Privacy Policy 
Eforto® Mobile Application
FORTO 2.0 study


1. Introduction

At UniWeb, as manufacturer of the Eforto® investigational device, we care greatly about your privacy. To protect the security and confidentiality of your data, we have developed the Eforto® investigational device, Dynamometer & Mobile Application, and related web application, the Telemonitoring Platform, with attention to security and data privacy. UniWeb has 20+ years of experience in web development and is ISO 9001:2015 and ISO 27001:2013 certified.

Our high standards and strong controls for information security allow us to protect your critical and sensitive personal data contained in our information systems. As such, we prevent your personal data from being compromised, altered, lost, destroyed, published or disclosed without proper authorization.

The Eforto® Mobile Application and Telemonitoring Platform on which the test results are stored are ready to meet the challenges of the General Data Protection Regulation.

2. Who has access?

Data Controller

You are using the Eforto® investigational device in the context of a clinical investigation. Therefore, the hospital or research site will act as Data Controller, and the data privacy principles and security measures were shared with you during the recruitment and informed consent process.

The following partners support the research for the Eforto® product and act as Data Controller:

  • Vrije Universiteit Brussel (VUB)-Universitair Ziekenhuis Brussel (UZB)
  • Radboud University Medical Center Nijmegen (Radboudumc)
  • Ziekenhuis Groep Twente (ZGT)

Data Processing/Transfer Agreements were made between the Data Controllers and UniWeb BV, manufacturer and Data Processor of the Eforto® investigational device.

Data Processor

The Eforto® device is manufactured by UniWeb BV (hereafter referred to as ‘Data Processor’, as defined under applicable data protection law). UniWeb has developed, hosts and maintains the Eforto® investigational device. UniWeb processes personal data submitted, stored, sent or received by the Eforto® device (hereafter referred to as ‘Data Controller’) and you, the user, (hereafter referred to as ‘Data Subject’; ‘processing personal data’, ‘Data Controller’ and ‘Data Subject’ as defined under applicable data protection law). UniWeb processes the personal data for the sole purpose of providing services and technical support as agreed between UniWeb and the Data Controller.

3. What do we process and why?

During the use of the Eforto® Mobile Application, the Data Controller only acquires the data below. This data is only processed for the purposes strictly necessary for fulfilling the investigational objectives, user safety, security and product design improvement as described below.

The following information can be collected (non-exhaustive list):

  • Email address or user ID
  • Answers to the built-in questionnaires
  • Measurement data from the Eforto® tests
  • Device identification data (smartphone and Eforto® Dynamometer)
  • Usage data from the Eforto® mobile application
  • Error logs, technical diagnostic data from the Eforto® Mobile Application

This data is processed for the following purpose(s):

  • Authentication and authorization in the Eforto® Mobile Application
  • Traceability of the results to the right user and transfer of the results to the Eforto® Telemonitoring Platform for follow up by the site’s investigator, Data Controller
  • Analysis of the clinical data collected by the Data Controller in relation to the research purposes i.e. investigational study
  • Analysis of the usage data, error logs and technical diagnostic data for user support, issue resolution and product design improvement

If you wish to consult the detailed data inventory or wish to acquire more information about the purpose of the data processing activities, please contact your hospital, research site or the Data Processor’s DPO on dpo@uniweb.eu.

4. Where do we store your personal data?

The Data Processor is responsible for the hosting of the Eforto® Telemonitoring Platform, storing the user and measurement data, and has full control over the hardware used to store your personal data. The production and test servers are located in Belgium at a secure colocation data center which is ISO 27001:2013 and ISO 22301:2012 certified. The development servers of the Data Processor are located in Belgium, at the secure offices of UniWeb BV. The backups of all servers are stored at both locations.

5. How long do we store personal data?

Default retention period

As required by applicable data protection legislation, the Data Controller strives to remove your personal data as soon as it is no longer necessary to accomplish the purpose for which it was originally collected, but with respect to the other regulatory requirements (e.g. for device safety reporting, research purposes).

Data retention in case of a removal request

Please see: Removing your data

6. How do we ensure security?

Security by design

The following security measures have been implemented to help protect personal data processed through the applications against unauthorized access, alteration, loss, or destruction (non-exhaustive list):

  • Authentication data is encrypted both at rest and in transit between the Mobile Application and central Eforto® Telemonitoring Platform. All data transferred from the Eforto® Mobile Application to the Eforto® Telemonitoring Platform is encrypted
  • All data is fully backed up

Information security events

If an information security event should occur, the Data Controller and the Data Processor will deal with this promptly and adequately in accordance with the standard operating procedures. Like the security measures, these procedures are frequently reviewed and updated to meet the ever-changing challenges of information security.

All employees of the Data Controller and the Data Processor receive regular training with regard to security best practices and company procedures. The same level of commitment is expected from all suppliers, whose services are regularly reviewed.

7. What are your rights as a Data Subject?

Unless your request is reasonably deemed excessive or unfounded, you may exercise the following rights in relation to your personal data processed through the applications:

  • Request information concerning the processing of your personal data
  • Request a copy of all your data in possession of the Data Controller and the Data Processor in a standard format
  • Request the Data Controller to modify or correct your personal data if it is wrong
  • Request the restriction of certain processing activities in certain circumstances as specified under applicable data protection legislation
  • Object to certain processing activities as specified under applicable data protection legislation
  • Withdraw your consent
  • Have your personal data erased in certain circumstances as specified under applicable data protection legislation

For a full review of your rights as Data Subject, please consult the General Data Protection Regulation.

You can easily exercise any of your rights by contacting your hospital or research site.

The Data Controller reserves the right to charge a reasonable fee in case your request is deemed excessive at our sole discretion.

Removing your personal data

The following procedure will be applied when a request for removal of data from the Data Subject is presented to UniWeb:

The Data Subject must send a written personal data removal request to the Data Controller or to the UniWeb DPO.

The DPO will assess without undue delay the nature of the request, discuss with the Data Controller and check which data need to be removed from which database, in accordance with the GDPR requirements.

If the personal data is present in the application and no exemption to the GDPR requirements applies, the Data Controller will remove the personal data from the database of the application/system within 30 calendar days following the personal data removal request. The DPO notifies the Data Subject in writing about the removal within 30 calendar days.

If the Data Controller cannot grant the request for removal, the DPO will notify the Data Subject about the decision and the motivation within 30 days following the data removal request.

All personal data that you have selected for deletion will be fully purged from the backups within 180 days.

8. How can you provide consent?

During the initiation of the investigation, the hospital or research site has shared the privacy principles of the Data Controller. By accepting this privacy statement and furnishing personal data via the Eforto® Mobile Application, the Data Subject expressly gives consent to the Data Controller to process the data for the stated purposes.

If the Data Controller or the Data Processor wishes to pass on specific personal data to third parties, additional consent will be requested from the user, unless the data is anonymized. The foregoing also applies to processing of personal data outside of the EU, both in countries recognised and in countries not recognised by the European Commission as offering adequate data protection. Where required, a data transfer agreement will be entered into, in accordance with the contractual clauses set out in EU Commission Decision C(2010)593 Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC.

9. Who can you contact?

If you have any questions about this privacy policy, or if you want to exercise any of the Data Subject rights stipulated above, please contact the hospital or research site or the manufacturer’s DPO: dpo@uniweb.eu.

UniWeb BV
’s Herenweg 16
1860 Meise
+32 2 306 00 00

Copyright © 2023 UniWeb BV