Privacy Policy

1 - Introduction

Honestica is the publisher of the Lifen service and will hereafter be referred to as "Lifen" for the purposes hereof.

Lifen attaches great importance to the protection of your privacy and your personal data. It is a founding element of our approach. The purpose of this personal data protection charter (hereafter the "Charter") is, therefore, to present to you in more detail our approach to your personal data, to explain to you the cases in which we collect them, the reasons justifying this collection and what we do with them. It also presents the security measures we apply to protect their confidentiality, and reminds you of your rights regarding your personal data and the means to exercise them. We draw your attention is drawn to the fact that the data collected via Lifen are sensitive and confidential data that require special vigilance.

This data refers to information concerning natural persons, identified or identifiable, directly or indirectly, including data relating to physical or mental health (hereinafter the "Personal Data"). Our Charter applies in compliance with the provisions relating to the protection of Personal Data, and in particular, European Regulation 2016/679 of 27 April 2016, and the Data Protection Act of 1978 as amended, as well as the provisions of the Public Health Code (CSP), (hereinafter the "Act"). This Charter is intended to apply to the users of Lifen and to the visitors during their navigation on the lifen.health website (hereafter the "Website"). This Charter is an integral part of the General Conditions of Use of the Site.

2 - Definitions

For the purposes hereof, the terms and expressions defined below shall have the following meanings:

• "Control Authority" means the Commission Nationale de l'Informatique et des Libertés (CNIL) or any other competent control authority;
  
• "Lifen Account" means an account allowing a user to log in to Lifen in an authenticated and secure manner;
• "DPO" means the Personal Data Protection Officer, in accordance with Article 37 of the DPOGR;
• "Personal Data" means information concerning natural persons, identified or identifiable, directly or indirectly, of which the User is the Data Controller, and which is processed by Lifen on behalf of the Client ;
• "Personal Health Data" means Personal Data relating to the physical or mental health of a natural person, including in particular data produced in the course of the prevention, diagnosis, care or dispensing of medicinal products by a Health Professional and any element capable of characterising the health of a natural person;
• "Patient" refers to the data subjects of the medical documents and medical questionnaires ;
• "Desktop publishing service provider" means the desktop publishing service provider, Corus, with which Honestica entered into a contract on 23 October 2018, or any other service provider who prints, envelopes and sends by post the reports in paper form.
• "Law" means all laws and regulations applicable to the processing of Personal Data;
• "Health professional" means any health professional practising within a liberal structure or a health establishment, registered with his professional association or registration authority ;
• "Controller" shall mean the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data ;
• "Sub-processor" means the natural or legal person who processes Personal Data on behalf of the Controller ;
• "Subcontractor" means a third party Subcontractor engaged by Lifen who, in the course of providing services on behalf of Lifen, is authorized to process Personal Data;
• "Processing" means any operation or set of operations, whether or not carried out by automated processes, which is applied to Personal Data or sets of Personal Data;
• "User" refers to a health professional (practising within a liberal structure or a health establishment, registered with its professional order or registration authority, and the structures, services or PMSI), a medical secretary, a medical administrative assistant who uses Lifen.
  

3 - Who processes your personal data?

The person responsible for the collection and processing of your Personal Data is:

• The User, for the Personal Health Data collected - we act as a subcontractor. This means that Lifen, in its capacity as a subcontractor, only processes this Personal Data on the User's instructions. As the person in charge of the processing, the User carries out the formalities of declaration of conformity with the CNIL to use Lifen. If Lifen is not required to carry out these formalities, we have nevertheless put in place security and confidentiality measures to guarantee the protection of your Personal Data.
  
• Honestica, including any company controlled by it under the terms of Article L.233-1 of the French Commercial Code, for Personal Data collected either in the context of the creation of the User's Lifen Account, or from contact forms, or when browsing Lifen.fr, or for Personal Data that patient users transmit via their personal account to a healthcare professional.

Lifen outsources some of its activities for the performance of its services. For example:

• the hosting of the Personal Data processed is carried out with hosts certified as Health Data Hosts by the French Ministry of Health, the company AWS;
  
• The printing, enveloping, and posting of medical communications that require a hard copy is carried out by the company Corus.

We are committed to ensuring that our subcontractors guarantee the same level of safety as we do. The User and Honestica (hereinafter the "Parties") agree to comply with the Law applicable to the Processing of Personal Data. The Parties undertake to abdide by the General Health Information Systems Security Policy issued by ASIP Santé (hereafter the"PGSSI-S").

4 - For what purposes is your data processed?

Lifen only processes your Personal Data for the purposes below:

• allowing the exchange of medical documents between Users;
  
• the remote follow-up of patients exhibiting symptoms of Covid19;
• ensuring an optimal website navigation experience.

For the exchange of documents, the data processing carried out consists of extracting information contained in the medical documents and then using them to accomplish the purposes of the processing.

For the remote follow-up of patients exhibiting symptoms of Covid-19, the data processing carried out consists of collecting medical information from patients through targeted questionnaires received via SMS or e-mail for a period of 14 to 30 days.

The questionnaires are analysed automatically and are presented to health professionals in the form of dashboards and alerts to help them adapt their patient follow-up according to the results.

Unless otherwise expressly stated by the User, Lifen does not use your Personal Data for commercial or marketing canvassing, research, or the publication of statistics.

5 - What data is processed?

The Personal Data Lifen processes is:

• Personal contact data (first name, surname, date of birth, email address, mobile phone number and home address);
  
• Sensitive personal data (health data), such as medical reports, medical questionnaires, etc., may be used for the purpose of the processing of personal data;
  
• Personal traceability and navigation data on the site (IP address, cookies, logs, etc.).
  

Cookies

What is a cookie?

A "cookie" is a piece of information stored on your device when you browse a website. It allows your device to be identified each time you visit the aforementioned website.

What are cookies used for?

Lifen uses cookies in order to:
- Offer you a better browsing experience on Lifen.health;
- Measure and improve the services offered on Lifen.health.

What can you do to manage the cookies stored on your device?

You can accept or decline cookies. If you reject the cookies, some aspects of Lifen's Webite may not work on your device, and you may not be able to access certain features of Lifen's Website.

6 - What does Lifen do with your data?

The Personal Health Data is strictly intended for the Users concerned in the process of issuing and/or receiving medical documents. Lifen guarantees that they will not be transmitted to any unauthorized third party, subject to possible subcontractors of Lifen, such as the certified health data host or the desktop publishing provider.

The Personal Data collected in the contact forms and the cookies is only intended for the administrators of Lifen. Lifen does not transfer Personal Data to countries that are not members of the European Union or the European Economic Area.

Lifen may, however, communicate the Personal Data it processes to third parties when such communication is required by law, regulation or court order or if such communication is necessary to ensure the protection and defence of its rights.

Concerning Personal Health Data, Lifen undertakes, when the legal framework allows it:

• as a matter of priority, to communicate the data requested by the requesting authority only with the consent of the Data Controller;
  
• to communicate as soon as possible to the Data Controller any information on the scope of the data entries and/or on the persons concerned by the data entered.
  

The User, as the person responsible for processing personal health data, is responsible for:

• Supervising data processing;
  
• Carrying out the declarative CNIL formalities that are necessary to the processing, which it proceeds via the use of Lifen.
  

Lifen, as a Subcontractor, undertakes to:

• Carry out the processing entrusted to it solely within the framework of the purposes which are the subject of the processing;
  
• Maintain a record of all processing activities;
  
• Make all the information necessary available to the Controller to demonstrate compliance with the obligations incumbent upon them;
• Communicate the extract from its register of processing activities corresponding to the processing operation under the responsibility of the Controller, upon written request of the Controller;
• To enforce the utmost professional secrecy with respect to Personal Health Data in transit through Lifen to persons under its responsibility or to service providers who may be involved in its execution. Lifen is required, in the application of the GDPR, to inform the Data Controller if one of its instructions constitutes a violation of the Law.
  

Second tier subcontractors

In accordance with Article 28 of the GDPR, the Data Controller generally authorises Lifen to have recourse to subcontractors (hereafter "second tier subcontractors") to carry out specific processing activities.

Lifen ensures that the second tier subcontractor presents the same guarantees in regards tothe implementation of the Security Measures for the missions entrusted to them. Lifen undertakes to enter into a contract with the Sub-Contractor under which its access to the data of the Data Controller will be strictly limited to the purpose of the contract entered into with Lifen.

The Sub-Contractors with which Lifen has entered into a contract, in force at the date of signature of the Contract, are AWS (certified hosting provider), Corus (desktop publishing), MS Santé (secure health messaging) and Apicem (secure health messaging).

The Data Controller has the right to object to the use of a Second tier Subcontractor from the date of receipt of this information.

7 - Protection of your data and retention period

Security

Lifen implements all security measures required to protect your Personal Data. To ensure the security of your Personal Information, Lifen has implemented the following procedures and processes:

• Pseudonymization and/or encryption of web log-ins and Personal Data;
  
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  
• The possibility of restoring the availability and access to Personal Data within appropriate time limits, in the event of a physical or technical incident;
  
• The hosting of Personal Health Data within certified health data hosts;
  
• A strong authentication of Users in order for them to access Personal Data;
  
• Appropriate measures to protect Personal Data against loss, misuse, unauthorised access, disclosure, alteration or destruction;
  
• Access traceability;
  
• A process to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure safe processing.
  

‍

The Parties undertake to take appropriate measures to ensure that any employee, partner, subcontractor and any individual acting under the authority of the Data Controller or Lifen is duly authorized to access Personal Data. Healthcare professionals who use Lifen are subject to professional secrecy by law. Thus, each User is invited to implement, under their responsibility, all useful and relevant security measures for the purposes of protecting access to their computer, phone or other mobile devices, and to all Personal Data accessible on Lifen, in particular with respect to third parties.

In order to guarantee the confidentiality, integrity and security of Personal Data, Lifen acknowledges having implemented the Security Measures below, intended to protect Personal Data:

• All Personal Data processed by Lifen is hosted, i.e. stored, on a permanent or occasional basis for processing purposes, by a health data host certified by the French Ministry of Health;
  
• All Personal Data processed by Lifen is saved on a system ensuring its redundancy, and hosted by a health data host certified by the French Ministry of Health on the same hosting websites;
  
• All connections to the server are encrypted using the HTTPS protocol. All Personal Health Data is stored and encrypted in a "health data" database;
  
• In accordance with the provisions of article L.1110-4 of the Frencg Public Health Code, decree no. 2007-960 of 15 May 2007 known as the "confidentiality decree", and ASIP Santé's recommendations, particularly the "Authentication reference system for healthcare professionals", Lifen has set up a strong User authentication system;
  
• Access to Functional Tracks and Personal Data are tracked and logged in accordance with the principles of the S-ISMP. Lifen undertakes, on request, to give access to this traceability to the Data Controller;
  
• Medical reports sent by postal mail are sent to the Desktop Publishing Service Provider via a secure FTP server with IP restriction;
  
• Lifen is a certified MSSanté messaging operator by ASIP Santé.
  

Geographical areas

Lifen hosts personal data in hosting providers, which can be either:

• the company Amazon Web Services EMEA SARL, a limited liability company registered with the Luxembourg Trade and Companies Register under the number B186284, whose registered office is located at 38, avenue John F. Kennedy, L - 1855 Luxembourg. In this context, the Personal Data is transferred to the servers of the AWS site in Dublin without being stored there.
  

If Lifen comes to contract with a new host outside of France, Lifen undertakes to give the Data Controller the choice of the country of hosting of its Personal Data.

Retention Period

Health Data

Lifen is committed to retaining the Personal Data collected for a limited period of time. However, Lifen is not responsible for the obligations of the Data Controller regarding the retention period of Personal Data.

The retention periods of Personal Data collected via Lifen are different according to the type of data, and are specified below:

At the end of the retention period, Lifen undertakes, at the choice of the Data Controller, to:

• Destroy all Personal Data;
  
• Return the Personal Data to the Data Controller;
  
• Archive personal data after they have been made anonymous.
  

However, medical documents that have been sent to the Processor, or that the latter has sent via Lifen, may be retained as long as other medical professionals sending or receiving such medical documents remain active on Lifen.

Administrative data

Personal Data used for the purposes of sending contact forms and managing Lifen's customer files are kept for a period of three years from the time of their collection or from their last contact with Lifen.

Browsing data

Connection logs, cookies and other tracers set up on Lifen's Website will be kept in accordance with the applicable regulations for a period of 13 months. For more details, refer to the "Cookies" section hereabove.

8 - Your rights and how you can exercise them

In accordance with the Law, you have a right of access, rectification, limitation, opposition, deletion and portability of your Personal Data, which you may exercise for legitimate reasons, and subject to any legitimate compelling reasons that Lifen may have for retaining your Personal Data. These rights may be exercised at any time by filling in this form (PDF - ODT) and returning it:

• by e-mail to dpo@lifen.fr;
  
• by post to the following address: Lifen at Wework, 106 Boulevard Haussmann, 75008 Paris, France;
  
• or directly to the health data hosting companies, namely 'AWS' at 38, avenue John F. Kennedy, L - 1855 Luxembourg.
  

In the event of a request, Lifen undertakes to inform, as soon as possible, the Data Controller and to provide them with the information necessary for the transmission of the data to their patient.

The Data Controller acknowledges that they are exclusively responsible for the aforementioned information and the collection of consent from patients in compliance with the provisions of the GDPR. The User, as Data Controller, must designate a person within their organisation (the "Customer Contact") who will be able to designate a health professional to Lifen when necessary, in the event, for instance, of any problem requiring access to health data or relating to the management of patient relations. The Data Controller must make sure to communicate to Lifen, through their DPO, a new Customer Contact when necessary, in particular in the event where a Customer Contact separates from service.

Right to information

Lifen informs you about the collection and processing of your Personal Data and the rights you have in this respect:

• in the present Charter, which Users can read at any time on Lifen's Website, or when they create a Lifen Account;
  
• within the UGC;
  
• when creating a Lifen Account.
  

Lifen informs its Users who are part of the same healthcare team that it is their responsibility to provide the patients they care for (hereinafter the "Patients") with the following information prior to sharing their health data:

• their identity as Data Controller ;
  
• the purpose of the secure messaging service and its conditions of implementation, including in the case of data hosting with a host certified for this purpose;
  
• the data collected;
  
• the recipients of the said data;
  
• the said data's retention period;
  
• the rights available to them and the procedures for exercising those rights.
  

For Lifen Users who are not part of the same healthcare team, we inform them that the Patient must expressly consent, by means of a checkbox:

• to the collection and processing of their Health Data;
  
• to the sharing of information concerning them ,explicitly. The delivery of information, and the collection of the Patient's consent must be carried out by the User, through the communication of an information-consent notice.
  

Right of access, rectification and limitation:

You can ask us at any time:

• details of the Personal Data we process;
  
• to modify your Personal Data;
  
• to limit the processing of your Personal Data.
  

Right to portability

You have the right to retrieve the Personal Data you have provided to us. Lifen is committed to providing you with your Personal Data in a structured, commonly used and readable format.

Right of opposition and right of erasure

You may object to the processing or request the deletion of your Personal Data, i.e. their deletion by Lifen.

9 - To whom should you address your requests?

We have appointed a Délégué à la Protection des Données personnelles (Personal Data Protection Officer, in French - hereinafter the "DPO") at the CNIL, to demonstrate our commitment to respect your privacy and your rights to your Personal Data. For any question related to the processing of Personal Data by Lifen, you may contact our DPO at the following email address: dpo@lifen.fr, or by post at Lifen at Wework, 106 Boulevard Haussmann, 75008 Paris, France.

10 - Other commitments

Impact analysis relating to the protection of Personal Data

In accordance with Article 35 of the GDPR, the Data Controller undertakes to carry out an impact analysis to ensure the compliance of the Processing with the Law, when it is likely to generate a high risk for the rights and freedoms of the persons concerned by the Processing.

In the event that Lifen becomes aware of a high risk to the rights and freedoms of the persons concerned by the Processing, we undertake to inform the Data Controller of such a risk as soon as possible and to assist them in carrying out the impact analysis, as well as in carrying out the prior consultation with the supervisory authorities.

‍

Certification

We undertake to provide the Data Controller with proof of our certifications on request, and to inform them of any change of certifications office within 30 days.

Furthermore, we undertake to provide the latest audit report on our certifications upon request by the Data Controller.

‍

Notification of violations of Personal Data

In accordance with Article 33 of the GDPR, the Data Controller undertakes to notify the supervisory authority, within a maximum period of seventy-two (72) hours from the time of becoming aware of any violation of Personal Data.

Lifen undertakes to inform the Data Controller, as soon as possible after becoming aware of any breach of Personal Data, concerning the Processing for which the Data Controller is responsible, and to take the appropriate measures to limit the risk and protect the aforetmentioned Personal Data.

The notification will be sent by Lifen to the Data Controller by e-mail, and will contain, as far as possible, any piece of information useful to the Data Controller in order to enable them to notify, if necessary, the violation to the supervisory authority.

The notification sent to the Data Controller by Lifen does not constitute an acknowledgement of fault or responsibility on the part of the latter.

‍

Audit

The Data Controller reserves the right to conduct audits to verify Lifen's compliance with the provisions of this Charter.

After informing Lifen in writing, including by email at dpo@lifen.fr, with twenty (20) days' notice, the Data Controller may have an audit performed, at its own expense, to verify compliance with all security measures implemented to ensure the security of Personal Data. Such an audit may take place at any time, subject to a limit of one audit per calendar year.

The audit shall be performed by an independent and recognized expert, whose choice shall be approved by Lifen at least five (5) days before the audit begins. Such an audit will be the subject of a tripartite agreement, the main clauses of which shall be in accordance with the PASSI requirements published by the ANSSI.

In any case, the audit operations must not disrupt the operation of the service implemented by Lifen beyond the constraints inherent to an audit.

The audit shall not include information that is not specific to the Data Controller, in order to preserve the confidentiality of information specific to other Lifen customers or information of which its disclosure could jeopardise the security of other customers and other personal data concerning them.

Lifen agrees to provide the User with the results of an independent external audit of Lifen's pooled operational features (security features that Lifen has in place for all of its customers).

Lifen agrees to cooperate in good faith with the auditor and to facilitate the audit by providing all necessary information and byresponding to all audit-related requests.

A copy of the audit report prepared by the auditor will be provided to each party.

If the conclusions of the audit contain recommendations, the conditions for their implementation will be studied in a contradictory manner as soon as possible by the Data Controller and Lifen, jointly.

The auditor, a designated natural person, will be duly mandated in writing by the contractor, and will be subject to the strictest confidentiality and business secrecy.
‍

11 - Amendments

Lifen reserves the right to modify its Policy at any time, and will publish the modified version on its webite.

Last update: August 17, 2022