PRIVACY POLICY
Data Collection and Use:
Help Me Doctor S.R.L. collects personal information, including name, contact details, medical history, and other relevant data, for the purpose of providing medical opinions on the Platform.
Personal data is collected with the user's consent and may include sensitive health information necessary for medical opinions.
Personal data will only be used in accordance with applicable data protection laws and for the purposes specified in this Privacy Policy.
Data Retention:
Help Me Doctor S.R.L. retains user personal data for the period necessary to fulfill the purposes outlined in this Privacy Policy and as required by applicable laws.
The retention period may exceed 20 years, as mandated by the applicable law, in order to meet legal and regulatory obligations.
Data Sharing:
Help Me Doctor S.R.L. shares personal data with medical professionals on the Platform to facilitate the provision of medical opinions.
Personal data will not be shared with third parties without the user's explicit consent, except as required by law.
Third-party service providers may have access to personal data for purposes such as hosting, maintenance, and support. These providers are bound by contractual obligations to protect the confidentiality and security of personal data.
Data Security:
Help Me Doctor S.R.L. takes appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
These measures include encryption, secure storage, access controls, and regular security assessments.
Despite these measures, Help Me Doctor S.R.L. cannot guarantee the absolute security of personal data transmitted through the internet.
User Rights:
Users have the right to access, rectify, or delete their personal data held by Help Me Doctor S.R.L. by contacting the medical office of the platform at ask@helpme.doctor.
Users also have the right to object to the processing of their personal data, restrict its processing, or request data portability.
Users have the right to withdraw their consent to the processing of personal data at any time.
Help Me Doctor S.R.L. will respond to user requests regarding their rights within the timeframes and requirements specified by applicable data protection laws.
Users have the right to access, rectify, or delete their personal data held by Help Me Doctor S.R.L. by contacting our support team.
Automated Decision-Making and Profiling:
Help Me Doctor S.R.L. may use automated decision-making or profiling techniques to improve the Platform's performance and tailor the medical opinions to user needs.
Users have the right to request information about the logic involved in any automated decision-making process and its potential consequences.
Communication and Marketing:
Help Me Doctor S.R.L. may communicate with users regarding updates, changes to the Platform, or relevant healthcare information.
Users may choose to opt-out of receiving marketing communications by following the instructions provided in the communication or by contacting our support team.
Personal Data: The platform takes the privacy of patients' personal data very seriously.
The platform collects and processes personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The platform's privacy policy explains how the platform collects, uses, and discloses patients' personal data. By using the platform's services, patients acknowledge and agree to the terms of the platform's privacy policy. The platform encourages patients to review the privacy policy carefully and contact the platform's customer support team with any questions or concerns.
Patients have the right to access, rectify, and erase their personal data processed by the platform, as well as the right to restrict or object to the processing of their personal data in certain circumstances. Patients also have the right to receive a copy of their personal data processed by the platform in a structured, commonly used, and machine-readable format. Patients may exercise their rights by sending a written request to the platform's customer support team at [insert email address].
International Data Transfers: The platform may transfer patients' personal data to countries outside the European Economic Area (EEA) or the United States, which may not have the same data protection laws as patients' country of residence.
The platform takes steps to ensure that any such international data transfers are made in compliance with applicable data protection laws.
The platform relies on the following legal mechanisms for transferring personal data outside of the EEA or the United States:
Standard Contractual Clauses: The platform may use standard contractual clauses approved by the European Commission to ensure that any international data transfers comply with EU data protection laws.
Privacy Shield: The platform may rely on the EU-US Privacy Shield framework for transfers of personal data from the EU to the United States. The platform ensures that any recipients of personal data in the United States have self-certified under the Privacy Shield framework.
Consent: The platform may obtain patients' explicit consent to transfer their personal data outside of the EEA or the United States.
By using the platform's services, patients acknowledge and agree to the transfer of their personal data to countries outside of the EEA or the United States.
Patients may contact the platform's customer support team at [info@helme.doctor] for more information on the legal mechanisms used by the platform to ensure compliance with applicable data protection laws.
Your Rights: Patients have certain rights with respect to their personal data processed by the platform. These rights include:
Right to access: Patients have the right to obtain confirmation as to whether or not their personal data is being processed by the platform, and to obtain access to their personal data and certain information about how it is being processed.
Right to rectification: Patients have the right to request that the platform correct any inaccuracies or errors in their personal data.
Right to erasure: Patients have the right to request that the platform erase their personal data in certain circumstances, such as where the personal data is no longer necessary for the purposes for which it was collected or processed.
Right to restrict processing: Patients have the right to request that the platform restrict the processing of their personal data in certain circumstances, such as where the accuracy of the personal data is contested by the patient.
Right to data portability: Patients have the right to receive a copy of their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to object: Patients have the right to object to the processing of their personal data in certain circumstances, such as where the processing is based on the platform's legitimate interests.
Patients may exercise these rights by sending a written request to the platform's customer support team at ask@helpme.doctor.
The platform will respond to such requests in accordance with applicable data protection laws.
Updates to the Policy:
The platform may update this privacy policy from time to time to reflect changes in its practices, or for other operational, legal, or regulatory reasons.
Any changes to this policy will be posted on the platform's website, and patients will be notified of any material changes to this policy.
Patients should check the platform's website periodically for updates to this policy.
By continuing to use the platform's services after any changes to this policy, patients acknowledge and agree to be bound by the updated policy.
If patients do not agree with any changes to this policy, they should stop using the platform's services.
Please note that this Privacy Policy is subject to periodic review and may be updated to reflect changes in legal or regulatory requirements. Users will be notified of any material changes to the Privacy Policy through the Platform or other appropriate means.
COOKIE POLICY
Cookies:
The Platform uses cookies, which are small text files stored on the user's device, to enhance the user experience and collect information about website usage.
Cookies are essential for the proper functioning of the Platform and help provide personalized features and improved performance.
Cookies can be disabled or deleted through the browser settings.
Types of Cookies:
Functional Cookies: These cookies are necessary for the operation of the Platform and enable users to navigate the site, access secure areas, and use essential features.
Analytical Cookies: These cookies collect anonymous information about website usage, such as the number of visitors, pages visited, and the source of traffic. This data helps us understand and improve the performance and usability of the Platform.
Third-Party Cookies: The Platform may use third-party cookies, such as those from advertising or analytics providers, to enhance user experience, deliver targeted advertisements, or gather usage statistics. These cookies are subject to the respective third parties' privacy policies.
Consent:
By using the Platform, you consent to the use of cookies as described in this Cookie Policy.
Users have the option to manage cookie preferences through their browser settings or by using the cookie consent banner provided on the Platform.
Please note that disabling or blocking certain cookies may affect the functionality and performance of the Platform.
Tracking Technologies:
In addition to cookies, Help Me Doctor S.R.L. may use other tracking technologies, such as web beacons or pixel tags, to gather information about user interactions with the Platform and emails.
These technologies help us measure the effectiveness of our communications, improve the Platform, and provide a more personalized experience.
Third-Party Cookies:
Help Me Doctor S.R.L. may engage third-party service providers who may set cookies on the user's device when accessing the Platform.
These third-party cookies may be used for various purposes, such as targeted advertising, analytics, or social media integration. Users should review the respective privacy policies of these third parties to understand their data collection and processing practices.
Cookie Settings:
Users have the option to manage cookie preferences through their browser settings, which allow them to accept or reject cookies or delete existing cookies.
The Platform's cookie consent banner provides options for users to manage their cookie preferences.
The platform uses cookies to enhance the user experience and to collect information about how patients interact with the platform.
Cookies are small text files that are placed on a patient's device when they visit the platform.
The platform may use both session cookies (which expire when the patient closes their browser) and persistent cookies (which remain on the patient's device until they expire or are deleted).
The platform uses cookies for the following purposes:
Authentication: The platform uses cookies to verify patients' identity when they log in to the platform.
Preferences: The platform uses cookies to remember patients' preferences and settings, such as language preferences and notification settings.
Analytics: The platform uses cookies to collect information about how patients interact with the platform, such as which pages are visited most frequently and which features are used most often. The platform uses this information to improve the platform's functionality and to understand how patients use the platform.
Advertising: The platform may use cookies to collect information about patients' browsing history and to deliver targeted advertising to patients on the platform or on other websites.
Patients may disable cookies in their browser settings, but doing so may limit their ability to use certain features of the platform.
By continuing to use the platform's services, patients acknowledge and agree to the use of cookies as described in this policy.
DIGITAL POLICY AND NOTICE MANAGEMENT
Notice Management:
Help Me Doctor S.R.L. maintains a digital policy and notice management system to ensure compliance with applicable data protection laws,
including the General Data Protection Regulation (GDPR).
The system includes processes and procedures for managing user notices, consent, and communication related to the processing of personal data.
User Notices:
Help Me Doctor S.R.L. provides users with clear and transparent notices regarding the collection, processing, and purpose of personal data.
Users are informed about their rights, including the right to access, rectify, or delete personal data, and how to exercise these rights.
Notices are provided during the registration process, on the Platform's website, and through communication channels such as email or notifications.
Consent Management:
Help Me Doctor S.R.L. obtains explicit consent from users for the processing of their personal data, where required by law.
Users have the option to provide or withdraw consent through the Platform's settings or by contacting our support team.
The consent management system keeps records of user consents and allows users to review and modify their consent preferences.
Communication:
Help Me Doctor S.R.L. communicates with users regarding updates, changes to the Platform, or any other relevant information related to their use of the services.
Communication may be through email, notifications within the Platform, or other means specified by the user.
Users have the option to opt out of non-essential communications, such as marketing or promotional messages, through the provided unsubscribe mechanisms.
User Requests and Rights:
Help Me Doctor S.R.L. has established processes to handle user requests related to their rights under the GDPR, such as access, rectification, erasure, restriction, or data portability.
Users can exercise their rights by contacting the medical office of the platform at ask@helpme.doctor or through the designated user request channels.
Help Me Doctor S.R.L. will respond to user requests within the timeframes and requirements specified by applicable data protection laws.
Data Protection Officer (DPO):
Help Me Doctor S.R.L. has designated a Data Protection Officer (DPO) who is responsible for overseeing the company's data protection activities and ensuring compliance with data protection laws and regulations.
The DPO serves as a point of contact for users and supervisory authorities regarding privacy-related matters.
Please note that this Digital Policy and Notice Management section outlines the company's commitment to managing user notices, consent, and communication in accordance with applicable data protection laws. It is essential to continuously monitor and update these processes to ensure ongoing compliance.
DATA MAPPING
Data Inventory:
Help Me Doctor S.R.L. maintains a comprehensive data inventory that includes all personal data processed on the Platform.
The data inventory includes the types of personal data collected, the purposes of processing, and any third parties involved in the processing.
Examples of personal data collected may include user contact information, medical history, and communication records.
Data Flow:
Help Me Doctor S.R.L. maps the flow of personal data throughout the Platform, from collection to storage and sharing.
The data flow mapping identifies the entities involved, the purposes of processing, and the mechanisms in place to ensure data protection.
Data flow may include user data entered during registration, data shared with medical professionals, and data stored for record-keeping purposes.
Data Retention:
Help Me Doctor S.R.L. establishes data retention periods in accordance with legal requirements and the purposes for which the data is processed.
The data mapping includes information on how long personal data is retained and the criteria used to determine retention periods.
For example, user data may be retained for the duration of the user's account and for a longer period to meet legal obligations.
Third-Party Service Providers:
Help Me Doctor S.R.L. engages specific third-party service providers or sub-processors to assist in the processing of personal data.
These third parties may include providers of hosting, maintenance, translation services, avatars provider, payment agency, or invoice delivery systems.
The data mapping identifies the third parties involved and their role in processing personal data.
Help Me Doctor S.R.L. ensures that these third parties are compliant with applicable data protection laws and have appropriate safeguards in place.
International Data Transfers:
Help Me Doctor S.R.L. may transfer personal data to countries outside the European Economic Area (EEA) for processing or storage purposes.
The data mapping includes details of such data transfers, the countries involved, and the legal mechanisms used to ensure adequate protection, such as standard contractual clauses or other lawful mechanisms.
Security Measures:
Help Me Doctor S.R.L. implements appropriate technical and organizational security measures to protect personal data.
The data mapping includes details of the security measures in place, such as encryption, access controls, and regular security assessments.
These measures aim to prevent unauthorized access, disclosure, alteration, or destruction of personal data.
Please note that the Data Mapping section is intended to provide an overview of how personal data is processed and flows within the Help Me Doctor S.R.L. platform. It is crucial to regularly review and update the data mapping to ensure it accurately reflects the company's data processing activities and compliance with applicable data protection laws.
ETHICAL POLICY
Professional Conduct:
Help Me Doctor S.R.L. is committed to upholding high ethical standards in the provision of medical opinions and the operation of the Platform.
Medical professionals on the Platform are expected to maintain professional conduct, including respecting patient confidentiality and providing accurate and unbiased medical advice.
All users, including medical professionals, are expected to adhere to the following ethical guidelines:
i. Professionalism: Maintain professionalism in all interactions and communications with users, demonstrating respect, empathy, and cultural sensitivity.
ii. Confidentiality: Respect and protect the privacy and confidentiality of user information, ensuring compliance with applicable laws and regulations.
iii. Integrity: Provide accurate, reliable, and unbiased medical opinions based on the information provided by users, avoiding conflicts of interest and maintaining independence.
iv. Informed Consent: Obtain informed consent from users before providing medical opinions, ensuring they have a clear understanding of the purpose, potential risks, and limitations.
v. Non-Discrimination: Treat all users with fairness, without discrimination based on race, ethnicity, gender, religion, disability, or any other protected characteristic.
vi. Data Protection: Handle personal data in accordance with applicable data protection laws and ensure appropriate security measures are in place to safeguard user information.
vii. Continuous Professional Development: Engage in ongoing education and professional development to stay updated with medical advancements and best practices.
viii. Advertising and Promotions: Refrain from making false or misleading claims in advertising or promotions and adhere to applicable advertising regulations.
ix. Reporting Obligations: Report any suspected unethical conduct or violations of the ethical code to the appropriate authorities within the platform.
Patient Rights:
Help Me Doctor S.R.L. respects and upholds the rights of patients, including the right to privacy, confidentiality, and informed decision-making.
Patient data is handled with strict confidentiality and in compliance with applicable data protection laws.
Quality Assurance:
Help Me Doctor S.R.L. is committed to ensuring the quality and accuracy of the medical opinions provided on the Platform.
Quality assurance measures include the following:
i. Verification Process: Medical professionals applying to provide opinions on the Platform undergo a rigorous verification process that includes verification of their medical license, professional insurance, and CV.
ii. Peer Review: Encourage peer review and collaboration among medical professionals to ensure the accuracy and reliability of medical opinions.
iii. User Feedback: Solicit and consider user feedback to continuously improve the quality of services and address any concerns or issues raised.
iv. Continuous Improvement: Regularly review and update the ethical code and quality assurance processes to align with industry best practices and regulatory requirements.
Conflict of Interest:
Help Me Doctor S.R.L. has policies and procedures in place to identify and manage conflicts of interest among medical professionals on the Platform.
Medical professionals are required to disclose any conflicts of interest that may impact the objectivity of their medical opinions.
Continuous Improvement:
Help Me Doctor S.R.L. regularly reviews and updates its ethical policies to ensure alignment with industry best practices and regulatory requirements.
Feedback from users and medical professionals is taken into account for the continuous improvement of ethical practices on the Platform.
Please note that this Ethical Policy and the included ethical code are intended to guide the behavior and conduct of all users on the Help Me Doctor S.R.L. platform. It is essential for all users to familiarize themselves with and adhere to the ethical guidelines outlined in this policy.
Please note that the provided legal dressing is a general outline and should be customized to fit your specific requirements and reviewed by legal professionals to ensure compliance with applicable laws and regulations in Europe and the USA.
SAFETY AND REGULATORY COMPLIANCE
1. Security Measures: Help Me Doctor S.R.L. adopts all the security measures required by industry standards and current legislation, including but not limited to:
• Adoption of ISO-IEC 27001:2017 requirements for information security management.
• Compliance with the National Cybersecurity Framework and the Prime Ministerial Decree of 29 September 2015, n. 178.
• Implementation of the security measures envisaged by Article 32 of the GDPR.
• Compliance with Article 2 septies of Legislative Decree 196/2003 (Privacy Code).
2. Verification of the Software Code: Help Me Doctor S.R.L. performs the following checks to ensure the security of the software code used on the platform:
• Verification of the functional safety of the portal software code.
• Verification of the static security of the portal software code.
• Verification of the functional safety of the translation software code.
• Verification of the static security of the translation software code.
• Verification of the functional safety of the vocalization software code.
• Verification of the static security of the speech software code.
3. Security Features of AWS Servers: Help Me Doctor S.R.L. evaluates and adopts the following security features for the AWS servers it uses:
• Evaluation of AWS service characteristics (such as TIER, SLA, RTO, RPO, etc.).
• Encryption of data in transit and at rest.
• Pseudonymization of personal health data.
• Two-factor user authentication for server access.
4. Regulatory Compliance: Help Me Doctor S.R.L. fulfills all the obligations established by Italian and European legislation on the protection of personal data (Legislative Decree 196/2003, as reformed by Legislative Decree 1010/2018, and EU Reg. 2016/679 - GDPR), including but not limited to:
• Analysis of the processing operations carried out by the platform.
• Drafting of the records of processing activities.
• Drafting of the privacy notices required for the identified processing operations.
• Verification of the applicable privacy legislation.
• Drafting of joint-controller and/or processor agreements with partners and stakeholders.
• Carrying out Data Protection Impact Assessments (DPIA) for processing operations that require such an assessment.
• Prior consultation with the Garante (the Italian data protection authority), where necessary for processing operations with "high" residual risks that cannot be mitigated.
• Appointment of a Data Protection Officer (RPD-DPO) compliant with the requirements of the GDPR.
• Creation of a corporate security policy.
• Creation of a procedure for the periodic verification of all the documentation indicated above, to ensure that it is up to date and compliant with current regulations.
• Creation of a process for handling and responding to data breaches, including notification to the relevant authorities and affected users, in accordance with GDPR requirements.
• Creation of a procedure to respond promptly and appropriately to user requests regarding their data protection rights, such as access, rectification, erasure, restriction of processing, data portability and objection to processing.
• Creation of a process for periodically reviewing all internal procedures to ensure they are up to date and in line with best practices and regulatory requirements.
• Identification and provision of appropriate training for all data processors to ensure proper data handling and awareness of data protection regulations.
It is emphasized that compliance with regulations and safety measures is a priority for Help Me Doctor S.R.L. and that the company is committed to keeping its policies and procedures constantly updated to adapt to regulatory changes and industry best practices.
Security Assessment:
• Conducting a vulnerability assessment to identify potential weaknesses in the personal data management system and processes.
• Execution of penetration tests to check the system's resistance to external attacks and to identify any security holes.
• Implementation of corrective and preventive measures based on the findings of the security assessment and penetration tests.
Disaster Recovery Plan:
Help Me Doctor S.R.L. develops a disaster recovery plan to ensure continuity of operations in the event of catastrophic events or significant service disruptions.
The plan includes procedures for restoring data, repairing systems, communicating with users, and restoring platform functionality.
Business Continuity Plan:
Help Me Doctor S.R.L. develops a business continuity plan to ensure continuity of business operations in the event of non-catastrophic outages or minor incidents.
The plan includes procedures for business recovery, resource management, internal and external communication, and situation monitoring.
Records and Documentation:
Help Me Doctor S.R.L. draws up and maintains detailed records of the processing of personal data carried out on the platform, as required by data protection legislation.
The documentation includes information on the purposes of the processing, the categories of personal data processed, the legal bases for the processing, the recipients of the data and the security measures implemented.
Review of Procedures:
Help Me Doctor S.R.L. has established a procedure for the periodic review of all internal procedures, including those relating to security and data protection.
The periodic review of procedures makes it possible to verify their effectiveness, to make any necessary improvements, and to ensure that they are aligned with current regulations and best practices.
Training and Awareness:
Help Me Doctor S.R.L. provides adequate training to all persons in charge of processing personal data on the platform.
Training includes data protection awareness, procedures to follow to ensure information security, and compliance with privacy regulations.
Response to Data Breaches:
Help Me Doctor S.R.L. has developed a procedure to promptly and adequately manage data breaches, in compliance with the provisions of the GDPR.
The procedure provides for the identification, assessment and notification of data breaches to the competent authorities and to the users concerned, as well as the corrective measures to mitigate the effects of the data breach.
It should be noted that Help Me Doctor S.R.L. undertakes to comply with all Italian and European regulations on the protection of personal data. The company implements all the necessary measures to ensure the security and privacy of its users' personal data.
In conclusion,
Help Me Doctor S.R.L. undertakes to strictly comply with personal data protection regulations, including the GDPR, Italian national laws and industry standards.
The company takes appropriate security measures to protect your personal data, including encryption, data pseudonymization, two-factor authentication and vulnerability assessment.
Furthermore, Help Me Doctor S.R.L. has created internal policies and procedures, such as the Code of Ethics, to ensure the quality, accuracy and ethics of the medical opinions provided on the platform.
Physicians participating in the platform must adhere to these ethical guidelines and meet licensing and professional insurance requirements.
The company has implemented a robust information management system and has designated a Data Protection Officer (RPD-DPO) to oversee data protection matters and ensure regulatory compliance.
Help Me Doctor S.R.L. is committed to maintaining constant regulatory monitoring and continuously improving its policies, procedures and security measures to protect user privacy and ensure the quality of the medical opinions provided on the platform.
It should be noted that Help Me Doctor S.R.L. adopts all the necessary measures to ensure the security of personal data and compliance with applicable data protection regulations. The company is committed to carrying out periodic assessments and continuously improving its security policies, procedures and measures to adapt to changes in the regulatory and technological environment.
Appendix 1
HELP ME DOCTOR
LEGAL ISSUES
PREFACE
In recent years, there has been a growing trend towards telehealth and paid online health services in many parts of the world. The reasons behind this trend include:
Accessibility: Online health services can be more convenient for people who live in remote areas or who have difficulty reaching traditional health care facilities.
Flexibility: Online health services allow people to see a doctor or get medical advice from home or other convenient locations, reducing the need for commuting or long waits.
Confidentiality: Some people may prefer the privacy afforded by online health services, especially when dealing with sensitive or embarrassing health issues.
Specialties: Paid online health services may offer access to doctors who specialize in certain health areas or issues, which may not be readily available locally.
Second Opinion: People may seek out paid online counseling services to get a second opinion or to deepen their understanding of a particular condition or treatment.
However, it is important to note that paid online health services must be carefully evaluated for quality, reliability, and compliance with local privacy and medical practice regulations. Before using these services, it is advisable to do in-depth research: read the curricula and skills of the doctors on the platform (even if they have already been selected for their high scientific and reputational level), read the reviews, and consider the recommendations of reliable healthcare professionals.
TO INCLUDE AS PRE-REQUIREMENTS
Familiarity with the GDPR: Make sure you understand the key requirements and principles of the General Data Protection Regulation (GDPR). The GDPR establishes specific rules for the protection of personal data within the European Union (EU). (https://www.itgovernance.eu/it-it/gdpr-testo-completo)
Assess your current compliance: Carry out a comprehensive assessment of your data protection-related platform and processes. Identify any gaps or areas where you may not be compliant with GDPR provisions. TO BE COMPLETED AFTER CHECK WITH POOJA
Engage a Data Protection Officer (DPO): If your organization meets the requirements for the appointment of a Data Protection Officer (DPO) under the GDPR, consider hiring or appointing an expert to support you in the compliance process and in data protection management. Carlo Bulletti (mail to carlobulletti@gmail.com, ask@helpme.doctor)
Implement security measures: Make sure you have adequate technical and organizational security measures in place to protect your users' personal data. This could include:
data encryption: YES (Pooja)
controlled access: YES
adequate staff training: YES
implementation of data management policies: YES
Document your practices: Keep track of the measures you have implemented to protect personal data, such as your privacy policy and the consents obtained from users.
Select a certification body: Research and select a recognized certification body that can assess your GDPR compliance and issue certification. Make sure the certification body is accredited by a competent authority and has experience in GDPR certification. This is discretionary and not mandatory by law: it will be submitted after the start of the activity (1 year).
Submit your certification request: Contact the selected certification body and submit your certification request. Specific information and documents will be needed to assess your compliance, so be sure to provide all requested information. This is discretionary and not mandatory by law: it will be submitted after the start of the activity (1 year).
Evaluation and audit: The certification body will conduct a thorough evaluation of your data protection practices and processes. This could include a field inspection, document review and systems audit. YES
Certification issue: If the certification body confirms that your platform is GDPR compliant, they will issue the compliance certification. Periodic monitoring or updating of certification over time may be required. YES.
Users or customers: Users or customers using your platform may require confirmation that your organization is GDPR compliant as part of their privacy and data security assessments. YES.
Business Partners: If you work with other organizations or service providers that process or access your users' personal data, they may require you to certify to demonstrate your compliance and ensure proper data handling. YES.
Supervisory authorities: Data protection supervisory authorities in each EU country may request documentation on GDPR compliance during their monitoring and inspection activities. YES.
Remember that GDPR compliance certification is a voluntary process.
As it is based in Italy, your platform for issuing international medical opinions is subject to various obligations to protect sensitive data in compliance with the GDPR and other relevant regulations. Some of the key obligations include:
Designation of a Data Protection Officer (RPD or DPO): If your organization processes personal data on a large scale or deals with special categories of sensitive data, you may be obliged to designate an RPD or DPO. This figure is responsible for overseeing data protection within the organization. YES.
Adoption of appropriate technical and organizational measures: You must implement appropriate security measures to protect personal data from loss, unauthorized access, disclosure or alteration. These measures may include data encryption, pseudonymisation, access controls, access monitoring and data backups. YES.
Compliance with GDPR principles: You must ensure that personal data is processed in accordance with the fundamental principles of the GDPR, including lawfulness, purpose limitation, data minimization, accuracy, retention limitation, integrity and confidentiality. YES.
Adoption of a privacy policy: You should have a clear and easily accessible privacy policy that describes how your personal data is collected, used, stored and protected. Your privacy policy should be informative and transparent. YES.
Data breach notification obligations: If a personal data breach occurs which could result in a risk to the rights and freedoms of data subjects, you may be required to notify the competent supervisory authority and, in some cases, also to interested parties. YES.
To request GDPR compliance certification from the Italian National Unification Body (UNI), you can contact the body directly and request information on the certification procedure. You can visit their official website to get more details about the requirements, fees and documents needed to start the certification process.
RPD (Responsabile della Protezione dei Dati) and DPO (Data Protection Officer) refer to the same figure.
The legal responsibility for compliance with the GDPR rules lies with the organization itself, in particular with the data controller. The data controller is the one who determines the purposes and means of processing personal data. In your international medical opinion platform, the data controller could be the organization itself or the legal entity that manages the platform.
The RPD or DPO is responsible for ensuring the organization's compliance with the GDPR, by monitoring data processing activities, providing data protection advice and acting as a point of contact for privacy-related matters. However, it is important to emphasize that the ultimate responsibility for legal compliance with the GDPR rules lies with the organization as a whole.
Software solutions for GDPR compliance can help your organization manage data protection tasks, such as consent management, data protection impact assessments (DPIA), data subject request management, data breach management, and more. However, it is important to note that the use of such solutions does not automatically guarantee complete compliance or legal indemnity from every problem of non-compliance.
GDPR compliance requires a holistic approach involving not only the use of software and tools, but also the review and adjustment of
business processes
staff training
implementation of security measures and
continuous monitoring.
Compliance is the responsibility of the organization itself and depends on various factors, including the nature of the business operations, the type of personal data processed and the specific circumstances.
Appendix 2
DATA MANAGEMENT POLICY
Purpose
The purpose of this data management policy is to outline the principles and guidelines for the collection, storage, access, use, sharing, and disposal of personal sensitive and ultrasensitive medical data within our platform. This policy aims to ensure the privacy, security, and ethical handling of the data, as well as compliance with relevant laws and regulations.
Scope
This policy applies to all employees, contractors, and third-party vendors who have access to personal sensitive and ultrasensitive medical data within our platform. It covers data collected from users, healthcare providers, and any other relevant stakeholders.
Data Collection and Storage
Data Collection
We collect personal sensitive and ultrasensitive medical data only with explicit consent from the individuals or as required by law.
Data collection is limited to the minimum necessary for the intended purpose.
We provide clear and transparent information to individuals about the types of data collected, the purpose of collection, and how the data will be used.
Data Storage
Personal sensitive and ultrasensitive medical data should be stored securely in accordance with industry best practices and applicable regulations.
Data should be encrypted both at rest and during transit.
Access to data should be restricted to authorized personnel only.
Regular backups of the data should be performed to ensure data integrity and availability.
Data Access and Use
Access Control
Access to personal sensitive and ultrasensitive medical data should be limited to authorized personnel on a need-to-know basis.
Access privileges should be granted based on job responsibilities and documented roles and should be reviewed regularly.
Strong authentication mechanisms (e.g., unique usernames, strong passwords, two-factor authentication) should be implemented to protect against unauthorized access.
Use of Data
Personal sensitive and ultrasensitive medical data should be used solely for the purpose for which it was collected.
Data should be used in a manner consistent with applicable laws and regulations, including data protection and privacy requirements.
Any secondary use or data sharing should be based on explicit consent or legal obligations, and individuals should be informed about such use or sharing.
Data Sharing and Disclosure
Data sharing with third parties should be limited and subject to appropriate data protection agreements or contracts.
Any data disclosure to third parties should be based on valid legal grounds, such as consent, legal obligations, or legitimate interests.
Prior approval should be obtained from the data owner or relevant authorities before disclosing data, unless required by law.
Data Retention and Disposal
Personal sensitive and ultrasensitive medical data should be retained only for as long as necessary to fulfill the purpose for which it was collected or as required by law.
Retention periods should be determined based on legal requirements and industry best practices.
Disposal of data should be conducted securely to prevent unauthorized access or unintended disclosures.
Data Breach Response
In the event of a data breach or unauthorized access, the incident should be reported promptly to the appropriate authorities and affected individuals, as required by applicable laws and regulations.
A comprehensive incident response plan should be in place to address data breaches, including steps for containment, assessment, and mitigation of the incident.
Compliance and Auditing
Regular audits and assessments should be conducted to ensure compliance with this data management policy and relevant laws and regulations.
Compliance with privacy laws, data protection regulations, and other applicable standards should be regularly reviewed and documented.
Training and Awareness
All personnel with access to personal sensitive and ultrasensitive medical data should receive comprehensive training on data management policies, privacy practices, and security protocols.
Regular refresher training should be provided to ensure that employees stay updated on evolving best practices and regulations.
Awareness campaigns should be conducted to promote a culture of data privacy and security among employees.
Accountability and Governance
A designated data protection officer or privacy officer should be responsible for overseeing data management practices and ensuring compliance with this policy and relevant laws.
Clear roles and responsibilities should be assigned to individuals involved in data management processes.
Regular assessments and audits should be conducted to evaluate the effectiveness of data management practices and identify areas for improvement.
Policy Review and Updates
This data management policy should be reviewed periodically to ensure its continued relevance and effectiveness.
Updates should be made in response to changes in laws, regulations, industry standards, or organizational requirements.
Stakeholders, including employees, healthcare providers, and users, should be notified of any significant updates to the policy.
Enforcement and Consequences
Non-compliance with this data management policy may result in disciplinary action, up to and including termination of employment or contractual agreements.
Any breaches of confidentiality, data misuse, or unauthorized access should be treated as serious offenses and subject to appropriate legal action.
Please note that this data management policy serves as a starting point and should be customized and reviewed by other experts in data protection to ensure compliance with applicable laws and regulations in our jurisdiction.
REGULATORY COMPLIANCE CHECKLIST
ISO/IEC 27001:2017 requirements, National Cybersecurity Framework, DPCM 29 September 2015, n. 178, Art. 32 GDPR, Art. 2-septies of Legislative Decree 196/2003
Data Collection and Storage Requirements:
Obtain explicit consent from individuals for collecting their personal sensitive and ultrasensitive medical data.
Collect and store only the minimum necessary data for the intended purpose.
Store personal sensitive and ultrasensitive medical data securely using encryption at rest and during transit.
Implement access controls to restrict data access to authorized personnel only.
Perform regular data backups to ensure data integrity and availability.
Describe your disaster recovery plan.
Technical requirement verifications:
Verify the functional safety of the portal software code
Verify the static security of the portal software code
Verify the functional safety of the translation software code
Verify the static security of the translation software code
Verify the functional safety of the vocalization (speech) software code
Verify the static security of the vocalization (speech) software code
Assessment of AWS server features (tier, SLA, RTO, RPO, etc.)
Data encryption
Pseudonymization of personal health data
Two-factor user authentication
Access Control and User Authentication:
Implement strong access control mechanisms to limit data access to authorized personnel on a need-to-know basis.
Grant access privileges based on job responsibilities and documented roles.
Enforce strong authentication measures, such as unique usernames, strong passwords, and two-factor authentication, to prevent unauthorized access.
Use and Purpose Limitation:
Use personal sensitive and ultrasensitive medical data solely for the purpose for which it was collected.
Adhere to applicable laws and regulations regarding data use, including data protection and privacy requirements.
Obtain explicit consent or have a legal basis before using or sharing data for secondary purposes.
Inform individuals about any secondary use or data sharing and provide opt-out options where applicable.
Data Sharing and Disclosure:
Limit data sharing with third parties and establish appropriate data protection agreements or contracts.
Obtain valid legal grounds, such as consent, legal obligations, or legitimate interests, before disclosing personal sensitive and ultrasensitive medical data to third parties.
Seek approval from data owners or relevant authorities before disclosing data unless required by law.
Data Retention and Disposal:
Retain personal sensitive and ultrasensitive medical data only for as long as necessary to fulfill the purpose for which it was collected or as required by law.
Determine retention periods based on legal requirements and industry best practices.
Implement secure data disposal methods to prevent unauthorized access or unintended disclosures.
Data Breach Response:
Develop a comprehensive incident response plan to address data breaches, including containment, assessment, and mitigation of the incident.
Promptly report data breaches or unauthorized access to the appropriate authorities and affected individuals as required by applicable laws and regulations.
Compliance and Auditing:
Conduct regular audits and assessments to ensure compliance with data management policies, privacy practices, and relevant laws and regulations.
Stay updated on privacy laws, data protection regulations, and industry standards, and review compliance regularly.
Training and Awareness:
Provide comprehensive training to all personnel with access to personal sensitive and ultrasensitive medical data on data management policies, privacy practices, and security protocols.
Conduct regular refresher training sessions to keep employees informed about evolving best practices and regulations.
Foster a culture of data privacy and security through awareness campaigns.
Accountability and Governance:
Designate a data protection officer or privacy officer responsible for overseeing data management practices and ensuring compliance with policies and regulations.
Assign clear roles and responsibilities to individuals involved in data management processes.
Regularly assess and evaluate the effectiveness of data management practices and identify areas for improvement.
Policy Review and Updates:
Periodically review and update the data management policy to ensure its continued relevance and effectiveness.
Incorporate changes in laws, regulations, industry standards, and organizational requirements.
Notify stakeholders, including employees, healthcare providers, and users, of significant policy updates.
Enforcement and Consequences:
Establish a process for enforcing the data management policy.
Define consequences for non-compliance, including disciplinary actions and termination of employment or contractual agreements.
Legal and Regulatory Compliance:
Ensure compliance with all applicable laws, regulations, and standards governing the protection of personal sensitive and ultrasensitive medical data.
Stay up to date with changes in relevant legal and regulatory requirements and make necessary adjustments to policies and practices accordingly.
Maintain documentation and records to demonstrate compliance with applicable laws and regulations.
Data Subject Rights:
Respect and facilitate data subject rights, such as the right to access, rectify, erase, restrict processing, and object to the processing of personal sensitive and ultrasensitive medical data.
Establish processes and mechanisms to handle data subject requests and ensure timely responses.
Vendor and Third-Party Management:
Implement a vendor and third-party management program to assess the privacy and security practices of external service providers who have access to personal sensitive and ultrasensitive medical data.
Establish data protection agreements or contracts with vendors and third parties to ensure the appropriate handling and protection of data.
Incident Reporting and Documentation:
Maintain comprehensive records of data management activities, including data breaches, security incidents, and any remedial actions taken.
Report incidents promptly and accurately to the appropriate authorities and affected individuals, as required by applicable laws and regulations.
Continuous Improvement:
Continuously monitor and improve data management practices to enhance privacy and security.
Conduct regular risk assessments and implement measures to mitigate identified risks.
Stay informed about emerging technologies and best practices in data privacy and security to adapt policies and practices accordingly.
Ethical Considerations:
Adhere to ethical principles and guidelines when handling personal sensitive and ultrasensitive medical data.
Respect patient confidentiality and ensure that data handling practices prioritize patient well-being and privacy.
It is important to note that the above requirements should be reviewed and tailored to the specific needs and legal requirements of Help Me Doctor S.R.L., and it is recommended to seek legal advice to ensure compliance with applicable laws and regulations.
Here are the third-party tools/integrations that we are using; please check their policies carefully.
https://elai.io/privacy-policy
https://policies.google.com/privacy
https://www.paypal.com/myaccount/privacy/privacyhub
https://aws.amazon.com/privacy/?nc1=f_pr
https://www.facebook.com/privacy/policy/?entry_point=about_fb
Help Me Doctor S.R.L.
Via Nazario Sauro, 30 Cattolica, Rimini, 47841 (Italy)
DATA PROTECTION OFFICER (DPO)
ePrivacy Consultants
represented by Dr. Carlo
Via Nazario Sauro, 30 Cattolica, Rimini, 47841
Contact: ask@helpme.doctor
Owner contact email: ask@helpme.doctor