DBC Health Privacy Policy
Updated: Nov 14, 2024, v.2.4
DBC Health (Apptive Health in the US) is an application intended for self-initiated risk stratification of problems related to the musculoskeletal system, information sharing, digital coaching and care, care management, quality monitoring, and communication related to care.
This Privacy Policy Statement outlines how we use and process the information we collect from people and organizations registered in the DBC Health information system. We also describe the purposes and objectives of personal data processing.
Data protection is a top priority for us. When processing personal data, we observe the EU’s General Data Protection Regulation (GDPR) as well as other relevant legislation and guidelines that apply to our operations, such as national data protection regulations and patient legislation.
1. General definitions
1.1. Definitions according to the EU’s General Data Protection Regulation
“Personal data” means any information related to an identified or identifiable natural person, referred to as a “data subject” below. A natural person is considered to be identifiable when they can be identified directly or indirectly based on particular identification information, such as name, personal identity code, location information or network identification information, or based on one or more characteristic physical, genetic, psychological, financial, cultural or social factors.
“Health information” means personal data related to a natural person’s physical or mental health, including information on the provision of health services, which indicates the person’s state of health.
“Profiling” means the automatic processing of any personal data where the personal data is used to assess certain personal properties of a natural person. For this Privacy Policy Statement in particular, this means the analysis or anticipation of characteristics related to the natural person’s health and behavior.
1.2. Definitions according to this Privacy Policy Statement
“Application” means the DBC HEALTH (or APPTIVE HEALTH) application, including the mobile application and a potential web application, as well as the related server system in the background where the personal data is processed.
“Data subject” means a person who is registered for the application and/or whose personal data is otherwise processed within the application.
“User” means a person using the application either concerning themselves, on behalf of another person, for instance, as the legal guardian of a minor, or as an invited user whom a primary user has authorized to access the application.
“Data controller” means the organization identified in section 2.1 of this Privacy Policy Statement. The data controller defines the purposes and means of personal data processing. The data controller is the organisation that is responsible for the service provided to the data subject with the help of the application.
“Application provider” means for the purpose of this Privacy Policy Statement the organisation in the name of which the application is made available in application stores, such as Apple App Store or Google Play Store, or on a website.
“Sending Organization” means the health organization sending the User or Data subject to Services linked to the use of this Application, or the Organization acting as a payer of these services, e.g., an insurance company or employer.
“Pseudonymized data” refers to information that only the Data controller can associate with a particular person. The Application Provider only deals with pseudonymized information and cannot associate this information with an individual. For the sake of clarity, only the Data controller can process personal data with customers’ identification information.
2. Data controller and the data controller’s contact information
2.1. Data controller and the data controller’s contact information
It is the data controller’s responsibility to define the purposes and means of personal data processing for the application.
The data controller is the organization as the customer of which a data subject is registered or a user registers for the application.
The contact information of the data controller can be found within the application after logging into it. This information can be found in the Account menu under Contact.
The data subject (end user) may later authorize other Data controllers to use his/her own data.
2.2. Application provider and application service supplier and their contact information
The application provider / data processor is responsible for presenting the application in application stores and, potentially, for local user support.
Name of the organization: DBC Global Oy
Address: Bertel Jungin aukio 5C, Alberga Business Park, 6. kerros, 02600 Espoo, FINLAND
Name of the person responsible for matters related to registers: Ali Laitasaari
Email: ali.laitasaari@dbc.fi
Telephone: +358 50 3000 533
Privacy policy statement: https://www.dbc.fi/dbc-privacy-policy
2.3. Registered Groups
The collected data pertains to the following groups of data subjects, which include:
Users of the DBC HEALTH (or APPTIVE HEALTH) application.
Individuals registered as customers of Data Controllers. Please note that only the Data controller can see the personal information and all the professionals who can access this information are using their own personal IDs.
Organizations and individuals registered as customers of DBC Global. DBC Global processes only group level data from DBC Health.
For each group, the following personal information may be collected:
Full name (first and last name)
Personal identity code (to identify the data subject)
Contact information (telephone number, email address)
Any other relevant data necessary for the provision of services and user experience enhancement.
The data collected at DBC Health is described in more detail below.
3. Name of the register
Register for the DBC HEALTH (or APPTIVE HEALTH) application.
4. Purpose of personal data processing and the legal grounds for the processing
The processing of personal data serves the following purposes:
Providing the data controller with care-related information pertaining to the data subject, which is either automatically transmitted to the data controller by the application or manually entered by the user into the application and subsequently submitted to the data controller.
Offering the data subject a personalized experience within the application.
Facilitating communication between the data controller and the user or data subject.
Referring organizations, such as payers, may be given access to personal and health information, provided that local law permits the sharing of such information.
Transferring Personal Data and Health Information to applicable Electronic Health Records (whether national or private) for storage.
Upon inviting a data subject to become a user of the application, the data controller may process the data subject's identifying information, such as their name and personal identity code, as well as their contact information, such as telephone number and/or email address. This processing of personal data is grounded in the establishment of a customer relationship and the legitimate interests of the data controller. The personal identity code is processed to fulfill the rights and obligations of both the data subject and the data controller, such as verifying the identity of the data subject.
The processing of personal data required by the application following registration is based on the explicit consent of the data subject. Additionally, the data controller may process other personal data not falling within the specific personal data categories of the data subject, such as health information, for statistical purposes, based on legitimate interest.
Furthermore, subject to the data subject's separate consent, the data controller and/or application provider may process personal data for research or marketing purposes.
The data controller is obligated to transfer and store Personal Data and Health Information in appropriately applicable Electronic Health Records in accordance with legal requirements.
5. Information content of the register
The register contains the following information on the data subject and user.
The following information is stored for the data subject:
Information related to identification and identity verification, such as:
Full name (first and last name)
Personal identity code (to identify the data subject)
Other identity related codes e.g., Member Number
Information related to communication, such as:
Telephone number and/or email address
Preferred language, if the multiple-language option is used
The data controller/-s whose customer the data subject is
The purposes and times of visits, meetings and exercises related to the data subject
Information provided by the user through the application, such as:
A picture of the data subject the user may have uploaded
Timestamps of tasks the user performs within the application
Information entered by the user within the application, such as answers to queries and exercising content
Any discussions the user has with the data controller within the application
Other information provided voluntarily by the user
In addition, the following information is stored for the user:
Any discussions the user has with the data controller within the application
Data stored by various measuring instruments connected to the application by the user, such as a pedometer
Other information provided voluntarily by the user about themselves in the application
In addition, the following data (later referred to as “technical data”) is automatically saved about the user during use to be stored and used for investigating potential misuses and faults later:
IP addresses from which the application has been used
The manufacturer and model of the user’s mobile device or web browser and the operating system and application versions
The dates and times when the application has been used
Exercising data
6. Retention period for personal data
Personal data is stored in the application for as long as it is necessary for the service provided by the data controller with the help of the application. Even after that, certain information will be stored as required by legislation, such as log information and archival requirements prescribed by law.
In addition, the application supplier may store pseudonymized data even after the retention period mentioned above. Pseudonymized data is intended to be used for constructing and maintaining a profiling model as described in section 11, and for statistical purposes to develop the application and service.
7. Regular sources of data
Sources of the data that is stored in the application include:
The data controller whose customer the data subject is. Data collected about data subjects and application users is transferred into the application either manually by the data controller or automatically through information system integration.
Data transmitted by the identification service used by the user during registration.
Data provided by the user within the application, such as contact information provided during registration, answers to queries provided during the use of the application, uploaded pictures, timestamps of care pathway tasks and data from any separate measuring instruments connected by the user, such as pedometer data.
Technical data collected about the user automatically during the use of the application, such as the IP address, the times when the application was used, the terminal device make and model and the application version.
Depending on the data controller, registration for a user of the application takes place either (1) through strong identification or (2) through a unique activation code with restrictions on time and the number of uses created for the user on the data controller’s initiative, together with the user’s telephone number or email address and a password set by the user or (3) using any other identification method. The created user ID and password will later be used for logging into the application if the user logs out of the application. It is the user’s responsibility to ensure that the user ID and password cannot be used by unauthorized persons.
8. Regular disclosure of data
The information entered and sent by the user in the application is transmitted to the data controller whose customer the data subject is. From that point onwards, the data controller takes care of processing the data according to its own principles.
As a part of supplying the application (such as in delivering the application to users, maintaining it, monitoring its functioning, information security and lawfulness, identifying a person and in the information exchange and messaging channels), the application provider also uses the following types of third-party services, during the use of which it processes a part of items considered personal data as follows:
Cloud computing environment where the service is produced, and the data is stored. All personal data described in section 5, which the user and data controller enter or which is automatically collected as technical data, is processed in this environment.
Storage and delivery of pictures through the application, such as portraits and other pictures that the user or data controller has stored in the application or sent through it.
Messaging services:
SMS transmission service: For instance, sending user invitations or informing the user by the data controller, application provider or application service supplier (the user’s telephone number to which the message is transmitted)
Sending email messages: For instance, sending a new password or informing the user by the service supplier (the user’s name and email address)
Chat messages between customer and data controller and /or application provider. These messages may be personal 1:1 or group messages. Chat messages may also include messages between customers or customer groups.
Discussion channels, such as a chat or video conferencing service that the user can use to contact the data controller
A strong identification service used for verifying a person’s identity in a reliable way (includes at least the personal identity code and possibly other identifying personal data, such as name information, and contact information, such as address and preferred language, as well as data collected automatically by the identification service, such as IP address and the user’s terminal device model, type and operating system version)
When used with devices with the Android operating system (potentially at least the user’s Google ID, the device type used and the IP address):
When downloading and using the application, Google Play Store
Sending push notifications to Android devices through the Google FCM service
When used with Apple iOS devices (potentially at least the user’s Apple ID, the device type used and the IP address):
When downloading and using the application, Apple App Store
Sending push notifications to iOS devices through the Apple Push Notification service (APNs)
Measures by the application service supplier related to monitoring the application’s functioning and conformity to law, such as data protection and archival requirements (concerning, for instance, the internal user ID of the service, the user’s IP address, the user’s terminal device model and type, the operating system version, application version and time of use):
System log information is stored in a separate log service
Alarms for errors and suspected misuse are delivered through a separate messaging channel to the service supplier’s maintenance, application development or monitoring personnel
Recording application errors and exceptions
Services used for measuring the performance of the application
Application usage analytics used to support service development (processed as data from which the user cannot be directly identified without separately stored information, for instance, the user’s country, the manufacturer and type of the terminal device, application version, the times when the application was used and the functions the user has used)
Subject to the user’s separate and explicit consent, for marketing purposes where marketing communication channels, such as email and other marketing channels, are used
When the user contacts the data controller, application provider or any other dedicated customer support in a problem situation, the user can be offered technical user support by the application provider in which case the need to identify the user arises. In this connection, data belonging to the user’s personal data may have to be processed by the support staff of the application provider or dedicated customer support based on data provided by the user as a part of the troubleshooting process, as necessary.
9. Transferring data outside the EU or the European Economic Area
As described in section 8, personal data collected by the service is mainly stored on servers located within the area of the European Union (EU); however, some of the personal data is also processed outside the EU and the European Economic Area by external organizations.
The transfer of data outside the EU and the European Economic Area as a part of the use of the service is based on prerequisites provided for in the EU’s General Data Protection Regulation (2016/679), such as a sufficient level of data protection in the target country (through the Privacy Shield mechanism, see https://www.privacyshield.gov), and standard contractual clauses approved by the European Commission.
Using Apple services with iOS devices, such as receiving push notifications through the Apple Push Notification service (APNs) and using the Apple Maps service, is based on the user’s consent.
10. Principles of protecting the register
We use the necessary technical, physical, administrative, contractual, and organizational security measures to protect the personal data from unauthorized access, as well as accidental or unlawful erasure, changing, disclosure, transmission or other illegal processing of the data.
The personal data can only be accessed with the personal user ID of an authorized employee or a professional participating in the provision of care. There are several levels of access rights, and each user is granted an access right that is sufficient for carrying out their task but as restricted as possible. The data subject has the right to inspect the personal data stored in the service. The data subject can agree on this, for instance, with the data controller during a meeting.
11. Profiling
Profiling performed by the application is intended to support the best possible success of the service received by the data subject. For instance, the application may seek to recognize whether the data subject belongs to any of the following risk groups:
Canceling or postponing care or a treatment is probable
A complication resulting from a treatment is probable
Content designed according to the primary treatment target
Based on a profile, the application or data controller may target the data subject with special attention, such as reminders. This data processing will not result in automatic decisions that would have legal effects concerning the data subject; decisions concerning the data subject (such as decisions on procedures) are always made by a natural person, such as a professional employed by the data controller. In case of a No Risk or Low Risk classification in the application-based Self-Assessment, proactive progressive exercise programs and general information about MSK issues may be shared automatically.
When a user engages with a digital proactive training program, they understand that the program is specifically tailored based on their individual responses within the DBC Health application. They also recognize that if they need assistance, the DBC Health application includes a Customer Assistance Request (CAR) feature, enabling them to easily connect with an expert whenever necessary.
For the technical implementation of profiling, the service supplier may save and store pseudonymized data, i.e., data from which identifying factors related to the data subject have been erased and in which the data subject cannot be identified in any manner.
Based on the data subject’s separate consent, the data controller and application provider may store data on the data subject that is used, for instance, for general quality control of care, for the development of the application or the care offered by the data controller, or for research purposes. Such data obtained from the data subject is kept in a separate database in a format that makes it impossible to identify the data subject from the data without separately stored additional data.
12. Rights of the data subject
12.1. The right of the data subject to access their data (right of inspection)
When logging on to the application, the user can always see most of the data the application is collecting.
The data subject also has the right to inspect what other information concerning them has been stored in the application. An inspection request must be made according to section 13 of this Privacy Policy Statement. The right of inspection can be denied with the grounds provided for in the legislation. As a rule, exercising the right of inspection is free of charge, but if the data is requested again for the same time period, the data subject may be charged for the cost incurred.
12.2. The data subject’s right to demand the rectification or erasure of data or restricting its processing
The data subject can update their own basic information in the application. To the extent the data subject can act themselves, they shall, without undue delay after having received the information on an error or detecting the error themselves, on their own initiative rectify, erase, or supplement the data contained in the register that is contrary to the purpose of the application, erroneous, unnecessary, defective or outdated.
To the extent that the data subject cannot rectify the data themselves, a rectification request shall be made according to section 13 of this Privacy Policy Statement.
12.3. The right of the data subject to demand the erasure of their data
The data subject also has the right to demand the data controller to erase their personal data to the extent that it is allowed by the legislation.
The erasure of data from the application or withdrawing one’s consent to the use of the application will not restrict the data controller’s statutory right to the processing of personal data.
12.4. The right of the data subject to demand restricting the processing
The data subject also has the right to demand the data controller to restrict the processing of their personal data, for instance, in a situation where the data subject is waiting for the data controller’s response to a request to rectify or erase their data.
Restricting the processing is not possible to the extent that the data controller is fulfilling its statutory duty.
12.5. The right of the data subject to transmit their data from one system to another
To the extent that the data subject has entered data into the application themselves and this data is processed based on the data subject’s consent, the data subject has the right to receive such data for themselves, primarily in a machine-readable format. The data subject also has the right to transmit this data to another data controller. Such data includes, for instance, information describing the data subject’s health or prior medical history that the data subject has entered into the service.
12.6. The right of the data subject to file a complaint to the supervising authority
The data subject has the right to file a complaint to the competent supervising authority if the data controller has not complied with the relevant data protection regulations in its operations.
12.7. Other rights
If personal data is processed based on the data subject’s consent, the data subject is entitled to withdraw their consent by notifying the data controller of this.
13. Contact
For all questions related to the processing of personal data and in situations related to exercising one’s rights, the data subject shall contact the data controller. The contact information of the data controller can be found in section 2.1.
The request must clearly indicate which data you want to have changed, erased, inspected, or updated, or for which data you want to set processing restrictions. The data controller will act on your request as soon as possible. Please note that rectifying, updating, or erasing certain data may mean that your account needs to be temporarily deactivated, during which time you cannot access the application. In such a case, we will not be liable for any harm caused.
If necessary, the data controller may ask the data subject to further specify their request in writing, and the identity of the data subject may be verified, if necessary, before any other action is taken.
14. Marketing and Promotional Activities
On behalf of the Data Controller, personal data may be utilized for marketing and promotional purposes only with the explicit consent of the data subject. Users have the right to refuse marketing communications or to withdraw consent for such use at any time. Procedures for opting out of marketing communications are outlined within the application, and users can also contact the data controller to exercise this right. All marketing activities will comply with applicable laws and regulations regarding data protection and privacy.
For clarification, DBC Global acts as Data Processor and will always manage only group level data or pseudonymized data and.
15. Changes to this Privacy Policy Statement
The Data Processor is entitled to make changes to this Privacy Policy Statement as a part of its own or the application's development activities, or when there are changes in legislation. The updated Privacy Policy Statement will be published within the application. Before continuing the use of the application, the user must read the updated Privacy Policy Statement if the changes made in it have an impact on the processing of personal data or change the principles of personal data processing.