses; Course appraisal purposes and quality assurance; Ensure the chosen teaching method is followed; Video surveillance allows the training process to be evaluated for a larger number of experts; Does not cause additional stress in training for participants; Trainers and instructors have the opportunity to monitor, evaluate and correct their actions | Yes

(1) Instructors, Instructor Candidates, Coordinators, Course Directors, Educators.

(2) Additionally, the Data Subject can choose whether or not to share his e-mail with course members.