Doctor Anytime: Data Protection Policy

This Privacy Policy (hereafter the "Data Protection Policy") applies to the online services provided by the Website www.doctoranytime.be (hereafter referred to as the "Website") developed by DOCTOR ANYTIME BELGIUM SPRL (hereafter "ANYTIME DOCTOR"), whose head office is Avenue Louise 416, 1050 Ixelles.

By accepting the DOCTOR ANYTIME general Terms and Conditions, the User expressly accepts the following provisions of the DOCTOR ANYTIME Data Protection Policy.

The services provided by DOCTOR ANYTIME through the Website (hereafter, the "Services") allow its Users to enjoy various facilities enabling them to find a practitioner in the field of health and booking/managing medical appointment. This way, two categories of users can be distinguished:

  • The practitioner user, who wishes to benefit from the Services (i) to enjoy more visibility, (ii) to enjoy an online appointment management service offered to his patients.
  • The patient-user, who wants to find a health practitioner registered with DOCTOR ANYTIME and request an appointment with a health practitioner registered with DOCTOR ANYTIME.

These two types of users are grouped, for the purpose of this policy, under the term «User(s)».The Website allows its Users to register, access/log-into and benefit from the Services.

The Services are made available by DOCTOR ANYTIME with the intervention of several third-parties (Doctor Anytime Members):

  • Service providers: providers of services or goods or any other third party with whom the User uses the Website to register with them, or to connect to their website/application;
  • SIM controllers: the telecommunication operator of the User;
  • Identity registrars: entities that can control the identity of the User.

DOCTOR ANYTIME acts as data "controller" in accordance with the Belgian laws and, as such, DOCTOR ANYTIME is responsible for the collection and use of Users' personal data.

This following policy explains the different elements of the personal data that will be collected, the purposes of collection, any sharing of that data with third parties, User’s rights as the data subject and the measures taken to protect his personal data. DOCTOR ANYTIME draws the User's attention to the fact that the Services necessarily imply that we will collect and store personal data pertaining to the User and that DOCTOR ANYTIME will communicate some elements of the User’s personal data to third parties, as described below.

This Data Protection Policy only describes the processing of personal data performed by DOCTOR ANYTIME or on its behalf as part of the Services - the SIM Controllers, Service Providers and Identity Registrars also process User’s personal data in the context of their own services or activities; for those processing activities, please refer to their Personal Data Protection Policies.

1. THE PERSONAL DATA DOCTOR ANYTIME COLLECTS AND HOW

1.1. Personal data DOCTOR ANYTIME processes

In order to offer the Services as set out in this Data Protection Policy, DOCTOR ANYTIME processes different categories of personal data:

  • Data relating to the research of a practitioner and the booking/management of appointments via the Website, which allows DOCTOR ANYTIME to propose to the User the contact information of a practitioner in the desired geographical area, and possibly (if the practitioner is registered on the DOCTOR ANYTIME platform) book an appointment schedule:
    • Specialty sought, the name of practitioner or medical center sought;
    • Geographic area of the sought practitioner;
    • Surname, first name, address, specialty, expertise, telephone number;
    • Type of consultation, Message entered during the appointment process, appointment history, evaluations and comments following the optional surveys.
  • Identity data, which allow DOCTOR ANYTIME to identify the User, and possibly his relatives. These cover different kinds of data:
    • core identity data, consisting of full name, gender, legal address, nationality, date and place of birth, language spoken, computer equipment used for navigation and IP address, web browser cookies, and possibly ID or passport number.
    • contact information (e-mail address and mobile phone number);
  • Enrolment data, which are specific to the registration process and cover information such as the User's consent to the Terms and Conditions and the Data Protection Policy of DOCTOR ANYTIME. As part of the registration, DOCTOR ANYTIME collects the username and password chosen by the User.

All the data mentioned above are mandatory in order to benefit from the Services. DOCTOR ANYTIME could process other data on a voluntary basis, but in such case, DOCTOR ANYTIME would inform the User and ask for his prior thereto.

1.2. How personal data are collected

The different categories of personal data described are either collected directly from the User or by DOCTOR ANYTIME, or a DOCTOR ANYTIME Member:

  • The data relating to the search for a practitioner and the booking/management of appointments via the Website are collected directly from the User when using the Site or from practitioners who have given their consent or by subscribing to the Services, either by accepting that their contact information appears on the Website.
  • Identity Data is collected either directly from the User or from the Identity Registrar the User enrolled with for the Application. When the User enrolled with them he consented to the transfer of his identity data to DOCTOR ANYTIME.
  • Enrolment data is created when registering for a DOCTOR ANYTIME account. Enrolment data is obtained either directly from the User, when registering through the Website, or through the Identity registrar.

2. WHAT IS YOUR PERSONAL DATA USED FOR

The personal data DOCTOR ANYTIME collects are used to provide the User with the Services, it being understood that this includes:

  • offer the User the possibility of finding a practitioner in a defined geographical area;
  • offer the User the possibility of making an appointment with a practitioner directly via the Website;
  • carry out the operations the User requests from the Website and more generally, the operation of the Website;
  • operate, evaluate and improve the Services offered by DOCTOR ANYTIME, such as: (i) managing our communications with the User, (ii) monitoring the usage of the Website after an advertising or marketing campaign, (iii) analyzing DOCTOR ANYTIME's products, services and Websites, (iv) facilitating the functionalities of the Website, (v) showing additional services that could be of interest of the User and (vi) performing accounting, auditing, billing, reconciliation and collection activities;
  • fraud and risks management; and
  • any processing required to comply with applicable legal requirements and industry standards as well as policies applicable to DOCTOR ANYTIME.

The different categories of personal data are processed for the purposes and in the manner described below.

2.1. When will the Data relating to the finding a practitioner and the booking/management of appointments via the Website be processed and how

  • Searches carried out by the User: the data relating to the search for a practitioner and the booking/management of appointments via the Website will be collected the first time the User registers after he consented to the Terms and Conditions of DOCTOR ANYTIME;
  • Archiving: once the User has terminated his use of the Services, the collected data will be archived until the closing of the User’s account.

2.2. When will the Identity Data be processed and how

  • Registering for services or appointment request without account creation: we will collect User’s identity data when he agrees to the DOCTOR ANYTIME Terms and Conditions. The User has expressly consented to their acceptance.
  • Registration with a Service Provider: every time the User registers for the first time with a Service Provider through the App, his consent is requested. This is because in such case DOCTOR ANYTIME will have to transfer elements of his identity data to them. The User will be asked to consent to each data transfer and to any additional data request should it arise.
  • Archiving: once the User has terminated his use of the Services or after a period of inactivity of a year, the data will be archived for evidentiary purposes for a period of two years, after which they will be destroyed.

All elements of User’s Identity Data that are communicated to Service Providers will be processed by those Service Providers acting as Data Controllers in accordance with their own privacy policy.

2.3. When will the Enrolment Data be processed and how

  • At the enrolment: the enrolment data will be generated and collected at the time of the User's enrolment with the Services;
  • Appointment request without account creation: enrolment data will be generated and collected at the time of making an appointment request without creating an account (enrolment of the User with the Services);
  • Evidence and Archiving: enrolment data is kept in the database either by the Identity Registrar (acting as a subcontractor for DOCTOR ANYTIME), or directly by DOCTOR ANYTIME for evidentiary purposes. Once the User has terminated his use of the Services, the data will be archived for a period of two years. After this period, enrolment data will be destroyed.

3. PERSONAL DATA AND THEIR SHARING

DOCTOR ANYTIME does not sell nor disclose personal data it collects about the User to third parties, except as described in this Data Protection Policy (here above and below). DOCTOR ANYTIME will only share personal data to enable the performance of any Service to which the User has chosen to use. In this respect, DOCTOR ANYTIME may share the User's personal data with other Users (practitioners who are registered on DOCTOR ANYTIME), our members, including the Service Providers, as described above.

DOCTOR ANYTIME transfers data to third parties who process data in the context of performing the Service on behalf of DOCTOR ANYTIME (subcontractors). Those actors are not authorised to use the data or disclose it in any way except as described above or to comply with legal requirements. DOCTOR ANYTIME contractually requires these third parties and its Members to appropriately safeguard the privacy and security of the personal data they process on its behalf.

DOCTOR ANYTIME may also disclose data about the User (i) if DOCTOR ANYTIME is required to do so by law or legal process, (ii) to law enforcement authorities or other government officials in accordance with their competences, or (iii) where DOCTOR ANYTIME believes that disclosure is necessary or appropriate to prevent physical harm, or (iv) in connection with an investigation into suspected or actual fraudulent or illegal activity.

DOCTOR ANYTIME also reserves the right to transfer any personal data that DOCTOR ANYTIME has about the User in the event that DOCTOR ANYTIME sells or transfers all or a portion of his business or assets affecting the Services. Should such a sale or transfer occur, DOCTOR ANYTIME will ensure that the personal information that the User has provided to DOCTOR ANYTIME remains to be treated in a manner that is consistent with this Data Protection Policy.

4. YOUR RIGHTS AND CHOICES

4.1. Access, rectification and data portability

At any time, the User may exercise his right to access and rectify his personal data that DOCTOR ANYTIME may retain in connection with the Services, in accordance with applicable data protection laws, either through the interface of the Website itself, either by sending a request with a copy of the front of your identity card, passport or other proof of identity to the following address: [email protected], in writing to DOCTOR ANYTIME Avenue Louise 416 1050 Ixelles, or the Data Protection Officer (DPO), [email protected]

DOCTOR ANYTIME draws the attention of the User to the fact that certain elements of his personal data can be consulted via the interface of the Website and as User, he has the right to rectify and modify these data at any time. However, because the security of the Services depends on the integrity of the core identity data, the modification of these identity data will only be possible by following the steps of enrolment: either through an Identity Registrar or via the DOCTOR ANYTIME website.

Finally, as soon as applicable, the User will also have the right to data portability in accordance with applicable data privacy laws.

4.2. Erasure

The User may at any time exercise his right to data deletion in accordance with applicable data protection laws, by sending a request with a copy of the front of his ID card, passport or any other proof of identity to the following address: [email protected], in writing to DOCTOR ANYTIME Avenue Louise 416 1050 Ixelles, or to the Data Protection Officer (DPO), [email protected] DOCTOR ANYTIME will refrain from using any personal data contained on this application and will only continue to store any past personal data for evidentiary purposes over a period of 2 years, after which they will be erased. Once the data has been deleted, the Users will no longer be able to use the Services.

4.3. Objection

When using the Website or the Services, the User is requested to consent to certain data processing activities. The User will have the right to withdraw his consent to such activities at any time, by sending a request with a copy of the front of his ID card, passport or other proof of identity to the following address: [email protected], in writing to DOCTOR ANYTIME Avenue Louise 416 1050 Ixelles, or to the Data Protection Officer (DPO), [email protected] Such withdrawal will not affect the awfulness of past data processing. Please note that opposing to some processing can, however, impact your continued use of the Services because DOCTOR ANYTIME can not provide the Services without processing the necessary elements to his personal data.

At any time, if the User considers that his rights have not been respected, he may also log a complaint with the Belgian Commission for the Protection of Privacy, rue de la Presse, 35 to 1000-Brussels.

5. HOW WE PROTECT PERSONAL DATA

5.1. How we ensure the integrity of stored data

DOCTOR ANYTIME maintains appropriate technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised modification, disclosure or unauthorised access, misuse and any other illegal form of processing of personal data in its possession.

The security measures DOCTOR ANYTIME adopts depend on the different types of information collected and stored.

  • Data Storage

    All User’s personal data, whether used actively or archived, is stored in the servers of DOCTOR ANYTIME and not the Website itself or the Application itself. DOCTOR ANYTIME uses secured servers, which are located in Germany to store the data. No personal data will be stored outside the European Union.

  • Restricted Access

    Internal access to personal data is limited on a strict ‘need-to-know’ basis. Only authorised personnel, whose activity will be monitored to prevent any misuse, will be able to access the data.

6. DATA PROCESSING

In this section of the contract, the term “processor” designates Doctoranytime; and the term “controller” designates the practitioner committed with Doctoranytime to a contract of service sales.

As a processor of the practitioner, Doctoranytime is not required to obtain consent or inform the patient about how they process personal data. Where appropriate, these obligations rest upon the practitioner.

However, their status of processors does not mean that Doctoranytime is exempt from complying with the Regulation (EU) 2016/679, also called “General Data Protection Regulation” and hereafter known as “GDPR.” In accordance with Article 28 of the GDPR, the processor shall provide sufficient guarantees as to the implementation of appropriate technical and organisational measures in order to ensure that the processing of data meets the GDPR requirement. The processor shall also underwrite the protection of the rights of the data subject.

The processor cannot recruit another processor without the prior authorisation, being specific or general, from the controller.

The GDPR requires the controller and the processor to sign a contract which specifies its outlines: the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of the data subjects, and the obligations and rights of the controller.

This contract provides, in particular, that the processor:
  • shall only process personal data following documented instructions from the controller,
  • shall ensure that the persons authorised to process personal data commit to respect confidentiality or obey an appropriate legal obligation of confidentiality,
  • shall take all the measures required by the Article 32 of the GDPR, as part of the security of personal data,
  • in the event the processor would be authorised to use another processor, he shall apply the same obligations, standards and requirements to the latter as those applying to himself, under the contract concluded with the controller,
  • shall consider the nature of the processing of data and assist the controller, by setting up appropriate technical and organisational measures, to the greatest extent possible, to comply with his obligation to respond to requests from the data subjects that contact him in order to exercise their rights,
  • shall assist the controller to ensure compliance with the obligations provided by the Articles 32 to 36 of the GDPR (i.e. data security, notification to the supervising authority of any breach in personal data, communication of the breach to the data subjects, impact analysis, prior consultation); the processor shall take into account the nature of the processing of data, and the information available to the controller,
  • shall delete every personal data according to the choice of the controller, or send them back to the controller, at the end of the service delivery relating to the processing of data; the processor shall also destroy existing copies unless the regulations require the retention of such data,
  • shall make available to the controller all information necessary to demonstrate compliance with the obligations set out above and to allow audits, including inspections, to be carried out by the controller or another auditor he may have mandated, and to contribute to such audits.

7. DATA TRANSFERS

DOCTOR ANYTIME does not transfer any of the User's personal data outside the European Economic Area, nor in any manner not specified here above.

8. UPDATE TO THIS PRIVACY POLICY

This Data Protection Policy may be periodically updated to reflect changes in our personal data practices. DOCTOR ANYTIME will post a prominent notice on its Website to notify the User of any significant changes to its Data Protection Policy and indicate at the top of the notice when it was most recently updated. Where required, the User will be asked to renew his consent to this Data Protection Policy.

9. HOW TO CONTACT US

If the User has any questions or comments about this Data Protection Policy, if the User would like to exercise your rights, or to update the information that DOCTOR ANYTIME has about him or his preferences, please contact us here: [email protected], in writing to DOCTOR ANYTIME Avenue Louise 416 1050 Ixelles, or to the Data Protection Officer (DPO), [email protected]

EU Greece ESPA 2011 - 2014

The project is co-financed by Greece and the European Union