1    Privacy policy -LynxCare processor

Date of last revision: 23/11/2020

1.1    Processor of medical data

LynxCare helps hospitals to process medical data – including personal data - in their custody, so the hospital, their doctors and other healthcare professionals can improve care, improve patient outcomes and participate in research.

On behalf of these hospitals, LynxCare processes the (health) personal data. In these cases, LynxCare will always act as "processor". LynxCare itself is not a controller in the processing of these personal data, because it only processes the personal data on behalf of the hospital, according to the order statement of the hospital. The hospital will always act as the controller. The controller is at all times the party that determines what will happen with the data, LynxCare only works on behalf of this party. The goal of the data processing is either improving care for patients, quality control of healthcare delivery and/or research. The hospital, as a controller, is responsible to inform patients about the data processing and/or gather required consents.

LynxCare takes its responsibilities as processor of (medical) data very seriously. That is why an additional GDPR note has been added to the contract for each collaboration, in which the roles and responsibilities are extensively documented.

If you would like more information about this prior to a collaboration, you can always request this documentation via the form below.

1.2    Security

It is of course important that all processed personal data is very well secured. This is an absolute priority for LynxCare. That is why LynxCare has implemented the following standards within the organization:

• SO27001: ISO27001 is the worldwide standard for information security. The basis for this is the implementation of an information security management system, in which on the basis of a risk analysis is defined which technical and organizational measures the organization has taken with regard to information security. With the ISO27001 implementation, organizations show that they are taking the right management measures to secure data by ensuring the availability, integrity and confidentiality of this data.
• NEN7510: NEN 7510 is a standard developed by the Netherlands Standardization Institute for Information Security in the healthcare sector in the Netherlands. This standard describes measures that healthcare institutions and suppliers must take in order to deal adequately with patient data. These measures ensure that information security becomes a controlled process and relate to all manifestations in which patient data are recorded. The security requirements apply to the information within the healthcare institution, but also to the information that organizations exchange with each other. NEN7510 is an extension of the ISO27001 standard, which specifically focuses on how to protect medical data. Although this is a Dutch standard, LynxCare has chosen to implement this standard as well, in order to make the Information Security Management System even more secure.

Both standards have been implemented within the organization and LynxCare will soon be audited against these standards in order to obtain the certificate for them. The certificate is proof that a third party has verified the operation of the standard within the organization and that the ISMS meets all requirements.

2    Privacy policy -LynxCare controller

Date of last revision: 23/11/2020

2.1    Introduction

LynxCare is committed to protect your privacy and takes its responsibilities regarding your rights and the security of customer personal information very seriously.

2.2    Data controller

LynxCare Clinical Informatics, hereafter: “LynxCare”, ”we” or “us”
Tiensevest 132
3000 Leuven
Belgium
+32 472 683 742

2.3    Data protection officer

LynxCare respects and protects your privacy. We appreciate the trust you place in our company. All your personal data is treated with the greatest care and confidentiality. We did appoint a DPO within LynxCare.

You can always contact this Privacy Officer to ask questions or exercise your rights by sending an e-mail using the form at the bottom of this page.

2.4    Scope

Note: Please note as stated above that LynxCare in a client relationship operates as a processor. In other words, for all tasks that LynxCare performs for hospitals, LynxCare is purely a processor.

This privacy notice applies to all data processing activities executed by LynxCare and all personal data collected by LynxCare on the LynxCare website. This concerns: customer data, details of prospects, applicants, subscribers to the newsletter, suppliers, and participants of events.

2.5    What information do we collect, and with what purpose?

We will always process personal information based on a legal obligation, contract, or given consent.

LynxCare collects three types of personal data:

1.    Identification information‍

Purposes:

• To communicate with you, our customer, supplier, applicant or prospect;
• To deliver our services;
• To sell you a product or service;
• To send you a newsletter;
• To ask for your feedback;
• To keep you posted about events we organize and you might be interested in;
• To contact you for a job interview when you apply for a job at LynxCare.

2.    Professional and employment data‍

Purpose:

• To know which company you work for, so we know better how we can offer you any professional help
• To know your professional history and competences when you apply for a job at LynxCare

2.6    Disclosure to third parties

LynxCare websites may provide links to third-party websites. LynxCare does not make any representations or warranties with respect to such third-party websites. You should be aware that the owners and operators of such third-party websites might collect, use or transfer Personal Data under different terms and conditions than LynxCare. Upon linking to a third-party website, you should inform yourself of the privacy policies of such third-party websites.

2.7    Security of your Personal Data

LynxCare protects the confidentiality, integrity and availability of your Personal Data. We use various technological and procedural security measures to protect your Personal Data from loss, misuse, alteration or destruction.

As mentioned above, LynxCare takes the security of personal data very seriously. The management system discussed above applies to the entire organization, for both the data LynxCare is processor for and Controller for. For more information see 1.2 Security.

2.8    Data retention period

We do not process your Personal Data any longer than is necessary for the purposes outlined in this Policy. We keep your data as long as you’re an active contact (customer, lead,…) and actively delete your data three years after once you become an inactive contact, met except for data for which statutory retention periods have been set.

2.9    Data Transfer

We only transfer data towards the following categories of processors and third parties:

• Governments
• HR processors
• Finance processors

All personal data is stored within de EEA.

2.10  Your rights

If and to the extent provided under applicable Belgian and European law, you shall have the right:

• to obtain from LynxCare confirmation as to whether or not your Personal Data is being processed and, where that is the case, you shall have the right to access such Personal Data being processed;
• to obtain from LynxCare, without undue delay, the rectification of inaccurate Personal Data and to have incomplete Personal Data completed;
• to obtain from LynxCare the erasure of Personal Data;
• to obtain from LynxCare the restriction of processing your Personal Data;
• to receive the Personal Data in a structured and commonly used, machine-readable format and have such Personal Data transmitted;
• to object to the processing of your Personal Data and to object at any time to the processing of your Personal Data for direct marketing purposes.

To exercise one of these rights, send an email using the formPlease note that there will always be a check to prove your identity.

Additionally, you shall have the right to lodge a complaint with the authorized supervisory if the processing of your Personal Data infringes applicable law. Contact details of the Belgian Data Protection Authority are:

GBA –Drukpersstraat 35, 1000 Brussel
contact@apd-gba.be
https://www.gegevensbeschermingsautoriteit.be/

2.11  Modifications to this Policy

We reserve the right to modify this Policy at any time. This Notice is effective as of September 2020 (the “Effective Date”).

Notification of important updates will be sent to you by mail.

2.12  Questions

If you have any further questions about our privacy policy or its implementation, please contact us using the form below:

‍