1. Agreement and Acceptance
3. This Policy has been prepared in accordance with Applicable Law (as defined in our Terms) (“Applicable Law”), including Federal Decree-Law No. 45/2021 on the Protection of Personal Data, Federal Law No. (2) of 2019 concerning the Use of Information and Communications Technology in Health Fields and its implementing regulations and the Ministry of Health and Prevention (MOHAP) Resolution No. 51/2021 on exemption for storage and transfer of health records and information.
2. Data Controller
1. DCENTRIC HEALTH LTD a company formed under the laws of the Republic of Cyprus with registration Number (ΗΕ 391425) and registered office at 7 Agiou Mina Str. PANORAMA RESIDENCE BLOCK B, Flat 101 Limassol P.C 4104 shall be the data controller in respect of all personal data (defined below) that you provide directly to us or we receive from third parties upon your instructions and consent, for the purposes set out in our Terms and Conditions.
2. Contact email for exercising rights arising from this Policy: email@example.com
3. This Policy is limited to personal data processed by Dcentric.
4. Personal data refers to any data or information relating to you, which may, by itself or in combination with other data or information, be able to identify you (“Personal Data”).
3. Agreement and Acceptance
1. When you visit our Platform, and more generally use or participate in any of our services through our Platform, we appreciate you trusting us with your Personal Data. Dcentric takes your privacy very seriously; and this Policy, as amended from time to time, sets out how Dcentric collects, processes, uses, maintains, stores, retains, transfers, discloses, erases or destroys your Personal Data, as well as medical records obtained from or through or in connection with the services of the Platform and related services offerings, via the Platform. The specific data points which we collect from you or may receive from third parties upon your consent, are explained below in this Policy. We are committed to protecting your information and right to privacy. We may update this Policy from time to time.
4. Important Announcement Regarding The Right To Erasure With Respect To Medical Records
1. Our Platform uses a blockchain implementation to process (store) pseudonymized health data from Electronic Health Records (EHR) (“medical records”). Dcentric facilitates the exercise of the right to erasure (mentioned in section 5.3) by delinking and destroying the recovery phrase (private key) which connects the medical records stored on the blockchain with a natural person (user).
2. What remains after the delinking and destruction of the phrase (key) is medical records which cannot be connected to a natural person (non-identifiable personal data).
3. If you do not agree to the implementation of the right to erasure, do not use our Platform.
4. For more information regarding this implementation please contact us at the email address stated in section 2.2.
5. Your Rights With Respect To Your Personal Data
1. Right of access to information regarding the Personal Data that concern you provided that they are processed by Dcentric.
2. Right to rectification of inaccurate data as well as to have incomplete Personal Data to be completed in full.
3. Right to erasure of your Personal Data without prejudice to Dcentric’s obligations and legal rights.
4. Right to restriction of processing your Personal Data.
5. Right to withdraw your consent.
6. Right to portability of your Personal Data
7. Right to object to automated decision making.
6. How to Exercise Rights
1. Any request regarding your Personal Data and the exercise of your rights shall be addressed by email to Dcentric at the email address stated in section 2.2 of this Policy.
7. How We Collect Personal Data
1. Directly from you:
1. For Patient Category Users: We collect Personal Data such as Identification document number (“ID”) (as explained in section 9.1.1), first name, last name, gender, date of birth, phone number and email which you provide to us when you enter these details on the My Aria App.
2. For Partner Medical Facilities: We collect Personal Data from employees of Partner Medical Facilities when they provide it to us via our Platform and via forms or documents shared with us for the purposes of their registering on and accessing our Platform.
3. For Marketplace Data Recipients: We collect Personal Data from employees or representatives of Marketplace Data Recipients when they provide it to us via forms and documents necessary for entering into commercial contracts with us and also via our platform for marketplace data recipients.
2. From Partner Medical Facilities: If you are a Patient Category User, then upon your request and consent given to specified onboarded hospitals and medical facilities that are part of Dcentric’s network (“Partner Medical Facility(ies)”), we receive medical records along with a patient identifier (a pseudonymous identifier generated by the Partner Medical Facility) from the Partner Medical Facilities, when you connect to your Partner Medical Facility via the My Aria App.
8. Treatment of Patients’ Medical Records
1. Your selected Partner Medical Facility will remove any personally identifiable information from the EHR they hold relating to you. This process makes your medical records pseudonymized, meaning that they no longer contain information that can directly identify you.
2. Before we store your medical records on Dcentric’s Servers, we double pseudonymize it to safeguard your privacy. The medical records are then stored in encrypted format on Dcentric’s Servers, making it even more challenging for anyone, to trace your medical records back to you. The medical records are encrypted with the keys generated by the specific blockchain wallet that is issued to you as part of the My Aria App and are decryptable only by you, using your private key.
3. We store the medical records on your behalf, including to share with life sciences companies, medical researchers, analytics and consulting firms, healthcare payers, medical device manufacturers and universities (“Marketplace Data Recipients”) upon your opting-in for such sharing via the My Aria App.
4. In the hands of the Marketplace Data Recipients, your medical records are entirely dissociated from any identifiable User, making it anonymous. In practical terms, this means that your medical records are completely de-identified and devoid of any connections to specific Users. The Marketplace Data Recipient does not possess the necessary information or keys required to reverse engineer the medical records in an attempt to identify you. Their access is strictly limited to the de-identified, medical records for the purpose of research, analysis, or other approved uses as outlined in the ToU. This makes your medical records anonymous in the hands of Marketplace Data Recipients.
5. Please refer to the terms and conditions and privacy policies of Partner Medical Facilities and Marketplace Data Recipients to understand their policies, procedures and practices.
9. Personal Data Processed
1. For Patient Category Users:
1. Identification document number (“ID”), whether that is a local ID, a passport, or any official ID which you originally provided at your Partner Medical Facility.
2. Full Name (First Name, Last Name).
3. Phone Number.
5. My Aria ID.
6. Patient Identifier (generated by and received from Partner Medical Facility).
7. Public Key.
8. Gender, and
9. Date of Birth (and by implication, age).
10. Sensitive Personal Data: Medical records, which we receive from Partner Medical Facilities upon your request and consent. The medical records may include:
1. Height, weight, heart rate, and other detailed health information such as allergies, preferences and special need requirements as well as diagnoses and treatment;
2. Physical and mental healthcare records (including results and opinions from third party providers, such as X-rays, scans and blood tests; referrals and second opinions, such as written statements, medical photographs and diagrams and surgical videos);
3. Laboratory results;
4. Radiology results such as scans (e.g., magnetic resonance imaging (MRI), computed tomography (CAT) etc);
5. Medicine prescriptions and medication information; and
6. Immunisation records.
11. Identification Documents (in cases where needed to recover account).
2. For Partner Medical Facilities:
1. Name of employees who may access our Platform on behalf of the Partner Medical Facility
2. Phone number of employees who may access our Platform on behalf of the Partner Medical Facility.
3. Email address of employees who may access our Platform on behalf of the Partner Medical Facility.
3. For Marketplace Data Recipients:
1. Name of employees or representatives who may access our Platform on behalf of Marketplace Data Recipients.
2. Phone number of employees or representatives who may access our Platform on behalf of Marketplace Data Recipients.
3. Email address of representatives who may access our Platform on behalf of Marketplace Data Recipients.
10. Non-Identifiable Data Collected
1. Usage information: We collect information such as the time spent to create an account, number of records received and shared, what screens or features you access, and other similar types of usage information.
2. Device information: We collect information about the device you use to access our services and Platform, including the hardware model, operating system and version, device identifiers set by your device operating system, and mobile network information (like your connection type, carrier and region).
3. We collect the data stated in sections 10.1 and 10.2 to carry out internal analytics in order to develop insights on user behaviour and performance of our Platform, so as to optimize user experience.
11. Purpose of the Processing
1. Personal Data and non-identifiable data of Patient Category Users
1. To provide access and the ability to use our Platform.
2. To communicate with you via email or using autodialled or pre-recorded calls and text messages, at any telephone number and email address that you have provided us, to: (a) notify you regarding your My Aria App account; (b) troubleshoot problems with your My Aria App account; (c) resolve a dispute; (d) poll your opinions about our services through surveys or questionnaires; (e) send you disease awareness campaigns and educational campaigns; or (f) as otherwise necessary to service your account or enforce this Policy, our Terms, our ToU, our Data Use Notice, Applicable Law, or any other agreement we may have with you about our Platform and services, including product updates, awareness and educational campaigns, changes to our policies and Terms, and to request your feedback about our Platform.
3. For the purposes of our advertising and marketing strategy and to tailor our messaging to your needs. Where required by law, we will ask for your consent at the time we collect your data to conduct such marketing. An opt-out mechanism will be provided to you in each communication to enable you to exercise your right to opt out of any direct marketing. You may withdraw this consent or opt-out at any time without affecting the lawfulness of processing based on your prior consent. Where third parties display content as part of awareness and educational campaigns when you visit or use the Platform, these third parties may use information about your visits to our Platform and other platforms that are contained in web cookies and other tracking technologies in order to display content as part of awareness and educational campaigns, provided you have consented to the same.
4. To authenticate your activity, detect, investigate, and prevent malicious conduct, fraudulent activity or unsafe experiences, address security threats, and protect the integrity of the Platform.
5. To facilitate sharing of medical records, your age and gender, upon your request and consent to Marketplace Data Recipients for scientific and research purposes, whereby you will obtain rewards from the use of the medical records by the said Marketplace Data Recipients. When opting in within the My Aria App, you will be able to decide which of the following purposes you allow your data to be used for by Marketplace Data Recipients: medical research; research, development and innovation (RDI) (excluding Artificial Intelligence (“AI”)); training AI models; patient safety; public health (policymaking; official activities or regulatory purposes) and; personalised medicine development.
6. To comply with our legal and regulatory obligations under Applicable Law.
2. Partner Medical Facilities and Marketplace Data Recipients
1. To provide access and the ability to use our Platform and services.
2. To authenticate your activity, detect, investigate, and prevent malicious conduct, fraudulent activity or unsafe experiences, address security threats, and protect the integrity of the Platform.
3. To communicate with you about our Platform and services, including product updates, awareness and educational campaigns, changes to our policies and Terms, and to request your feedback about our Platform. We also use your contact details to respond to you when you contact us or request assistance from us.
4. To comply with our legal and regulatory obligations under Applicable Law.
12. Legal Basis for the Processing of Personal Data
1. We process Personal Data on the following bases - because the information is necessary for the performance of a contract with you or to take steps at your request to enter into a contract; because you have given your consent if we expressly ask for consent to process your Personal Data for a specific purpose; and to comply with legal and regulatory obligations.
13. Medical Records Storage Period
1. As long as the user is using the Platform and for such additional period as may be required for compliance with Applicable Law.
14. Sharing of Your Personal Data with Third Parties
1. We may have to share your Personal Data with selected and trusted third parties, to fulfil our obligations under our contract with you, to meet government, regulatory and law enforcement requests, and to continue providing you with access to and use of the Platform. We will only disclose your Personal Data to third party service providers under strict terms of confidentiality. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
2. We may have to share or transfer your Personal Data in the specific circumstances listed below:
1. We will share your Personal Data with companies, outside organizations or individuals, if we have your consent to do so.
2. Where we are legally required to do so, we may disclose your Personal Data to comply with Applicable Law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements), or where we find it is necessary to investigate, prevent or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved disclose your Personal Data. Additionally, we may disclose your Personal Data to enforce our Terms, or to protect the rights, safety, and security of Dcentric, our users, other persons or the public.
3. In connection with, or during negotiations of, any merger, sale of our assets, financing, acquisition of all or a portion of our business to another company, any dissolution transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. In the event of an insolvency, bankruptcy, or receivership, your Personal Data may also be transferred as a business asset forming part of our good will. If another company acquires us, our business or assets, that company will possess the Personal Data collected by us and will assume the rights and obligations held by us regarding your Personal Data, as described in this Policy.
4. Where third parties display content as part of awareness and educational campaigns when you visit or use the Platform, these third parties may use information about your visits to our Platform and other platforms that are contained in web cookies and other tracking technologies in order to display content as part of awareness and educational campaigns, provided you have consented to the same.
5. We may share your Personal Data with our Group in order to provide you with certain services and/or functions, in which case we will require those Group members to honour this policy.
6. In connection with the performance of our services, we may share your Personal Data with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf and require access to such information to do that work. Examples of such third parties include payment processing, customer relationship management, data analysis, email delivery, hosting services, customer service, quality assurance testing, technical support, operational support and maintenance services and marketing efforts.
15. Recipients Who May Receive Your Personal Data
1. Personal Data excluding medical records:
1. Members of our group (including our affiliates, subsidiaries, parent companies, joint venture partners, entities we control and entities under common control) (“Group”) (if needed for proper internal administration of the group (e.g., accountability) or where necessary for providing you services through the Platform);
2. Courts, arbitrators, mediators, opposing party and their lawyers (if needed for the legal proceedings),
3. Police, law enforcement authorities, tax authorities, other government, or municipal institutions;
4. Our professional advisers such as lawyers or accountants (if needed for the protection of our legitimate interests);
5. Service providers who provide information technology and system administration services, marketing, accounting, postal or courier or other services;
6. Other natural or legal persons where this is related to and necessary for the organizational changes at Dcentric, e.g., in the event of merger, acquisition, or sale of Dcentric (as a whole or in part), your Personal Data could be shared with auditors or other representatives of the potential acquirers and transferred to the final acquirer. Please note that in the latter situation the data controller of your Personal Data could become the final acquirer. You will be informed about such organizational changes on our Platform and (or) via contact details provided, if possible;
7. Partner Medical Facilities, Marketplace Data Recipients or other persons or entities (if needed to provide you with services through the Platform as effectively as possible).
2. Medical records:
1. Persons that the user has authorized via My Aria App. In case of Patient Category Users these persons may include, depending on the user’s consent, Marketplace Data Recipients. Users may withdraw consent or opt out from sharing data with such recipients at any time, by modifying their preferences via the Marketplace tab in the My Aria App.
16. Storage and Transfer of Personal Data
1. Your Personal Data is stored and transferred in compliance with Applicable Law.
2. Some of the countries or jurisdictions to which your Personal Data may be transferred may not benefit from an appropriate data protection regulatory framework. For transfer of your Personal Data outside the United Arab Emirates (“UAE”) to such countries or jurisdictions, we shall transfer your Personal Data, upon ensuring that a suitable degree of protection is afforded to it through the implementation of the necessary safeguards, such as an adequacy decision by the relevant authority, adequate binding corporate rules or through the inclusion of standard contractual clauses in our agreements with your Personal Data recipients. We may also transfer your Personal Data to recipients outside the UAE based on your express consent; or if such transfer is necessary for judicial processes; or if such transfer is necessary for entering into or performing a contract between Dcentric and you or between Dcentric and a third party for your interests, or if such transfer is necessary for an act relating to international judicial cooperation; or if the transfer is necessary for protection of public interest.
3. In case of Marketplace Data Recipients who receive your medical records based upon your express consent, some of these Marketplace Data Recipients will likely be located outside of the UAE. We will only allow transfer and secondary use of Personal Data for purposes permitted under the Ministry of Health and Prevention (MOHAP) Resolution No. 51/2021 on exemption for storage and transfer of health records and information. Such transfers of data outside the UAE will be for the purpose of scientific research and/or based upon your consent. Your opting-in for sharing of your medical records with Marketplace Data Recipients outside the UAE will constitute a specific, formal request by you for sharing of medical records with such Marketplace Data Recipients.
17. Automated Decisions
1. No automated decisions are made based on Personal Data processed by the Provider.
18. Data Portability
1. Users may request Dcentric for their Personal Data, to facilitate its portability. Dcentric does not provide an implementation to facilitate data portability to third parties directly. User may get in touch with us for the purpose of obtaining their Personal Data by contacting us via the email address stated in section 2.2 of this Policy.
19. Extraction of Personal Data
1. Users may extract their Personal Data and medical records.
2. Users are strongly advised to use security measures when extracting their Personal Data.
20. Withdrawal of Consent
1. Users may withdraw consent for processing of their Personal Data, for which consent is the legal basis for processing, by modifying their preferences on the Platform or by contacting us via email address stated in section 2.2 of this Policy. For Patient Category Users, deleting your account on the My Aria App will have the effect of withdrawing consent for the processing of your Personal Data by Dcentric. Upon deletion of your account, Dcentric will cease processing your Personal Data, except as required to comply with Applicable Law.
2. Withdrawal of consent shall not affect the lawfulness and legitimacy of the processing performed on the basis of any consent given prior to such withdrawal.
1. We use automated data collection tools such as cookies to automatically collect the non-identifiable data outlined in section 10 of this Policy.
22. Data Protection Officer
1. We have a designated Data Protection Officer (“DPO”). The DPO is responsible for the management and protection of personal data in accordance with Applicable Law and is appropriate for the level of risk involved with such personal data. The DPO is responsible for implementing and maintaining appropriate policies, procedures, systems, and controls in relation to personal data.
2. If you have any questions about our Policy as outlined above, or if you have any complaints, queries of issues pertaining to your personal information, then please contact our DPO at [please insert email ID of designated Data Protection Officer].