The purpose of this Data Protection Policy is to :
In all its activities, ALMAVIVA SANTE and its establishments are subject in this capacity, in addition to the ethical and confidentiality obligations specific to healthcare professionals, to the obligations imposed by the regulations in force in France and within the European Union with regard to personal data and in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "RGPD").
- Data controller:
- Refers to the entity which determines the means and purposes of processing personal data.
- Joint controller:
- Refers to the entity which jointly determines the purposes and means of processing with a controller.
- Sub-processor:
- Refers to the person processing personal data on behalf of the Data Controller, who acts under the authority of the Data Controller and on the instructions of the latter.
- Authorised third party:
- Refers to a body that can access certain data contained in public or private files because a law expressly authorises it to do so.
- Personal data:
- Personal data is information relating to a natural person who can be identified, directly or indirectly. Moreover, a natural person may be identified from a single item of data or from the cross-referencing of a set of data.
- Health data :
- Personal health data is data relating to the physical or mental health, past, present or future, of a natural person, which reveals information about that person's state of health.
- Processing of personal data:
- This is an operation, or a set of operations, involving personal data, regardless of the process used.
- Data recipient:
- A person authorised to obtain communication of data recorded in a file or processing operation by virtue of his or her duties.
- Data transfer:
- This refers to any communication, copy or transfer of personal data intended for processing in a country outside the European Union.
- Consent:
- Consent is the data subject's agreement to his or her data being collected and used. It is one of the six legal bases set out in the RGPD. Consent must be free, specific, informed and unambiguous.
- Data controller and joint data controllers
The legal representative of the healthcare establishment in which you will be treated is the data controller for its suppliers, partners, patients and employees.
He/she acts as joint data controller for data processing carried out as part of a patient pathway requiring :
- The involvement of independent healthcare professionals (e.g. anaesthetists, psychologists, etc.);
- Exchanges with healthcare establishments (e.g. transfer of care).
- Data collection objectives
In connection with these activities, ALMAVIVA SANTE and its establishments may collect and process nominative, administrative and medical data about you. Unless you give your express consent, this data is processed automatically (by computer) or non-automatically (on paper) in order to provide you with the best possible care.
The express consent of the person concerned is required when the data is processed for reasons other than a legal obligation, a contract with the person concerned, or legitimate interests (which do not override the interests, freedoms and fundamental rights of the person concerned).
Healthcare establishments are required to collect and process administrative, social and medical data in relation to their purposes (article L6111-1 of the Public Health Code):
- To diagnose, monitor and treat patients, the injured and pregnant women;
- Providing residential, outpatient or home care;
- Participate in the coordination of care in relation to members of the health professions practising in towns and cities and medico-social establishments and services;
- Participating in the implementation of public health policy and vigilance measures designed to guarantee health safety;
- Conducting internal discussions on the ethics of care and medical treatment.
Specifically, the Human Resources Department, in compliance with the Labour Code, is responsible for :
- Managing applications and recruitment
- Personnel management
- training
- Social and trade union relations
- Career and skills management
- Human resources information systems
- Payroll management
- Management of temporary staff and trainees
- Work organisation
Specifically, communication management, in compliance with the consent of the person concerned (e.g. image rights):
- Management of online communication(website, LinkedIn, Facebook, Twitter, YouTube, etc.) subject to the website's confidentiality policies,
- Press communication management.
Each data processing operation therefore has a legitimate, specific and explicit purpose in the context of its activities, as set out in the register of processing activities for each of the establishments.
Data may be used for statistical purposes. The processing of patient data is presented in the welcome booklet when patients are admitted to our establishments.
- Information for data subjects
In the interests of transparency, the establishments take care to inform their patients, employees and business partners of each of the processing operations that concern them, in particular by means of:
- Postings,
- Specific information documents when data is collected (e.g. admission passport, internal regulations, etc.),
- Subcontracting contractual clauses.
This information concerns
- The data controller and the purposes for which the data is collected;
- The legal basis for data processing;
- The compulsory or optional nature of data collection for the management of your request and a reminder of the categories of data processed;
- The source of the data (when data other than that provided via the online service is used to process your request);
- The categories of data subjects;
- The recipients of the data;
- How long the data is kept;
- Security measures (general description);
- The possible existence of data transfers outside the European Union or automated decision-making;
- Your data protection rights and how to exercise them with ALMAVIVA SANTE and its establishments.
- Data collected and persons concerned
The establishments collect and process personal data in a fair, lawful and transparent manner. There is no automated decision-making.
For each of the processing operations carried out, the schools undertake to collect and use only data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
They shall also ensure that the data is accurate and, if necessary, kept up to date, and implement procedures to enable inaccurate data to be deleted or rectified so that it does not become obsolete.
Depending on the case, establishments may process personal data on patients, employees and any individuals with a contractual link:
- Relating to the identity of individuals (including title, surname, first names, date of birth);
- Relating to the means of contacting individuals (such as business and, where applicable, personal postal address, business and, where applicable, personal fixed and/or mobile telephone number, fax number, business and, where applicable, personal email address);
- Necessary to process the service requested or any other request (e.g. medical file, employee file).
Depending on the case, healthcare establishments may process the following personal data:
- Identification data ;
- Data relating to personal life (e.g. marriage);
- Data relating to professional life (e.g. training);
- Economic and financial information (e.g. cheques);
- Connection data (e.g. creation of software access code);
Where appropriate, if the purpose is legitimate, sensitive data such as :
- Religious beliefs (e.g. advance directive);
- Biometric data (e.g. access by fingerprint);
- Health data (e.g. content of your medical file);
- Life and sexual orientation (e.g. gynaecological treatment);
- Unique national identification number (social security number).
The sources from which your data is collected:
- Health professionals involved in your care,
- Line managers and the human resources department (staff-related data),
- The legal representatives of patients under our care (guardians, trustees, minors),
- Families of patients under your care (where applicable).
Data collected that is not mandatory is formalised by means of a consent form (e.g. satisfaction survey, transfusion, right to image, etc.).
- Data recipients
In any event, the establishments undertake not to pass on personal data to third parties whose activity or purpose would be to acquire new prospects with a view to sending commercial prospecting.
Recipients of the data:
- Healthcare professionals and professionals involved in prevention and care, in order to ensure continuity of care in compliance with the provisions of articles L. 1110-4 and L. 1110-12 of the Public Health Code, including via access to the shared medical file and the digital health space;
- The people in charge of the secretariat, who only have access to the information they need to carry out their duties;
- The staff of health insurance organisations, in order to enable the reimbursement of acts and benefits and their control, who have knowledge, as part of their duties and for the time necessary to carry them out, of the identity of the insured person, his/her social security number and the code number of the acts and benefits performed and the pathologies diagnosed under the conditions defined in article L. 161-29 of the Social Security Code;
- The staff of supplementary health insurance organisations, authorised by their function to process health data, in particular the identity of their insured persons, their national insurance number and, in the form of grouped codes, the categories of procedures and services performed;
- Public bodies involved in healthcare provision(EFS, Regional Health Agencies - ROR);
- Health care structures involved in patient care (Hospitalisation à domicile, Services Soins Infirmiers à Domicile, Soins Médicaux et de Réadaptation, centre hospitalier, etc.);
- Coordination Support Systems.
Persons with access to data:
- The establishment's departments specialising in the evaluation of care practices,
- ALMAVIVA SANTE support services(Almaviva Santé teams)
- Departments of the establishment and ALMAVIVA SANTE responsible for medico-economic management,
- Organisations specialising in the evaluation of care practices, which may receive personal health data;
- Service providers for software and workstation maintenance;
- Software hosting service providers;
- Service providers involved in improving our care;
- Authorised third parties: State, guardianship and control bodies for the purposes of legal obligations. (Union de recouvrement des cotisations de Sécurité sociale et d'allocations familiales, Caisses Primaires Assurances Maladie, HAS, Agences Régionales de Santé, CNIL, EFS, etc.).
- Data retention
Retention periods are defined according to the purposes of the processing carried out by ALMAVIVA SANTE and its establishments, and in particular take account of applicable legal provisions imposing a specific retention period for certain categories of data, any applicable limitation periods and CNIL recommendations concerning certain categories of data processing.
For this purpose, the ALMAVIVA SANTE establishments have a register of retention periods specifying the legal period for each document, of which the following are a few examples:
- The employee file is kept for 5 years after leaving the workforce,
- Billing data is kept for 10 years,
- Patient files are kept for 20 years.
We keep the data you have sent us as part of the processing linked to the management of past contracts and for the legal periods applicable after the end of the contracts.
- Data security
The security of personal data is of particular importance to us.
Appropriate technical and organisational measures are implemented to ensure that data is processed in such a way as to guarantee its protection against accidental loss, destruction or damage that could undermine its confidentiality or integrity.
When developing and designing, or selecting and using, the various tools that enable personal data to be processed, the data controller shall ensure, where appropriate with the publishers of such tools, that they provide an optimum level of protection for the data processed.
Establishments shall therefore implement measures that comply with the principles of protection by design and protection by default of the data processed as advocated by the RGPD. To this end, they will use data anonymisation or encryption techniques whenever possible and/or necessary.
When a service provider is used, the establishments will only communicate personal data to it after requiring it to comply with its own security principles.
Security measures are implemented in accordance with the Almaviva Santé information systems security policy (PSSI), taken from the document corpus of the General Health Information Systems Security Policy of the Agence du Numérique en Santé(link).
- Data transfer
Data may be transferred outside the European Union:
- Are governed by standard contractual clauses (e.g. Monegasque subcontracting of certain servers),
- Is anonymised: data transferred to parent companies as part of product improvements (e.g. operating theatre robots).
As a matter of principle, we do not pass on personal data to any third party, unless requested as part of the exercise of rights covered by REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data or for the strict purpose of achieving the purposes for which the data was collected, and always in compliance with confidentiality rules.
Establishments may, however, be required to communicate personal data in order to comply with a legal obligation, at the request of an administrative or judicial authority or for the exercise of a legitimate interest.
Requests to exercise your rights under the RGPD may be made:
- Via the website via the contact request below:
In compliance with the conditions and deadlines laid down by the applicable regulations: proof of the identity of the person exercising their rights may be requested. The establishments will inform any data subject wishing to exercise their rights that their request has been received and will notify a reply even if it is impossible to follow up the request.
In accordance with the French Data Protection Act (Loi Informatique et Libertés) and/or the General Data Protection Regulation (RGPD), you have the following rights
- The possibility of asking whether the data controller holds any information about you, and requesting that this information be communicated to you in full (right of access);
- The right to restrict the processing of your personal data if you consider that the processing is unlawful or excessive (right to restrict processing);
- The right to request rectification of inaccurate, incomplete, ambiguous or out-of-date information about you (right of rectification);
- The possibility of objecting, where appropriate and for legitimate reasons, to being included in a file held by the data controller (right of objection);
- the possibility of requesting, where appropriate and if there are no legal obligations to the contrary, that your data be deleted from a file held by the data controller (right to be forgotten).
- The right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (link).
The persons concerned will be able to exercise their rights in compliance with the RGPD and other regulations governing the right to certain data and in particular the Public Health Code, the Labour Code, the Social Security Code, the Social Action and Family Code and the collective agreement for the private hospital sector; by contacting the establishment's data controller.
The register of processing activities is provided for in Article 30 of the RGPD. It is an essential part of the documentation required to manage and demonstrate compliance with the RGPD.
Its preparation enables the Data Protection Officer and the RGPD correspondents of the establishments to:
- Make an inventory of the personal data being processed;
- Ask the right questions, together with the various ALMAVIVA SANTE business lines and its establishments, about the objectives of the files set up, the minimisation of the data collected, their sensitivity, their storage conditions, their recipients, and to assess the risks;
- Gather the information necessary to inform the persons identified in the data processing of ALMAVIVA SANTE and its establishments;
- Define a "GDPR compliance" action plan.
The standard register of the data processing activities of a healthcare establishment is available at this link
To make an appointment online, it's quick and easy
click on the link below and let us guide you.
Tél : 01 43 62 22 22
41-49 Avenue du Maréchal Juin, 93260 Les Lilas