Riva Care privacy statement

1. Introduction

The Riva Care limited liability company (hereinafter referred to as "Riva Care" or "we") is committed to respecting your privacy and attaches great importance to the protection of your personal data, which it processes as part of the management of the Riva Care medical Centre located in Boitsfort (Brussels) and the activities related to your "Riva Care check-up" carried out through the activities of the Riva Care website and tool.

For this reason, Riva Care undertakes to process your personal data lawfully, fairly and transparently in accordance with the applicable legal provisions on the subject, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the "General Data Protection Regulation" or "GDPR") and the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

By means of this privacy statement, we wish to provide you with clear and comprehensive information, in accordance with Articles 13 and 14 of the GDPR, on how your personal data is processed by our services in the context of our various activities, whether as a "controller" or as a "processor" for a healthcare professional.

This privacy statement is available in Dutch, French and English. The French version in PDF format of this privacy statement will prevail in the event of any conflicts between the different versions.

For the purposes of this declaration, the following definitions shall apply:

  • "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing (…);
  • "Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not (...);
  • "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Personal data processed by Riva Care for its own purposes

This section covers the processing activities that Riva Care carries out for its own purposes as "controller".

2.1. Who is the controller of your personal data?

For all processing activities related to the management of the website and the physical management of the Riva Care medical Centre, the controller of your personal data is the limited liability company "Riva Care", whose company number is 1002.549.339 and whose registered office is at Avenue Franklin Roosevelt 108 Box 3, 1050 Brussels.

If you wish to contact us, you can write to us at the above address or send us an e-mail at contact@rivamedical.com.

2.2. What categories of personal data do we process as controller?

In the context of the services offered by Riva Care, the purposes of which are described below (cf. point 2.4.2.), Riva Care is likely to process the following categories of personal data:

  • Personal identification data (surname, first name, address, phone number (mobile/fixed), e-mail address, etc.);
  • Habits and lifestyle (smoking, alcohol consumption, sleep, nutritional regime, etc.) (*) ;
  • Health data (any medical history, medication taken, etc.) (*);
  • Professional identification data (job title, company name, professional e-mail address, professional phone number, etc.);
  • Electronic identification data (IP addresses, cookies, connection times, operating system, browser version, etc.);
  • Your preferences (choice of language, etc.) ;
  • Information about your user/patient experience (such as feedback, ratings, opinions, etc.);
  • Video image from the medical Centre's surveillance cameras;
  • Information about your visit to the medical Centre (visitors' register, any information relating to use of the car park, etc.).

This data is processed in accordance with this statement and in compliance with the provisions of the General Data Protection Regulation (GDPR).

In all circumstances, Riva Care undertakes to collect and process your personal data only insofar as this is strictly necessary for the fulfilment of one of the purposes set out in this privacy statement.

Therefore, the provision of personal data on the various Riva Care media is generally mandatory. In some cases, however, certain personal data collected may be optional and need not necessarily be communicated to Riva Care. If this is the case, you will be informed whether the data collected is mandatory or optional.

In such cases, the failure to provide and/or the inaccuracy of the personal data on the various media could, where applicable, prevent you from continuing the Riva Care experience or from correctly executing its services.

The processing of "special categories of data" (also known as "sensitive data"), identified by an asterisk (*), is in principle prohibited. However, this prohibition in principle does not apply to Riva Care when you give your explicit consent to the processing of your data for one or more specific purposes (article 9.2, a) of the GDPR).

2.3. What are the sources of the personal data we process?

Riva Care may collect your personal data from the following sources:

  • From yourself as a visitor to the website and/or the Riva Care medical Centre and as a user of Riva Care services;
  • From partners and/or external service providers (external IT service providers);
  • From third parties (particularly in the case of a recommendation from a friend or relative).

Riva Care may also collect personal data when you browse its website or use online services without you providing it to us. For more information, please consult our cookie policy available on our website.

2.4. On which legal bases and for what purposes do we process your personal data ("why" we process your data)?

2.4.1. Legal basis :

Your personal data are mainly processed in accordance with the following legal bases:

  • Because you have consented to the processing of your data for one or more specific purposes (Article 6, 1 (a) of the GDPR);
  • Because the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6, 1 (b) of the GDPR) ;
  • Because the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6, 1 (f) of the GDPR) (for example: in the context of the use of the medical Centre's surveillance cameras, the processing of images is carried out on the basis of our legitimate interests in order to protect property and persons).

For each specific purpose for which we process your personal data, we will invoke only one legal basis.

2.4.2. Objectives:

We collect and process your personal data for the purposes set out below:

  • Creating and managing your Riva Care profile account;
  • Manage access to your Riva Care accounts (user identification and authentication);
  • Ensure an adequate level of protection and security for the Riva Care website and platform;
  • Send marketing communications relating to the services offered by Riva Care;
  • Analyse the user experience on our website;
  • Collect feedback from users;
  • Improve the promotion of Riva Care's services;
  • Prevent, record or detect offences against people or property (surveillance cameras at the medical Centre);
  • Manage any potential disputes.

2.5. How long is your data retained?

Riva Care is in the process of establishing precise rules for the retention period of personal data. This period varies according to the different purposes pursued by Riva Care and takes account of any legal obligations to retain certain of your data.

The retention periods are defined in such a way as to allow Riva Care to process your requests, to ensure the management and follow-up of these requests, and/or to carry out our mission, while respecting the principle of proportionality according to which personal data must not be kept longer than is necessary to achieve the purpose for which it was collected.

Once the retention rules have been determined, it is nevertheless made clear from the outset that all personal data may be stored for longer than the periods specified in the rules:

  • either after obtaining your consent;
  • or, in the form of archives, to meet any legal and regulatory obligations imposed on us, or during the statutory limitation or objection periods;
  • or in the form of re-use for historical, statistical or research purposes.

2.6. Who receives your data? With whom is it shared?

Data will be communicated to the following persons or organisations solely for the purposes set out above:

  • To you as the data subject;
  • To Riva Care staff and related personnel;
  • To Riva Care's partner healthcare professionals and/or those working out of the Riva Care medical Centre;
  • To processors responsible for processing operations strictly defined by Riva Care (including the various IT service providers).

No personal data is transmitted to third parties who are not among the above-mentioned recipients or who do not fall within the scope of the legal framework indicated, without prejudice to their possible transmission to bodies entrusted with a mission of control or inspection pursuant to Belgian law, such as an investigating judge.

Riva Care will not disclose your personal data to third parties for direct marketing purposes under any circumstances.

2.7. Are data transmitted abroad?

2.7.1. Transfer of data within the European Economic Area

For the purposes of certain processing activities, certain data are transferred within the European Economic Area. Within the European Economic Area, your personal data benefit from the same level of protection.

2.7.2. Transfer of data outside the European Economic Area

For the purposes of certain processing activities, some of your personal data may be transferred outside the European Economic Area. We transfer and/or grant access to your personal data to a processor, service provider or third party located in non-member states of the European Economic Area only when:

  • It is located in a country that ensures an adequate level of protection by virtue of an adequacy decision taken by the European Commission;
  • Appropriate safeguards have been implemented in accordance with the GDPR, such as:
    • Signature of the standard contractual clauses adopted by the European Commission for the transfer of personal data to processors established in third countries (2010/87/EU); or
    • The use of approved binding corporate rules; or
    • Application of an approved code of conduct.

At present, the personal data that we transfer directly/indirectly outside the European Economic Area are those processed by various IT service providers (Riva Care's processors) located in the United States and operating in accordance with the adequacy decision for the United States (the “EU-US Data Privacy Framework”).

2.8. What are your rights under the GDPR?

As a data subject of the data processing carried out by Riva Care, you have a number of rights. These are listed below for your full information.

Right of access :

The right of access is the right you have to obtain, on request, information about the personal data Riva Care holds about you.

Right to rectification :

This is your right to request that inaccurate personal data be corrected as soon as possible. If you find that personal data is incomplete, you also have the right to request that it be completed.

Right to erasure

In certain cases, you have the right to request the deletion of your personal data. This is particularly the case if :

  • the personal data are no longer necessary for the purposes for which they were collected or processed by the controller;
  • the personal data have been unlawfully processed;
  • the user withdraws his/her consent and there is no other legal ground for the processing;
  • the user, the data subject, objects to the processing, but only in certain specific cases. The right to erasure does not exist in all situations.

Right to restriction of processing

In certain cases, you have the right to obtain from Riva Care, the controller, the restriction of the processing of your personal data, in accordance with the applicable data protection legislation. For example, where the accuracy of the personal data is disputed by the data subject, the processing of the data may be restricted for a period of time to allow the controller to verify the accuracy of the personal data.

Right to data portability

Where necessary, you also have the right to receive your personal data in a structured, commonly used and machine-readable format, in accordance with applicable data protection legislation. In all cases, the right to erasure of data remains applicable. This right only exists if the legitimate basis for the processing is based on Article 6, § 1, a) or Article 9, § 2, a) (consent) or Article 6, § 1, b) (performance of a contract) of the GDPR or if the processing is carried out by automated means.

Right not to be subject to a decision based solely on automated processing

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which significantly affects you in a similar way. In other words, you have the right to request human intervention in the processing of your personal data. To this end, Riva Care undertakes to ensure that you will never be the subject of a decision based solely on automated processing, including profiling, producing legal effects concerning you or affecting you significantly in a similar way.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6, § 1, e) (task carried out in the public interest or in the exercise of official authority) or f) (legitimate interests) of the GDPR. In this case, Riva Care must cease processing the personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Right to withdraw your consent

Insofar as processing is based on consent, you have the right to withdraw your consent at any time, without this affecting the lawfulness of the processing based on consent carried out prior to the withdrawal of consent.

2.9. How can you assert your rights?

You can send your requests to exercise your rights by e-mail to privacy@rivamedical.com.

To ensure your privacy and security, we will - where appropriate - take the necessary steps to verify your identity before allowing you to consult, and possibly correct, any data.

2.10. What measures are taken to protect data?

Riva Care has put in place a number of appropriate technical and organisational security procedures, which it regularly reassesses and updates, in order to prevent the destruction, loss, falsification, modification, unauthorised access, accidental communication to third parties, as well as to ensure the security and correct use of the information collected for the purposes of the processing concerned.

To this end, access to your personal data is restricted to those who need to know it and who observe strict standards of confidentiality when processing your data.

To guarantee the security and confidentiality of the personal data collected, Riva Care has implemented the highest security standards and only works with processors who are also subject to these standards.

2.11. Who should you contact if you have any questions or complaints?

If you feel that we are not complying with one of our legal obligations, please contact us by e-mail at contact@rivamedical.com or by post at the above address.

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority of the State in which you live or work or where the alleged infringement occurred.

In Belgium, the supervisory authority is the Data Protection Authority (DPA).

Data Protection Authority
Rue de la Presse 35 1000 Bruxelles
Tel.: +32 (0)2 274 48 00
Fax : +32 (0)2 274 48 35
E-mail : contact@apd-gba.be
URL : https://www.dataprotectionauthority.be

To submit a complaint to the DPA, specific forms are available on the DPA website (https://www.dataprotectionauthority.be). These forms can be returned either by post to Rue de la Presse 35, 1000 Brussels or directly via the DPA website (https://www.dataprotectionauthority.be).

2.12. Changes to this privacy statement

We may amend this privacy statement at any time, in particular as a result of new personal data processing operations or changes in applicable legislation.

Any changes to this declaration come into force immediately. We therefore advise you to consult this page regularly.

3. Personal data that Riva Care processes on behalf of healthcare professionals and on their instructions

This section covers processing activities that Riva Care carries out as a "processor" on behalf of and on the basis of documented instructions from a healthcare professional.

3.1. Who is the controller of your personal data?

Riva Care may process personal data on behalf of and on the basis of documented instructions from health professionals, both for the personal data processing activities carried out at the Riva Care medical Centre and for the check-ups carried out via the app.

Riva Care acts as a processor within the meaning of data protection regulations and the controller of your personal data is the healthcare professional accompanying you on your Riva Care experience.

If you have any questions on this subject, please do not hesitate to send us an e-mail to contact@rivamedical.com.

3.2. What categories of personal data do we process as a processor for healthcare professionals?

As part of the services offered by Riva Care, the purposes of which are described below (see point 3.5), Riva Care may process, on behalf of and on the basis of documented instructions from healthcare professionals, the following categories of personal data:

  • Personal identification data (surname, first name, address, phone number (mobile/fixed), e-mail address, etc.);
  • Personal details (gender, age, date of birth, place of birth) ;
  • Physical data (height, weight, neck/abdomen circumference, etc.) ;
  • Habits and lifestyle (smoking, alcohol consumption, sleep, nutritional regime, etc.);
  • Hobbies and interests (sporting activities, frequencies, etc.) ;
  • Financial identification data (identification and bank account numbers, billing data) ;
  • Identification data, other than the NISS, allocated by the government (VAT number, company number - note: mainly concerns companies that are natural persons);
  • Health data (check-up results, medical report, diagnosis, treatment, test results, blood test, disability or infirmity, medical consultation, medical history, medication, medical appointments, oxygen saturation, etc.);
  • Details of health insurance (mutual insurance, details of items covered, amounts reimbursed, reimbursement periods, reimbursement conditions, payments made or received, expiry date, status of contract);
  • Professional activities ;
  • Language preferences (languages spoken) ;
  • National identification number ;
  • Identity card number ;
  • Arrival/departure times (Centre consultation register) ;
  • Appointment history.

This data is processed in accordance with the documented instructions of the healthcare professionals for whom Riva Care acts as processor within the meaning of the GDPR.

3.3. Where does the personal data we process as a processor come from? What are the sources of the data?

The personal data that we process as a processor for healthcare professionals comes mainly from healthcare professionals acting as controller.

Some data also come from other sources. These may include the following sources:

  • Yourself as a patient and user of Riva Care services;
  • Partners and/or external service providers (in particular, partner laboratories for blood sampling or external IT service providers);
  • Authentic public sources (in particular the national register when your file is created during your visit to the Riva Care medical Centre).

3.4. On what legal basis(es) do healthcare professionals generally process your data in Riva Care?

In general, healthcare professionals acting as "controllers" base their processing of your data on the following legal bases:

  • Because you have given consent to the processing of your data for one or more specific purposes (Article 6, 1 (a) of the GDPR);
  • Because the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6, 1 (b) of the GDPR) ;
  • Because the processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6, 1 (c) of the GDPR);
  • Because the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6, 1 (d) of the GDPR);
  • Because the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6, 1 (f) of the GDPR).

In addition, they generally benefit from one or more of the exceptions provided for in Article 9 of the GDPR (in particular Article 9. 2. h) of the GDPR and Article 9. 3 of the GDPR) for processing categories of personal data ("sensitive data" including, in particular, data relating to your health).

3.5. In the context of the services offered by Riva Care to healthcare professionals, what are the purposes pursued by healthcare professionals and implemented by Riva Care as a processor?

As part of the services it offers to healthcare professionals, Riva Care may process personal data about you as a patient of these healthcare professionals on their behalf and on the basis of their documented instructions. The purposes to be achieved are in particular those listed below.

  • Create a therapeutic link for each patient using the eID card;
  • Complete your medical file ;
  • Manage the scheduling of medical appointments;
    • Schedule medical appointments;
    • Send emails confirming medical appointments or teleconsultations;
    • Send appointment reminders ;
  • Manage the scheduling of blood tests with the partner laboratory;
  • Send summary emails;
  • Manage invoicing and the sending of digital invoices;
  • Send prescriptions for blood tests;
  • Manage reimbursements to patients' mutual insurance companies;
  • Communicate the results of medical appointments;
  • Organise, measure and make comprehensible the results of medical appointments;
  • Contact a patient in a medical emergency ;
  • Send personalised medical recommendations to patients (action plan);
  • Send drug prescriptions directly to patients' eID cards;
  • Manage any possible disputes;
  • Produce reports for statistical and scientific research purposes.

3.6. How long will Riva Care keep your data?

Riva Care will store your data in accordance with the healthcare professional's documented instructions.

3.7. Who are the recipients of your data?

The data will be communicated to the following persons or bodies solely for the purposes set out above and on the basis of instructions from the controller:

  • To you as the data subject ;
  • To Riva Care staff and related personnel;
  • To healthcare professionals with whom you have a therapeutic relationship.

3.8. What are your rights under the GDPR?

As a data subject, you have a number of rights. For information purposes only, these are listed in section 2.8 (see above).

3.9. How can you assert your rights?

You can exercise your rights by contacting the healthcare professional in charge of your file.

If you have any questions on this subject, please do not hesitate to send us an e-mail to privacy@rivamedical.com. We will do our best to help you exercise your rights.

3.10. Who should you contact if you have any questions or complaints?

If you believe that your doctor (healthcare professional) is in breach of one of his or her legal obligations, you have the right to lodge a complaint with the supervisory authority of the State in which you live or work or where the alleged breach occurred.

In Belgium, the supervisory authority is the Data Protection Authority (DPA).

Data Protection Authority
Rue de la Presse 35
1000 Bruxelles
Tel.: +32 (0)2 274 48 00
Fax : +32 (0)2 274 48 35
E-mail : contact@apd-gba.be
URL : https://www.dataprotectionauthority.be

To submit a complaint to the DPA, specific forms are available on the DPA website (https://www.dataprotectionauthority.be). These forms can be returned either by post to Rue de la Presse 35, 1000 Brussels or directly via the DPA website (https://www.dataprotectionauthority.be).

3.11. Changes to this privacy statement

We may amend this privacy statement at any time, in particular as a result of new personal data processing operations carried out on behalf of a data controller or changes in applicable legislation.

Any changes to this declaration come into force immediately. We therefore advise you to consult this page regularly.