Honestica is the publisher of the Lifen service and will hereafter be referred to as "Lifen" for the purposes hereof.
Lifen attaches great importance to the protection of your privacy and your personal data. It is a founding element of our approach. The purpose of this personal data protection charter (hereafter the "Charter") is, therefore, to present to you in more detail our approach to your personal data, to explain to you the cases in which we collect them, the reasons justifying this collection and what we do with them. It also presents the security measures we apply to protect their confidentiality, and reminds you of your rights regarding your personal data and the means to exercise them. We draw your attention is drawn to the fact that the data collected via Lifen are sensitive and confidential data that require special vigilance.
This data refers to information concerning natural persons, identified or identifiable, directly or indirectly, including data relating to physical or mental health (hereinafter the "Personal Data"). Our Charter applies in compliance with the provisions relating to the protection of Personal Data, and in particular, European Regulation 2016/679 of 27 April 2016, and the Data Protection Act of 1978 as amended, as well as the provisions of the Public Health Code (CSP), (hereinafter the "Act"). This Charter is intended to apply to the users of Lifen and to the visitors during their navigation on the lifen.health website (hereafter the "Website"). This Charter is an integral part of the General Conditions of Use of the Site.
For the purposes hereof, the terms and expressions defined below shall have the following meanings:
The person responsible for the collection and processing of your Personal Data is:
Lifen outsources some of its activities for the performance of its services. For example:
We are committed to ensuring that our subcontractors guarantee the same level of safety as we do. The User and Honestica (hereinafter the "Parties") agree to comply with the Law applicable to the Processing of Personal Data. The Parties undertake to abdide by the General Health Information Systems Security Policy issued by ASIP Santé (hereafter the"PGSSI-S").
Lifen only processes your Personal Data for the purposes below:
For the exchange of documents, the data processing carried out consists of extracting information contained in the medical documents and then using them to accomplish the purposes of the processing.
For the remote follow-up of patients exhibiting symptoms of Covid-19, the data processing carried out consists of collecting medical information from patients through targeted questionnaires received via SMS or e-mail for a period of 14 to 30 days.
The questionnaires are analysed automatically and are presented to health professionals in the form of dashboards and alerts to help them adapt their patient follow-up according to the results.
Unless otherwise expressly stated by the User, Lifen does not use your Personal Data for commercial or marketing canvassing, research, or the publication of statistics.
The Personal Data Lifen processes is:
Cookies
What is a cookie?
A "cookie" is a piece of information stored on your device when you browse a website. It allows your device to be identified each time you visit the aforementioned website.
What are cookies used for?
Lifen uses cookies in order to:
- Offer you a better browsing experience on Lifen.health;
- Measure and improve the services offered on Lifen.health.
What can you do to manage the cookies stored on your device?
You can accept or decline cookies. If you reject the cookies, some aspects of Lifen's Webite may not work on your device, and you may not be able to access certain features of Lifen's Website.
The Personal Health Data is strictly intended for the Users concerned in the process of issuing and/or receiving medical documents. Lifen guarantees that they will not be transmitted to any unauthorized third party, subject to possible subcontractors of Lifen, such as the certified health data host or the desktop publishing provider.
The Personal Data collected in the contact forms and the cookies is only intended for the administrators of Lifen. Lifen does not transfer Personal Data to countries that are not members of the European Union or the European Economic Area.
Lifen may, however, communicate the Personal Data it processes to third parties when such communication is required by law, regulation or court order or if such communication is necessary to ensure the protection and defence of its rights.
Concerning Personal Health Data, Lifen undertakes, when the legal framework allows it:
The User, as the person responsible for processing personal health data, is responsible for:
Lifen, as a Subcontractor, undertakes to:
In accordance with Article 28 of the GDPR, the Data Controller generally authorises Lifen to have recourse to subcontractors (hereafter "second tier subcontractors") to carry out specific processing activities.
Lifen ensures that the second tier subcontractor presents the same guarantees in regards tothe implementation of the Security Measures for the missions entrusted to them. Lifen undertakes to enter into a contract with the Sub-Contractor under which its access to the data of the Data Controller will be strictly limited to the purpose of the contract entered into with Lifen.
The Sub-Contractors with which Lifen has entered into a contract, in force at the date of signature of the Contract, are AWS (certified hosting provider), Corus (desktop publishing), MS Santé (secure health messaging) and Apicem (secure health messaging).
The Data Controller has the right to object to the use of a Second tier Subcontractor from the date of receipt of this information.
Lifen implements all security measures required to protect your Personal Data. To ensure the security of your Personal Information, Lifen has implemented the following procedures and processes:
The Parties undertake to take appropriate measures to ensure that any employee, partner, subcontractor and any individual acting under the authority of the Data Controller or Lifen is duly authorized to access Personal Data. Healthcare professionals who use Lifen are subject to professional secrecy by law. Thus, each User is invited to implement, under their responsibility, all useful and relevant security measures for the purposes of protecting access to their computer, phone or other mobile devices, and to all Personal Data accessible on Lifen, in particular with respect to third parties.
In order to guarantee the confidentiality, integrity and security of Personal Data, Lifen acknowledges having implemented the Security Measures below, intended to protect Personal Data:
Lifen hosts personal data in hosting providers, which can be either:
If Lifen comes to contract with a new host outside of France, Lifen undertakes to give the Data Controller the choice of the country of hosting of its Personal Data.
Health Data
Lifen is committed to retaining the Personal Data collected for a limited period of time. However, Lifen is not responsible for the obligations of the Data Controller regarding the retention period of Personal Data.
The retention periods of Personal Data collected via Lifen are different according to the type of data, and are specified below:
At the end of the retention period, Lifen undertakes, at the choice of the Data Controller, to:
However, medical documents that have been sent to the Processor, or that the latter has sent via Lifen, may be retained as long as other medical professionals sending or receiving such medical documents remain active on Lifen.
Administrative data
Personal Data used for the purposes of sending contact forms and managing Lifen's customer files are kept for a period of three years from the time of their collection or from their last contact with Lifen.
Browsing data
Connection logs, cookies and other tracers set up on Lifen's Website will be kept in accordance with the applicable regulations for a period of 13 months. For more details, refer to the "Cookies" section hereabove.
In accordance with the Law, you have a right of access, rectification, limitation, opposition, deletion and portability of your Personal Data, which you may exercise for legitimate reasons, and subject to any legitimate compelling reasons that Lifen may have for retaining your Personal Data. These rights may be exercised at any time by filling in this form (PDF - ODT) and returning it:
In the event of a request, Lifen undertakes to inform, as soon as possible, the Data Controller and to provide them with the information necessary for the transmission of the data to their patient.
The Data Controller acknowledges that they are exclusively responsible for the aforementioned information and the collection of consent from patients in compliance with the provisions of the GDPR. The User, as Data Controller, must designate a person within their organisation (the "Customer Contact") who will be able to designate a health professional to Lifen when necessary, in the event, for instance, of any problem requiring access to health data or relating to the management of patient relations. The Data Controller must make sure to communicate to Lifen, through their DPO, a new Customer Contact when necessary, in particular in the event where a Customer Contact separates from service.
Lifen informs you about the collection and processing of your Personal Data and the rights you have in this respect:
Lifen informs its Users who are part of the same healthcare team that it is their responsibility to provide the patients they care for (hereinafter the "Patients") with the following information prior to sharing their health data:
For Lifen Users who are not part of the same healthcare team, we inform them that the Patient must expressly consent, by means of a checkbox:
You can ask us at any time:
You have the right to retrieve the Personal Data you have provided to us. Lifen is committed to providing you with your Personal Data in a structured, commonly used and readable format.
You may object to the processing or request the deletion of your Personal Data, i.e. their deletion by Lifen.
We have appointed a Délégué à la Protection des Données personnelles (Personal Data Protection Officer, in French - hereinafter the "DPO") at the CNIL, to demonstrate our commitment to respect your privacy and your rights to your Personal Data. For any question related to the processing of Personal Data by Lifen, you may contact our DPO at the following email address: dpo@lifen.fr, or by post at Lifen at Wework, 106 Boulevard Haussmann, 75008 Paris, France.
Impact analysis relating to the protection of Personal Data
In accordance with Article 35 of the GDPR, the Data Controller undertakes to carry out an impact analysis to ensure the compliance of the Processing with the Law, when it is likely to generate a high risk for the rights and freedoms of the persons concerned by the Processing.
In the event that Lifen becomes aware of a high risk to the rights and freedoms of the persons concerned by the Processing, we undertake to inform the Data Controller of such a risk as soon as possible and to assist them in carrying out the impact analysis, as well as in carrying out the prior consultation with the supervisory authorities.
Certification
We undertake to provide the Data Controller with proof of our certifications on request, and to inform them of any change of certifications office within 30 days.
Furthermore, we undertake to provide the latest audit report on our certifications upon request by the Data Controller.
Notification of violations of Personal Data
In accordance with Article 33 of the GDPR, the Data Controller undertakes to notify the supervisory authority, within a maximum period of seventy-two (72) hours from the time of becoming aware of any violation of Personal Data.
Lifen undertakes to inform the Data Controller, as soon as possible after becoming aware of any breach of Personal Data, concerning the Processing for which the Data Controller is responsible, and to take the appropriate measures to limit the risk and protect the aforetmentioned Personal Data.
The notification will be sent by Lifen to the Data Controller by e-mail, and will contain, as far as possible, any piece of information useful to the Data Controller in order to enable them to notify, if necessary, the violation to the supervisory authority.
The notification sent to the Data Controller by Lifen does not constitute an acknowledgement of fault or responsibility on the part of the latter.
Audit
The Data Controller reserves the right to conduct audits to verify Lifen's compliance with the provisions of this Charter.
After informing Lifen in writing, including by email at dpo@lifen.fr, with twenty (20) days' notice, the Data Controller may have an audit performed, at its own expense, to verify compliance with all security measures implemented to ensure the security of Personal Data. Such an audit may take place at any time, subject to a limit of one audit per calendar year.
The audit shall be performed by an independent and recognized expert, whose choice shall be approved by Lifen at least five (5) days before the audit begins. Such an audit will be the subject of a tripartite agreement, the main clauses of which shall be in accordance with the PASSI requirements published by the ANSSI.
In any case, the audit operations must not disrupt the operation of the service implemented by Lifen beyond the constraints inherent to an audit.
The audit shall not include information that is not specific to the Data Controller, in order to preserve the confidentiality of information specific to other Lifen customers or information of which its disclosure could jeopardise the security of other customers and other personal data concerning them.
Lifen agrees to provide the User with the results of an independent external audit of Lifen's pooled operational features (security features that Lifen has in place for all of its customers).
Lifen agrees to cooperate in good faith with the auditor and to facilitate the audit by providing all necessary information and byresponding to all audit-related requests.
A copy of the audit report prepared by the auditor will be provided to each party.
If the conclusions of the audit contain recommendations, the conditions for their implementation will be studied in a contradictory manner as soon as possible by the Data Controller and Lifen, jointly.
The auditor, a designated natural person, will be duly mandated in writing by the contractor, and will be subject to the strictest confidentiality and business secrecy.
Lifen reserves the right to modify its Policy at any time, and will publish the modified version on its webite.
Last update: August 17, 2022