DBC Global Data Protection Description and Privacy Policy
​Updated: February 28, 2018
1. Controller
    Name:     DBC Global Ltd (hereinafter ‘the Controller’)
    Address:     Leppävaarankatu 9 C, 02600 Espoo, FINLAND
    E-mail:     helpdesk@dbc.fi
    Phone:     +358 45 677 6255

2. Contact Person for Register Queries
    Name:     Greg Steele
    E-mail:     gregory.steele@dbc.fi
    Phone:     +358 45 677 6255

3. Name of Register
DBC Health (hereinafter ‘the Service’) user and patient register.

4. Purpose of Processing the Personal Data
The Service is designed to automate patient journey and related communications between a patient and a care provider. The Service is directed especially to the Controller’s customers and their caretakers.

The processing of personal data is primarily based on the care relationship between the Controller and the data subject (hereinafter ‘the User’) formed when the User creates a user account for the Service, and, e.g., insofar as the User enters information on his or her state of health or treatment information in the Service.

Personal data is processed for the implementation and provision of the application or browser based Service offered by the Controller, for the patient guidance, the care coordination and for managing the customer relationship as well as for service development after having been anonymized.

Processing tasks can be outsourced to external service providers in accordance with and within the limits set by the data protection legislation.

5. Register’s Data Content
The User of the Service can be:
  • Patient him or herself, OR
  • Patient’s caretaker.

Information stored on the User may include, for example, the following:
  • Name, nickname, identity code, customer number, sex, language, address, telephone number, e-mail address, and other necessary contact information.
  • Procedure and appointment information such as appointment time, place, type, therapist’s name and the similar information from the related appointments.
  • User’s answers to care related questionnaires such as pre-op questionnaire, patient reported outcome questionnaire or pain meter measurement.
  • User accomplished actions such as preparation and recovery tasks and exercises.
  • The photos uploaded to the Service by the User.
  • Next of kin, guardian(s), dependant(s), number and ages of children under the age of 18 years, residential information, and size of household.
  • Information on prohibitions, restrictions, consents and other choices made by the User regarding the use of personal data.
  • Information necessary for the use of authentication and verification tools and services.
  • Information on the processing of data, such as the storage date and the information source.
  • Information on the communications between the User and the Service, such as the content of messages and their sending times.
  • Other information related to the purpose of the register, e.g., the data that can be connected to the User gathered on the use of the mobile applications or web pages during use of a service, such as the User’s IP address, the time of visit, the pages viewed, transferred data volume, access status (file transferred, file not found etc.), the browser used (such as Internet Explorer or Firefox), and the URL and server from which the User accessed the site.¨
  • The location of the mobile device (in case the user uses it for Apple or Google Maps)

The data stored in the Service is not transferred into the patient data system, unless otherwise agreed.

6. Regular Sources of Information
Information is received mainly from the following sources:
  • The User him or herself, and the information generated by the User during the use of the Service.
  • Another User (caretaker) linked to the User’s profile in the Service with the User’s consent.
  • Information may be fetched from the Controller’s other systems automatically through integrations.
  • Manual entry by the Controller’s care personnel.
  • Parties offering services related to authentication, verification, address data, updates, credit information, or similar services.

7. Regular Disclosure of the Data and the Recipient Groups
Collected data and information is submitted and stored in a secure server provided by third party service providers Amazon Web Services Inc. (servers in Ireland and Germany) and Aptible Inc. (servers in Ireland and Germany).

Data will not be disclosed to the parties other than those participating in the production, development, or maintenance of services or communications of the Controller or on its behalf, except when based on an agreement, separate consent, and/or explicit regulations.

8. Transfer of Data Outside the EU or the EEA
Recipients of personal data may be located in countries outside the European Union (cloud service providers: Amazon Web Services Inc., Aptible Inc.), including the United States, which may not have data protection laws equivalent to those in the European Union. In such a case, the necessary measures will be taken to ensure safety of personal data in accordance with applicable data protection laws.

9. Principles in Accordance with Which the Data Has Been Protected
The Service operates via the internet and can be used via protected data-communication media, such as those used with a browser on a computer, mobile phone, mobile device or other smart device, or with another technical application provided by the Controller at any given time.

The User logs in to the Service by using personal credentials or another authentication method approved of by the Controller. The Controller provides the service and its information security by means of appropriate technical solutions.

Material can only be accessed by employees, practitioners or co-operation partners specifically entitled to do so with a personal User ID and password. There are different levels of access rights, and each User is issued sufficient rights, though as limited as possible, to complete his or her work tasks.

Also, the User him/herself can grant the persons to view and process data on the User stored in the Service, and the right to receive an equivalent restricted access right to the User’s patient data as the User him/herself has. Only persons who themselves are Users of the Service, and thus also Users, can be linked to the with User’s profile in the Service.

When a User terminates his or her account in the Service, the Controller will remove all information related to the Service that the User has saved personally and also the User's profile in the Service, but information related to other services (such as patient register or feedback and information used for allocation of services) will be transferred to and/or will remain in the Controller’s customer register.

The purpose of the measures described above is to ensure the confidentiality of the Service and the availability and integrity of its data, and the fulfillment of the rights of the Users.

10. Cookies
The Service uses Session Cookies (Cookies that are deleted after User having closed the Service).

Cookies are small text files that are stored on a User’s computer's browser directory. Cookies enable websites to recognize the internet browser. They can comprise the exchange of information between a User and the Controller, a third party acting on behalf of the Controller or a third party in accordance with data protection laws.

Cookies can be used by the Controller to collect Users’ data. Users can configure their computers and smartphones to inform them when a Cookie is being sent to them. Furthermore, it is possible to deactivate all cookies. This option can be found in Users’ internet browser settings. If Users deactivate Cookies, they no longer have full access to the wide range of functions that aid their visit to the website. Furthermore, not all Services will function correctly. In the final part of this information on Cookies there are further entries on how a User can administer and deactivate Cookies in their browser.

11. Web Analysis Tools

11.1 - New Relic
Furthermore, the Controller uses a plugin of the performance analysis service of New Relic Inc. ("New Relic") which enables the Controller to statistically analyze the speed of the service.

When a User visits a page with his/her browser or the mobile app makes a request to the back-end which contains such a plugin, the back-end builds a direct connection to the servers of New Relic. New Relic collects information like the service request times and possibly the user IP address.

By integrating the plugin, New Relic receives the information that a User has accessed the corresponding page of the website. If the User is logged in at New Relic, New Relic may assign the User's visit to the website to his/her account at New Relic. If a User is not a member of New Relic, there is still the possibility that New Relic will detect and store his/her IP address.

The purpose and scope of data collection and the further processing and use of data by New Relic, as well as the corresponding rights and settings to protect the privacy of Users, can be found in New Relic's privacy policy under: https://newrelic.com/privacy.

If a User is a member of New Relic and does not want New Relic to collect data about them in order to combine them with the member data stored by New Relic, the User must logout of New Relic before visiting the website.

11.2 - Crashlytics
Furthermore, the Controller uses a plugin of the crash analysis service Crashlytics which is part of the Fabric platform, a business division of Google Inc. ("Crashlytics") which enables the Controller to detect and log the crashes of the mobile apps.

When a User uses the mobile app and encounters an application crash, the mobile app builds a direct connection to the servers of Crashlytics. The Crashlytics service may collect information which includes, but is not limited to, device state information, unique device identifiers, device hardware and OS information, information relating to how an application functions, and the physical location of a device at the time of a crash.

The purpose and scope of data collection and the further processing and use of data by Crashlytics, as well as the corresponding rights and settings to protect the privacy of Users, can be found in Crashlytics' privacy policy under: https://try.crashlytics.com/terms/privacy-policy.pdf.

12. The User’s Right to Prohibit Direct Marketing
The Service may contain adverts by the Register Controller or its partners. The customer cannot prohibit the occurrence of adverts in the Service.

The Controller may never use the collected data for service-external direct marketing, sales or research purposes.

13. Other Rights of the User Regarding the Processing of Personal Data

13.1 - The User’s Right of Access to the Data (information right)
When logging in to the Service, the User can view most of the data included on him or her in the Service.

The User may at any time request free of charge information about the scope, origin and recipients of the stored data as well as the purpose of the storage. Such an information request must be made in accordance with Section 14 of this data protection description. The right to inspection may be declined on statutory grounds.

13.2 - The User’s Right to Demand Rectification or Erasing of Data or a Restriction on Processing Data
The User can also update his or her basic information contained in the Service. Insofar as the User can act, him or herself, after having been informed of an error in the data or having detected such an error him or herself, he or she must, without undue delay, on his or her own initiative, rectify, erase, or supplement the erroneous, unnecessary, incomplete or obsolete personal data or the data contrary to the purpose of the Service.

Insofar as the User cannot rectify, erase, or supplement the data him/herself, the request for rectification, erasure, or supplement shall be made in accordance with Section 14 of this data protection description.

The User also has the right to demand the Controller to restrict the processing of his or her personal data, for example, in a situation where the User is waiting for the Controller’s response to his or her request to rectify or erase data.

13.3 - The User’s Right to Make a Complaint to the Supervising Authorities
A User has the right to make a complaint to the competent supervising authorities if the controller has not followed the applicable data-protection regulations in its operations.

13.4 - Other Rights
If the personal data is being processed on the basis of the User’s consent, the User has the right to cancel the consent by notifying the Controller of this in accordance with Section 14 of this data protection description.

14. Contacts
In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the User should contact the Controller by email or by post to the addresses mentioned in the Section 1.

When required, the Provider can request the User to further define their request in writing, and, if needed, the identity of the User can be authenticated before initiating any other measures.

15. Validity and Timeliness
This Data Protection Description is currently valid and dated as of 28 February 2018. Controller reserves the right to amend the Data Protection Description at any time with effect for the future, in particular to adapt it to further development of the Service or the implementation of new technologies.