Data Protection Policy

Last update: 05.05.2020

Founded in 1998, the PSIH Group brings its clients unique health expertise in France. Through a combination of skills and commitments combining technological mastery and innovation, the Group participates alongside health institutions or health groups in major projects that have a profound impact on the care offering by helping decision makers to Better Understand, Better Decide to Better Care. The Group has three business areas: Business Intelligence, Data Hosting and Data Science.

Groupe PSIH
Le Terralta – 77 Boulevard Vivier Merle – 69003 Lyon
+ 33 (0)4 26 10 06 30 – contact@groupepsih.com

This document constitutes the Personal Data Protection Policy (hereinafter the “Policy”) of the PSIH Group. As part of the transparency requirement of the European Regulation (EU) 2016/679 on the protection of personal data (GDPR), the Policy was drafted with the ambition of being understandable and easily accessible in order to emphasize the importance given by the PSIH Group to data protection law. The Group also appointed a Data Protection Officer (DPO).

The Policy is intended for all natural persons who are in contact with our company, on the occasion of any collection of personal data and for anyone who wishes to know our company’s commitments in this field. In particular, the Policy is permanently accessible on the PSIH Group website at https://groupepsih.com in order to ensure its broadest circulation, as well as being available on request by any other means to anyone who wishes it.

As the PSIH Group’s activities may lead to data processing carried out in partnership with third parties without the Group having a direct relationship with the natural persons concerned, we invite the latter to contact these third parties directly to find out their commitments and to submit any request relating to the exercise of the rights resulting from the GDPR.

The Policy is structured around five complementary parts:

I. The principles and requirements of the GDPR applied by the PSIH Group
II. Data processing carried out by the PSIH Group
III. The rights accorded to any natural person
IV. The procedures for exercising the rights resulting from the GDPR, the possibility to ask any questions
V. The Data Protection Officer of the PSIH Group 

As the Policy is likely to evolve, it should be referred to regularly.

I – The principles and requirements of the GDPR applied by the PSIH Group 

For the purposes of the GDPR, personal data means any information relating to a natural person who is identified or can be identified, directly or indirectly. Processing means any operation applied to the data in order to fulfil specific objectives. The PSIH Group shall collect and process data in accordance with the requirements of the GDPR with a view to operating services on its own behalf or on behalf of customers who have subscribed to its health products and services.

Taking into account the general requirements of the GDPR, in case of data processing:

  • We ensure that we collect and process data within the strict scope of the provision of the concerned, for lawful, explicit, legitimate purposes, according to fair measures, with a view to providing our services;
  • We ensure the transparency of processing by providing appropriate information to individuals in all cases of data collection, when the data is received from individuals themselves or possibly from third parties or technologies;
  • In case of data collection from the data subject (direct data collection), we specify whether the requirement to provide personal data is regulatory or contractual in nature, or whether it conditions the provision of a service or the conclusion of a contract, and whether the data subject is required to provide the data, just as we specify the possible consequences of not providing data;
  • In case of data collection from another data controller (non-direct data collection), where data collection is not carried out from the data subject of our company, data elements similar to those to be communicated in the case of direct data collection, as well as indications on the source of the data, are then, as the case may be, provided to the persons through us or by the stakeholders for whom we act; this information must be provided within a reasonable time, but also at the time of the first communication with the persons when the data are intended for that purpose, or at the latest when the personal data are communicated for the first time to another recipient if such use is envisaged;
  • When the case arises, we indicate the existence of automated decision-making, including profiling, with the indication of useful information regarding the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • In case of intention to carry out any further processing of personal data for a purpose other than that for which the data were collected, we provide prior information to individuals about this other purpose and any other information enabling it to be understood in a transparent manner;
  • We only disclose restricted data to authorised recipients, including our company’s authorised services and any third parties involved in the provision of our commercial services;
  • We undertake to
    • minimise data processing,
    • ensure regular updating of data,
    • ensure the proportionate retention of data for no longer than is necessary, in particular with regard to the purposes for which the personal data are processed, contractual or operational requirements or to meet our regulatory obligations, in compliance with applicable law,
    • supervise relations with data recipients and data processors by any appropriate means to ensure compliance with legal obligations,
    • take all possible measures, in the event of possible transfer of data to a country outside the European Union, in order to ensure compliance with the applicable regulations in Europe,
    • make employees aware of the need to protect personal data and their confidentiality,
    • ensure the security of processing and data,
    • take into account all the data subject rights under the applicable regulations.

Within the PSIH Group, taking into account the principles and requirements of the data protection law, data processing shall be accompanied by organisational and technical measures in order to effectively apply the provisions of the GDPR and to provide operational guarantees.

II – Data processing carried out by the PSIH Group 

A – In the context of the management of the commercial relationship and communication

The PSIH Group collects and processes personal data for the purpose of making contact with prospective customers interested in its activities, as well as in the management of commercial and contractual relations, including partners and suppliers, as well as external communication management. This is a business management objective. The data collected in these different contexts are processed by the PSIH Group as a data controller. The data are intended for our services and, if necessary, for third parties who are strictly authorised to do so. The information provided is kept for a period corresponding to each sub-purpose, as well as on a case-by-case basis in the context of legal retention obligations. The data related to requests for information and those related to the organisation of events are generally kept for the period necessary for the management of the various processing activities and, where appropriate, for any additional period in case of contractualization. Data related to business management are generally retained during the contractual period, as well as for the legal periods applicable at the end of the business relationship.

B – In the context of the provision of health services

The PSIH Group processes data on behalf of its clients for the following purposes in the health sector through three main activities:

Hospivision

Hospivision is a decision-making offering that enables the teams of a hospital as well as those of a Territorial Hospital Group (GHT) to analyze the main cost. The PSIH Group acts in this context as a subcontractor within the meaning of the GDPR, as a supplier and integrator of a technological solution allowing the production of dashboards and their comparison in a common platform of the partner institutions constituted by the platform called Open BI. Data processing is carried out under the control of each business customer, who remains the data controller responsible for processing within the meaning of the GDPR. The Hospivision solution is described at https://groupepsih.com/hospivision/

Health data hosting

The health data hosting activity provides health actors with data and application hosting services that meet the legal standards defined by the French State. The PSIH Group has a Health Data Provider (HDS) accreditation, which is currently in the process of being certified. In this context, the PSIH Group acts as a provider for data controllers under Article L. 1111-8 of the French Public Health Code. The latter are health actors who have collected personal health data in the context of prevention, diagnosis, care or social and medico-social monitoring activities. The health data hosting solution is described at https://ids.host

Infrastructure & Data science  

The Data Science activity is part of an offer that combines our hosting infrastructure with that of our Artificial Intelligence and data exploitation solutions. The objective is to enable customers to rely on dedicated resources to better care by combining machine learning. The PSIH Group acts in this context as a subcontractor within the meaning of the GDPR. Health actors remain data processors within the meaning of the GDPR. The Infrastructure & Data science solution is described at https://groupepsih.com/data-science/

C – As part of the online application process

The PSIH Group’s website allows job seekers to respond to an offer posted under the “Talent” section or to submit an application spontaneously. The information received in this context is subject to the processing of personal data by the PSIH Group as controller for the purpose of managing applications. The information is only intended for internal or external contacts authorised to recruit. The information provided by the candidates shall be kept for the duration of the examination of the applications and subsequently, in the event of non-recruitment, for several months pending a position which may be suitable for the candidate, with the possibility for the latter to assert the rights recognised by the GDPR and in particular to oppose the processing of data concerning them.

III – The rights accorded to any natural person

All natural persons have a set of rights relating to their personal data which apply on a case-by-case basis, taking into account the circumstances of the processing and the relationship of the persons with the PSIH Group. It should be noted that the exercise of rights must be carried out with the data controller, as the PSIH Group cannot replace the data controllers for whom it would be contractually acting only as a sub-processor within the meaning of the GDPR in order to provide technological solutions.

The rights of individuals are:

  • The right to be informed when personal data is collected directly or indirectly;
  • The right of access, enabling confirmation that personal data are or are not processed and, where they are, the possibility of obtaining access to the data;
  • The right of rectification to obtain the rectification of personal data when they are inaccurate and, taking into account the purposes of the processing, the right to obtain that the data are completed, including by providing a supplementary declaration;
  • The right to erasure of personal data when certain grounds apply;
  • The right to limit processing for a certain period of time when certain factors apply, such as a possible challenge to the accuracy of personal data, unlawful processing by a person, or in case of the need to process data of the data subject for the establishment, exercise or defence of legal rights, or in case of verification of the possible prevalence of the legitimate reasons pursued by the controller over those of the data subject;
  • The right to data portability when processing is based in particular on a person’s consent or a contract;
  • The right of opposition, to a certain extent with regard to the applicable texts, in case of possible automated individual decision-making based on the particular situation of a person;
  • The right to object to data processing for prospecting purposes.

Individuals also have the right to lodge a complaint with the data protection supervisory authority on which the PSIH Group depends within the European Union. This is the Commission nationale de l’informatique et des libertés (CNIL) in France. A complaint may be referred to the CNIL (www.cnil.fr) by any person who believes that he or she has not been satisfied following the exercise of his or her rights with the PSIH Group.

IV – The procedures for exercising the rights resulting from the GDPR, the possibility to ask any questions

The PSIH Group undertakes to examine any request received from natural persons by facilitating the exercise of the rights recognized by the GDPR. We will endeavour to provide answers to questions in a concise, transparent, understandable and easily accessible manner, in clear and simple terms.

In addition, you can contact the Group at any time to learn more about the processing of data, as well as the application of the GDPR, the Data Protection Act and the application of this Policy. Responses may be provided in writing or by other means, including by electronic means if appropriate or when the request is made in that form. The information may be provided to you orally, provided that the identity of the person can be demonstrated.

Requests relating to the exercise of rights, as well as any questions related to the protection of personal data and the application of the regulations, can be made in writing or orally, as you prefer, using the following contact details:

PSIH Group
GDPR
Le Terralta – 77 Boulevard Vivier Merle
69003 Lyon
+ 33 (0)4 26 10 06 30
contact@groupepsih.com

In order to ascertain the identity of individuals, you may be asked to provide supporting information or documents.

V – The Data Protection Officer of the PSIH Group

The PSIH Group has designated a Data Protection Officer (DPO) with the French data protection supervisory authority, the Commission nationale de l’informatique et des libertés (Ref. DPO-81594). All the elements of this designation are available in open data on the CNIL website: https://www.cnil.fr/en/opendata.

The DPO intervenes in all processing projects, taking into account the rights of individuals and more generally in the context of the dissemination of a data protection culture to internal collaborators and partners and clients.

It is possible for anyone to contact the PSIH Group’s DPO on all matters relating to the processing of personal data and the exercise of GDPR rights.

Contact information for the DPO is as follows:

Caron Avocat Law firm
dpo.psih@caron-avocat.fr
+ 33 (0)1. 85 09 72 54
122 avenue des Champs Elysées – 75008 Paris – France