TERMS OF USE

OF ECHOPEN O1®, ECHOPEN ON® AND ECHOPEN XP®

VERSION 3

 

Please read these terms of use of the echOpen O1® ultrasound imaging probe, the echOpen On® application, and the echOpen XP® application carefully before use. By using them, you acknowledge that these terms of use and the T&Cs (as defined in Article 1.3 below) constitute a legally binding instrument and you undertake to comply with all of its provisions.

1. GENERAL

1.1. The company echOpen Factory, a simplified joint stock company incorporated under the laws of France whose head office is located at 1 place du Parvis de Notre-Dame, 75004 Paris France, and registered with the Paris trade and companies register under number 882 017 346 (hereinafter “echOpen”, “us” and “our”), develops innovative ultrasound imaging tools.

1.2. The echOpen imaging device is composed of:

- the echOpen On® application, a digital medical device which is designed, operated and updated by echOpen and which is accessible on the AppStore and PlayStore (“echOpen On®”),

- a portable tri-frequency ultrasound imaging probe echOpen O1®, a medical device developed and manufactured by echOpen, which is connected to the customer’s/practitioner's smartphone (hereinafter “you” and “your”) via the echOpen On® application to provide you with improved diagnostic conditions (the “Probe”) (echOpen On® and echOpen O1® will be hereinafter referred to as collectively the “Devices”);

- additional and optional functionalities of echOpen On® for the storage of images collected with the Probe;

- the echOpen XP® application, which is designed, operated and updated by echOpen and which is accessible on the AppStore and PlayStore (“echOpen XP®”) (the functionalities of echOpen On® for the storage of images collected with the Probe and echOpen XP® are hereinafter referred to as collectively the “Digital Services”).

1.3. These terms of use (the “Terms of Use”) govern the access to and the use of the Devices and, where applicable, the Digital Services.

1.4. By using the Devices and, where applicable, the Digital Services, you confirm that you accept these Terms of Use without reservation and in their entirety and that you undertake to comply with them. You shall not access or use the Devices or Digital Services if you do not accept the Terms of Use and the T&Cs or if you do not meet the conditions contained therein or any requirements imposed by Applicable Laws.

2. DEFINITIONS

2.1. “Competent Authority” means any competent supranational, national or local agency, authority, department, inspectorate, minister, ministry official, parliament, public or statutory person (whether autonomous or not) of any government agencies of any country responsible for the supervision of public health and safety, and for the supervision of your professional practice, or otherwise having jurisdiction with respect to the content of the Agreement.

2.2. “T&Cs” designates the terms and conditions of sale of the Probe and echOpen On® and/or of subscription to use all or part of the Digital Services, accessible at the following address: https://assets.echopen.com/support/o1/ts/en

2.3. “Agreement” means the T&Cs and the Terms of Use, including their appendices.

2.4. “Devices” means the echOpen O1® probe and the echOpen On® application (excluding its functionality of storage of the images collected with the Probe).

2.5. “Intellectual Property Rights” means all patents, patent applications, copyright and related works, whether registered or not, rights (including trade secret rights) in know-how, whether or not such rights are patentable or protectable by copyright, trademarks and service marks, trade names and domain names, design rights, computer software rights, database rights and data rights, specifications, inventions, processes, data, improvements and developments, all other intellectual property rights, as well as all registrations and applications for registration of the aforementioned rights.

2.6. “FAQ” means the drop-down menu which provides instructions and answers to recurring questions noted by echOpen to access and use all of the products developed and marketed by echOpen, and which is accessible on the echOpen website.

2.7. “Confidential Information” means all information disclosed or provided by one party to the other party under this Agreement, including information relating to the disclosing party's research, development, data and results, products, inventions, works of authorship, trade secrets, processes, designs, formulas, patents, patent applications and licenses, business, marketing, sales, strategies, programs and commercial performance, including costs and prices, suppliers, manufacturers, customers, market data, staff and any other confidential or proprietary information relating to the performance of the aforementioned party’s obligations under the Agreement. In addition, each party's pre-existing Intellectual Property Rights shall be deemed Confidential Information.

2.8. “Applicable Laws” means all laws, regulations, policies, ethical rules, codes, guidelines and all other rules in force at the time you access and use the Devices and Digital Services, pertaining to the respective parties, to the activities contemplated by the Terms of Use and more generally to the content of the Agreement, including, but not limited, to those relating to personal data and the ethical rules you are subject to.

2.9. “Subscription Period” means the period defined in Article 2.11 of the T&Cs during which you are authorized to access and use the Digital Services in return for payment of the Subscription Price and are subject to compliance with the terms of the Agreement.

2.10. “Price” means the Purchase Price and the Subscription Price that you must pay to echOpen in accordance with the T&Cs.

2.11. “Registry” means, when applicable, the database of healthcare professionals in which you must be registered to be authorized to lawfully practice your professional activity in accordance with Applicable Laws.

2.12. “Digital Services” means the functionalities of storage of images collected with the Probe of echOpen On®, and echOpen XP®.

2.13. “Subscription Price” means the price that you must pay to echOpen in accordance with Article 4 of the T&Cs to access and use the Digital Services during the Subscription Period.

2.14. “Purchase Price” means the purchase price of the Devices that you must pay to echOpen in accordance with Article 4 of the T&Cs.

 

3. LICENCE

3.1. In consideration of the payment of the Price, we hereby grant you:

(i) ownership of the Probe, which you may associate with one or more individual access accounts to echOpen On® and the Digital Services;

(ii) for the duration of the Agreement, a limited, terminable, personal, non-transferable and non-exclusive license to use and access echOpen On®, subject to compliance with the terms of the Agreement and Applicable Laws. You acknowledge and agree that subscriptions to echOpen On® must be taken out on an individual basis, and you undertake that no person other than you will use your echOpen On® access codes; and

(iii) for the Subscription Period, a limited, terminable, personal, non-transferable and non-exclusive license to use and access the Digital Services, subject to compliance with the terms of the Agreement and Applicable Laws. You acknowledge and agree that subscriptions to the Digital Services must be taken out on an individual basis. Consequently, you undertake that no person other than you will use your access codes to the Digital Services that you have subscribed to.

3.2. Nothing in this Agreement grants you any Intellectual Property Rights in or relating to the Devices and Digital Services, including, without limitation, in or relating to the source code of echOpen On® and the Digital Services.

4. USE OF THE PRODUCTS

4.1. Following your purchase of the Devices and your subscription to the Digital Services, according to the terms of the General Terms and Conditions, we will activate your personal access code to access echOpen On® and the Digital Services.

4.2. You guarantee that:

i. You are (a) a healthcare professional authorized to perform ultrasound examinations in the country in which you practice, listed with the Registry when applicable, or (b) a student studying to become a healthcare professional and authorized as such to perform ultrasound examinations in the country in which you are studying, where appropriate under the supervision of a healthcare professional referred to above; and

ii. You comply with all the requirements arising out of the Applicable Laws, in particular the obligation to be covered by professional liability insurance for the exercise for which you will use the echOpen products.

4.3. Your use of the Devices must be restricted to strictly professional purposes and, with respect to the echOpen On® application and the Digital Services, must be limited to personal use. Consequently, you are prohibited from providing and authorizing the use of your access accounts to echOpen On® and the Digital Services to any person other than yourself.

4.4. The Probe (echOpen O1®) is a class IIa medical device intended for point-of-care ultrasound (POCUS) of adult patients to enable ultrasound imaging of organs and tissues of the human body. The echOpen On® application (excluding its functionality of storage of images collected with the Probe) is a class IIa medical device intended to monitor and present the output information of the dedicated ultrasound Probe in order to fulfill its intended use. Your use of the Devices must always comply with their purposes as described in the instructions for use, and aims at complementing your current working methods and offering you an improvement in your conditions of diagnosis which is carried out under your sole responsibility. You acknowledge that the use of the Devices does not replace or independently provide medical advice, treatment or diagnosis that you provide to your patients. It is your responsibility to ensure your safety and that of your patients, and to ensure that your use of the Devices complies with all Applicable Laws, where necessary the FAQ, and the Agreement.

4.5. Your use of the Devices and Digital Services must comply with the requirements provided for in the Agreement, the user instructions and, where necessary, the FAQ. In particular, you shall not:

(i) sublicense, assign or otherwise transfer or share, in whole or in part, the benefit of the licenses granted pursuant to Article 3.1 of the Terms of Use;

(ii) reproduce, by any means, in whole or in part, the Devices and the Digital Services;

(iii) decompile, disassemble or reverse engineer the object code or any source code of echOpen On® and echOpen XP®, or directly or indirectly permit third parties to do so;

(iv) correct, directly or indirectly, any malfunction of the Devices or Digital Services without the prior written consent of echOpen;

(v) lend, rent, sell or provide access, directly or indirectly, to the Devices and Digital Services to a third party in any manner whatsoever, except under the conditions provided for in the Agreement;

(vi) distribute or sell the Probe, free of charge or not, or use it to train third parties without the prior written consent of echOpen;

(vii) adapt, modify, convert or improve the Devices or Digital Services in whole or in part;

(viii) use the Devices and Digital Services in any manner whatsoever for the purposes of design, production, distribution or marketing of a similar, equivalent or substitute product;

(ix) use the Devices or Digital Services in any way that is likely to harm the reputation of echOpen, its image, trademark or any other right associated with the Devices or the Digital Services;

(x) use the Devices or the Digital Services in any manner that is likely to harm patients;

(xi) misuse echOpen On® or the Digital Services by knowingly introducing viruses, Trojan horses, worms, logic bombs, or other material which is malicious or technologically harmful; or

(xii) attempt to gain unauthorized access to echOpen On® or the Digital Services, the server on which echOpen On® or the Digital Services are stored or any server, computer or database connected to echOpen On® or the Digital Services.

4.6. In the event you fail to comply with any of the obligations provided for in this Article 4, your right to use the Devices and the Digital Services will cease immediately and echOpen will have the right to immediately terminate the Agreement in accordance with Article 8.2.2 of the T&Cs.

4.7. You must ensure that your Internet network and computerized systems comply with the specifications provided by echOpen and/or applicable industry standards for access to products and services of this nature. You are responsible for the installation and maintenance of the connection between your computer systems, the Devices and the Digital Services, and for any problems, delays, failures and any other loss or damage relating to your network connection and/or to your computer systems.

4.8. You are responsible for configuring your computer systems, electronic devices, computer programs, virus protection software and any other platforms necessary to use the Probe, echOpen On® and the Digital Services.

5. ACCESS TO ECHOPEN ON® AND DIGITAL SERVICES

5.1. EchOpen will use its best efforts to ensure that access to echOpen On® and the Digital Services is provided continuously and will not be interrupted by any event under our control.

5.2. Any maintenance or update of echOpen On® and/or the Digital Services will be notified in advance by echOpen, within a reasonable time and by any means allowing you to be reasonably informed. EchOpen will use its best efforts to minimize interruption to the use of echOpen On® and/or the Digital Services during this period.

5.3. We will notify you in writing (including by email) of any event other than those covered by Article 5.2, that may have a material impact on your access and use of echOpen On® and/or of the Digital Services, by providing you with sufficiently detailed information to allow you to reasonably understand the situation, the downtime of echOpen On® and/or the Digital Services and the implementation of any alternative or recovery system activities.

5.4. Upon your request or the request of any Competent Authority, we will provide you, your auditors or any Competent Authority, with such information, documents or records relating to the Devices or Digital Services as may reasonably be requested for monitoring purposes by any Competent Authority.

5.5. You must immediately inform echOpen of any control, audit or inspection concerning the Devices and/or Digital Services by a Competent Authority of which you become aware. Any response to a Competent Authority regarding the Devices and/or Digital Services must be prepared in accordance with echOpen's instructions and subject to the prior written approval (including by email) of echOpen. You undertake to cooperate with any Competent Authority and to implement all measures aimed at complying with the conclusions of the Competent Authority and remedying non-compliances identified by the latter.

6. DURATION AND TERMINATION

The duration of the Agreement and the termination terms are provided for in Article 8 of the T&Cs.

7. INTELLECTUAL PROPERTY

7.1. We exclusively own all Intellectual Property Rights in the Probe, echOpen On® and echOpen XP®, and in any additional module or any new version thereof. You acknowledge that you have no rights in, or to, the Devices and Digital Services, and in particular no Intellectual Property Rights, other than the right of ownership in the Probe and the right to use echOpen On® and the Digital Services in accordance with the terms and limitations of the Agreement.

7.2. We warrant that we hold and will continue to hold throughout the duration of the Agreement all rights necessary for the use of the Devices and Digital Services, and for the performance of our obligations under the Agreement.

8. DATA PRIVACY

8.1. In the course of performance of the Agreement, the parties must comply with all Applicable Laws regarding the protection of data privacy. You acknowledge that, under the Applicable Laws, you are the data controller and echOpen is a processor with regard to the processing of the patient's personal data generated as part of the use of the echOpen On® application, under the conditions provided for in Appendix 1. This means that, in this context, echOpen will only follow your instructions and will not, as a principle, use the patient's personal data for its own account.

8.2. Notwithstanding the foregoing, as part of research or to improve our services, products or algorithms, echOpen will be required to re-use certain patient personal data for its own account. EchOpen will therefore act as the data controller in this context and will comply with Applicable Laws. Appendix 2 of these Terms of Use describes the framework applicable to the re-use of certain data, which will be carried out in accordance with the reference methodology MR-004 (Deliberation no. 2018-155 of May 3, 2018). Your acceptance of these Terms of Use implies your full agreement to provide assistance in accordance with Appendix 2, so that echOpen can comply with the obligations arising therefrom.

8.3. You must never share personal data relating to your patients on the echOpen XP® application. Otherwise, you may be held liable to echOpen and your patients.

8.4. EchOpen collects and processes your personal data for the management of our commercial relationship and acts for this limited purpose as a data controller, under the conditions provided for in Appendix 3 of these Terms of Use.

9. MISCELLANEOUS

9.1. The Terms of Use and the T&Cs constitute the entire Agreement concluded between the parties relating to the subject matter hereof and supersede any and all prior oral or written agreement or arrangement.

9.2. In order to be binding upon the parties, any amendment or modification to this Agreement must be in writing and signed by both parties.

9.3. Nothing in the Agreement shall be construed as creating an employment relationship, a joint venture or a partnership between the parties. The relationship between echOpen and you is solely that of seller and buyer, and of licensor and licensee. Neither party is a partner, agent, joint venture or representative of the other party.

9.4. If one or more provisions of this Agreement are found to be invalid, illegal or unenforceable, in whole or in part, for any reason whatsoever, all other provisions of the Agreement shall remain valid and enforceable.

9.5. Each party undertakes, at its own expense, to take out and maintain appropriate insurance in a sufficient amount to cover its liability under the Agreement. Upon request of a party, the other party undertakes to provide written proof of the insurance thus contracted as soon as possible.

9.6. The Agreement is concluded intuitu personae and you may not transfer it, in whole or in part, to a third party without the prior written consent of echOpen.

9.7. Any dispute, disagreement or claim arising out of or relating to the Agreement, including concerning the validity and interpretation of the Agreement and non-contractual disputes and claims, shall be governed by and construed in accordance with the laws of France.

 

Appendix 1 - Protection of patients' personal data generated when using the echOpen On® application

1. Subject

1.1. The purpose of this appendix is to define the conditions under which the processor (i.e. echOpen) undertakes to carry out, on behalf of the data controller (i.e. the practitioner), the processing of personal data defined below.

1.2. In the context of their contractual relationship, the parties undertake to comply with the regulations applicable to the processing of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, which is applicable from 25 May 2018 (hereinafter the "General Data Protection Regulation" or "GDPR").

 

2. Description of the processing being outsourced

2.1. The processor is authorised to process, on behalf of the data controller, the personal data necessary for the provision of the following service(s): use of and access to the echOpen On® application (including the storage of health data).

2.2. The nature of the operations performed on the personal data is as follows: collection, recording, organisation, structuring, storage and consultation.

2.3. The purpose(s) of the processing is the use of the echOpen On® application (the storage of the patient's personal data and the resolution of any technical problems when using the echOpen On® application).

2.4. The personal data processed is mainly patient data:

● Personal data (identification): Last name, first name, date of birth, personal identification number (or PIN). In this respect, and in application of the principle of data minimisation, echOpen recommends that practitioners limit the personal data collected and, in particular, do not enter the patient's PIN in the free field when recording images or video.

● Health data (sensitive data cf. art 9 of the GDPR): in the form of images and/or in the form of video (known as ultrasound loops or sequences)

● Other data: metadata including technical setting data, as well as the device number of the device used and the date of data collection.

Concerning users (practitioners and/or health students):

● Personal data (identification): Title, surname, first name, professional e-mail address

● Other personal data (account data): UID (technical identifier assigned upon creation of the "echopen" account), e-mail identifier, password

● Other personal data (professional contact details): Registry number, medical specialization, qualifications, postal telephone number, serial number of the medical device purchased by the user, etc.

The categories of people concerned are practitioners and patients of the practitioner.

 

3. Obligations of the processor towards the data controller

 

3.1. The processor undertakes to:

i. Process personal data solely for the purpose(s) for which it is outsourced.

ii. Process the personal data in accordance with the documented instructions of the data controller (in particular in the event of technical problems and/or the need to repair/upgrade the echOpen On® application), and retain them for the period indicated by the data controller, i.e. 20 years from the last visit for care, unless Union law or the law of the Member State requires personal data to be retained for a different period.

iii. If the processor considers that an instruction infringes the GDPR or any other EU or Member State legal provision on data protection, it must immediately inform the data controller.

iv. In addition, where the processor is obliged to transfer personal data to a third country or an international organisation by virtue of Union law or the law of the Member State to which it is subject, the processor shall inform the data controller of this legal obligation prior to processing, unless the law concerned prohibits such information on important public interest grounds.

v. Guarantee the confidentiality of personal data processed hereunder.

vi. Ensure that the persons authorised to process personal data hereunder:

● have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;

● receive appropriate training in the protection of personal data.

vii. Take into account, at the level of its tools, products, the echOpen On® application or services, the principles of data protection from the design stage and by default.

3.2. The processor is authorised by the data controller to use the services of GPL Expert, an outsourced CISO [and OVH, an approved health data host, for the storage of health data] (hereinafter the "subsequent data processor" or "sub-processor"). In the event of recourse to other sub-processors at a later date, the processor must obtain the specific prior written authorisation of the data controller.

3.3. The sub-processor shall comply with the obligations set out herein on behalf of and in accordance with the instructions of the data controller. It is the responsibility of the initial processor to ensure that the sub-processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and applicable data protection law. If the sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the data controller for the performance by the sub-processor of its obligations.

3.4. As far as possible, the processor must assist the data controller in fulfilling its obligation to respond to requests to exercise the rights of data subjects.

3.5. The processor shall notify the data controller of any personal data breach within 24 hours of becoming aware of it by sending an email to dpo@echopen.com. This notification shall be accompanied by any useful documentation to enable the data controller, if necessary, to notify this breach to the competent supervisory authority.

3.6. Where necessary, the processor may assist the data controller in carrying out a data protection impact assessment and with regards to the prior consultation with the supervisory authority.

3.7. The processor undertakes to implement measures guaranteeing a level of security appropriate to the risk, in particular secure authentication and data encryption on smartphones and in communications. More generally, the processor shall implement means to guarantee the confidentiality, integrity, availability and constant resilience of the processing systems and services, as well as means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident, a procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing.

3.8. On completion of the services relating to the processing of such data or, at the latest, within three months of termination of the Agreement in accordance with article 8 of these Terms of Use, the processor undertakes to destroy all personal data with written confirmation of such destruction. The return must be accompanied by the destruction of all existing copies in the processor’s information systems, unless Union law or the law of the Member State requires the personal data to be retained. Once destroyed, the processor must justify the destruction in writing.

3.9. The processor shall provide the data controller with the name and contact details of its Data Protection Officer (DPO), if it has appointed one in accordance with Article 37 of the GDPR.

3.10. The processor declares that it keeps a written record of all categories of processing activities carried out on behalf of the data controller, in accordance with Article 30 of the GDPR, including:

3.10.1. the name and contact details of the data controller on whose behalf it is acting, of any processors and, where applicable, of the data protection officer;

3.10.2. categories of processing carried out on behalf of the data controller;

3.10.3. where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documents attesting to the existence of appropriate safeguards; and

3.10.4. as far as possible, a general description of technical and organisational security measures.

3.11. The processor shall make available to the data controller the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the controller or another auditor appointed by the controller, and to contribute to such audits.


Appendix 2 - Use of patient personal data generated as part of a research project

 

 

1. Preamble

In the context of the performance of these Terms of Use, the practitioner is the data controller and echOpen is a processor with regard to the processing of the patient's personal data generated in the context of the use of the echOpen On application.

 

As such, echOpen may not use the patient's personal data for its own account.

 

However, under certain conditions, further processing by the processor is permitted. The processor then becomes data controller for this new processing.

 

echOpen intends to re-use certain personal data in the context of research not involving the human person and in the context of studies or evaluations in the field of health, in accordance with Deliberation No. 2018-155 of 3 May 2018 approving the reference methodology of the same name ("MR-004").

 

The Parties have therefore agreed as follows.

 

2. Authorisation for re-use as part of a research project

Considering Article 5.(b) of the GDPR and also (i) whether there is a link between the purposes for which the personal data were collected and the purposes of the envisaged further processing; (ii) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the data controller; (iii) the nature of the personal data, in particular whether the processing involves sensitive data or personal data relating to criminal convictions and offences; (iv) the possible consequences of the envisaged further processing for the data subjects; and (v) the existence of appropriate safeguards, which may include encryption or pseudonymisation, the practitioner authorises the re-use by echOpen of the patient's personal data for the purposes of research projects not involving the human person or as part of studies or evaluations in the field of health.

 

Within the framework of this relationship alone, the practitioner will act as a processor and will undertake to carry out, on behalf of the data controller (i.e. echOpen), the processing of personal data defined below.

 

3. Description of processing

3.1. The processor may process, on behalf of the data controller, personal data necessary for carrying out research, studies and evaluations in the health sector which do not meet the definition of research involving the human person as defined in article L. 1121-1 of the CSP and which are of public interest.

3.2. The nature of the operations carried out on the personal data is as follows: holding, collection and/or transmission of data and/or biological samples used in the context of research, study or evaluation.

3.3. The purpose of the processing is to carry out research, studies and evaluations in the health sector which do not meet the definition of research involving the human person as defined in article L. 1121-1 of the CSP and which are in the public interest.

3.4. The personal data relating to the persons included in the research which may be processed are those listed in Article 2.2.3 "Nature of personal data" of the MR-004.

 

echOpen undertakes to collect or process only personal data that is strictly necessary and relevant to the objectives of the research. Consequently, each category of personal data may only be processed if their processing is scientifically justified in the research protocol.

 

3.5. The categories of persons concerned are the practitioner's patients.

 

4. Obligations of the parties

4.1. The processor undertakes to:

  1. Process personal data only for authorised purposes and in accordance with the MR-004.
  2. Process personal data in accordance with the data controller's documented instructions.
  3. If the processor believes that an instruction violates the GDPR or any other EU or Member State legal provision on data protection, it must immediately inform the data controller.
  4. Implement appropriate technical and organisational measures so that processing meets the requirements of the applicable regulations and guarantees the protection of the data subject's rights.
  5. Not transfer personal data to a third country (outside the European Union or the European Economic Area) or to an international organisation. If it is obliged to do so under EU law or the law of the Member State to which it is subject, the processor will inform the data controller of this legal obligation prior to processing, unless the applicable law prohibits such information on important grounds of public interest.
  6. Guarantee the confidentiality of personal data processed hereunder.
  7. Ensure that the persons authorised to process personal data hereunder:

      ● have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;

      ● receive appropriate training in the protection of personal data.

  8. Incorporate data protection principles into its tools, processes and services, right from the design stage and by default.

 

4.2. The processor may not use another processor (hereinafter the "subsequent data processor" or "the sub-processor") to carry out specific processing activities unless it informs the data controller in writing and obtains its consent. This information must clearly indicate the processing activities being subcontracted, the identity and contact details of the sub-processor and the dates of the processing agreement.

 

4.3. The sub-processor shall comply with the obligations set out herein on behalf of and in accordance with the instructions of the data controller. It is the responsibility of the initial processor to ensure that the sub-processor presents the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and applicable data protection law. If the sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the data controller for the performance by the sub-processor of its obligations.

 

4.4. At the time of personal data collection, the processor must provide its patients with information relating to the data processing that it carries out for the purposes of further processing on behalf of echOpen. The wording and format of the information is agreed with echOpen prior to data collection and sent to the processor in an appendix.

 

As far as possible, the processor must help the data controller to fulfil its obligation to respond to requests to exercise the rights of data subjects.

 

4.5. The processor shall notify the data controller of any personal data breach within 24 hours of becoming aware of it by sending an email to dpo@echopen.com. This notification shall be accompanied by any useful documentation to enable the data controller, if necessary, to notify this breach to the competent supervisory authority.

 

4.6. Where necessary, the processor shall assist the data controller in carrying out a data protection impact assessment and with regard to the prior consultation with the supervisory authority.

 

4.7. The processor undertakes to implement the following security measures, using the tools provided by echOpen, guaranteeing a level of security appropriate to the risk, including, inter alia, the pseudonymisation and encryption of personal data, the means to guarantee the constant confidentiality, integrity, availability and resilience of the processing systems and services, the means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident, a procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the security of processing.

 

In particular, the data processor undertakes to assist in ensuring that the data subjects can only be identified, in the databases containing personal health data created for the purposes of the research by the data controller, by means of a serial number or alphanumeric code, established in accordance with MR-004, and to the exclusion of any directly identifying personal data.

 

4.8. Upon completion of the services relating to the processing of such data, the processor undertakes to destroy all personal data in its possession relating to the subcontracted services, with written confirmation of such destruction.

 

4.9. The processor shall inform the data controller of the name and contact details of its Data Protection Officer (DPO), if it has appointed one in accordance with Article 37 of the GDPR.

 

4.10. The processor declares that it keeps a written record of all categories of processing activities carried out on behalf of the data controller, in accordance with Article 30 of the GDPR, including:

-        the name and contact details of the data controller on whose behalf it is acting, of any processors and, where applicable, of the data protection officer;

-        the categories of processing carried out on behalf of the data controller;

-        as far as possible, a general description of the technical and organisational security measures.

4.11. The processor shall make available to the data controller the documentation necessary to demonstrate compliance with all its obligations and to enable and assist with audits, including inspections, by the controller or another auditor appointed by the controller.


Appendix 3 – Data Privacy Policy

 

The purpose of this data privacy policy (the "Policy") is to inform users (i.e., practitioners, hereinafter "you", "your" and "users") of the Digital Services offered by echOpen Factory (located at 1 place du Parvis de Notre-Dame, 75004 Paris, hereinafter "echOpen", "we", "us" and "our") of the way in which we collect and process their personal data.

 

By "personal data", we mean information about you that could identify you, directly or indirectly, in the context of using the Digital Services, such as your name and contact details.

 

Under EU data protection legislation, echOpen is considered to be the "data controller" of the personal data collected about you for the purposes listed below. This means that it is up to echOpen to decide how it processes and retains your personal data. If, after reading this Policy, you have any further questions about the way in which echOpen collects and processes your data, please contact us at the following address: dpo@echopen.com.

 

What information do we collect about you and how do we use it?

 

The categories of personal data that we may collect, store and use are set out in the table below and, in each case, we have specified the purposes for which we use them and the "lawful basis" for processing them.

 

 

| Personal data categories | For what purpose | Lawful basis |
| --- | --- | --- |
| Personal data (Identification): Title, surname, first name, professional e-mail address | Contacting the user for relationship management purposes (e.g. CRM, customer service, billing, etc.). Making sure the user is authorised to access the Digital Services. | Necessary for the performance of the T&Cs (Terms and Conditions of Sale); Legitimate interests of echOpen (i.e. management of the commercial relationship) |
| Other personal data (account data): UID (technical identifier assigned when the account is created), e-mail identifier, password | Making sure the user is authorised to access the Digital Services and benefit from hosting, maintenance and support services. | Necessary for the performance of the T&Cs; Legitimate interests of echOpen (i.e. ensuring that authorised persons have access to the service) |
| Other personal data (professional contact details): Registry number, specialization, qualifications, postal address, professional telephone number, serial number of the medical device the user purchased | Making sure the user is entitled to access the Digital Services and benefit from hosting, maintenance and support services. | Necessary for the performance of the T&Cs; Legitimate interests of echOpen (i.e. ensuring that authorised persons have access to the service) |
| My echOpen account creation details: surname, first name, profession (medical specialization), e-mail address, if applicable, profile photo, description and password. | Account creation via My echOpen, profile editing, authentication. Use of all echOpen XP functions. Contacting the user for relationship management purposes (e.g. CRM, customer service, billing, etc.) | Necessary for the performance of the T&Cs; Legitimate interests of echOpen (i.e. ensuring that authorised persons have access to the service) |
| echOpen XP application user activity: tracking of user activity, including courses downloaded, quiz answers, progress in a course, answers given to proofreading quizzes, identity of stories viewed, posts liked, users followed and users who follow them. | Use of all echOpen XP functions. | echOpen's legitimate interests (i.e. ensuring that its users benefit from its services) |
| echOpen XP user activity: answers to quizzes, progress in a training course, answers to proofreading quizzes. | Carrying out research, studies and evaluations in the field of healthcare that do not meet the definition of research involving the human person as defined in article L. 1121-1 of the CSP and that are in the public interest. | Public interest of echOpen |
| Other personal data (account data): UID (technical identifier assigned when the account is created), speciality, qualifications and department of the professional postal address, serial number of the medical device that the user has purchased. | Carrying out research, studies and evaluations in the field of healthcare that do not meet the definition of research involving the human person as defined in article L. 1121-1 of the CSP and that are in the public interest. | Public interest of echOpen |

 

If you do not provide your identification data, you will not be able to access the Digital Services.

 

If you do not provide the aforementioned professional data for the management of the commercial relationship, echOpen will not be able to manage the relationship correctly.

 

How do we collect this information?

 

In general, we collect your personal data when you enter it voluntarily in response to invitations/forms placed at various points on our Digital Services.

 

We also collect your e-mail address from the e-mails you send us.

 

With whom will personal data be shared?

 

We take all necessary measures to ensure the security and confidentiality of the personal data collected. In addition, only a limited number of authorised persons, by virtue of their activities within echOpen, may access your data.

 

We may share your personal data with third parties, for example as part of a possible sale or restructuring of our business, or where it is necessary for reasons of legitimate interest (for example sharing information with a service provider to help us improve our services). We may also share your personal data with a regulatory body or to comply with the law.

 

We require all third parties (including service providers) to respect the security of your personal data and to process it in accordance with the law.

 

We may transfer the personal data we collect about you to countries outside the European Economic Area (EEA) that do not have the same data protection legislation standards as the EEA.

 

Where this is the case, we will put in place (or require a processor to put in place) appropriate safeguards such as the EEA approved standard contractual clauses to ensure that your personal data is processed in a way that complies with the applicable regulations.

 

How long do we keep your information?

 

We keep your personal data only for as long as is necessary for the purposes for which we collected it, and in particular for the duration of the Agreement (extended by the applicable appeal periods and the mandatory retention period) in the case of data collected for the performance of the Agreement or for customer relationship management.

 

As a general rule, we will retain information relevant to our relationship with you for 3 years from the date of our last contact.

 

We may, in certain circumstances, anonymise your personal data so that it can no longer be used to identify you, in which case we may use this information (in particular for statistical purposes) for an unlimited period of time.

 

As soon as we no longer need your personal data for the purposes for which it was collected, we will destroy it securely in accordance with the applicable laws and regulations.

 

Your rights regarding your personal data

 

It is important that the personal data we hold about you is accurate and up to date. Please inform us of any changes to your personal data during the course of your relationship with us.

 

You have rights as an individual which you can exercise in relation to the information we hold about you in certain circumstances.

 

You have the right to:

-      request access to your personal data and ask for certain information relating to its processing;

-      request rectification of your personal data;

-      request the deletion of your personal data;

-      request that the processing of your personal data be restricted;

-      object to the processing of your personal data;

-      request the transfer of your personal data to a third party.

 

If you wish to exercise any of these rights, please contact us at the following address: dpo@echopen.com.

 

You also have the right to lodge a complaint at any time with the competent supervisory authority. In France, this is the CNIL, located at 3, place de Fontenoy, 75007 Paris.

 

Fees

 

In general, you will not be charged a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. In these circumstances, we may also refuse to comply with the request.

 

Information we may need

 

We may need to ask you for specific information to help us confirm your identity and ensure your right of access to data (or so that you are able to exercise one of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to anyone not authorised to receive it.

 

Security

 

We take the necessary technical and organisational security measures to protect the data we manage, in particular against the risks of manipulation, loss, destruction and access by unauthorised persons. We are constantly improving our security measures in line with technological developments. However, no electronic transmission or storage of information can be guaranteed to be secure. You should therefore always exercise caution when transmitting information over the Internet.

 

Changes

 

We will generally inform all users of any significant changes to this Policy via our Digital Services.