Emmy Medical Privacy Policy (part of the PZS)

This privacy policy (the "Policy") is intended to provide transparent information about the processing of personal data in connection with the operation of the Emma web application for health care providers (the "PZS"), which is accessible at https://dr.sestraemmy.cz/ (the "Application"). The Policy forms an integral part of the public terms and conditions of the PZS portion of the Application.


1. Emmy's role and subjects

1.1 Emmy Medical s.r.o., company registration number: 06785247, with registered office at 1066 Levohradecké nám., 252 63 Roztoky (hereinafter referred to as "Emmy") may be a controller or processor in relation to the processing of personal data in connection with the operation of the Application. Emmy's role always depends on the purpose of the processing.

1.2 The data subjects of the processing of personal data under this Policy are the PZS who is a natural person ("PZS FO"), or a person representing the PZS who is a legal person ("Representative"), and all users of the PZS customer account on the Application ("Customer Account").


2. Emmy as controller

No automated decision-making, including profiling, is involved in any of the processing referred to in this article.

Emmy is the controller for the following purposes:

2.1 Administration of the contractual relationship with PZS and maintenance of the Customer Account

Emmy may process the personal data of the PZS FO, or the Representative, as the case may be, for the purposes of administering the contract between Emmy and PZS (the "Contract") and setting up and maintaining the Customer Account, which also includes placing the personal data of the PZS FO in the patient section of the Application or in notifications of the Application. Emmy is then entitled to include the PZS FO's details outside the Application as a reference under the Contract. In addition, this purpose also includes the provision of support services for the Customer Account.

In the case of the PZS FO, the legal basis for the processing in question is the negotiation or performance of the contract (Article 6(1)(b) GDPR). In the case of the Representative, the legal basis is the legitimate interests of Emmy and PZS (Article 6(1)(f) GDPR) in the performance of the contractual relationship.

The categories of personal data concerned may be:

identifying data (e.g. first name, last name), contact data (e.g. email, phone, address), login data, settings and usage data (e.g. time data, IP address), data about the relationship with PZS and the Contract (e.g. function, signature), content of communication (regarding support).

The source of the data is the subject or the PZS itself. Without the provision of identification and contact data, the Contract cannot be concluded.

The data will be processed for this purpose for the duration of the Contract, whereby some data may subsequently be further processed on the basis of Emmy's legitimate interests (Article 6(1)(f) GDPR) to defend rights and property, up to the period of statutory limitation periods.

2.2 Operation and improvement of the Application

Emmy may process personal data of users of the Application Customer Account to ensure the security, availability and performance of the Application, as well as for its further development. The legal basis for this processing is Emmy's legitimate interests in providing a quality service (Article 6(1)(f) GDPR).

The categories of personal data concerned may be:

identifying data (e.g. name, surname), contact data (e.g. email), usage data (e.g. number of visits, number and types of requests made, time data, IP address, location, device), feedback.

The source of the data is primarily automatic collection (logging), for which we may also use third-party tools, but we may also use data provided directly by the subject to obtain feedback.

The data will be processed for this purpose for the time necessary to fulfil the purpose, which in some cases is 6 months.

2.3 Sending commercial communications

This purpose includes sending newsletters and other communications that do not fall under any other processing purpose set out in this Policy to PZS FOs or Representatives. The legal basis for this processing is Emmy's legitimate interests in maintaining contact with the customer (Article 6(1)(f) GDPR).

The categories of personal data concerned are:

identifying data (e.g. first name, surname), contact data (e.g. email, telephone).

The source of the data is the subject directly, or the PZS, and it is the data entered during registration.

The data will be processed for this purpose until the refusal to send communications (by unsubscribing) or objection to this processing, but no longer than for the duration of the Contract.

2.4 Fulfillment of legal obligations

This purpose includes the processing of Customer Account users' data to comply with Emmy's legal obligations, e.g. responding to a data breach, responding to an assertion of rights, etc. The legal basis for this processing is the fulfilment of Emmy's legal obligation (Article 6(1)(c) GDPR).

The categories of data concerned may be:

identifying data (e.g. first name, surname), contact data (e.g. email, telephone), contractual relationship data, other data necessary to fulfil the relevant obligation.

The source of the data may be the subject directly, or it may be data collected automatically.

For this purpose, the data will be processed for the time necessary to fulfil the relevant legal obligation or as directly provided for by law.


3. PZS as controller and Emmy as processor

In relation to most of the personal data of Customer Account Users processed in the Application, Emmy acts as a processor. In fact, for the general purpose of processing set out below, PZS is the controller directly.

PZS, as the controller, is responsible for ensuring that it has a legal basis for the processing and that the Customer Account users are provided with full information about the processing of the data it carries out through the Application. The information provided in this Article 3 is of a general and informative nature only, and its accuracy and completeness are not guaranteed.

PZS processes Customer Account users' data for the following purposes:

3.1 Accessing and using the Customer Account

This purpose includes managing Customer Account users and their permissions, as well as keeping records of Customer Account users' access and activity, including the inclusion of personal data in the patient section of the Application.

The legal basis may be the performance of a contract, usually an employment contract, between PZS and a Customer Account user (Article 6(1)(b) GDPR), or the performance of a legal obligation of PZS (Article 6(1)(c) GDPR) or the legitimate interests of PZS (Article 6(1)(f) GDPR).

The categories of personal data concerned are:

identifying data (e.g. first name, last name), contact data (e.g. email, phone, address), login data, settings and permissions, data about the relationship to the PZS (function, workplace), data about access and activity (e.g. time data, changes).

The source of the data is either the subject or the PZS directly, or it may be data collected during the performance of work tasks by the subject. The recipients of the data are the employees of the PZS, the patients (users of the patient part of the Application) and Emmy as the processor.

For this purpose, the data will be processed by PZS in the Application for the time necessary to fulfil the purpose of the processing. The data will be removed from the Application in the event of termination of the contractual relationship between Emmy and PZS.

3.2 Organisation of the provision of health services

Emmy is the processor of personal data for PZS for the organisation of the provision of health services. This purpose includes maintaining a patient directory, verifying and receiving requests from patients, and, where applicable, the establishment of requests by PZS. It also includes dealing with registered requests, including making appointments for personal visits and carrying out related communications, i.e. sending messages to the Application or comments.

Upon active selection of a PZS (the PZS will have information about the activation of the extension listed in the PZS profile in the Application), it also includes the use of OCR and AI technology to improve and accelerate the provision of health services by that PZS. Emmy shall proceed with the use of this technology only as directed by the PZS. Documents uploaded to the Application are then converted into text form using OCR technology, and information is prepared in an AI closed environment for the PZS, which Emmy sends to the PZS. PZS does not rely on these outputs in any way and must always check for consistency with the original. Information on security measures when using AI and OCR is provided in clause 5.4 of this Policy.

The legal basis may be the negotiation or performance of a contract (Article 6(1)(b) GDPR) or the performance of a legal obligation by the PZS (Article 6(1)(c) GDPR). Sensitive health data is then generally processed by the PZS on the legal basis of the provision of healthcare pursuant to Article 9(2)(h) GDPR or, where granted, explicit consent pursuant to Article 9(a) GDPR.

The categories of personal data concerned may be:

Patient identification data (e.g. name, surname, date of birth), patient contact data (e.g. e-mail, telephone, address), data relating to the patient's request (e.g. health data, appointment data, employment data), patient insurance data (e.g. type, health insurance company, insurance number), registration data with the PZS (including e.g. language of communication).

The source of the data is the patient directly or may be data collected during the provision of healthcare, including data from state registers or health insurance registers. The recipients of the data are the employees of PZS and Emmy (primarily as a processor).

For this purpose, the data will be processed by PZS in the Application for the time necessary to fulfil the purpose of the processing. PZS, as the controller, is entitled to remove any data from the Application at any time. Data will also be removed from the Application in the event of termination of the contractual relationship between Emmy and PZS.

4. Recipients and transfer of data

4.1 Personal data processed by Emmy as controller may, to the extent strictly necessary, be disclosed to persons involved in the processing. These are Emmy employees and carefully selected processors, in particular those involved in the maintenance and support of the Application and IT service providers, a current list of which can be found at the end of this document.

4.2 The data of the PZS FO and the Representative, processed by Emmy as controller, may be made available to users of the Customer Account. Furthermore, the recipients of the PZS FO Data may also be patients (users of the patient part of the Application) or the public. Alternatively, the data processed by Emmy may also be disclosed to the extent necessary to Emmy's advisors bound by confidentiality obligations (e.g. attorneys) and, to the extent provided for by law, to public authorities.

4.3 Emmy will not disclose the personal data processed to third parties other than as set out in this Policy.

4.4 The processed personal data is stored on servers in the data centre of the authorised processor Amazon Web Services EMEA SARL, which is located in the EU. The transfer of processed personal data to third countries (usually the USA) may only take place to a very limited extent (e.g. In this case, appropriate safeguards are always provided through so-called standard contractual clauses, a copy of which can be requested, or our processors are registered in the so-called EU-U.S. Data Privacy Framework, i.e., based on the European Commission's adequacy decision, they provide the same protection as if the data were in the EU.

5. Security

5.1 We care about the security of your data and patient data, and therefore we take strict security measures when processing it, whether in our role as controller or processor.

5.2 All data exchanged between patients and PZS is encrypted in transit and is also encrypted when stored ("at rest"). Our trained staff will only access patient data where necessary and in accordance with this Policy, and only a minimum number of designated staff are authorised to access patient data, who are also bound by confidentiality obligations.

5.3 AWS, which Emmy uses as its IT infrastructure provider, holds ISO 27001, ISO 27017 and ISO 27018 security certifications. AWS services are used by banking, financial and healthcare service providers worldwide. For more information on AWS datacenter security, click here.

5.4 Once the PZS is actively selected, the OCR and AI functionality will be used in the Application. Patients' personal data is only processed in this context for the time necessary to provide these functions (i.e. seconds to a few minutes); this data is then only stored in the Application. The AI-provided functionality ensures that the embedded data is not used for further training of language models. More information regarding security and privacy for AI (in English) can be found here.


6. Cookies

6.1 The App uses cookies as described in the Cookie Policy, available here.


7. Commercial communications

7.1 Unless refused by the PZS FO or the Representative when concluding the Agreement, Emmy is entitled to use the registered contacts (e-mail, telephone) to send messages that are in the nature of commercial communications. The processing of personal data in this case is described in Article 2.3.


8. Rights of subjects

In relation to the processing of their personal data, whenever the conditions laid down by law are met, subjects have the rights set out below. These rights may be exercised vis-à-vis Emmy as controller via the contact details in Article 8. With regard to processing where PZS is the controller (see Article 3), the rights must be exercised directly with PZS.

The data subject is entitled to the following rights:

8.1 The right of access to personal data, i.e. the right to request confirmation as to whether your data is being processed and, if so, to obtain information about the processing in question or a copy of the data processed;

8.2 The right to request the rectification of inaccurate or incomplete data;

8.3 The right to request the immediate erasure of the processed data if one of the grounds under the legislation applies;

8.4 The right to request a temporary restriction of the processing of personal data if one of the reasons under the legislation applies;

8.5 The right to object to the processing of data on the legal basis of legitimate interests or for direct marketing purposes;

8.6 The right to withdraw consent to the processing of personal data at any time;

8.7 The right to the portability of personal data, i.e. the right to request the processed data in a structured, machine-readable format, provided that the conditions under the law are met.


9.

9.1 You can contact our Data Protection Officer with requests to exercise your rights or any questions regarding the processing of personal data by emailing poverenec@sestraemmy.cz, or by writing to us at our registered office. If the subject has a complaint regarding the processing of personal data, he/she has the right to address it directly to the supervisory authority, which is the Data Protection Authority.


LIST OF PERSONAL DATA PROCESSORS

- Amazon Web Services EMEA SARL, Czech Branch, ID No.: 09049266, with registered office at Sokolovská 689/115, 186 00 Prague
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA
- Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
- Zendesk Inc., 989 Market Street, San Francisco, CA 94103, USA
- Formagrid Inc. (AirTable), 799 Market Street Fl 8, San Francisco, CA 94103, USA
- Pipedrive Inc., 530 5th Ave Ste 802, New York, NY 10036, USA
- Solitea, a.s. (operator of the iDoklad service), registration number 01572377, with registered office at Drobného 555/49, Ponava, 60200 Brno
- Vocalls Inc s.r.o., registration number 06413421, with registered office at Rostovská 314/14, Vršovice, 101 00 Prague 10
- ROBOTEER AUTOMATION LIMITED, 15 Bridge Road, Wellington, Telford, TF1 1EB, United Kingdom
- SENDINBLUE - 106 boulevard Haussmann, 75008 Paris, France

Version 1.3

Effective from: 6 August 2024
