PERSONAL DATA PROTECTION POLICY

Update 11/15/2021

1. GLOSSARY

« Personal Data » : Means any information relating to an identified or identifiable natural person.
« Recipient » : Refers to the department or company or organization that receives communication and can access your Personal Data.
« NOUVEAL » : Designates the company NOUVEAL E-SANTE SAS.
« Personal Data Protection Policy » et « Policy » : Means this Policy describing the measures taken for the processing, use and management of your Personal Data and your rights as a data subject.
« Person in charge of the treatment » : Refers to any natural or legal person, public authority, department or body that carries out the processing of your Personal Data and that alone or jointly with others, determines the purposes and means of the Processing.
« GDPR » : Means the General Data Protection Regulation (Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data).
« Treatment » : Refers to any operation or set of operations applied to your Personal Data.
« Violation of personal data » : Means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to your Personal Data.
« Subcontractor » : Refers to any natural or legal person, public authority, department or body that processes personal data on behalf of the Data Controller. It acts under the authority of the Data Controller and on the instructions of the latter.

2. PREAMBLE

NOUVEAL places the protection of personal data at the heart of its missions and the services it offers you. This Policy sets out the principles and guidelines for the protection of your Personal Data and aims to inform you about :

The Personal Data that NOUVEAL collects and the reasons for its collection,
How the Personal Information is used
Your rights on your Personal Data.

This Policy applies to the processing of Personal Data in the context of the provision of NOUVEAL services and products, excluding any partner sites. All operations involving your Personal Data are carried out in compliance with the regulations in force and in particular with the European regulations on the protection of personal data, the French law n°78-17 "Informatique, Fichiers et Libertés" of 6 January 1978 as amended and its application decrees.

3. HOW DOES NOUVEAL TAKE INTO ACCOUNT THE PROTECTION OF PERSONAL DATA?

NOUVEAL is committed to taking into account the protection of your Personal Data and your private life from the very beginning of the design of new products or services offered to you. To ensure security and guarantee the respect and proper exercise of your rights, measures are implemented to ensure the protection of your personal data.

4. HOW DOES NOUVEAL COLLECT YOUR PERSONAL DATA?

NOUVEAL undertakes to only collect data that is strictly necessary for the direct or indirect provision of the services subscribed to when they require the processing of customers' personal data.

In the event that you are asked for optional data, NOUVEAL will clearly inform you of the Personal Data that is essential for the performance of the subscribed service.

Personal Data is collected directly from you and is used only for the purposes for which you have been notified.

Personal data is used to offer you other services, only if you have agreed to receive commercial communications.

Certain data processed by NOUVEAL is collected indirectly from the following sources :

Either customers, specifying information on subscribers, beneficiaries, beneficiaries, contacts, recipients. These data are necessary for the execution of the subscribed services;
Or third parties.

In the event of indirect collection, NOUVEAL undertakes to inform individuals in accordance with the conditions set out in Article 14 of the GDPR.

Some services may be used by minors. In this case, minors must obtain the consent of their parents or legal representatives.

5. WHAT ARE THE PURPOSES OF THE PROCESSING CARRIED OUT BY THE NOUVEAL GROUP, THEIR LEGAL BASIS AND THE RETENTION PERIOD OF PERSONAL DATA?

Depending on the personal data processing implemented, NOUVEAL acts as a Data Controller or Subcontractor for its customers. When NOUVEAL acts as a Data Controller, the purposes of the processing carried out and the length of time the Personal Data is kept are set by NOUVEAL.

You can consult the purposes of the processing operations as well as their legal basis and the retention periods for personal data resulting from the processing operations carried out by NOUVEAL, in its capacity as Data Controller, by clicking on the following link: Processing of Personal Data implemented in the context of NOUVEAL's services and processing

Generally speaking, the purposes, the retention period and the legal basis differ according to the services and products concerned. At the end of the retention periods, the Personal Data are anonymized or permanently deleted

When NOUVEAL acts as a Subcontractor for its customers, the purposes of the processing and the length of time the Personal Data is kept are determined by the customer who is responsible for processing. In this context, NOUVEAL only acts on the instructions of the Data Controller. The processing operations for which NOUVEAL acts as a Subcontractor are specified in the table accessible by clicking on the following link : Processing for which NOUVEAL acts as a subcontractor

For any information on the retention periods for Personal Data processed by NOUVEAL as a subcontractor, we invite you to contact the healthcare establishment, which is responsible for processing, and which provided for the opening of your account on one of NOUVEAL's solutions for monitoring your health.

Healthcare facilities may be subject to legal obligations to retain Personal Data, on their own environments, for longer periods than those set forth in this Data Protection Policy.

6. TO WHICH SERVICES OR COMPANIES ARE YOUR PERSONAL DATA COMMUNICATED?

The personal data that you communicate to NOUVEAL may be transmitted to the following recipients :

The NOUVEAL departments authorized to access this information;
NOUVEAL's technical service providers, including its subcontractors, within the strict framework of the missions entrusted to them;
NOUVEAL's partners, after prior acceptance from you;
The contracting parties, the beneficiaries of services, the entitled beneficiaries or any third party designated by the clients or users of our services and/or products, by virtue of the contractual relationship;
Public bodies, legal auxiliaries, ministerial officers, lawyers, administrative or judicial authorities, in order to comply with any law or regulation in force, or to respond to any judicial or administrative request, in the context of respecting the legal obligations incumbent on NOUVEAL or to enable NOUVEAL to defend its rights and interests
Ombudsmen, supervisory authorities entitled to receive such data.

7. CAN YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE THE EUROPEAN UNION?

The Personal Data processed by NOUVEAL is hosted within the European Union (EU) or the European Economic Area (EEA). However, for certain specific services, NOUVEAL may use subcontractors established outside the EU or the EEA (for example, in the United States). These subcontractors may have access to Personal Data that is strictly necessary for the performance of their tasks. In this case, in accordance with the regulations in force, NOUVEAL requires its subcontractors to provide appropriate guarantees, in particular the signing of standard contractual clauses by the European Commission or the adoption by the latter of Binding Corporate Rules.

8. IS YOUR PERSONAL DATA PROTECTED?

NOUVEAL is committed to taking all measures to ensure the security and confidentiality of Personal Data.

In particular, NOUVEAL implements all the technical and organisational measures required to guarantee the security and confidentiality of the Personal Data collected and processed and in particular to prevent it from being distorted, damaged or communicated to unauthorised third parties, by ensuring a level of security adapted to the risks associated with the processing and the nature of the personal data to be protected.

The treatments performed may be subject to audit.

Furthermore, in the event of a personal data breach, as defined in Article 4 of the GDPR, affecting your Personal Data (destruction, loss, alteration or disclosure), NOUVEAL undertakes to comply with the obligation to notify Personal Data breaches, notably to the CNIL.

9. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA AND HOW TO EXERCISE THEM?

You have the right to access the personal data we hold about you;

This includes the right to ask us for additional information on:

the recipients and categories of recipients to whom your data has been transmitted
the purposes of the data processing
where possible, the length of time your data will be retained or, where this is not possible, the criteria for determining this length.

You have the right to have us correct inaccurate or incomplete personal data about you;
You may object to our use of your Personal Information at any time;
You have the right to be "forgotten" by us by exercising your right to erasure of your data;
You have the right to request the suspension of the processing of your Personal Data;
You may request that your Personal Data be recovered in a structured, commonly used and readable format in order to dispose of it and transmit it to another controller;
You have the ability to provide instructions regarding the disposition of your Personal Information after your death;
You may also withdraw your consent at any time, in cases where it has been requested. This will allow you to modify and/or withdraw your consents concerning commercial prospecting.

The user understands that the aforementioned rights may be tempered, if the legal basis for the processing so justifies, without impeding the principle of non-maleficence.

10. HOW TO CONTACT THE PERSONAL DATA PROTECTION OFFICER APPOINTED BY NOUVEAL?

You can contact the Data Protection Officer at the following address :

Madame la Déléguée à la Protection des Données
CP C703
9 rue du Colonel Pierre Avia
75015 PARIS

If you believe, after having contacted us, that your rights on your data are not respected, you can address a complaint to the Commission Nationale de l'Informatique et des Libertés (3 place de Fontenoy - TSA 80715 – 75334 Paris cedex 07 ; tél. : 01 53 73 22 22).

**PROCESSING OF PERSONAL DATA CARRIED OUT BY NOUVEAL, AS DATA CONTROLLER, FOR THE REALIZATION OF THE SERVICES OFFERED ON THE SITE https://www.nouveal.com/**
SERVICES	PURPOSE	LEGAL BASES	SHELF LIFE
Contact requests sent by users via the form « Contact » accessible in the menu and in the footer of the site https://www.nouveal.com/contact/	To allow site users to communicate with NOUVEAL. Manage user requests for information. Follow up on responses to contact requests. Communicate on NOUVEAL news. Elaborate statistics related to the service	Consent	Retention for 3 years after the last contact with NOUVEAL.
Contact requests sent by : - the professionals of the health institutions transmitted via the form « Tell us about your e-health projects » - or journalists via the "send an email" button accessible in the button « CONTACT » available on the site	To enable healthcare professionals and journalists to communicate with NOUVEAL and learn about its products and services. Manage requests for information from healthcare professionals and journalists Follow up on responses to contact requests. Communicate on NOUVEAL news. Elaborate statistics related to the service	Consent	Retention for 3 years after the last contact with NOUVEAL.
Subscribe to the Newsletter via the dedicated form on the website	Handle newsletter registration requests Manage subscriptions Send Newsletter Elaborate statistics related to the service	Consent Performance of the service (contract)	Storage of the necessary data for the duration of the subscription to the newsletter.
Recruiting Submit your application via the dedicated form available on https://www.nouveal.com/societe/#recrutement	To allow users to consult and apply for NOUVEAL job offers Allow users to submit a spontaneous application Process applications Communicate on NOUVEAL news. Contact the candidates	NOUVEAL's legitimate interest in recruiting candidates	Data retention for the duration of the recruitment process and 2 years from the last contact with the candidate

**OTHER PROCESSING OPERATIONS CARRIED OUT BY NOUVEAL, IN ITS CAPACITY AS DATA CONTROLLER, FOR THE PROVISION OF THESE SERVICES**
SERVICES	PURPOSE	LEGAL BASES	SHELF LIFE
Commercial prospecting by NOUVEAL	Carrying out commercial prospecting and marketing operations by electronic means, by mail or through a NOUVEAL employee (surveys, etc.)	Legitimate interest of NOUVEAL, with regard to prospecting: - by telephone; - by electronic means when it is intended for persons who are already customers and when the prospecting concerns products and services similar< br> to those already subscribed by these persons; Consent of the prospects/customers regarding electronic prospecting (SMS, email)	Retention for 3 years from the last contact or until consent is withdrawn
Management of commercial activities	The management of the operations necessary for the products or services subscribed to. Management of our commercial relations, including responses to contact requests received. Management of complaints to the customer service Management of the after-sales service; Management of newsletter subscriptions	Performance of the service (contract) Consent Legitimate interest (improving the quality of service)	Conservation for the entire duration of the contractual relationship, after which only the data necessary for pre-litigation or litigation purposes are archived until the acquisition of the legal prescription. The limitation period of common law in civil and commercial matters is five (5) years. The data is kept until the subscriber unsubscribes For the realization of satisfaction surveys: conservation during 1 year as from the survey. For the management of complaints: conservation during 13 months as from the date of reception of the complaint
Health vigilance management	To ensure the prevention, monitoring, evaluation and management of adverse health events	Legal obligation	Retention of data in the active database for as long as necessary to manage the adverse health event. Data retention in intermediate database 10 years after the end of the health event. Once the retention periods have expired, the data will be deleted or archived in an anonymized form for 25 years.
Post-Market Surveillance	Analyze relevant data on the quality, performance and safety of the medical device throughout its lifetime; Draw the appropriate conclusions; Define and apply any preventive or corrective measures, and ensure their follow-up.	Legal obligation	Retention of data from analytical documents (clinical evaluation, reports, surveillance report, periodic safety report) for 2 years after the last publication of the analytical documents. At the end of the retention period, the data is archived in an anonymized form for 25 years.
Official requests from public or judicial authorities empowered to do so	Management of responses to official requests from public or judicial authorities empowered to do so	Legal obligation	Retention for the duration of the procedure, plus the period of acquisition of the legal requirements. The limitation period of common law in civil and commercial matters is five (5) years from the end of the contract
Detection, prevention and fight against fraud and cybercrime	Identify user accounts with incidents or anomalies to notify them and possibly trigger suspension or closure procedures;	Legitimate interest (fight against counterfeiting, fight against fraud, fight against cybercrime, ...)	Retention for the duration of the qualification of an alert for fraud or cybercrime: 12 months from the date of the alert;
Detection, prevention and fight against fraud and cybercrime	Identify user accounts with incidents or anomalies to notify them and possibly trigger suspension or closure procedures;	Legitimate interest (fight against counterfeiting, fight against fraud, fight against cybercrime, ...)	Retention for the duration of the qualification of an alert for fraud or cybercrime: 12 months from the date of the alert; Alerts not qualified at the end of the twelve (12) month period are deleted. Qualified alerts are retained for a maximum of five (5) years after the fraud or cybercrime case is closed.
Management of requests to exercise rights	Processing your requests to exercise your rights	Legal obligation	Retention of data related to the processing of your requests for 5 years from the receipt of the request. Retention of supporting identity documents for one year.

**PROCESSING FOR WHICH NOUVEAL ACTS AS A SUBCONTRACTOR (Solutions E-fitback, ONCO’nect, Covidom, Léa Santé)**
SERVICES	PURPOSE	LEGAL BASES	SHELF LIFE
Creation of a User account on the Solutions implemented by the healthcare facility (patients, employees of the healthcare facility)	Allow the authentication of Users who access the services subscribed to by the health establishment clients within the framework of the provision of the remote medical monitoring Solution	Execution of the contract concluded with the Client (Health Care Facility) Consent of the persons collected by the health establishment subscribing the service	Retention of data necessary for the management of the account until the account is deleted
Provision of a Remote Medical Monitoring Solution and Services (management of the remote monitoring of patients who have subscribed to the service offered by their health establishment as part of the monitoring of their care pathway)	Enable health care institutions to offer their patients and implement a remote medical monitoring system Allow patients to benefit from follow-up by their health care facility	Execution of the contract concluded with the Client (Health Care Facility) Patient consent collected on behalf of the health establishment, responsible for processing, which implements the remote medical monitoring solution	Defined by the health care facility : Duration of the patient's course of care with the health care facility + retention period specific to health care institutions in accordance with the regulations applicable to them
Management of the care pathways of patients in health care institutions according to the health protocols defined by the latter	Integrate the health protocols defined by the health establishment into the solution Enable healthcare institutions to collect information from their patients as part of the health protocol set up via the subscribed remote monitoring system Allow Users to have access to remote monitoring information according to the health protocols implemented by the health facility	Execution of the contract concluded with the Client (Health Care Facility) Patient consent collected on behalf of the healthcare facility implementing the Remote Medical Monitoring Solution	Defined by the health care facility : Duration of the patient's course of care with the health care facility + retention period specific to health care institutions in accordance with the regulations applicable to them
Management of support requests from healthcare institutions on the operation of the Solutions	Handle technical anomalies reported by customers Implementation of diagnostics and necessary corrective actions	Execution of the contract concluded with the Client (Health Care Facility)	Retention of data for the duration of the contract concluded with the Customer
Support for healthcare institutions in the event of complaints and requests to exercise the rights of users of the Solutions (patients, employees of the healthcare institution) (Health care institutions manage their patients' complaints and requests to exercise their rights as data controllers)	Provide assistance to healthcare facility clients to enable them to respond to : any claim and request to exercise rights by their users any request for information from supervisory authorities and personal data protection authorities	Execution of the contract concluded with the Client (Health Care Facility)	Retention of data relating to the processing of requests for assistance from the institution, in the context of a dispute, for 5 years from the receipt of the request.
Conducting surveys on behalf of the client healthcare institution (example: satisfaction survey, survey on the use of the Solution, quality of the remote monitoring set up...)	Carrying out surveys at the request of and on behalf of the client health institution responsible for processing	Execution of the contract concluded with the Client (Health Care Facility) Legitimate interest of the health care institution Patient consent collected as part of the survey	Retention for 1 year from the date of the investigation.
Clinical studies and research conducted by the client healthcare facility using data collected as part of the Remote Monitoring Solution implemented by the healthcare facility	Provide assistance to the health care institution in the context of the research protocol implemented	Execution of the contract concluded with the Client (Health Care Facility) Patient consent obtained by the health care institution, responsible for the treatment, within the framework of the study/research protocol set up by it	Defined by the health care institution: Retention period specific to health care institutions in accordance with the regulations applicable to them for clinical research