Exeevo and Data Privacy
Exeevo Inc. is committed to the individual's right to privacy. This Privacy Policy applies to all subsidiaries, websites and services owned and operated by Exeevo and describes our privacy practices regarding how we collect, use, share and process personal data (“personal data”), and how you can learn about your rights and choices regarding the processing of your personal data. As a global company, we comply with all applicable data protection laws, such as the California Consumer Privacy Act (“CCPA”), the European Union's General Data Protection Regulation (“GDPR”), the US Health Insurance Portability and Accountability Act (“HIPAA”) and Brazil's Lei Geral de Proteção de Dados (“LGPD”). Each of these laws places emphasis on transparency and trust.
1. INTRODUCTION
The protection of personal data/protected health information (PHI)/personally identifiable information (PII) is important to Exeevo and its clients.
Exeevo has established this Privacy Policy to protect and control the collection, processing, storage and/or transmission of such data.
This policy is intended to be shared with our clients, suppliers, business partners and employees so that they are aware of the policies and practices relating to personal data/PHI/PII managed by Exeevo in the course of the services it provides.
2. DATA PROTECTION POLICY
Exeevo is committed to protecting personal data in accordance with its responsibilities under the various legal frameworks and the rights of individuals. As a company that provides solutions for the healthcare sector, Exeevo's leadership, management, employees and business partners are committed to protecting personal data by:
- Identifying internal and external interested parties and the extent to which they are involved in the management of the organization's personal data management system
- Providing first-class resources and methods for the lawful, fair and transparent processing of personal data with regard to the rights of data principals or data subjects
- Protecting personal data by collecting, processing, storing and transmitting it in a form that permits the identification of individuals only for explicitly specified purposes
- Providing clear information to natural persons (including special safeguards when collecting data from children) about how and by whom their personal data may be used, and respecting the rights of individuals with regard to their personal data
- Ensuring that further processing or archiving in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes
- Processing in a secure manner that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction or damage
- Taking appropriate measures to ensure that personal data is adequate for, relevant to, and limited to what is necessary for the purposes for which it is processed
- Taking appropriate measures to ensure the accuracy of personal data
- Following best practices for the secure storage, transmission and destruction of data
- Implementing appropriate backup and disaster recovery systems
- Responding to personal data breaches in the most appropriate and rapid manner possible: in the event of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data, Exeevo promptly assesses the risk to the rights and freedoms of individuals and reports such a breach to the Data Protection Cell (see Section 5: Governance Structure for Personal Data Protection) so that further action can be taken in accordance with legal requirements.
General provisions of this policy:
- Applicability: This policy is applicable to all personal information processed at Exeevo.
- Ongoing Compliance: The Data Protection Cell shall be responsible for Exeevo’s compliance with this policy.
- Cognizance: This policy shall be made available to all employees and associates of Exeevo as documented information and shall also be communicated appropriately, so that all of Exeevo’s employees, associates and interested parties are effectively made aware of it.
- Review: This policy shall be reviewed at least once annually.
3. SCOPE
- This policy applies to all personal data/PII and PHI processed by Exeevo.
- This policy applies to all services and projects carried out for Exeevo's clients.
4. DEFINITIONS
Terms and definitions:
Business Associate Agreement: Refers to the agreement between the business associate (Exeevo) and the covered entity.
Business Unit (BU): Refers to the various departments within Exeevo.
Covered Entity: Refers to an organization that routinely handles personal information, PII, and PHI.
Data Protection Officer (DPO): Refers to the person heading all data privacy-related programmes and initiatives within the organization.
Engagement: Refers to the project, programme or engagement conducted or performed by Exeevo on behalf of its clients or covered entity.
Electronic Protected Health Information (EPHI): Refers to all individually identifiable health information that is created, maintained or transmitted electronically.
General Data Protection Regulation (GDPR)/(EU) 2016/679: Legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Health Insurance Portability and Accountability Act (HIPAA): Act of 1996 that specifies laws for the protection and use of personal (or protected) health information (PHI), which is essentially an individual’s medical records.
Personally identifiable information (PII): Refers to any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. Any information about an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name and biometric records, can be considered PII. PII can also constitute “PHI” under the HIPAA Act of 1996.
Privacy Rule: Refers to the part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.
PHI: Refers to any information that identifies an individual AND relates to:
- The individual’s past, present or future physical or mental health; OR
- The provision of healthcare to the individual; OR
- The past, present or future payment for healthcare.
Privacy Single Point of Contact (SPOC): Refers to the person monitoring the personal data/PII/PHI management under each BU.
Security Rule: Refers to the part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.
SPOC: Refers to the single point of contact/point persons.
Online Channel: Preselected website that can automatically send updated information for immediate display or viewing on request.
Special categories of personal information: The following types of data are categorized as special categories of personal information:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- The processing of genetic information
- Biometric information for the purpose of uniquely identifying a natural person
- Information concerning health or information concerning a natural person’s sex life or sexual orientation.
High-risk personal information: The following types of data are categorized as high-risk personal information:
- Special category personal information
- Personal bank account and other financial information;
- National identifiers, such as national insurance numbers;
- Personal information relating to vulnerable adults and children;
- Detailed profiles of natural persons (including children); and
- Sensitive negotiations which could adversely affect natural persons.
5. GOVERNANCE STRUCTURE FOR PERSONAL DATA PROTECTION
Data Privacy Cell
Exeevo shall ensure appropriate governance of personal data/PII/PHI. In pursuance of this objective, a personal data privacy cell has been structured as follows: the Data Privacy Cell consists of the DPO and all the BU SPOCs. Its responsibilities are:
- To identify personal data/PII/PHI under all operations and projects across Exeevo
- To analyze risks and implement control measures to protect personal data/PII/PHI
- To provide a support framework to manage the rights of data subjects
- To address requests and grievances of data subjects
- To ensure compliance with the data privacy requirements of data controllers
- To ensure compliance with various legal and regulatory requirements across jurisdictions
- To provide adequate measures for data privacy with processors/subprocessors as required
- To provide for appropriate technology and operational controls for transfer / import / export / storage / destruction of personal data / PII / PHI
The summary of proceedings of data privacy governance shall be discussed in the quarterly Information Security Group review meeting.
6. SOURCES OF PERSONAL DATA/PII/PHI
The methods and technologies by which the personal data/PII/PHI are collected are as follows:
Collection of Personal Data/PII/PHI Directly From the Individual
In the instance where Exeevo collects personal data/PII/PHI about an individual, measures shall be taken to respect the privacy preferences of the individual.
Engagements/Programmes/Projects
Personal data/PII/PHI is collected from participants in an engagement who access Exeevo websites, portals, platforms, etc. We may collect additional information relating to an individual’s participation in Exeevo programmes. Please note that we also collect personal data/PII/PHI relating to an individual at the time of enrolling in an Exeevo programme, as well as in the course of allocating and issuing a unique ID and password to access the Exeevo websites, portals, platforms, etc.
Automatic Collection of Information
When an individual visits an Exeevo website, we automatically collect and analyze certain information about the individual’s computer. This information includes, but is not limited to, the Internet Protocol (IP) address used to connect the individual’s computer to the Internet, information about the browser type and language, the date and time the individual accessed the website, the content of any undeleted cookies that the browser previously accepted from Exeevo, and the referring website address.
Cookies and Other Technologies
We use various technologies to collect information on an Exeevo website.
Cookies: When an individual visits an Exeevo website, we may assign the computer one or more “cookies.” A cookie is a small text file that contains information that can later be read by Exeevo to facilitate access to the site and personalize the online experience. For example, when an individual signs into an Exeevo site, we may record his/her user ID in a cookie file on the individual’s computer. In addition, through the use of a cookie, we may automatically collect information about the online activity on an Exeevo site, such as the web pages visited, the links clicked and the searches conducted. Most browsers automatically accept cookies; however, an individual can usually modify the browser setting to decline cookies by visiting the Help section of the browser’s toolbar. If an individual chooses to decline cookies, please note that he/she may not be able to sign in or use some of the interactive features offered on Exeevo websites.
Other technologies: Exeevo may use standard Internet technology such as Web beacons (also called clear GIFs or Pixel tags) and similar technologies, to deliver or communicate with cookies and track usage of Exeevo sites. We may also include Web beacons in e-mail messages or newsletters to determine whether messages have been opened and acted upon. The information we obtain in this manner enables us to customize the services we offer and measure the overall effectiveness of our online content, advertising campaigns, and the products and services offered through the website. Also, we use cookies to provide social media features, and to analyze our traffic.
7. MANAGING DATA PRIVACY RIGHTS IN PROJECTS
The scope of business at Exeevo does not require us to disclose personal data/PII/PHI to any parties outside the designated programme area, except for legal and statutory obligations.
Before the initiation of a project, we ensure that:
- The business SPOC is communicated regarding the project/programme
- Contract-specific clauses for the project/programme are reviewed and monitored
- Risk analysis and treatment is carried out for the complete programme/project, and contingency and mitigation measures are put in place
- Each and every member of the programme/project is responsible for ensuring that the PII/PHI is kept confidential
- Access to all or part of the PII/PHI is restricted based on each member’s role in the engagement
- We recognize the covered entities that are to be provided access to the PII/PHI in a de-identified format
- Any third parties who have access to the PII/PHI comply with Exeevo’s policies and give proof of compliance
- The respective privacy SPOC of the team should provide reports to the DPO on updates, problems, and breaches with regard to PII/PHI
- The BU SPOC ensures that all team members are trained on the do’s and don’ts for handling the data
8. MANAGING DATA PRIVACY RIGHTS FOR PERSONAL DATA/PII/PHI COLLECTED FROM WEBSITES AND OTHER ONLINE CHANNELS
In general, any individual may access Exeevo websites or online channels without providing any personal information about themselves. However, we collect certain information such as:
- Information that is provided via our websites, including information provided when an individual registers on our website, for example, name, email address, designation, company, country and telephone number
- Information about an individual’s computer, visits and the use of Exeevo websites, such as IP address, demographics, computer’s operating system, and browser type and information collected via cookies.
Use of Personal Information
We may use the personal information we obtain to:
- Provide and administer our products and services
- Communicate about and administer our products, services, events, programmes and promotions (such as by sending alerts, promotional materials, newsletters and other marketing communications)
- Conduct and facilitate surveys, sweepstakes, focus groups and market research initiatives
- Perform data analytics (such as market research, trend analysis, financial analysis and customer segmentation)
- Provide customer support
- Process, evaluate and respond to requests, inquiries and applications
- Operate, evaluate and improve our business (such as by administering, enhancing and improving our products and services; developing new products, services and online channels; managing our communications and customer relationships; and performing accounting, auditing, billing, reconciliation and collection activities)
- Conduct investigations and comply with and enforce applicable legal requirements, relevant industry standards, contractual obligations and our policies and terms (such as this Privacy Policy and other online channels terms of use)
- Maintain and enhance the safety and security of our products, services, online channels, network services, information resources and employees
We may combine personal information we obtain through online channels with information we obtain through offline channels, as well as other information, for the purposes described above. We may anonymize or aggregate personal information and use it for the purposes described above and for other purposes to the extent permitted by applicable law. We also may use personal information for additional purposes that we identify at the time of collection. We obtain the individual’s/data subject’s consent for these additional uses to the extent required by applicable law.
Consequences of Not Providing Personal Data/PII/PHI
If an individual/data subject chooses not to provide personal information that is mandatory for processing a request, Exeevo may be unable to provide, or restricted from providing, the corresponding service.
9. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA AND THE LEGAL BASIS
The purposes are programme/project specific. However, the common purposes are mentioned as follows:
- We process personal data/PII/PHI when it is necessary for the performance of a contract to which the individuals/data subjects are party, or in order to take steps at their request prior to entering into a contract. This applies in any case where we provide services to a client pursuant to a contract, such as when an individual/data subject uses our website or registers on the websites/online channels.
- We process the personal data/PII/PHI when it is necessary for the purposes of a legitimate interest pursued by us or a third party (when these interests are not overridden by the data protection rights and regulatory obligations). This applies in the following circumstances:
  - To identify the individuals/data subjects
  - To contact and respond to the individual’s questions or requests
  - To provide access to desirable content and/or services based on preferences/contractual obligations
Sharing of Personal Data/PII/PHI
In general, our clients are the data controllers responsible for processing the personal data/PII/PHI.
Transfer of Personal Data/PII/PHI Outside the European Economic Area (EEA)
We transfer personal information to countries outside the EEA (generally referred to as third countries) only if included in our contractual agreement that we have signed with the client, including to countries which have different data protection standards to those which apply in the EEA. Our service providers are primarily located in the United States, Singapore, India and the United Kingdom. Where service providers process personal data/PII/PHI in countries deemed adequate by the European Commission, we rely on the European Commission’s decision to protect personal information.
For transfers to Exeevo group companies and service providers outside the EEA, we use standard contractual clauses or rely on a service provider’s Privacy Shield certification or a service provider’s (EU Data Protection Authority approved) corporate rules that are in place to protect the personal data/PII/PHI.
When required, Exeevo discloses personal data/PII/PHI to external law enforcement bodies or regulatory authorities to comply with legal obligations.
Access, Correction, Objection With Regard to Personal Data/PII/PHI
Data subjects have the right to request access to, correction of, deletion of, or transfer of the personal data/PII/PHI that we hold, including profile and preferences. Data subjects also have the right to object to certain processing and, where our client or we have asked for consent to process the personal data/PII/PHI, to withdraw this consent.
Where we process the personal data/PII/PHI because we have a legitimate interest in doing so, data subjects also have a right to object to this. These rights may be limited in some situations, for example, where we can demonstrate that we have a legal requirement to process the personal data/PII/PHI.
Data subjects can assert their rights where such information was provided by contacting us at info@exeevo.com.
United States residents can also contact us at the address and phone number below.
Exeevo, Inc. Office Address: 600 Third Avenue, 2nd Floor, New York, New York, 10016
Board line number: +1 732 750 2901
Data Security
Exeevo adopts reasonable and appropriate security practices and procedures including administrative, physical security and technical controls to safeguard the personal information.
We take precautions including organizational, technical and physical measures to help safeguard against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data/PII/PHI we process or use.
Data Retention and Destruction
Exeevo will retain the personal data/PII/PHI as per the project/programme agreement. On completion of the agreed period, the data shall be archived, destroyed or transmitted to the client according to the regulatory norms.
If the client wishes to retain the personal data/PII/PHI, the client’s employee identified in the statement of work or service agreement should request the data in writing. Exeevo will provide the data in the prescribed format.
Reference document: Sections 6.5 and 8 of the Exeevo Information SOP for the Exeevo Information Lifecycle Document.
Children’s Personal Information
We do not knowingly collect personal data/PII/PHI from children under the age of 16. If parents or guardians believe that their child/ward has provided us with personal data without their consent, they can contact us at info@exeevo.com and we will take steps to delete such personal data/PII/PHI from our systems.
Restrictions on Automated Processing and Decision Making With Significant Effects on the Data Subject(s)
Restrictions on automated processing of data, and on decisions based solely on automated processing without human intervention (which may include profiling), apply if the decisions produce legal effects or similarly significant effects on the data subject. Individuals have a right to object to automated decision making.
Automated processing of data may be used if it is:
- Necessary to enter into, or to perform, a contract between a data subject and controller
- Authorized by Union or Member State law
- Based on the individual’s explicit consent
We share personal data/PII/PHI (as per business needs) with:
10. REFERENCES
- Exeevo Data Breach Notification procedure
- BS 10012:2017 Standard (specification for Personal Information Management System)
- HIPAA Privacy Rule
- GDPR ([EU] 2016/679)
- California Consumer Privacy Act, AB-375 (2017–2018 Session)
APPENDIX 1: RESPONSIBILITIES OF KEY STAKEHOLDERS
Exeevo's designated Data Protection Officer is responsible for developing and implementing policies and procedures designed to ensure ongoing compliance with global laws relating to PII/PHI. The duties of the DPO are as follows:
- Setting objectives for data protection and data security
- Approving and periodically reviewing the data protection policy
- Appointing data protection contacts (SPOCs) for each business unit
- Ensuring the adequacy of the data protection framework across the entire company
Responsibilities of the Data Protection SPOCs (BU)
The contact persons/SPOCs are responsible for data protection in the business units assigned to them. Their responsibilities include:
- Conducting a risk assessment before taking on a project or engagement with regard to the personal data/PII/PHI that will be collected, maintained, used, stored or transmitted, based on GDPR, HIPAA and other applicable data protection regulations
- Determining the physical, administrative, operational and technical controls that may be required on the basis of the risk assessment to adequately treat the identified risks
- Implementing the controls after the engagement/project has been taken on, in accordance with the risk assessment documentation
- Maintaining the engagement-specific risk assessment documentation
- Ensuring that proposals, master service agreements, statements of work, work orders and change requests comply with the provisions of this Privacy Policy
- Monitoring compliance with the approved and permitted methods for collecting, processing, storing and transmitting personal data/PII/PHI
- Forwarding requests from an individual/data subject regarding their rights to info@exeevo.com
Contact information in case of questions, concerns or complaints
Questions, concerns or complaints about Exeevo's practices regarding personal data or this Privacy Policy may be directed to the Data Protection Officer.
If an individual or data subject believes they have suffered harm as a result of a breach of their data protection rights by Exeevo under this Privacy Policy, and Exeevo has not handled the complaint satisfactorily, any person resident in the EU may also lodge a complaint with the competent supervisory authority.