Privacy Policy for Users
of the Istel Care System
Date: 21.09.2022
Table of contents:
I. Definitions
Terms used in this document have the following meanings:
II. Introduction
Having regard to the security of personal data and the privacy of the Istel System Users, DIAGNOSIS S.A. based in Białystok would like to inform you about the most important rules regarding the processing of your personal data.
The information contained in this document includes, in particular, an explanation of which personal data are collected by DIAGNOSIS S.A. and how and for what purposes these data are used, how long they are stored and how they are protected. Moreover, this document contains information on whether and to whom DIAGNOSIS S.A. may disclose the data of the Istel System Users as well as what rights the Users have in connection with the processing of their personal data by DIAGNOSIS S.A.
The Istel System was created as a tool enabling Users to improve the processes related to access to information collected on measuring devices, such as glucometers, blood pressure monitors and thermometers. This information includes recorded results of blood sugar, blood pressure or temperature measurements. The Istel System allows for the synchronisation of the results of the measurements made, sharing the results of these measurements and other data included in the individual User account with other Users who are members of the Medical Staff (Doctors, Nurses), including Medical Facilities. In addition, the Istel System also allows Doctor Users to contact Patient Users in order to provide teleconsultations. In the case of using the teleconsultation functionality, personal data and information disclosed during its course by Users (Patients) is sent to other Users (Doctors). The platform via which teleconsultations are provided is made available by ClickMeeting Sp. z o.o. Whenever the Users use the teleconsultation functionality, they should read the Privacy Policy and the Terms of Use of the Provider. These documents are available at: https://clickmeeting.com/pl/legal.
In order to take full advantage of the functionalities offered by the Istel Care System, it is recommended to use both the Istel Care App and the Istel Health App, but it is not obligatory.
The Istel Care System simplifies the management of the results of the measurements made by the Users who are Patients, but it is not a substitute for professional medical advice. The Istel Care System is also not a medical device; it is not used to detect and diagnose diseases, and the information contained therein cannot be treated as professional medical advice or recommendations of any therapy. In particular, the Istel Care System is not a substitute for diagnostic testing performed by a physician or other qualified healthcare professional. The Istel Care System only enables the visualisation of the results of measurements made with the use of measuring devices; however, they shall each time be interpreted by a physician or other qualified healthcare professional.
The Istel Care System is not intended for minors.
Please read this document in its entirety before you start using the Istel Care System.
By creating an account in the Istel Care App, you accept the conditions set out in this Privacy Policy.
III. Purposes of data processing
The Administrator, independently or with the participation of Related Entities, may process the data of the Istel Care System Users for the following purposes:
3.1 to perform the contract concluded with the User with respect to enabling the User to use the functionality of the Istel Care System;
3.2 to enable the User who is a Patient to provide - with his or her consent - information concerning him or her (including personal data) to other Istel Care System Users selected by the Patient, e.g. members of the Medical Staff;
3.3 to provide technical support to the Istel Care System Users;
3.4 to communicate with Users, to handle inquiries and notifications made by the Istel Care System Users, to provide them with the most important information regarding the terms of use of the Istel Care System, such as updating the purposes of processing their data, changes to the Policy, etc.;
3.5 to verify the identity of Users in order to prevent unauthorised persons from accessing the User’s account;
3.6 to present the Administrator’s products or offers, if the User has given his or her consent thereto;
3.7 for analytical and statistical purposes related to the use of the Istel Care System by Users, including the functions used by the Users or the manner in which they use the Istel Care System;
3.8 to test and improve the Istel Care System, to introduce new functionalities or elements and for its further development;
3.9 to pursue claims or protect against possible claims of Users related to the use of the Istel Care System and to handle complaints, if any.
IV. Method of obtaining data by the Administrator and the scope of data
The Administrator obtains the User data from the following sources:
4.1 Directly from Users
Creating an account and using the Istel Care App requires the processing of the personal data of Users to the extent that allows verification of their identity and contact with them. These data include, in particular, identification data such as the first name and surname and contact details in the form of a telephone number or an e-mail address. Using the functionality of the Istel Care System may also require the processing of other data, including information about the state of health of the Users who are Patients. This information may include, in particular, data such as gender, age, height and weight of the User, as well as data about his or her health, e.g. type of diabetes, or the results of measurements of blood sugar levels. The Administrator does not process other special category data regarding Users; therefore please do not provide them while using the Istel Care System, in particular when filling in the diary available in the Istel Care App.
If you do not consent to the processing of health data by DIAGNOSIS S.A., please do not create an account in the Istel Care App.
If you provide any data of a third party via the Istel Care System, this means that that person has consented to the processing of his or her data for the purposes of this Policy.
4.2 From Related Entities
The Administrator may also obtain User data from other entities. This applies in particular to the data of Users who are members of the Medical Staff. Data of such Users may be obtained by the Administrator from its Related Entities. These data include, among others, identification data such as professional licence number, contact details, e.g. telephone number or address of the facility where the User who is a member of the Medical Staff is employed.
4.3 Automatically in connection with your use of the Istel Care System.
The Istel Care System may automatically collect information about Users and the ways in which they use the offered functionalities. This information relates in particular to the type of device used by you, individual designation of such device, e.g. its IMEI number or MAC address, and may also include information about the operating system of your device and the software version number, IP address, and name of the web browser used by you. In addition - in the case of mobile devices - the Administrator receives information about the type of platform used by you (iOS, Android) and the system version.
V. Grounds for data processing
Personal data of Users using the functionality of the Istel Care System are processed on the following legal grounds:
5.1 Article 6(1)(a) of the Regulation, that is the consent freely given by the User for the use of his or her personal data for one or more specific purposes, e.g. contact details provided by the User so that he or she can be presented with the Administrator’s products or offers;
5.2. Article 6(1)(b) of the Regulation, to the extent necessary for the performance of a contract. Upon the acceptance of the Regulations, a contract is concluded between the User and the Administrator for the use of the Istel Care System on the terms and conditions specified in the Regulations available at https://istelcare.pl/app/regulations/doctor. For the proper performance of this contract, it is necessary, for example, to process User data in connection with the creation and registration of an account in the Istel Care App;
5.3. Article 6(1)(f) of the Regulation, for the purposes of the legitimate interests pursued by the Administrator, System User or Related Entities. These interests include, in particular the possibility to undertake analytical and statistical activities related to the use of the Istel Care System by Users, as well as testing and improving the operation of the Istel Care System by introducing new functionalities or elements necessary for its further development. The legitimate interests may also consist in enabling the verification of compliance by the Users with the provisions of this Privacy Policy, defence against possible claims or pursuance of claims, as well as preventing and counteracting unlawful activities;
5.4 Article 9(2)(a) of the Regulation, i.e. a voluntary consent to the processing by DIAGNOSIS S.A. of data on the health of Patient Users who use the Istel System. The voluntary consent of the Patient referred to above is also the basis for sharing information about his/her health with other Users of the Istel System (Medical Staff, Medical Facilities) also while using the teleconsultation functionality. In this situation, the above Users of the Istel System receiving personal data of the Patients become their separate controllers and independently of the Controller, they are responsible for the proper protection of these data in accordance with applicable regulations. We would like to point out that the data of Patients who have agreed to share information about them via the Istel System with a few individual members of the Medical Staff, e.g. Doctors of several different specialisations, may be visible to all these persons.
In order to obtain detailed information on the rules of personal data protection applied by Users who received the Patient’s consent to share his or her data via the Istel Care System, please contact these entities directly.
Please note that the consent referred to in points 5.1 and 5.4 is entirely voluntary and Users who have given such consent may withdraw it at any time. Detailed information on how to withdraw consent is available in Section 8 of the Policy – User rights.
VI. Recipients of User data
The Administrator may share User data with Related Entities, if it is legally permitted or necessary to achieve a given purpose of processing. Recipients may include, in particular, entities responsible for creating and improving the Istel Care System, providing its Users with technical assistance in solving problems, as well as responsible for making modifications to the Istel Care System, as well as testing and improving it. Recipients of User data - to the extent specified - may also include providers of solutions used by the Istel Care System, e.g. the platform via which Users use the teleconsultation functionality. These entities may process User data only at the express request and with the consent of the Administrator. They must also follow the Administrator’s instructions and apply all appropriate measures to protect the confidentiality and security of the personal data of Users.
Notwithstanding the foregoing, the Administrator may disclose the personal data of Users also to authorised state entities, if the obligation to disclose them arises from the provisions of generally applicable law.
The personal data of Users may also be disclosed to the appropriate authorities when it is necessary to disclose them in order to protect the legitimate interests of the Administrator, User or another entity e.g. the need to comply with the provisions of this Privacy Policy, defend against any claims or pursue claims, as well as prevent and counteract unlawful activities.
VII. Data storage period or the criteria for determining this period
User data will be stored by the Administrator or its Related Entities only for the period necessary to achieve the goals referred to in Section 3 Purposes of data processing. Due to the fact that data are used for various purposes, the following storage criteria have been established:
7.1 the period during which relations with Users are maintained, including, for example, the period of using the Istel Care System by Users;
7.2 the period necessary to pursue the legitimate interests of the Administrator or Related Entities, e.g. to improve the functionality of the Istel Care System for statistical or analytical purposes or in connection with the limitation period for User claims. For example, User data, to the extent necessary to use the Istel Care App, are stored for a period of 2 years from the date of the last User activity. Section 8 User rights shows how Users can delete their account in the Istel Care App.
After the User deletes his or her account, all the data enabling his or her identification are also deleted. However, the Administrator may retain analytical information about the User. It is not possible to assign specific data to a specific User, and thus identify him or her on the basis of such information. The information in question is stored for a period of 3 years from the date of deletion of the account by the User and is used only for analytical or statistical purposes.
VIII. User rights
In connection with the processing of the personal data of Users by the Administrator, the Users have the following rights.
8.1. Right of access. At any time, Users have the right to obtain from the Administrator confirmation as to whether or not their personal data are being processed, and where that is the case, access these data and obtain information about the purposes of the processing, the categories of data being processed, recipients, data storage periods, their rights related to the processing of data by the Administrator, and may also request a copy of their personal data undergoing processing.
8.2 Right to rectification. Users have the right to obtain rectification/updating of inaccurate or out-of-date data. Users also have the right to have incomplete personal data completed. These rights can be exercised directly from the Istel Care App. In the event that for a certain reason it is not possible for Users to exercise the aforementioned rights by themselves, they can notify the Administrator who will update their data in the scope specified. Notification must be made in writing – including, by electronic means - using the contact details provided below in Section 11 Contact details.
8.3 Right to erasure. The Istel Care System Users have the right to obtain from the Administrator the immediate erasure of any personal data concerning them, and the Administrator is obligated to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject has withdrawn consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) of the Regulation, and where there is no other legal ground for the processing; the data subject objects to the processing of his or her personal data and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation provided for in Union or Member State law to which the Administrator is subject.
8.4 Right to restriction of processing. Users have the right to obtain from the Administrator restriction of processing of their data where one of the following applies: the accuracy of the personal data is contested by them, for a period enabling the Administrator to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the Administrator no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification whether the legitimate grounds of the Administrator override those of the data subject.
8.5 Right to data portability. Users have the right to receive the personal data concerning them, which they have provided to the Administrator, in a structured, commonly used and machine-readable format and have the right to request the Administrator to transmit those data to another entity (Administrator), where: the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation or on a contract pursuant to Article 6(1)(b) of the Regulation, and the processing is carried out by automated means. In this case, the Administrator may request the User for additional information in order to verify his or her identity and for security purposes, before disclosing the requested data to another entity.
8.6 Right to object. Users have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1)(e) or Article 6(1)(f) of the Regulation. The Administrator shall no longer process the personal data unless the Administrator demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Users or for the establishment, exercise or defence of legal claims.
8.7 Right to withdraw consent. Where processing is based on the consent expressed by the User, the User has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In order to withdraw consent, Users may contact the Administrator using the contact details provided below. In each case, they will receive information on how to withdraw their consent. At the same time, we would like to point out that the withdrawal of consent will only result in discontinuation of the processing of personal data to which this withdrawal relates. Consent to the processing of User data may also be withdrawn by using the option Delete account in the Istel Care App. Where the account is deleted all the consents previously expressed by the User will be withdrawn, in particular the consent to the processing of data regarding the health of the User who is a Patient. Users who are Patients may also withdraw their consent for sharing their data with the selected members of the Medical Staff at any time by selecting the appropriate option in the Istel Care App. After deleting the account in the Istel Care App and any associated personal data, Users will no longer have access to the account and the deletion of the account may be irreversible. Therefore, Users will not be able to reactivate their account or recover personal data, including health information. It may be advisable to download and save all the necessary information before deleting the account or requesting the Administrator to do so. If the Users have shared their data with another authorised User, e.g. a physician or other member of the Medical Staff, after the account has been deleted, these persons will not be able to view these data via the Istel Care System, including, in particular information about the results of the measurements taken. 
Please note that after the User deletes the account in the Istel Care App, the Administrator may keep certain information subject to appropriate safeguards, e.g. anonymisation, and that the Administrator may be required to keep certain User data, if this obligation results from generally applicable laws.
8.8 Right to lodge a complaint with a supervisory authority. Users have the right to lodge a complaint with a supervisory authority, if they consider that the processing of data relating to them infringes the applicable laws. In Poland, this authority is the President of the Personal Data Protection Office. Users may exercise their rights in connection with the processing of their personal data by the Administrator by contacting the Administrator via e-mail at: inspektor@diagnosis.pl, as well as by traditional mail: DIAGNOSIS S.A., with registered office in Białystok 15-113, ul. Gen. W. Andersa 38 A.
IX. Data protection
To ensure the security of the personal data of Users, the Administrator implements appropriate technical and organisational measures to maintain the confidentiality, integrity and availability of the personal data undergoing processing. In particular, the Administrator adheres to established procedures and applies security measures adequate to the scope of the processed data, including data encryption methods. We also take all reasonable steps to ensure that the personal data of Users are processed in a manner consistent with this Privacy Policy and only by the persons authorised to do so.
The Administrator reminds you that you should also take care of the security of your data, for instance, by preventing unauthorised persons from accessing your account in the Istel Care App. It is recommended to create a strong access password consisting of uppercase and lowercase letters, symbols or numbers and not to use the password to access the account in the Istel Care App for other accounts owned by you, e.g. e-mail. You should keep the password to access the account secret and not disclose it to third parties. The Administrator is not responsible for the loss, theft or disclosure of the password or access to the account in the Istel Care App by unauthorised persons, if these events were due to reasons attributable to the User. If you have any suspicion of a breach of the security of your account in the Istel Care App, please contact the Administrator immediately via e-mail at: inspektor@diagnosis.pl.
We would also like to remind you that the transmission of any information - including, in particular, personal data - via the Internet is not 100% secure. Although the Administrator makes every effort to ensure proper protection of the personal data of Users, the Administrator is not able to guarantee the complete security of information transmitted to the Istel Care System. Data are transmitted at the User’s risk.
X. Final provisions
The Administrator would like to point out that this Policy applies only to the Istel Care System. The Administrator is not responsible for the practices of third parties related to the protection of personal data, in particular the entities whose services may be made available through the Istel Care System, e.g. in the form of references to websites (links). It is recommended that Users of such websites or services should each time read the data protection policies implemented by these third parties.
This Policy may be periodically updated. If such updates are important for Users, they may be requested to read them in order to be able to continue using the Istel Care System.
XI. Contact details
If you have any questions related to the processing of User data in connection with the use of the Istel Care System, please contact the Administrator. Direct contact with the Administrator is possible via e-mail at inspector@diagnosis.pl or by traditional mail sent to: DIAGNOSIS S.A., with registered office in Białystok 15-113, ul. Gen. W. Andersa 38 A. The Administrator has also appointed a Data Protection Officer whom you can contact via e-mail at inspector@diagnosis.pl in all matters relating to the processing of personal data in connection with the use of the Istel Care System.