
Privacy Policy
for healthcare professionals

The platform myDiabby Healthcare is a Class IIa medical device under EU Regulation 2017/745 with IUD number 3770026228MYDIABBYXQ, and aims to help patients with type 1, type 2 and gestational diabetes manage their disease. 

The purpose of the Platform is to enable you, as a medical professional, to make a diagnosis, provide follow-up, prepare a therapeutic decision, prescribe procedures or products, remotely interpret the data required for the medical follow-up of your patients, monitor their state of health and, more generally, take all appropriate decisions regarding their care.

MyDiabby Healthcare was designed and developed in France by MDHC, the publisher. It complies with the interoperability and security guidelines drawn up by the ANS (French Digital Health Agency).

MDHC is concerned about the protection of your personal data. It is committed to ensuring the highest level of security and confidentiality of your data in accordance with Law No. 78-17 of 6 January 1978 relating to information technology, files, and freedoms (hereinafter the "Data Protection Act") and Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").

 

PURPOSE OF THE POLICY  

The purpose of this Policy is to inform healthcare professionals using the platform myDiabby Healthcare, web application (hereinafter the Platform) about the processing of personal Data carried out by MDHC in accordance with applicable legislation and regulations. 

It applies to all users and patient users where we act as the "Controller" of personal data processed through the use of the Platform and the showcase Site. 

In this policy, the terms "we", "us" and "our" refer to MDHC. The terms "you", "your" and "yours" may refer to you or the data subjects for whom we process personal data, depending on the context.

For further information on the legislation applicable to the protection of your personal data, you may consult the Commission Informatique et Liberté website at www.cnil.fr.  

DEFINITIONS 

"myDiabby healthcare professional User Account" means an account enabling a healthcare professional User to connect to the Platform in an authenticated and secure manner;

"Personal Data" means information relating to natural persons who are identified or identifiable, directly or indirectly, by a User;

 

"Health Data" refers to personal Data relating to the physical or mental health of a natural person, including data produced during preventive, diagnostic, treatment or medication dispensing activities by a healthcare professional, as well as any element likely to characterize the health of a natural person;

"DPO" means Data Protection Officer, in accordance with Article 37 of the GDPR;

"Healthcare Professional" means any healthcare professional practicing in a private practice or a healthcare registered with their professional association or registration authority and using the Platform;

"Data Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data; 

"Sub-processor" means a Sub-processor appointed by MDHC who, in the course of providing services on behalf of MDHC, is authorized to process Personal Data;

"Processing" means any operation or set of operations, whether or not by automatic means, which is applied to Personal Data or sets of Personal Data;

"Patient User" refers to a user who uses myDiabby Healthcare and is monitored by a healthcare professional as part of their medical follow-up. 

1. WHO IS THE DATA CONTROLLER?

MDHC, a société par actions simplifiée (simplified joint stock company) with its registered office at 66, avenue des Champs Elysées - 75008 Paris, represented by Mrs Anastasia Pichereau, in her capacity as Chairman,  is responsible for processing your personal data. 

 

You can contact MDHC by e-mail at the following address: support@mydiabby.com or by telephone at the following number: 01 76 40 01 78.

 

2. WHAT ARE THE PURPOSES OF THE PROCESSING?

When using the Platform, your data is collected to:

  • enable the creation and management of your mydiabby user account, which is necessary to use the Platform; 

  • enable you to use the Platform for the remote monitoring of your diabetic patients, in particular by entering any appropriate data concerning their state of health;

  • transmit your data to the French Social Security system for reimbursement of your patients' remote monitoring costs;

  • personalize the functionalities we offer you via the Platform and ensure their continuous improvement;

  • manage and send you alerts that you set up according to your choice;

  • process and implement your requests concerning your rights of access, rectification, deletion, portability of your data as well as your rights to limit and object to the processing of your data or your right to define directives relating to the conservation, deletion and communication of your personal data after your death; 

  • ensure the corrective and evolutionary computer maintenance of the Platform; 

  • monitor the possible adverse effects of medical devices on human health (materiovigilance).

 

Furthermore, we inform you that your personal data, once irreversibly anonymised, may be used for statistical analyses and studies in compliance with the provisions of the French Data Protection Act and the GDPR.

Under no circumstances will your data be used for commercial purposes. It will not be transferred or used for purposes other than those set out in this article.

 

3. WHAT DATA IS COLLECTED?

This section includes: 

  1. the source of the data from which we may process your data; 

  2. the general categories of personal data we may process; 

  3. the purposes for which we may process personal data;  

  4. the lawful basis for processing.

 

1. Data sources:

- Personal Data collected directly from the healthcare professional User: 

All personal data relating to healthcare professional Users is collected by MDHC when their myDiabby accounts are created or via forms and other documents completed as part of using the Platform. 

- Personal data that MDHC collects automatically when using the Platform:

MDHC may automatically collect personal information when using the Platform. This automatic collection may take place through the use of cookies.

2. MDHC collects and processes the following information about you via the Platform: 

(The compulsory nature of the data concerning you is indicated on the form by an asterisk).

Identity and contact Data:

Title* (Mr, Mrs, Doctor, Professor), practice name*, practice first name*, profile photo, signature, email address*, MSSANTÉ address, telephone number, professional postal address, identity document (if applicable), medical speciality*, category, CPS card number, RPPS number, AM number, ADELI number, place(s) of practice of the medical profession* (name + postal address + team).

Browsing data and technical identifier of devices: 

Account connection data: date and time of account creation and deletion, 

Date and time of connections to the Platform (date, time, changes), IP address, type and version of Internet browser used to connect to the Platform (time, type of activity, duration).


Audit log data: 

The identification of the persons concerned by the data, the identification of the persons who have accessed the data on the Platform, the date and time of access, the methods of access and modifications to the data.

 

This data is collected by MDHC in particular:

  • when you create your user account, which is required to use the Platform; 

  • when you enter data about yourself or about your diabetic patients monitored remotely via the Platform; 

  • when you contact our customer service or assistance/support department;

  • when you ask us to keep you informed of developments and new features on the Platform; 

  • when you programme alerts as part of the medical monitoring of your patients monitored remotely via the Platform.

 


 

4. WHO ARE THE RECIPIENTS?

 

4.1 Internal Recipients

 

In the context of your use of the Platform, MDHC employees, authorized in the performance of their duties, may have access to your data insofar as this is reasonably necessary for the purposes, and on the legal bases, defined in this policy.

 

4.2 External recipients

MDHC undertakes not to disclose your personal data to unauthorized third parties. We will protect and consider your interests at all times. However, we may disclose your personal data to the extent reasonably necessary for the purposes for which it was collected and in accordance with the legal bases set out in this policy. In certain cases, the external recipients are as follows:

1) our subcontractors;

2) the French National Health Insurance (Assurance maladie) for reimbursement of the cost of remote monitoring of your Patients (where applicable);

3) the Agence nationale de sécurité du médicament et des produits de santé (French National Agency for the Safety of Medicines and Health Products) in the event of an incident or risk of serious incident related to the Platform being reported;

4) the competent public authorities and judicial authorities;

For further information:

 

1)  MDHC uses subcontractors who may process Users' personal data in connection with the provision of the Platform. We may disclose your personal data to our suppliers or subcontractors to the extent reasonably necessary to provide the various features of the Platform. However, personal data is subject to enhanced security measures. 

In accordance with our commitments, we choose our subcontractors by checking:

- their contractual compliance with the requirements of Article 28-3 of the General Data Protection Regulation;

- that their level of protection of personal data is equivalent to that of MDHC;

- their implementation of all appropriate measures to ensure the protection of your personal data that they may be required to process.

 

If you would like to obtain the current list of MDHC subcontractors processing your personal data, please contact us at the following address: support@mydiabby.com.

2) The myDiabby Healthcare Platform is a medical device reimbursed by the French Assurance Maladie for the remote monitoring of Type 1 and Type 2 diabetes. Where applicable, as part of the reimbursement of the remote monitoring of your patients, your data used for the billing of the remote monitoring is transmitted to the Assurance Maladie.

3) Where MDHC becomes aware of an incident or risk of a serious incident relating to the Platform, it must report this to the French National Agency for the Safety of Medicines and Health Products, where appropriate. In accordance with our legal obligations, in particular the current Medical Devices Directive (93/42/EEC) and the Medical Devices Regulations in force from 26 May 2021, we may process information about you for the purposes of archiving incidents and complaints which may be made available to public authorities upon their request.

4) We may also disclose your personal data to other public authorities such as the CPAM or the CNIL (French Data Protection Authority) where this is necessary to comply with a legal obligation to which we are subject. We may also be required to communicate information relating to the User to the competent administrative and judicial authorities in the context of legal requests.

 

5. WHERE IS YOUR DATA HOSTED?

Your personal data collected via the Platform is hosted in France on a dedicated infrastructure appropriate for hosting health data and designed to ensure its security and confidentiality in accordance with the provisions of the French Data Protection Act and the GDPR.

In this respect, MDHC has subcontracted the performance of this hosting service to an approved health data host within the meaning of the provisions of Article L.1111-8 of the Public Health Code and listed by ANS on the list of approved health data hosts: the company Avenir Télématique (hereinafter "ATE"). 

MDHC undertakes to renew the contract with ATE when it expires or to enter into a new agreement for the same purpose with another approved host of its choice.

MDHC shall in no case commit itself beyond the commitments, in particular in terms of protection of health data, subscribed by ATE towards MDHC.

 

6. ARE THERE ANY INTERNATIONAL TRANSFERS OF YOUR DATA?

If you reside within the European Union, your personal data and medical records will always be hosted within the European Union and protected by the General Data Protection Regulation (GDPR). 

We may use subcontractors based outside the European Union or the European Economic Area to outsource certain functionalities of the Platform. If personal data is transferred outside the European Union or the European Economic Area, we will always ensure that the transfer is lawful. Any international transfer of personal data will be protected by appropriate safeguards, namely the use of standard contractual clauses adopted or approved by the European Commission, an adequacy decision from the European Commission or your explicit consent.

7. WHAT IS THE RETENTION PERIOD?


All personal data collected is processed and stored for a limited period depending on the purpose of the processing and the legislation applicable to the Platform.

In the context of the use of the Platform for remote monitoring purposes, your data is kept according to the following archiving procedure: 

  •  in the active database, until the closure of your user account; 

  • then, in an intermediate archive as part of a separate information system with restricted access, for ten (10) years, plus, where applicable, the duration of any legal proceedings that may be brought before the data is permanently deleted. 

  • At the end of this period, your personal data will be permanently deleted. You can also choose to permanently anonymise your personal data from your account. This data will be used for research and development in the field of diabetes.

In any event, if your user account is inactive for more than two (2) years, it will be automatically closed. We will alert you via the e-mail address you provided prior to this closure to allow you to object to it or to allow us to archive your data for a determined and reasonable period not exceeding two (2) years, to reactivate your account in the future. At the end of this period, your data will be rendered anonymous.

In the context of processing carried out as a Subcontractor, we act solely on your instructions. We do not ourselves determine the length of time we keep personal data. However, as a service provider, we may set default retention periods for the purposes of compliance and security of your Services.

8. INFORMATION ON SHARING YOUR HEALTH DATA WITH YOUR HEALTHCARE TEAM

The healthcare professionals involved in the care of a patient via the Platform constitute a care team within the meaning of article L. 1110-12 of the French Public Health Code. 

 
We remind you that you are bound by professional secrecy with regard to the data of your patients monitored remotely via the Platform. 

1) The members of the healthcare team may (i) access the patient's medical file and interpret the data in the context of the remote monitoring of the patient, (ii) share it with each other and (iii) exchange personal information concerning the patient which seems relevant to the needs of the Patient's care and to ensure the coordination and quality of care. As such, when the patient creates a myDiabby account, he/she has the option of agreeing to share his/her personal information and medical record with you and the healthcare team involved in his/her remote monitoring. 

2) Nurses may also access patients' data and interpret their health data in the context of their remote monitoring via the Platform.

3) Administrative staff may access patients' personal data as part of the administrative management of their telemonitoring treatment. 

Patients may object to their personal data being shared between the healthcare professionals and service providers involved in remote monitoring by sending a request to that effect either directly to one of the members of their medical team or to the following address: support@mydiabby.com.

 

9. INFORMATION ON THE REMOTE MEDICAL MONITORING OF PATIENTS' DIABETES ON MYDIABBY HEALTHCARE

Since 1 July 2023, remote medical monitoring of diabetes has been one of the medical procedures reimbursed by the French social security system (following publication of the registration order on 22/06/2023, available at this link). It is available to healthcare professionals for enhanced management of their patients.

This means that healthcare professionals can prescribe the "remote monitoring of diabetes" medical procedure "in the same way" as a physical device, for a defined period and with the patient's agreement.

In the context of remote monitoring, your Patients' non-identifying technical and statistical data resulting from the use of the Platform may be sent to public authorities where this is necessary to comply with a legal obligation to which we are subject.

 

10. WHAT IS OUR POLICY ON COOKIES?

 A cookie is a small file stored by a server in a user's terminal (computer, telephone, etc.) and associated with a web domain (i.e. in most cases with all the pages of a single website).  This file is automatically sent back when you subsequently contact the same domain.

As part of your browsing on our website, MDHC uses essential cookies, which are exempt from your consent under the GDPR. These cookies are strictly necessary for the operation and proper administration of the myDiabby showcase site, the provision of services requested by the internet user, the protection of the myDiabby Platform from computer attacks and navigation on the showcase site.

 

Retention period:

 

- Cookies for measuring system efficiency: up to 12 months 

- Cookies for security: session

- Session user identification cookies: up to 12 months

11. WHAT SECURITY MEASURES ARE IN PLACE TO PROTECT YOUR DATA?

We implement all technical and organizational measures to ensure the security of processing and the confidentiality of your personal data. 

 

In view of the nature of the personal data and the risks presented by the processing, we take all useful precautions (control of logical access, securing of computer channels, double authentication procedures with personal and secure access via confidential identifiers and passwords, logging of connections, traceability measures, encryption, anonymisation of certain personal data, archiving procedure, physical protection of premises, etc.) to preserve the security of personal data and prevent them from being distorted, damaged or accessed by unauthorized third parties.

 

We regularly conduct penetration tests to monitor, evaluate and assess the effectiveness of the security measures in place.

 

We also ensure that data protection and security are taken into account in the planning and development of our Platform.

 

12. WHAT ARE YOUR RIGHTS?

In compliance with applicable Regulations, you have the right of access to, rectification, erasure and portability of your data, the right to withdraw consent at any time (where the processing is based on consent), and the right to restrict and object to the processing of your data.

In addition, you may set out instructions on the retention, erasure, and disclosure of your personal data after your death.

 

For more information on your rights, you can consult the CNIL website: https://www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles
 

For any request to exercise your rights, where there is reasonable doubt about the identity of the applicant, we must verify your identity by asking you to provide a copy of an identity document (identity card or passport) or any other element allowing us to prove your identity.

At any time, you may lodge a complaint with a supervisory authority, in particular with the Commission Nationale de l'Informatique, and withdraw your consent to the processing of your data where appropriate. You can submit your complaint on the CNIL website (https://www.cnil.fr/fr/plaintes) or by post by writing to: CNIL - Service des Plaintes - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

You can exercise your rights by sending a specific request with proof of identity to the following address:  support@mydiabby.com 


Find out more about my rights: 

- the right to information: you have the right to obtain concise, transparent, comprehensible and easily accessible information on how we process your data and on your rights through a transparent, clear and precise privacy policy. 

- the right of access: you have the right to access the data processed by MDHC and to obtain a copy. 

- the right of rectification: you have the right to demand that your data be rectified if it is inaccurate or out of date and/or that it be completed if it is incomplete. 

- the right to portability of data whose processing is based on consent or the performance of the contract: you have the right to receive the data concerning you or your patients that you have provided to us in a structured, commonly used and machine-readable format. This only applies where the processing is based on your consent or the performance of the contract. 

- the right to request a restriction on data processing: in certain cases, you have the right to request that the processing of your data be restricted, so that we cannot retain your data. 

- the right to object to the processing of data: you may at any time object to the processing of your data where the processing is based on our legitimate interests, unless we have compelling legitimate grounds or the data is necessary for the establishment, exercise or defence of legal claims. 

- the right to erasure (the right to be forgotten): in certain cases, you have the right to obtain the erasure of your data. 

- the right to digital death: you have the right to define the fate of your data after your death and request that your data be registered with a trusted digital third party certified by the CNIL.

 

At your request, we can assist you in dealing with requests made by your Patients using the Platform.

 

13. WHAT ARE OUR POLICY APPLICATION CONDITIONS?

We may modify, supplement, or update this Policy to take into account any regulatory, legal, or technical developments. You will be notified in writing by email at least thirty (30) days prior to the effective date of any major change to this Policy.

 

If you do not agree with the terms of the new Policy, we invite you to delete your user account. After this period, the new Policy will apply to all access and use of our Services.

 

 Date of last update: 21/02/2024 

 

14. HOW TO CONTACT OUR DPO? 

If you have any questions or complaints about this myDiabby Healthcare data use policy, you can contact us at the following address:

 

MDHC - DPO, 66 avenue des Champs Elysées, 75008 Paris or at dpo@mydiabby.com.
