Privacy policy of Emmy app (patient section) and www.sestraemmy.sk

Your privacy is very important to us. This Privacy Policy (hereinafter referred to as “Principles”) aims to inform you in a transparent manner about the processing of your personal data in connection with the operation of the patient part of the Emmy web application accessible at https://moja.emmy.sk/ (hereinafter referred to as “Application”) and the websites accessible at www.emmy.sk (hereinafter referred to as “Web”). The Principles form an integral part of the Terms of Use of the patient section of the Application (hereinafter referred to as “Terms and Conditions”).


1. Role in processing

1.1. Our company Emmy Medical s.r.o., ID: 06785247, with registered office in Levohradecká nam. 1066, 252 63 Solutions (hereinafter referred to as “Emmy or Mijn”) may be, in relation to the processing of your personal data, the controller or the processor. Emmy's role always depends on the purpose of the processing.

1.2. Emmy is primarily the administrator in connection with the management of your patient user account in the Application (hereinafter referred to as the “User Account”) and the operation of the Application and the Website interface. With regard to the handling of your requests in the Application (hereinafter referred to as “Requests”), including the appointment of a personal visit and related communications, the administrator is always the chosen healthcare provider (hereinafter referred to as “PZS”). Emmy then acts for PZS in the role of a processor who processes the data under the responsibility of PZS.

1.3. Emmy is in no way a controller in relation to your sensitive health data processed in the Application. This is always only your chosen PZS with whom you communicate.

1.4. As a registered user of the Application (hereinafter referred to as “User”) you can easily determine which PZS is the controller of personal data in relation to your Requests visible in the Application. The selected PZS is always clearly identified in the Application interface.


2. Emmy as administrator

As a controller, Emmy may process your personal data for the purposes listed below. No automated decision-making, including profiling, takes place during these processing operations.

Emmy is an administrator for the following purposes:

2.1. Managing a User Account in the Application

This purpose also includes linking to selected PZS (transferring data for the purpose of User verification), sending notifications to the Application about changes in the status of your Requests, sending information regarding the contractual relationship and providing support services in relation to the User Account. The legal basis for the processing in question is a contract or its performance (Article 6 (1) (b) GDPR).

The categories of personal data concerned may be:

identification data (e.g. name, surname, date of birth, number of insured person, gender), contact details (e.g. email, phone, address), logins, settings and activity data of the User Account (e.g. time data, PZS prefixes, notifications received, IP address), details of the contractual relationship (for example, its beginning), the content of the communication (about support).

As a rule, the source of the data is you directly, while only some auxiliary data can be collected automatically. The provision of identification and contact data is a contractual requirement and, therefore, if this data is not provided, it is not possible to create a User Account. We need the number of the insured person (birth number) in order to transfer it to the PZS to verify the User.

For this purpose, the data will be processed for the duration of our contractual relationship, and subsequently some data may be further processed on the basis of our legitimate interests (Article 6 (1) (f) GDPR) for the protection of rights and property, up to the statutory limitation periods.

2.2. Ensuring the operation of the Application and the Web and improving them

This includes ensuring the security, availability and performance of the Application and the Web, as well as their further development. The legal basis for this processing is Emmy's legitimate interests in providing quality services (Article 6 (1) (f) GDPR).

The categories of personal data concerned may be:

identification data (e.g. first name, last name), contact details (e.g. e-mail), usage data (e.g. number of visits, time data, IP address, location, device), feedback.

The source of the data is primarily their automatic collection (logging), for which we can also use third-party tools (e.g. Google Analytics), but we may also use the data you provide to us to collect feedback.

The data will be processed for this purpose for the period necessary to fulfill it (generally 6-14 months). If necessary, this data may also be used on the basis of our legitimate interests (Article 6 (1) (f) GDPR) to defend rights and property.

2.3. Sending news and other announcements

This purpose includes the sending of newsletters and other communications to the Users of the Application, where the sending does not fall under another processing purpose specified in this Policy. The legal basis for the processing in question is Emmy's legitimate interests in maintaining contact with the customer (Article 6 (1) (f) GDPR).

The categories of personal data concerned are:

identification data (e.g. first name, last name), contact details (e.g. e-mail, telephone).

The source of the data is you directly; it is the data entered when creating a User Account.

For this purpose, the data will be processed until you decline to receive notifications (by unsubscribing) or object to this processing, but for the duration of our contractual relationship at the latest.

2.4. Responding to questions

This includes handling your questions or requests in the event that you are not a User of the Application and do not wish to become one. The legal basis for the processing in question is your consent expressed together with the sending of the relevant question or request (Article 6 (1) (a) GDPR).

The categories of personal data concerned are:

identification data (e.g. first name, last name), contact details (e.g. e-mail, telephone), the content of communication.

The source of the data is you directly; it is data provided by you completely voluntarily.

The data will be processed for this purpose for the period necessary to fulfill it.

2.5. Fulfillment of legal obligations

This includes the processing of data to comply with our legal obligations, e.g. responding to a data breach, responding to the exercise of rights, etc. The legal basis for such processing is the fulfilment of Emmy's legal obligation (Article 6 (1) (c) GDPR).

The categories of personal data concerned are:

identification data (e.g. first name, last name), contact details (e.g. e-mail, telephone), details of the contractual relationship, other data necessary to fulfil the relevant obligation.

The source of the data may be you directly or it may be data collected automatically.

For this purpose, the data will be processed for the period necessary to comply with the relevant legal obligation or for the period directly established by law.


3. PZS as administrator and Emmy as processor

In relation to most of your personal data processed within the Application, Emmy acts as a processor. For the general purpose of processing set out below, the controllers are the PZS chosen directly by you.

The respective PZS, as the controller, is responsible for having a legal basis for the processing and for providing you with all information about the data processing carried out through the Application. Given that each PZS has the possibility to influence the scope of the data processed, the period of their retention and the precise purpose of the processing, the information referred to in this Article 3 is of a general and informative nature only, and its accuracy and completeness is not guaranteed.

PZS generally use the Application to process your data for the following purpose:

3.1. Organization of the provision of health care and communication of data to patients

This includes maintaining a patient directory, verifying your identity as an Application User and receiving your Requests, or the creation of Requests by PZS. Further, it includes the processing of registered Requests, including ordering personal visits and carrying out related communications, i.e. sending messages to the Application or reminders to your contacts.

The legal basis may be the negotiation of the contract or its performance (Article 6 (1) (b) GDPR), or the fulfilment of a legal obligation of the PZS (Article 6 (1) (c) GDPR). Sensitive health data are then, as a rule, processed by PZS on the legal basis for the provision of health care pursuant to Article 9 (2) (h) GDPR or, where applicable, express consent pursuant to Article 9 (a) GDPR, if it has been granted to the PZS.

The categories of personal data concerned may be:

identification data (e.g. name, surname, date of birth), contact details (e.g. e-mail, telephone, address), data relating to the Request (e.g. health data, PPS order data, employment data), insurance data (e.g. type, health insurance company, number of the insured person), data on registration with PZS (including, for example, language of communication).

The source of the data is you directly or it may be data collected in the provision of health care, including data from state registers or registers of health insurance companies. The recipients of the data are employees of PZS and Emmy (primarily as a processor).

For this purpose, the data will be processed by PZS in the Application for the period necessary to fulfill the purpose of the processing. PZS, as administrator, is entitled to delete all data from the Application at any time. The data will also be deleted from the Application in the event of termination of the contractual relationship between Emmy and PZS.

In connection with the processing of these data, based on the legitimate interest of the PZS in assessing the effectiveness of the use of the Application (Article 6 (1) (f)), anonymous aggregated statistics describing the use of the Application by patients may be generated.

3.2. Sending news and other announcements

Based on its legitimate interest in high patient awareness (Article 6 (1) (f) GDPR), PZS may use your identification data (name and surname) and contact details (e.g. e-mail or telephone) for the purpose of sending newsletters and other information communications, including notifications of interest in the performance offered, provided that the regulation on sending commercial communications (if applicable) is complied with. The recipients of the data are employees of PZS and Emmy (as the processor). In the event of an epidemic outbreak of a serious infectious disease (e.g. COVID-19), other legal bases (e.g. Article 6 (1) (e) ad) of the GDPR apply for the use of the above data for the purpose of sending a notification of interest in vaccination covered by the health insurance policy. In addition, additional data referred to in Article 3.1 may be used, including sensitive data on state of health (based on Article 9 (2) (i) GDPR). The regulation on the sending of commercial communications does not apply in this case. The subsequent implementation of the vaccination may also be associated with special reporting obligations of the PZS (based on Article 6 (1) (c) GDPR), when other recipients of the data are mainly public authorities (e.g. MZ, health insurance companies).

In connection with the use of processing IT services, data may be transferred to a third country (USA) to a limited extent for this purpose, in which case appropriate safeguards are provided through so-called standard contractual clauses and binding corporate rules.


4. Recipients and data transmission

4.1. Your personal data, processed by Emmy as administrator, may be disclosed to the persons involved in the processing to the extent strictly necessary. These are Emmy's employees and our carefully selected processors, in particular those involved in the maintenance and support of the Application and providers of IT services or identity verification, whose current list can be found at the end of this document. Emmy contractually ensures that all its employees and persons authorised to process data on behalf of other processors are bound by the obligation of confidentiality.

4.2. Your personal data processed by Emmy as administrator may be further disclosed to your chosen PZS (in particular for the purpose of verifying the User), to the extent necessary also to our advisers bound by the obligation of confidentiality (e.g. lawyer), and to the extent provided by law also to public authorities.

4.3. You can rest assured that we will not sell your personal information to anyone and that we will not disclose it to third parties other than as described in this policy.

4.4. All personal data is stored on servers in the data center of our processor Amazon Web Services EMEA SARL (hereinafter “AWS”) located in the EU. The transfer of your data to third countries (generally the USA) can only take place to a limited extent (e.g. in connection with the use of the Website or the use of tools such as Google Analytics), in which case appropriate guarantees are always provided, through so-called standard contractual clauses, a copy of which you can request.


5. Security

5.1. We really care about the security of your data, which is why we emphasize strict security measures when processing it, whether in the role of administrator or processor.

5.2. All data exchanged between you and PZS is encrypted during transmission. Our trained employees will only access your data when necessary and in accordance with this Policy, and only a minimum number of designated employees are entitled to access, who are additionally bound by a duty of confidentiality.

5.3. AWS, which Emmy uses as an IT infrastructure provider, holds ISO 27001, ISO 27017, and ISO 27018 security certifications. We use Amazon Cognito services to secure all access to Emmy. AWS services are used by banking, financial, and healthcare providers around the world. For more information about AWS datacenter security (in English), see here.


6. Cookies

6.1. The Application uses cookies as described in the cookie policy, which is available here.


7. Commercial Notice

7.1. In the event that we want to send you a commercial notification, we will first give you the option to decline the sending. Unless you reject it, Emmy will be entitled to use your contacts (email, telephone) to send messages that are in the nature of commercial communications. The processing of your personal data in this case is described in Article 2.3. You can then opt out of receiving notifications in the manner indicated in each individual notification, for example via an unsubscribe link.

7.2. You can rest assured that we will not abuse your contact options and that we will never send you advertising messages about third party products or services.


8. Your rights

In relation to the processing of personal data, you have the following rights whenever the conditions established by law are met. You can exercise your rights against Emmy as administrator through our Data Protection Officer, whose contact details can be found in Article 9. Please note that with regard to processing where the PZS is the controller (see Article 3), you must exercise your rights directly with the respective PZS, whose contact can be found in the Application interface.

The data subject shall have the following rights:

8.1. The right to access personal data, i.e. the right to request confirmation as to whether your data is being processed and, if so, to obtain information about the processing in question or a copy of the processed data;

8.2. The right to request the correction of inaccurate or incomplete data;

8.3. The right to request the immediate erasure of the processed data, if one of the reasons provided for by law is given;

8.4. The right to request a temporary restriction of the processing of personal data, if one of the reasons provided for by law is given;

8.5. The right to object to the processing of data on the legal basis of legitimate interests or for direct marketing purposes;

8.6. The right to withdraw consent to the processing of personal data at any time;

8.7. The right to the portability of personal data, i.e. the right to request the processed data in a structured, machine-readable format, provided that the conditions laid down by law are met.


9. Contact

9.1. If you have any questions regarding the exercise of your rights or any questions regarding the processing of personal data, you can contact our Data Protection Officer by e-mail at poverenec@emmy.sk, or contact us in writing at the address of the registered office of the company. If you have a complaint regarding the processing of personal data, you have the right to contact the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic. More information can be found at www.dataprotection.gov.sk


List of personal data processors

- Amazon Web Services EMEA SARL, Czech Branch, ID: 09049266, with registered office Sokolovská 689/115, 186 00 Prague
- Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA
- Formagrid Inc. (AirTable), 799 Market Street Fl 8, San Francisco, CA 94103, USA
- Solitea, a.s. (operator of the IdoKlad service), ID: 01572377, with registered office Drobný 555/49, Ponava, 60200 Brno
- SENDINBLUE, 7 rue de Madrid, 75008 Paris, France
- Vocalls Inc s.r.o., ID: 06413421, with registered office Rostovská 314/14, Vršovice, 101 00 Praha 10
- Zendesk Inc., 989 Market Street, San Francisco, CA 94103, USA


Version 1.1

Effective from 1. 1. 2023
