Use of Health Data in Solution Development
At Agfa HealthCare N.V., Septestraat, 27, 2640 Mortsel, (“Agfa”), a healthcare information technology company, we are committed to developing safe, reliable and secure products while respecting patient privacy and while complying with data protection laws in the markets we operate in.
We conduct our business in compliance with the Regulation (EU) 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR).
The purpose of this privacy notice is to explain what health data we receive, how we use and store it and with whom we may share it.
How do we receive health data?
Agfa HealthCare receives health data from its customers, typically hospitals.
Which health data are processed, for which purpose and on which legal basis?
Agfa HealthCare receives health data in the form of patient studies, including medical images, reports and other data that drives clinical management.
We process this data to handle support requests, incidents and defect resolution and to drive the development and maintenance of safe, reliable and secure healthcare IT products. This is a contractual and regulatory obligation and a legitimate interest in the markets we operate in.
Technical and Organisational Measures
We use technical and organisational measures to protect health data from unauthorised access, modification or destruction. These include but are not limited to: storage and purpose limitation, training, data minimisation, pseudonymisation, encryption, user and access management, physical security, supplier management and Data Protection Impact Assessments (DPIA).
In addition, we have an Information Security Management System in place which is ISO 27001-certified.
Where is health data processed?
We process health data in Agfa HealthCare support and development centres worldwide. These are located in the European Economic Area, the US, Canada, China and Australia.
The suppliers we use in these activities are primarily located in the European Economic Area or in countries with an adequacy decision from the European Commission.
Who has access to health data and to whom is it transferred?
Only the following parties have access to health data:
- the customer (hospital) providing the health data to Agfa HealthCare for the above purposes
- Agfa HealthCare employees and suppliers that contribute to the above processing activities
We do not transfer health data to other parties and we do not (re)use them for other purposes.
How long may we retain health data?
The retention time of records depends on the purpose:
- For regulatory compliance this differs per jurisdiction. We maintain the records for as long as each jurisdiction requires us to do so.
- For development of safe, reliable and secure software, we maintain health data indefinitely in pseudonymised, minimised form and subject to the above technical and organisational measures.
What are your rights and how can you exercise them?
- You have the right of access to your personal data and the right to request rectification of incorrect, incomplete or irrelevant data.
- You have the right to object to processing of your personal data and to obtain the erasure of your personal data.
- You also have the right to restrict processing of your personal data.
- When processing of your personal data is based on consent, you also have, at any time, the right to withdraw your consent for further processing of your personal data. You understand that the personal data that was disclosed by Agfa HealthCare prior to your request to abolish further disclosure is no longer under the control of Agfa HealthCare.
- You have a right to request data portability.
If you have any queries about your personal data or if you want to exercise your rights, please contact us by e-mail at firstname.lastname@example.org or by letter addressed to our Agfa Group Compliance Office, Septestraat, 27, Room 70-03-27, 2640 Mortsel, Belgium.
In case of disagreement relating to the processing of your personal data, you have the right to lodge a complaint with the Belgian supervisory authority (“Autorité de la protection des données” / “Gegevensbeschermingsautoriteit”) or the data protection authority of your country of residence.