Privacy policy of the Emmy application (patient section) and www.sestraemmy.cz

We care very much about maintaining your privacy. This Privacy Policy (hereinafter referred to as the “Policy”) aims to inform you in a transparent manner about the processing of your personal data in connection with the operation of the patient part of the Emmy web application accessible at https://moje.sestraemmy.cz/ (hereinafter referred to as the “Application”) and of the website accessible at www.sestraemmy.cz (hereinafter referred to as the “Web”). The Policy forms an inseparable part of the terms of use of the patient part of the Application (hereinafter referred to as the “Terms”).


1. Role in processing

1.1. Our company Emmy Medical s.r.o., ID: 06785247, with its registered office at Levohradecká nas. 1066, 252 63 Roztoky (hereinafter referred to as “Emmy” or “We”), may be the controller or the processor in relation to the processing of your personal data. Emmy's role always depends on the purpose of the processing.

1.2. Emmy is the controller primarily in connection with the management of your patient user account in the Application (hereinafter referred to as the “User Account”) and with the operation of the interface of the Application and the Web. For resolving your requests in the Application (hereinafter referred to as “Requests”), including booking an in-person visit and related communications, and, where Emmy is so instructed by the healthcare provider of your choice (hereinafter referred to as “PZS”), also for processing your medical documentation using text conversion (OCR) and AI models, the controller is always the PZS you have chosen. Emmy then acts for the PZS in the role of processor, processing the data under the responsibility of the PZS.

1.3. Emmy is in no way a controller in relation to your sensitive health data processed in the Application. The controller is always only the PZS of your choice with which you communicate. Emmy and the PZS do not in any way act as joint controllers. Emmy's role is limited to providing a technical solution in the form of the Application and to processing the personal data entered into the Application exclusively for the purposes specified by the PZS and in accordance with its instructions. Emmy does not decide what data will be processed through the Application, how, or for what purpose.

1.4. As a registered user of the Application (hereinafter referred to as the “User”) you can easily determine which PZS is the controller of the personal data relating to your Requests visible in the Application. The selected PZS is always clearly identified in the Application interface.


2. Emmy as Controller

Emmy, as controller, may process your personal data for the purposes listed below. There is no automated decision-making, including profiling, during these processes.

Emmy is the controller for the following purposes:

2.1. Maintaining a User Account in the Application

This purpose also includes linking to selected PZS (data transfer for the purpose of User authentication), sending notifications to the Application about changes in the status of your Requests, sending information about the contractual relationship and providing support services in relation to the User Account. The legal basis for the processing is the negotiation of a contract or its performance (Art. 6 (1) (b) GDPR).

The categories of personal data concerned may be:

- identification data (e.g. name, surname, date of birth, number of the insured person, gender),
- contact details (e.g. e-mail, telephone, address),
- login details, settings and activity data of the User Account (e.g. time data, PZS preferences, notifications received, IP address),
- data on the contractual relationship (e.g. its beginning),
- content of communication (about support).

As a rule, you are the source of the data; only some auxiliary data may be collected automatically. The provision of identification and contact data is a contractual requirement, and therefore, if you do not provide this data, you cannot create a User Account. We need the number of the insured person (birth number) in order to transmit it to the PZS for the purpose of verifying the User.

The data will be processed for this purpose for the duration of our contractual relationship, and subsequently some data may be further processed on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) in the defense of rights and property, up to the statutory limitation periods.

2.2. Ensuring the operation of the Application and the Website and its improvement

This purpose includes ensuring the security, availability and performance of the Application and the Website, as well as their further development. The legal basis for this processing is Emmy's legitimate interest in providing quality services (Art. 6 (1) (f) GDPR).

The categories of personal data concerned may be:

- identification data (e.g. name, surname),
- contact details (e.g. e-mail),
- usage data (e.g. number of visits, time data, IP address, location, device),
- feedback.

The source of the data is primarily automatic collection (logging), for which we may also use third-party tools (e.g. Google Analytics); we may also use data provided by you when collecting feedback.

The data will be processed for this purpose for the period necessary to fulfill it (usually 6-14 months). If necessary, this data may also be used on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) to defend our rights and property.

2.3. Sending news and other communications

This purpose includes sending newsletters and other communications to Users of the Application, where such sending does not fall under another processing purpose specified in this Policy. The legal basis for this processing is Emmy's legitimate interest in maintaining contact with the customer (Art. 6 (1) (f) GDPR).

The categories of personal data concerned are:

identification data (e.g. name, surname), contact details (e.g. email, phone).

The source of the data is directly you, and this is the data entered when creating the User Account.

The data will be processed for this purpose until the refusal to send the communication (unsubscribe) or the objection to such processing, but not longer than for the duration of our contractual relationship.

2.4. Responding to inquiries

This purpose includes dealing with your questions or requests in the event that you are not a User of the Application and have no interest in becoming one. The legal basis for this processing is your consent expressed together with the sending of the relevant enquiry or request (Art. 6 (1) (a) GDPR).

The categories of personal data concerned are:

identification data (e.g. name, surname), contact details (e.g. email, telephone), content of communication.

The source of the data is directly you, and this is data provided by you completely voluntarily.

The data will be processed for this purpose for the period necessary to fulfill it.

2.5. Fulfillment of legal obligations

This purpose includes the processing of data in order to comply with our legal obligations — e.g. responding to a data breach, responding to the exercise of data subject rights, etc. The legal basis for such processing is the fulfilment of Emmy's legal obligation (Art. 6 (1) (c) GDPR).

The categories of personal data concerned are:

identification data (e.g. name, surname), contact details (e.g. email, telephone), data on the contractual relationship, other data necessary to comply with the relevant obligation.

The source of the data may be directly you or it may be automatically collected data.

The data will be processed for this purpose for the period necessary to comply with the relevant legal obligation or directly stipulated by the legislation.


3. PZS as controller and Emmy as processor

In relation to most of your personal data processed within the Application, Emmy acts as a processor. For the general purposes of processing set out below, the controllers are the PZS you have chosen directly.

As controller, the relevant PZS is responsible for ensuring that it has a legal basis for processing and that you are provided with all information about the processing of data that it carries out through the Application. In view of the fact that each PZS has the possibility to influence the scope of the data processed, the retention period and the exact purpose of the processing, the information referred to in this Article 3 shall be of a general and informative nature only, and its accuracy and completeness are not guaranteed.

PZS generally use the Application to process your data for the following purposes:

3.1. Organization of the provision of health services

This purpose includes maintaining a patient directory, verifying your identity as an Application User and receiving your Requests, or the creation of Requests by the PZS. It also includes resolving the registered Requests, including booking in-person visits and conducting related communications, i.e. sending messages to the Application or to your contact details.

If the PZS actively opts in (information about activation of this extension is shown in the PZS profile in the Application), this purpose also includes the use of OCR (optical character recognition) and AI technology to improve and accelerate the provision of health services by the PZS. Emmy uses this technology only on the basis of the PZS's instructions. Documents uploaded to the Application are converted into text form using OCR technology. In a closed AI environment, information for the PZS is then prepared, which Emmy sends to the PZS. The PZS does not rely on these outputs in any way and must always check them against the original. Information on security measures for the use of AI and OCR is set out in clause 5.4 of this Policy.

The legal basis may be the negotiation of a contract or its performance (Art. 6 (1) (b) GDPR) or the fulfilment of a legal obligation of the PZS (Art. 6 (1) (c) GDPR). Sensitive health data are usually processed by the PZS on the legal basis of the provision of health care under Art. 9 (2) (h) GDPR, or on the basis of express consent under Art. 9 (a) GDPR, if such consent has been granted to the PZS.

The categories of personal data concerned may be:

- identification data (e.g. name, surname, date of birth),
- contact details (e.g. e-mail, telephone, address),
- data relating to the Request (e.g. health data, order data for the PZS, employment data),
- insurance data (e.g. type, health insurance company, number of the insured person),
- registration data with the PZS (including, for example, the language of communication).

The source of the data is directly you, or it may be data collected in the provision of health care, including data from state registries or health insurance registries. The recipients of the data are employees of the PZS and of Emmy (primarily as processor).

For this purpose, the data will be processed by the PZS in the Application for the period necessary to fulfil the purpose of processing. The PZS, as controller, is entitled to delete all data from the Application at any time. Data will also be deleted from the Application in the event of termination of the contractual relationship between Emmy and the PZS.

In connection with the processing of these data, anonymous aggregate statistics may be generated on the basis of the legitimate interest of the PZS in assessing the effectiveness of its use of the Application (Art. 6 (1) (f) GDPR), including anonymous aggregate statistics that inform patients about the use of the Application.

3.2. Sending news and other communications

The PZS may, on the basis of its legitimate interest in keeping patients well informed (Art. 6 (1) (f) GDPR), use your identification data (first and last name) and contact details (e.g. e-mail or telephone) for the purpose of sending newsletters and other informational communications, including messages to determine your interest in the services offered, provided that the regulations governing the sending of commercial communications (where applicable) are complied with. Recipients of the data are employees of the PZS and of Emmy (as processor). In the event of an epidemic of a serious infectious disease (e.g. COVID-19), other legal bases apply to the use of the above data for the purpose of sending a communication to determine interest in vaccination covered by health insurance (e.g. Art. 6 (1) (e) and (d) GDPR). In addition, other data referred to in Article 3.1, including sensitive health data, may be used for this purpose (pursuant to Art. 9 (2) (i) GDPR). The regulation of the sending of commercial communications does not apply in this case. Extraordinary reporting obligations of the PZS (on the basis of Art. 6 (1) (c) GDPR) may also be associated with the subsequent administration of vaccinations, where the other recipients of the data are mainly public authorities (e.g. the Ministry of Health (MZ), health insurance companies).

In connection with the use of IT services for this processing, data may be transferred to a third country (USA) to a limited extent for this purpose, in which case appropriate safeguards are provided through so-called standard contractual clauses and binding corporate rules.


4. Recipients and transmission of data

4.1. Your personal data, processed by Emmy as controller, may, to the extent strictly necessary, be disclosed to the persons involved in their processing. These are Emmy's employees and our carefully selected processors, in particular those involved in the maintenance and support of the Application, IT service providers and identity verification services, the current list of which can be found at the end of this document. Emmy contractually ensures that all its employees and all persons authorized to process data on behalf of its processors are bound by confidentiality obligations.

4.2. Your personal data processed by Emmy as controller may be further disclosed to the PZS of your choice (in particular for the purpose of verifying the User), to the extent necessary also to our advisors bound by confidentiality obligations (e.g. lawyers) and, to the extent stipulated by law, also to public authorities.

4.3. You can be assured that we will not sell your personal information to anyone and that we will not disclose it to third parties other than as described in this policy.

4.4. Your personal data is stored on servers located in the EU data center of our processor Amazon Web Services EMEA SARL (hereinafter “AWS”). The transfer of your data to third countries (usually the USA) may only take place to a limited extent (e.g. in connection with the use of the Website or the use of tools such as Google Analytics), in which case appropriate guarantees are always provided, either through so-called standard contractual clauses, a copy of which you can request, or because our processors are certified under the so-called EU-U.S. Data Privacy Framework, which, based on the adequacy decision of the European Commission, provides the same protection as if the data were in the EU.


5. Security

5.1. We really care about the security of your data, which is why we place emphasis on strict security measures when processing them, whether in the role of controller or processor.

5.2. All data exchanged between patients and the PZS is encrypted in transit and also encrypted when stored (“at rest”). Our trained employees access your data only when necessary and in accordance with this Policy; only a minimum number of designated employees are authorized to access it, and they are additionally bound by confidentiality obligations.

5.3. AWS, which Emmy uses as its IT infrastructure provider, holds the security certifications ISO 27001, ISO 27017 and ISO 27018. We use Amazon Cognito services to secure all access to Emmy. AWS services are used by banking, financial and healthcare providers around the world. For more information on AWS data center security (in English), see hereunder.

5.4. If the PZS actively opts in, the OCR and AI functions will be used in the Application. Patients' personal data are processed in this context only for the time necessary to provide these functions (i.e. seconds to a few minutes); the data are subsequently stored only in the Application. The AI provider guarantees that the submitted data is not used for further training of language models. More information on security and privacy for AI (in English) can be found here.


6. Cookies

6.1. The Application and the Website use cookies as described in our Cookie Policy, which is available hereunder.


7. Business communication

7.1. In the event that we want to send you commercial communications, we will first give you the option to decline them. If you do not decline, Emmy will be entitled to use your contact details (e-mail, telephone) to send you messages of a commercial nature. In this case, the processing of your personal data is described in Article 2.3. You can then opt out of receiving communications in the manner specified in each individual communication, for example via an unsubscribe link.

7.2. You can be assured that we will not overuse the ability to contact you and that we will never send you advertising messages regarding third party products or services.


8. Your rights

In relation to the processing of personal data, whenever the conditions stipulated by law are fulfilled, you have the rights set out below. You can exercise your rights against Emmy as controller through our Data Protection Officer, whose contact details can be found in Article 9. Please note that for processing carried out by a PZS as controller (see Article 3), you must exercise your rights directly with the relevant PZS, whose contact details can be found in the Application interface.

As a data subject, you have the following rights:

8.1. The right to access personal data, i.e. the right to request confirmation that your data is being processed and, if so, to obtain information about the processing in question, or a copy of the processed data;

8.2. The right to request correction of inaccurate or incomplete data;

8.3. The right to request the immediate erasure of the processed data, if any of the grounds set out in the legislation applies;

8.4. The right to request a temporary restriction of the processing of personal data, if any of the grounds set out in the legislation applies;

8.5. The right to object to the processing of data on the basis of legitimate interests or, where appropriate, for direct marketing purposes;

8.6. The right to withdraw the consent granted to the processing of personal data at any time;

8.7. The right to the portability of personal data, i.e. the right to receive the processed data in a structured, machine-readable format, if the conditions set out in the legislation are met.


9. Contact

9.1. With requests for the exercise of your rights or any questions regarding the processing of personal data, you can contact our Data Protection Officer via e-mail at poverenec@sestraemmy.cz, or contact us in writing at the address of the company's registered office. If you have a complaint about the processing of personal data, you also have the right to contact the supervisory authority, which is the Office for Personal Data Protection.


LIST OF PERSONAL DATA PROCESSORS

- Amazon Web Services EMEA SARL, Czech Branch, ID: 09049266, registered office at Sokolovská 689/115, 186 00 Prague
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA
- Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
- Zendesk Inc., 989 Market Street, San Francisco, CA 94103, United States
- Twilio, Inc., 375 Beale St Suite 300, San Francisco, CA 94105, United States
- TopEfekt s.r.o., ID 29444268, registered office B. Němcové 767/13, 787 01 Šumperk
- Bank Identity, a.s., ID 09513817, registered office Smrčkova 2485/4, Libeň, 180 00 Prague 8
- Vocalls Inc s.r.o., ID 06413421, with registered office Rostovská 314/14, Vršovice, 101 00 Praha 10
- ROBOTEER AUTOMATION LIMITED, 15 Bridge Road, Wellington, Telford, TF1 1EB, United Kingdom
- SENDINBLUE — 106 boulevard Haussmann, 75008 Paris, France


Version 1.3

Effective August 6, 2024

Downloadable document hereunder.

(Previous version of the document for download hereunder.)
