Privacy policy - LynxCare processor
1. Who are we?
LynxCare Clinical Informatics NV (“LynxCare”, “we”, “us” or “our”) is an information technology company which helps hospitals (“Clients”) across the globe improve patient outcomes and makes Real-World Data accessible for research by centralizing hospital and patient data in a segmented, clinical-grade data warehouse. LynxCare’s clinical data platform aims to provide answers to complex clinical questions, helping doctors to gain insight into patient outcomes and perform medical research.
LynxCare Clinical Informatics NV is registered in the (Belgian) Crossroads Bank for Enterprises under number 0637.919.015 and has its registered office at Tiensevest 132, 3000 Leuven, Belgium.
2. How you can contact us
Any questions, complaints or comments about this Privacy Policy or the way we handle your personal data can be submitted to our Data Protection Officer (“DPO”) by sending an email to privacy@lynxcare.eu or by using the form at the bottom of this page.
3. General information about this Privacy Policy
• Scope - This Privacy Policy applies to all personal data processing activities executed by or for LynxCare, including all personal data collected on the LynxCare website. When LynxCare processes personal data on behalf of a Client, we recommend that you read the Client’s privacy policy for more information.
• Content - This Privacy Policy basically informs you about why and how we collect and process your personal data, who will have access to it, and which rights you have.
• Applicable data protection legislation - We understand that your privacy is very important. Therefore, we will process your personal data only in accordance with the applicable European and Belgian data protection law, which mainly includes the European General Data Protection Regulation of 27 April 2016 (“GDPR”) and the Belgian Act of 30 July 2018 on the processing of personal data.
• Governing law and jurisdiction - This Website and this Privacy Policy shall be governed by the laws of Belgium. Any disputes arising out of or in connection with this Website or this Privacy Policy shall be submitted to the competent Belgian courts.
• Data Protection Impact Assessment (“DPIA”) - You can request access to our DPIA summary through the following link.
• Updates - We may update this Privacy Policy from time to time, and it is the latest version that will always apply. We therefore recommend that you check this Privacy Policy regularly online.
4. The role of LynxCare when processing personal data
4.1. LynxCare acts as a processor
LynxCare helps Clients to process medical data – including personal data – in their custody, so the hospital, their doctors and other healthcare professionals can improve care, improve patient outcomes and participate in research.
In this scenario, we process personal data of patients on behalf of our Clients. The Client will be acting as controller and LynxCare works as their processor under their instructions. LynxCare may in turn engage third parties to act as its subprocessors to help with or perform certain data processing activities for the Client.
This means that the Client will bear the main responsibility for, e.g., the lawful and transparent processing of the personal data (incl. obtaining informed consent if legally required), whereas LynxCare and its subprocessors will support the Client in the secure processing of this data in accordance with the Client’s instructions. When you exercise your rights against us or our subprocessors, or when we register a data breach, we will report this to the Client and align with their instructions or refer you directly to the Client.
LynxCare takes its responsibilities as processor of (medical) data very seriously. That is why an additional GDPR Note has been added to the contract for each collaboration, in which the roles and responsibilities are extensively documented.
If you would like more information about this prior to a collaboration, you can always request this documentation via the form below.
Please note that the following sections will mainly focus on LynxCare’s role as a controller. For more information about when LynxCare acts as a processor, we recommend that you read the privacy policy of the Client acting as a controller for the data processing activity.
4.2. LynxCare acts as a controller
When we act as a controller, we determine the purposes and means of processing personal data. This typically occurs when we collect personal data directly from individuals or when we process personal data for our own business purposes.
As a data controller, we are responsible for ensuring that personal data is processed in compliance with applicable data protection laws and regulations.
LynxCare typically acts as a controller of the personal data collected and processed in the context of:
• the data processing activities and services provided on the LynxCare Website;
• managing our relations with clients, suppliers of products or services;
• processing applications and contacting applicants;
• managing and organising events; or
• marketing.
The following sections will provide more details on how we collect and process personal data as a controller.
5. What information do we collect?
By using this Website, your personal data may be collected and processed by us. This will be the case when you choose to provide us with this information yourself or when we analyse your browsing behaviour on our Website. In addition, we may also collect information about you which we obtain from third parties, such as our vendors, suppliers, contractors and business partners.
5.1. Personal data provided by you
5.1.1. When you contact us
If you contact us via e-mail, contact forms or other means of communication, we may use your contact details, such as your name, e-mail address, telephone number or other relevant information, to respond to your request, question or comment.
We will only use your contact details to communicate with you and process your request. We may also store a copy of your communication for internal administrative purposes or to comply with legal obligations.
By contacting us, you consent to us using your contact details to contact you.
5.1.2. Special categories of personal data
Unless specifically requested by us, please do not send or disclose to us sensitive personal data (also referred to as "special categories of personal data", e.g., data relating to racial or ethnic origin, political opinions, religion or philosophical beliefs, health or medical conditions, sex life or sexual orientation, criminal background, trade union membership, or biometric or genetic data).
If you send us sensitive data about yourself, please limit this to what is strictly necessary. We will only process this data on the basis of your explicit consent, the substantiation of a legal claim, or if necessary for reasons of substantial public interest or the provision of healthcare and always in accordance with applicable data protection law.
5.1.3. When you apply for a job
We collect personal data from you when you submit an application and other supporting materials to us during the recruitment and application process. We will generally process personal data during our recruitment and application process, including: basic information (e.g., your name (including name prefix or title), date of birth, gender, marital and family status, place of birth, residency, nationality, immigration status and work authorisation), contact information (e.g., your postal address, email address and phone number(s)), educational and experience information (e.g., education/academic history, CV, place of study, subject of study, years of study, records of qualifications and/or training, results, extracurricular interests and activities, language skills, personal statements, work experience), payment information and sometimes also health-related information (as permitted or required by applicable law, for example where we need to know this information to make adjustments to our recruitment processes).
We will process your personal data for the purposes of recruitment and hiring, to identify and process your application, to communicate with you and to take steps at your request with a view to entering into a contract.
5.1.4. When you subscribe to our events, newsletter or participate in promotional offers
If you subscribe to our events, newsletter or other promotional e-mails, we may use your e-mail address to periodically send you information, offers and updates on our products, services or events.
We will not share your email address with third parties for direct marketing purposes without your express consent. You may unsubscribe from receiving such emails at any time by following the unsubscribe link included in the emails you receive from us or by contacting us via the form provided below.
5.2. Personal data relating to your browsing behaviour
The Website uses cookies. Cookies are small text files placed on your device, to help us analyse the use of our Website. The information generated by the cookie about your use of the Website also falls under the concept of personal data.
You can find more information about our use of cookies and other tracking technologies in our Cookie Policy.
5.3. Personal data provided by third parties
We may also collect information about you from third parties, such as our Clients, vendors, suppliers, contractors and other business partners. For example, we may use such third-party data to confirm contact or financial information, verify qualifications of healthcare providers and check references.
6. Why do we process your personal data?
We process your personal data for the purposes described below and on the following legal bases:
6.1. Legitimate interests
We process your personal data if this is necessary to pursue our legitimate interests as a company. In doing so, we always ensure that there is a fair balance between the legitimate interest and your rights to privacy. In this case, you can always exercise your right to object to such processing (see section 10 below).
This includes data processing operations carried out for the purpose of:
• being able to function as a business;
o managing our business and our relationship with you and our Clients;
o understanding our Clients’ or potential clients’ services to develop our services and offerings;
o professional networking purposes;
o testing, monitoring, evaluating, analysing and optimising our Website to improve the user experience and detect technical problems;
o understanding how our Website is used by collecting general statistical data (e.g., IP address, likely place of consultation, hour and day of consultation, which pages were visited) regarding the use of our services and the Website;
o taking note of and responding to your requests, questions and comments for evidence purposes, quality control, coaching and training of our staff;
• promoting our products and services, including sending updates, publications and details of events;
• identifying and considering appropriate applicants for appointment;
• conducting internal audits and research on our products, services and to improve communication with our customers; or
• exercising and defending our rights (e.g., in legal disputes) and compiling evidence.
6.2. Execution of agreement
We process some data because it is necessary in the context of the conclusion or performance of a contract. For example, when you visit our Website, we process certain personal data to allow us to draft an employment contract for a successful candidate or to allow you to use our Website or when the processing takes place in the context of providing the services you have requested (e.g., when you contact us to place an order for one of our products or services).
When you register for an event organised by LynxCare, we collect the personal data that is necessary for processing your registration for the event and to send you the proof of registration. At the event, we may use the data that are linked to your registration to the event to verify your identity as a fraud prevention measure and to confirm the authenticity of your proof of registration. To the extent this processing requires the processing of your personal data, we rely on the performance of our agreement.
6.3. Legal obligations
In certain cases, we may process your personal data based on a legal obligation. For example, based on tax and accounting legislation, we may be required to retain certain information.
6.4. Consent
In certain cases, we process your personal data on the legal basis of consent. This is the case where none of the previous legal bases can be used. You can withdraw your consent at any time (see Section 10 below).
For example, we will seek your consent for:
• sending our newsletter (you can unsubscribe from this at any time, on simple request by email or via the 'opt-out' choice at the bottom of each email);
• placing cookies or other tracking technologies on our Website to track your click and browsing behaviour (if not based on legitimate interests). For more information on Cookies, see our Cookie Policy; or
• processing certain personal data in the context of certain promotional campaigns, when you provide feedback or if you use the contact form on our Website.
7. Disclosure to third parties and international data transfers
Within LynxCare, policies and contractual arrangements are in place to make sure that (i) access to personal data is limited to those persons who, due to their function, need to have access to it, and (ii) such persons respect the confidential nature of that personal data.
LynxCare does not allow the transfer of personal data to third parties except as provided below:
1. LynxCare will share personal data we process for Clients or for our own business activities with third parties that support us as our (sub)processors (like online platform partners, business/legal advisors, IT and website providers, HR and payroll service providers, payment providers, advertising agencies, recruitment agencies, insurance companies) insofar as they need the personal data for their support. We have contractual arrangements in place with those third parties to make sure they respect the applicable European and Belgian data protection law. You can find a list of the subprocessors we use here; this list will be updated from time to time.
2. LynxCare may provide links to third-party websites which collect personal data like online identifiers and online behaviour as well. You should be aware that the owners and operators of such third-party websites might collect, use or transfer personal data under different terms and conditions than LynxCare. Upon linking to a third-party website, you should inform yourself of the privacy policies of such third-party websites.
3. LynxCare will share personal data with competent authorities who are authorised to request such information or to whom we have to disclose information, as required by law or as a result of legal proceedings or court proceedings.
4. LynxCare may share your personal data with third parties like legal advisors, debt collection agencies and competent courts if we determine that such disclosure is reasonably necessary to enforce our terms and conditions or to legally protect our other legitimate business interests.
5. In the event of a reorganisation, merger or sale, we may transfer all the personal data on our systems to the third party that acquires, becomes part of or absorbs LynxCare, and that continues the activities of LynxCare for which those personal data were lawfully processed. We may also share certain personal data with that third party beforehand insofar as this fits the legitimate purpose of conducting a due diligence.
6. LynxCare may transfer your personal data to you or any other party you appoint, at your request (see ‘Your rights’ below) or with your consent.
All personal data is stored within the European Economic Area (EEA). LynxCare does not currently intend to transfer personal data, or give access to it, to third parties located in countries outside the EEA. However, if this should change, LynxCare will update its Privacy Policy and ensure that the transfer complies with the applicable data protection laws and that appropriate safeguards are put in place.
8. Security of your Personal Data
It is of course important that all processed personal data is very well secured. This is an absolute priority for LynxCare. LynxCare implements technical and organizational measures to protect the confidentiality, integrity and availability of your personal data, and to prevent unwanted loss, misuse, alteration or destruction of said data, according to the nature of the processing, the risk and the available security means. That is why LynxCare has implemented the following standards within its organization:
• ISO27001: ISO27001 is the worldwide standard for information security. The basis for this is the implementation of an information security management system, in which a risk analysis is used to define which technical and organizational measures the organization has taken with regard to information security. With the ISO27001 implementation, organizations show that they are taking the right management measures to secure data by ensuring the availability, integrity and confidentiality of this data.
• NEN7510: NEN 7510 is a standard developed by the Netherlands Standardization Institute for Information Security in the healthcare sector in the Netherlands. This standard describes measures that healthcare institutions and suppliers must take in order to deal adequately with patient data. These measures ensure that information security becomes a controlled process and relate to all manifestations in which patient data are recorded. The security requirements apply to the information within the healthcare institution, but also to the information that organizations exchange with each other. NEN7510 is an extension of the ISO27001 standard, which specifically focuses on how to protect medical data. Although this is a Dutch standard, LynxCare has chosen to implement this standard as well, in order to make the Information Security Management System (“ISMS”) even more secure.
Both standards have been implemented within the organization and LynxCare has been audited against these standards in order to obtain the certificate for them. The certificate is proof that a third party has verified the operation of the standard within the organization and that the ISMS meets all requirements. You may find an overview of our active certificates on our website.
9. Data retention period
In general, LynxCare does not process your personal data any longer than is necessary for the purposes outlined in this Privacy Policy. Your personal information will be retained in accordance with our data retention policy which categorises all of the information held by LynxCare and specifies the appropriate retention period for each category of data. Those periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account the legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and LynxCare’s legitimate business purposes.
For personal data that we process as a processor on behalf of a Client, our Client will decide how long the personal data is processed, which will typically be no longer than the term of our contract with the Client, except if different statutory retention periods have been set, if you consent to this or if there is a strong legitimate interest (like filing a legal claim or defending against legal claims).
For the retention periods of data collected via cookies and other tracking technology on our website, please see our Cookie Policy.
10. Your data protection rights
If and to the extent provided under applicable European and Belgian data protection law (which contains various exemptions), you shall have the right:
• to obtain confirmation as to whether or not your personal data is being processed and, where that is the case, you shall have the right to obtain further information about such processing as well as the right to obtain a copy of your personal data (or in some cases have your personal data transferred to another controller);
• to obtain the rectification of inaccurate personal data and to have incomplete personal data completed;
• to object to the processing of your personal data (especially any processing for direct marketing purposes) if the processing was based on legitimate interests;
• to withdraw your consent if the processing was based on your consent (please note this will not affect the lawfulness of the processing that occurred before the withdrawal of consent);
• to obtain the erasure of personal data that is not/no longer lawfully processed; and
• to put the processing of personal data on hold (‘restriction’) in certain cases (e.g. while we are assessing whether we should indeed rectify or stop processing your personal data).
To exercise one of these rights, please send your request by email to privacy@lynxcare.eu, via the form below or by written post to LynxCare BV, Tiensevest 132, 3000 Leuven, Belgium. Please note that we may have to forward your request to the Client for whom we process your personal data, and that we or our Client have an obligation to check your identity through reasonable means. We may not be able to meet your request if we cannot identify you in our datasets. If we believe that we are not legally required to meet your request, we will explain this to you in our reply.
If you feel we have wrongfully denied your request, you shall have the right to lodge a complaint with the competent data protection authority. Contact details of the Belgian Data Protection Authority are:
Gegevensbeschermingsautoriteit
Drukpersstraat 35
1000 Brussel
contact@apd-gba.be
https://www.gegevensbeschermingsautoriteit.be/
11. External Links
This Privacy Policy does not apply to external links within this Website to websites operated by third parties. We have no control over the content of these third-party websites or how these websites process your personal data. When you visit other websites, we recommend that you always read their privacy policy.
12. Questions
If you have any further questions about our privacy policy or its implementation, please contact us via the form here.