Legal & regulatory
Terms of use & legal details
Understand how moveUP leads in compliance and regulatory affairs.
Privacy policy
Version 5 – April 2021
1. DEFINITIONS.
2. Why do we process your data?
3. What data is collected and processed?
4. Is your data disclosed or shared with third parties?
5. Do we transfer your data outside the European Union?
6. How long is your data kept?
7. How do we protect your privacy?
8. What are your rights and how to exercise them?
9. Do we use cookies?
10. What is the applicable law and the competent jurisdictions?
11. Be mindful of updates to this policy
This Policy is established by moveUP N.V:
Kantersteen 47, 1000 Bruxelles
VAT: 0643.795.235.
Hereinafter, "moveUP" or "we", "us", "our".
We are particularly vigilant about the protection of personal data (hereinafter referred to as data) and the respect of the privacy of all persons who come into contact with us. We act transparently, in accordance with national and international provisions in this area, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of individuals with regard to data processing for personal use and for the free movement of this data, and which repeals Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation" or "GDPR").
This policy describes the measures undertaken for the treatment and processing of your personal data, and your rights as a data subject.
As a processor of sensitive data such as health data, moveUP processes data on behalf of hospitals, health care providers or b.clinic. You should therefore contact them for information on the processing of your personal data.
If your personal data are processed by b.clinic (virtual clinical expert clinic), please find b.clinic’s privacy policy here.
You can react to any of the treatment described below by contacting us.
We inform you that your data will be used in compliance with this data protection declaration.
1. DEFINITIONS
In this statement, the following words and expressions shall be understood as follows:
Statement: This privacy statement.
General terms and conditions of use: The general terms and conditions and the condition of use of moveUP which administer the use of moveUP.
Personal data: Any information processed relating to an identified or identifiable physical person in accordance with this declaration is described in the article "The data processed".
Data relating to health: Data of a personal nature relating to the physical or mental health of a physical person, which reveal information about the health condition of that person.
Our professional healthcare partners: The healthcare professionals who are connected to the patient via moveUP.
Our services: All the services we provide on moveUP in the context of our professional activity or in execution of our statutory purpose, as described in our general terms and conditions of use, more specifically: a personalized monitoring and rehabilitation program with a choice of exercises adapted to your situation by means of videos, a personalized follow-up, figures and graphs of your progress as well as, where applicable, connecting with our professional healthcare partners, etc.
Person responsible for processing: The legal entity that determines the effectiveness and means of processing personal data in accordance with this declaration, namely us.
Processing: Any operation or set of operations, whether or not carried out with the aid of automated processes and applied to data of a personal nature, such as collection, recording, organization, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, association or linkage, as well as the locking, erasure or destruction of data of a personal nature; in this declaration, the terms "process", "processing", "processed", etc. refer to the present definition.
Anonymized data: Removing identifiable elements such as name and e-mail address and using masking data.
DPO: The data privacy officer (DPO) is the person who monitors moveUP's compliance with the General Data Protection Regulation (GDPR) in relation to the protection of personal data.
2. Why do we process your data?
We collect and process your personal data for different reasons based on a legal ground determined by the GDPR (for example, compliance with a legal obligation to which we are subject or the performance of a contract concluded with you). The table below sets out the purposes and the legal grounds for the use of your personal data.
Processing: Management of our medical care customers.
Purposes:
We process your personal data in order to carry out operations relating to the contracts; invoices; accounting; provision of documents;
We could process your personal data to contact you or a member of your team and answer your questions;
Legal grounds for processing:
In accordance with article 6.1.b) of the GDPR, this processing is necessary for contractual or statutory measures.
Some processing is necessary to achieve our legal obligations in accordance with article 6.1.c) of the GDPR.
Processing: Management of the application and the identification and authentication of doctors and other care providers; or patients/customers.
Purposes:
We process your personal data to give you access to our application. We could also process your data to contact you and answer your questions; ensure the technical administration and security of moveUP;
Legal grounds for processing:
In accordance with article 6.1.b) of the GDPR, this processing is necessary for contractual or statutory measures.
We may process your data, in accordance with the provisions of Article 6§2, f), on the basis of our legitimate interest, as soon as we have balanced this interest with your interests or fundamental rights and freedoms by examining your "reasonable expectations".
Processing: Management of our patients/customers.
Purposes:
We process your personal data in order to carry out operations relating to the contracts; invoices; accounting; provision of documents; We could process your personal data to contact you and answer your questions;
Legal grounds for processing:
In accordance with article 6.1.b) of the GDPR, this processing is necessary for contractual or statutory measures.
This processing is necessary to achieve our legal obligations in accordance with article 6.1.c) of the GDPR.
Research, statistics, and improving our application software.
We process personal data in order to provide and improve our services.
We process personal data to conduct scientific, historical and statistical research;
We carry out statistical analysis; for that purpose we anonymize your data by removing identifiable elements such as name and e-mail address and by masking data, for market research or other professional purposes.
Anonymized data do not fall within the GDPR’s scope.
In accordance with article 6.1.a) of the GDPR, we may process your data on the basis of your consent.
You can withdraw your consent anytime by contacting us (privacy@moveup.care).
Processing: Management of our communication.
Purposes:
We process personal data in order to provide you with information relating to our activities and services.
We may use your data to respond to our legitimate interest or to that of third parties, when this is necessary without affecting your interests or your fundamental freedoms and rights, to offer and promote all services and / or share with you informative messages that correspond to what you can reasonably expect from us in the context of our existing relationship or possible future relationship.
Legal grounds for processing:
We may process your data, in accordance with the provisions of Article 6§2, f), on the basis of our legitimate interest, as soon as we have balanced this interest with your interests or fundamental rights and freedoms by examining your "reasonable expectations".
You can object to the processing by contacting us.
Processing: Management of our pre-contractual relationships.
Purposes:
We process your personal data in order to respond to requests that you address to us (in particular via the contact form on our site), or if you sent us your Curriculum.
We can also process your personal data in order to contact you to initiate a possible future collaboration.
Legal grounds for processing:
In accordance with article 6.1.b) of the GDPR, this processing is necessary in order to take steps prior to entering into a contract.
Processing: Management of our suppliers.
Purposes:
We process personal data to fulfill our contractual obligations to you or to your company or our legal obligation, for instance accountable legal obligations.
Legal grounds for processing:
In accordance with article 6.1.b) of the GDPR, we process your data for the performance of our contracts concluded with you or your company.
This processing could also be necessary to achieve our legal obligations in accordance with article 6.1.c) of the GDPR.
Processing: Management of our litigation.
Purposes:
We may use your personal data to respond to our legitimate interest or to that of third parties, when this is necessary without affecting your interests or your fundamental freedoms and rights to manage a litigation in the context of our existing relationship or possible future relationship.
Legal grounds for processing:
We also have a legitimate interest in processing personal data for the defense of our interests, in particular but not exclusively in the context of a dispute or legal action on the basis of Article 6.1.f) of the GDPR.
We may also be required to process sensitive data in this context, in accordance with the provisions of article 9.2, f) of the GDPR.
Unless they are within a legal exception, you can object to the processing based on this basis, or on your consent at any time, by contacting us.
3. What data is collected and processed?
We only collect personal data that is adequate, relevant and limited to what is strictly necessary with regard to the purposes for which it is processed.
Depending on the purposes, data collection is carried out differently.
We detail below the personal data that we collect about you, as well as the methods of collection.
Processing: Management of our medical care customers.
The data collected and processed:
- Personal identifying data: first and last name; personal address; phone number.
- Electronic identification data: email address.
- Professional data: job title; workplace; Your Riziv/INAMI number; VAT.
Collection method:
- Directly through you. You have made them publicly available, on public media and social networks, mainly LinkedIn.
- Via your patient, colleague, healthcare institution, hospital that is in contact with us.
Processing: Management of our patient/customers.
The data collected and processed:
- Personal identifying data: first and last name; personal address; phone number; national register number.
- Electronic identification data: email address, IP address; encrypted password and username, or the PIN code.
- Personal feature: date of birth; place of birth; gender; nationality.
- Family data: marital and family status; (Family composition).
- Photos and videos according to your rehabilitation.
- Your identity card may be requested for the verification of your data - directly through you (if you request information about a possible inclusion, when registering to start, from the first use of our platform, at your initiative, by any clear positive action, any given expression of free will, although specific, informed and unambiguous, including by e-mail, text message, verbally by phone, during a visit to our address, when you enter information in an application form).
Collection method:
- Directly through you
- You have made them publicly available, on public media and social networks, mainly LinkedIn.
- Via your patient, colleague, healthcare institution, hospital that is in contact with us.
Processing: Management of the application and the identification and authentication of doctors.
The data collected and processed:
- Personal identifying data: first and last name; personal address; phone number.
- Electronic identification data: email address, encrypted password and username; IP address.
- Professional data: job title; workplace; your Riziv/INAMI number; national register number.
- Your identity card can be requested to verify your data.
Collection method:
- Directly through you (if you request information about a possible collaboration, when you register to setup, from the first use of our platform, at your initiative, by any clear positive action, any given expression of free will, albeit specific, informed and unambiguous, including email, text message, verbal by phone, during a visit to our address, when you fill in information in an application form, at any event or training that we organize where you present your business card or personal data).
Processing: Research, statistics, and improving our application software.
The data collected and processed:
- Personal identifying data: surname, first name, address, telephone number, order number, etc.
- Electronic identification data: email address, encrypted password.
- Personal feature: nationality, gender, languages spoken, country and town/city of birth
- Health data
- Encrypted data
- Photographs
- Any data or health data required for our clinical trial or the research to improve our application.
Collection method:
- Directly from you. You have made them publicly available.
Processing: Management of our communication.
The data collected and processed:
- Personal identifying data: surname, first name, telephone number, address.
- Electronic identification data: email address.
Collection method:
- Directly from you.
- You have made them publicly available.
- Via your patient, colleague, healthcare institution, hospital that is in contact with us.
Processing: Management of our pre-contractual relationships.
The data collected and processed:
- Personal identifying data: surname; first name; address; telephone number; order number.
- Electronic identification data: IP address; email address.
- Personal features: age; sex; date of birth; country; language; in your resume.
- Professional data: diploma; career; in your resume.
- Photographs.
- ID copy.
Collection method:
- Directly from you.
You have made them publicly available (if you request information about a possible collaboration, at your initiative, by any clear positive action, any given expression of free will, albeit specific, informed and unambiguous, including email, text message, verbal by phone, during a visit to our address, when you fill in information in an application form, at any event or training that we organize where you present your business card or personal data).
Processing: Management of our suppliers.
The data collected and processed:
- Personal identifying data: first and last name; address; telephone number; order number.
- Electronic identification data: IP address; email address.
- Financial data: VAT, bank account number; open receivable.
Collection method:
- Directly from you. You have made them publicly available.
Processing: Management of our litigation.
The data collected and processed:
- Personal identifying data: last and first name; address; telephone number; order number.
- Electronic identification data: IP address; email address.
- Family data: marital status.
- Personal feature: age; sex; date of birth; language.
- Professional data: profession; diploma; career.
- Health data from your medical file.
- Any, sensitive or not, data necessary for the defense of our legal interests.
Collection method:
- Directly from you. You have made them publicly available.
- From your healthcare institution, hospital, health care provider.
4. Is your data disclosed or shared with third parties?
The data listed above is accessible to people who are members of our team, or intervening as collaborators, professional healthcare practitioners, and only to the strict extent necessary to our lawyers or any technical advisers, to banking or insurance organizations.
We are also likely to transmit your data:
- at the request of a legal, judicial or administrative authority or auxiliary of justice; or
- in good faith, considering that this action is required to comply with any current law or regulation.
- in order to protect and defend our rights or those of other users of our services.
We may also be required to leave access to certain data to our co-contracting parties, qualified as "subcontractors" within the meaning of the legislation, to the extent strictly necessary for the achievement of our purposes, such as the operation of applications or computerized management systems.
In all circumstances, we ensure the protection of your data by agreements ensuring confidentiality.
Type of service provider: processor – controller - Location
Customer service tool for your feedback and complaint handling. - In Europe
Software development company. - In Europe
Document management, productivity tools and emails. - In Europe
Providers of mailing solutions. - In Europe
Document management. - In Europe
Database infrastructure and service provider. - In Europe
Database management system. - In Europe
Providers of IT solutions and maintenance of the website. - In US
CRM. - In Europe
Social media. - In Europe
Cloud provider and database server. - In Europe
Lawyers and legal services providers. - In Europe
HR services and social security. - In Europe
Accountants and financial services providers: Invoicing and payment. - In Europe
Communication tools. - In Europe
Banks - In Europe
More information about the subcontractors is available via "privacy@moveup.care" or via our DPO: "sp@altalaw.be".
Finally, in the context of academic or scientific research, in the context of scientific or statistical surveys, we may transfer certain data as long as these data have been rendered anonymous or pseudonymized.
Access by health care providers to the data is on the basis of a therapeutic relationship that is activated when the account is created. The user can request and modify these therapeutic relationships at any time.
In all circumstances, we do not communicate personal data to third parties without your consent, except in the cases mentioned above.
5. Do we transfer your data outside the European Union?
We do not make transfers outside the European Union. If applicable, data transfers to a country outside the Union will only be authorized if and only if:
- The European Commission has issued a decision granting an adequate level of protection equivalent to that provided for by European legislation, personal data will be transferred on this basis.
- The transfer is covered by an adequate measure granting a level of protection equivalent to that provided for by European legislation, such as the Commission's Standard Clauses.
- Your consent
6. How long is your data kept?
Your personal data that we process will be kept for:
- The duration of our contractual relationship
- The time strictly necessary for the fulfilment of our legal and contractual obligations, as part of your registration/application.
- The time strictly necessary to protect the vital interests of you or any other person
Processing - Duration.
Management of our medical care customers. - Data storage is 7 years from 1 January of the year following the end of the financial year, in accordance with the legal retention period of accounting laws.
Management of patient/customer - Data storage is 30 years from our last action in your files.
Management of the identification and authentication of doctors and other care providers. - There is no storage, your data are deleted at the end of our contractual relation.
Research, statistics, and improving our application. - Data storage is 20 years after completion of our study and research for clinical trial.
Management of our communication. - Data storage is 2 years from your last contact with us.
Management of our pre-contractual relationships. - Data storage is 2 years after our last contact.
Management of our suppliers. - Data storage is 7 years from 1 January of the year following the end of the financial year, in accordance with the legal retention period of accounting laws.
Management of our litigation. - In the event of a dispute, data storage is 7 years from the notification of the decision, in accordance with the legal retention period of accounting laws.
7. How do we protect your privacy?
We strive to optimally protect your personal data against unauthorized use and leakages. To this end, we use physical, organizational, technological, administrative and appropriate measures such as, and not limited to:
- We use recognized security and encryption processes to ensure the security of the transmission and storage of your data to and from moveUP.
- We have organizational measures in place, such as restricting access to our computer systems in accordance with the strict needs of each member of staff, with respect to his or her job;
- As soon as we can, your data will be pseudonymized or anonymized (depending on the purpose).
- We host your information on our servers which are protected by ad hoc security and certificates.
- We have an internal privacy policy and we conduct regular basic training to maintain data privacy awareness.
8. What are your rights and how to exercise them?
We attach a great deal of importance to the rights we have as individuals. We are at your service and invite you to contact our contact person at the following e-mail address: privacy@moveup.care or via our generic contact address: info@moveup.care or by post to our postal address. We have also appointed a DPO, who is available to you at the following e-mail address: sp@altalaw.be
You can exercise the following rights:
- Right of access, information and rectification.
You can request information at any time about our treatments, the objectives pursued, the categories of personal data that we hold about you, the categories of recipients of this data (third countries or international organizations), the retention periods or criteria for determining these periods, your other rights, other sources of your data and the existence of an automated decision-making process.
You may also ask for your data to be corrected or supplemented if it proves to be incorrect or incomplete. When exercising this right, you must specify the exact data you wish to have corrected and completed. We will answer your question as soon as possible, but we are obliged to consider the rights and freedoms of others when providing this information.
- Right to restrict processing.
You have the right to ask for the processing of your personal data to be restricted when:
1. You dispute the accuracy of these data.
2. You are in the waiting period necessary to evaluate the interests at stake before exercising the right to object to the processing of certain personal data.
3. The processing of your personal data is unlawful, but you do not wish to exercise your right to deletion.
4. We no longer need your personal data for the purposes set out in this data protection declaration, but you will need them in the context of legal action.
- Right to object.
You can object to the processing of your personal data if your data is processed on the basis of our legitimate interests or on the basis of consent. To exercise this right, please send us an e-mail at the following address: privacy@moveup.care. You can also click on "unsubscribe" which you will find in every e-mail you receive from us.
- Right to data portability.
If your information is treated as part of our contractual obligations or following your consent, you have the right to have your personal information transferred in the form in which we hold it or to have it transferred to another person designated by you.
To exercise this right, you must indicate this on the form we make available on our website. You can also send us an e-mail at the following address: privacy@moveup.care.
- Right to erasure / right to be forgotten.
In the cases provided for by the General Data Protection Regulation (GDPR) or the law, we will proceed with the deletion of your personal data at your request. In principle, you can exercise your rights free of charge. You can also send us an e-mail at the following address: privacy@moveup.care.
At the latest one month after receipt of your request, we will inform you in writing of the action we have taken at your request. Depending on the difficulty of your request or the number of requests we receive from other people, this period may be extended by two months. In this case, we will inform you of this extension within one month of receiving your request. In some cases (e.g., legal obligations, rights of others, limitation periods, ...), you may not be able to exercise your rights, in whole or in part. You will then be informed as to why we cannot fully comply with your request.
- Right to individual decision making.
You have the right not to be subject to a decision based solely on automated processing. We combine automated processes with human intervention, with no fully automated individual decision-making for the time being. You can always ask questions about this via privacy@moveup.care.
- Questions, comments, complaints, data leaks?
We remain at your disposal for any questions, comments or complaints regarding the protection of your personal data. If you notice a data leak or if you suspect a data leak, please report it to us immediately via privacy@moveup.care.
In addition, in accordance with Article 37 of the GDPR, we have appointed a Data Protection Officer (DPO).
You can contact the DPO at the following address: sp@altalaw.be
Finally, you also have the right to lodge a complaint with the Data Protection Authority (DPA) at the following address:
https://www.dataprotectionauthority.be/citizen
Rue de la Presse, 35 at 1000 Brussels
Phone : +32 (0) 2 274 48 00
Fax : +32 (0) 2 274 48 35
Email : contact@apd-gba.be
You can also lodge a complaint in the first instance court.
For further information on complaints and possible remedies, you are invited to consult the following address of the Data Protection Authority:
https://www.dataprotectionauthority.be/citizen/actions/lodge-a-complaint
For each request, we will respond as soon as possible and at the latest within one month of your request. Depending on the difficulty of your request or the number of requests we receive, this period may be extended by two months. In such a case, we will notify you of this extension within one month of receiving your request.
In all circumstances, when communicating this information, we are always obliged to take into account the rights and freedoms of other people.
9. Do we use cookies?
A cookie is a code in the form of a file stored on your computer. Cookies help us to improve our website, to facilitate your browsing and to analyze audiences. Learn more about our Cookie Policy.
10. What is the applicable law and the competent jurisdictions?
This Policy is governed by Belgian law. Any dispute relating to the interpretation or execution of this Policy will be subject to Belgian law and will fall under the exclusive jurisdiction of the courts of the judicial district of Brussels.
11. Be mindful of updates to this policy!
This Policy can be updated at any time without notice of modification. We advise you and invite you to consult it regularly.
Last update on April 14, 2021.
ISO13485 certificate
ISO 13485 specifies requirements for a quality management system where an organisation needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. To obtain the ISO 13485 certificate, moveUP was checked by an external, independent and professional agency on all the requirements.
ISO27001 certificate
ISO/IEC 27001 is an international standard on how to manage information security. To provide you with personalised care, moveUP asks and stores patient data. Patient data are stored safely. moveUP adheres to all requirements that ISO puts on information systems.
Your safety - our highest priority
Much is being written about “safety” and “data privacy” in the media. This webpage details how we guarantee your safety when using moveUP.
1. moveUP remote care is safe
moveUP is recognised as a safe medical device. We would like to stress that moveUP patients are guided by real people; not robots or a computer program. Your care team may consist of kinesitherapists, physiotherapists, dieticians and other medical professionals. The degrees of professionals using moveUP to provide remote care are checked on their authenticity.
It is important to realise that for a safe rehabilitation patients need to diligently follow experts’ instructions. Additionally, questionnaires are to be answered truthfully and within 8 hours after reception. On this page you can read how we handle patient data security.
2. The moveUP app is safe
moveUP is recognised as a safe medical device. Multiple studies have confirmed that moveUP is both safe and effective.
3. The step counter is safe
The step counter adheres to all safety rules as one would expect from an automatic activity tracker. Garmin also respects European legislation regarding data privacy and security.
4. Safety and security of patient data
As a digital medical device, moveUP adheres to strict safety and security rules regarding patient data management. For example, the server on which patient data is stored is located in Belgium. This computer is protected by specialists. All moveUP employees frequently have to change their passwords. An external agency checks moveUP’s data safety and security management in practice.
moveUP's safety and quality marks
CE-mark
moveUP has the CE-mark. The CE-mark indicates that moveUP adheres to all EU-rulings regarding safety, health and environment.
Official recognition in Belgium
The Federaal Agentschap voor Geneesmiddelen en Gezondheidsproducten (Federal Agency of Medication and Health Products) has approved to describe moveUP as a “safe, of good quality and effective medical device”.
The eHealth-platform, a federal public agency in Belgium, has confirmed the safety and security of moveUP’s information and patient data privacy practices.
The Rijksinstituut voor ziekte- en invaliditeitsverzekering, the national health insurance, has decided to cover the moveUP treatment plan.
To obtain these recognitions, the mobile Health Belgium platform played a part. This platform is an initiative of the Belgian federal government.
Privacy Charter
Version 1 – Sep 2023
This Privacy Charter (“the Charter”) is entered into between:
- moveUP NV, a limited liability company (naamloze vennootschap – NV) under Belgian law, having its registered office at Kantersteen 47, 1000 Brussels and registered with the Crossroads Bank for Enterprises under number 0643.795.235, duly represented by Ciaran McCourt, CEO, hereinafter referred to as “moveUP”;
AND
- The partner that incorporates moveUP’s services and application(s) within its operational healthcare provision framework, under the terms of the services agreement concluded between moveUP and partner, hereinafter referred to as “Partner”;
moveUP and Partner may be jointly referred to as the "Parties" and individually as a "Party".
All capitalized terms used throughout this Charter will have the meaning assigned to them in Annex I, which constitutes an integral part of this Charter.
- GENERAL INTRODUCTION AND SUBJECT-MATTER
- As a digital therapeutics company, moveUP supports life science organizations and healthcare professionals to implement advanced digital health pathways. The integrated suite of moveUP services and applications (collectively referred to as the "Solution"), provides comprehensive insights and bolsters clinical decision-making across the entire patient journey. By tailoring treatment and rehabilitation to each individual patient's needs, the Solution aims to contribute to a value-based healthcare. Furthermore, moveUP extends professional rehabilitation services through a dedicated team of healthcare professionals.
- Partner is an entity active in the healthcare sector that leverages the Solution of moveUP within its operational framework, integrating advanced digital therapeutics into its healthcare provision model. This partnership (the “Partnership”) is governed by a services agreement (the “Main Agreement”) that specifies the respective obligations and responsibilities of Parties in their professional relationship.
- In the course of the Partnership, the Parties will engage in the processing and exchange of Personal Data. Parties therefore wish to enter into this Charter, with the aim to delineate their respective responsibilities with regards to the principles and obligations set out in applicable Data Protection Legislation, including the GDPR. This Charter supersedes and replaces any prior agreements or understandings between the Parties on this subject, including any prior data processing agreement(s) executed between the Parties pursuant to Article 28 of the GDPR.
2. DESCRIPTION OF PROCESSING ROLES AND ACTIVITIES
- Categories of Personal Data exchanged and processed by the Parties:
- Identification and contact data, such as first name, last name, home address, date of birth, gender, telephone number and e-mail address;
- Healthcare information, such as symptoms, treatments, illnesses, medical background, lifestyle info of the patient;
- Rehabilitation information, such as treatment plans, progress reports, patient feedback, and outcomes of therapeutic interventions.
- Categories of Data Subjects to whom the Personal Data relates:
- Patients of the Partner
- Where applicable: healthcare professionals employed or contracted by the Partner
- Where applicable: other individuals involved in the patient's care, as required or permitted by law.
- Purposes of exchanging and processing Personal Data by the Parties:
The Parties warrant that they will only exchange and process the Personal Data to ensure the proper execution of the Partnership under the Main Agreement and in accordance with the provisions of this Charter. Processing for any other purposes requires a prior written agreement between the Parties.
In particular, Parties will exchange and process Personal Data for the purposes of:
- Providing and tailoring healthcare services to individual patients’ needs, including diagnosis, treatment, and rehabilitation;
- Monitoring patient progress and outcomes;
- Supporting clinical decision-making;
- Performing administrative tasks related to patient care and rehabilitation, such as scheduling appointments, calling patients to inform them about the Solution, managing patient records;
- Conducting research and development activities to improve the Solution and its applications, including by means of aggregated analytics, data-driven insights, reporting and occasional publications, at all times in line with and compatible with the primary processing purposes.
- Roles and responsibilities of Parties in relation to data protection:
- Where, pursuant to the Main Agreement, the Solution is leveraged by the Partner alongside concurrent rehabilitation services from moveUP, such that moveUP's dedicated personnel actively participates in the rehabilitation process of the Partner's patients (hereinafter referred to as "Scenario 1"), the Parties' roles and qualification under GDPR are as follows:
- Both Parties act as Controllers, both determining the purposes and means of processing Personal Data.
- Where, pursuant to the Main Agreement, the Solution is leveraged by the Partner without concurrent rehabilitation services from moveUP, such that moveUP's dedicated personnel does not participate in the rehabilitation process of the Partner's patients (hereinafter referred to as "Scenario 2"), the Parties' roles and qualification under GDPR are as follows:
- moveUP acts as Processor. As the Processor, moveUP processes Personal Data on behalf of the Partner, in accordance with the instructions provided by the Partner and the terms of this Charter and the Main Agreement.
- Partner acts as Controller. As the Controller, the Partner determines the purposes and means of processing Personal Data via the Solution, providing instructions to moveUP regarding the processing of such data in accordance with the terms of this Charter and the Main Agreement.
- The additional provisions of Section 10 of this Charter shall apply to the processing activities occurring under this Scenario 2.
- The Parties agree to promptly inform each other of any changes that may affect their roles under the GDPR as set forth in this Section.
- For the avoidance of doubt, this Charter does not apply to the processing of Personal Data by a Party that occurs prior to, after or independent from the performance of the Partnership, such as processing activities pertaining to the provision of each Party’s respective independent services to the Data Subject. As such, without limitation, this Charter does not apply to the processing of Personal Data by moveUP for the purposes of creating user accounts for applications within the Solution, or delivering moveUP’s direct services to patients without instruction from or cooperation with Partner.
3. COMPLIANCE WITH LEGISLATION
- Both Parties expressly undertake to comply with the provisions of the applicable Data Protection Legislation, including but not limited to the GDPR, and not to do or refrain from doing anything that may cause the other Party to breach the applicable Data Protection Legislation.
- Both Parties shall assist each other in complying with their obligations under the applicable Data Protection Legislation, taking into account the nature of the processing and the information available to it.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
- During the term of this Charter, both Parties shall adopt and maintain appropriate technical and organisational measures in such a way that the processing and the technical set-up of the Application complies with the requirements of the applicable Data Protection Legislation and that the protection of the rights of the Data Subject is guaranteed. In particular, both Parties shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and taking into account the respective roles and responsibilities as set out in Section 2 of this Charter. When assessing an appropriate level of security, particular account shall be taken of the nature of processing and risks involved in processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the Personal Data transmitted, stored or otherwise processed.
- Parties may engage (Sub)Processors to process Personal Data for the purposes set out in this Charter. In any such case, Parties shall:
- engage such (Sub)Processor only if it provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that its processing will meet the requirements of the applicable Data Protection Legislation;
- ensure that the necessary contractual provisions are established in accordance with Data Protection Legislation, including as laid down in Article 28 of the GDPR.
- Each Party may reserve the right to, after prior written notification, suspend and/or terminate the Charter for an indefinite period of time if the other Party can no longer provide for technical and organisational measures commensurate with the processing risk. After such notification, both Parties shall ensure that they cooperate in good faith to address the concerns raised by the notifying Party.
5. CONDUCT WITH REGARD TO NATIONAL PUBLIC BODIES AND JUDICIAL AUTHORITIES
- The Parties shall promptly notify each other of any request, order, investigation or subpoena addressed to them by a competent national governmental or judicial authority which involves the communication of the Personal Data processed by the Party or its (Sub)Processors or any data and/or information relating to such processing by the Party or their (Sub)Processors.
6. DATA SUBJECTS’ RIGHTS
- If either Party receives a request or complaint from a Data Subject that pertains to a processing activity for which the other Party acts as Controller, it shall promptly notify the other Party in writing and forward the request or complaint without responding to it itself, except as required by applicable law. The forwarding Party shall use reasonable efforts to ensure that the request or complaint is forwarded accurately and promptly but shall not be responsible for any errors or omissions in the forwarding process.
- Parties agree to provide any reasonable assistance and information requested by the other Party in relation to that Party’s obligation to process and manage a request or complaint from Data Subjects that relates to the subject matter of this Charter.
- For the avoidance of doubt, the responsibility to manage a request or complaint from Data Subjects with respect to their rights in relation to the Personal Data processed pursuant to the Partnership and to communicate its decision to the Data Subject, shall at all times remain vested in the respective Party acting as Controller with regards to the request.
7. PERSONAL DATA BREACH
- In the event of a Personal Data Breach that relates to the subject matter of this Charter, the Party who has suffered the Personal Data Breach undertakes to notify the other Party promptly after it has become aware of such Personal Data Breach, if and to the extent such Personal Data Breach may affect the operations and/or processing activities (or any part thereof) that take place under control of the other Party. The notifying Party may redact any information included in its notification where necessary to protect its business secrets or other confidential information but shall provide a meaningful summary as to enable the other Party to assess the impact and/or potential adverse consequences of the Personal Data Breach on its own operations and/or processing activities.
- In any such event described in Article 7.1, the Parties shall ensure that they cooperate in good faith to mitigate the potential adverse consequences of such Personal Data Breach. For this purpose, the Parties shall in good faith agree upon a plan of action, taking into account each Party’s role, the requirements laid down by applicable Data Protection Legislation and the information and technical and organizational capacities at the disposal of each of the Parties.
- For the avoidance of doubt, the decision to notify the competent Supervisory Authority and/or the impacted Data Subject(s) shall at all times remain the sole responsibility of the Party acting as Controller with regards to the Personal Data impacted by the Personal Data Breach.
8. INTERNATIONAL TRANSFERS
- The Parties agree that Personal Data may be transferred to and/or kept by a recipient outside the European Economic Area (EEA) to countries for which an adequacy decision is adopted by the European Commission. If an adequacy decision is lacking, any such transfer shall be governed by the terms of an agreement containing standard contractual clauses as published in the European Commission Decision of 4 June 2021 (Decision 2021/914 (EU)), or by other mechanisms provided by the GDPR.
9. CONFIDENTIALITY
- Both Parties undertake to treat the Personal Data and the processing thereof (including the terms of this Charter) with the utmost confidentiality. The Parties shall ensure confidentiality between themselves through measures that are no less restrictive than those used to protect their own confidential material, including Personal Data.
- Each Party guarantees that any person authorised by it to process the Personal Data has undertaken to observe confidentiality or is bound by an appropriate legal obligation of confidentiality.
10. ADDITIONAL OBLIGATIONS OF MOVEUP ACTING AS PROCESSOR
- The provisions of this Section 10 shall be applicable solely if and to the extent Personal Data are being accessed and Processed by moveUP acting in the capacity of Processor, as set forth in Article 2.4.2 of this Charter. In the event of a conflict or inconsistency between this Section 10 and the other provisions of this Charter, the terms of this Section 10 shall prevail.
- moveUP acting as Processor shall Process Personal Data only on the basis of (i) the written instructions of the Partner acting as Controller and in any case in accordance with the Processing activities set out in Section 2 of this Charter, or (ii) legal obligations to which moveUP is subject. In the latter case, moveUP shall notify the Partner of such legal requirement prior to the Processing, unless legislation prohibits such notification for important reasons of public interest. The Partner may unilaterally make limited changes to the instructions. moveUP shall be consulted before any significant changes are made to the instructions and both Parties must agree to any changes affecting the main provisions of this Charter or the Main Agreement. moveUP shall promptly notify the Partner if it believes that an instruction violates applicable Data Protection Legislation.
- moveUP will, by implementing and/or using appropriate technical and organisational measures, assist the Partner insofar as this is possible and taking into account the nature of the Processing, in ensuring compliance with the respective obligations of the Partner pursuant to Articles 32 to 36 of the GDPR.
- moveUP shall make available to the Partner all reasonable information necessary and shall allow for audits, including inspections, by the Supervisory Authority(ies) to whose supervision the Partner is subject, to verify moveUP’s compliance with this Charter and the Data Protection Legislation.
moveUP performs periodic internal and/or external audits and assessments to ensure compliance with relevant organizational and technical security measures. moveUP shall bear the costs of such audits. Certificates validating such audits and assessments are available on the moveUP website. Upon the Partner’s request, moveUP will provide relevant audit reports (with the omission of confidential information).
The Partner may conduct additional audits only if it can demonstrate justifiable grounds, and under the following circumstances:
- Once every 5 years, for a maximum duration of 2 business days, within moveUP’s standard business hours; or
- In response to an actual Personal Data Breach, only if such data breach has not been notified and if no remediation actions have been demonstrated; or
- If valid and relevant compliance certificates, which were in place at the inception of this agreement, are no longer available.
The Partner shall take all appropriate measures to minimize any impediments that such additional audit may cause to the day-to-day operation of moveUP or to the Solution and other services provided by moveUP. The Partner shall bear the cost of any additional audit within the meaning of this Article, unless the audit reveals that moveUP has manifestly failed to comply with this Charter and/or the Data Protection Legislation, in which case moveUP shall bear the cost of such audit.
- After termination of this Charter pursuant to Article 11.1 and in derogation of Article 11.2 of this Charter, moveUP shall, at the choice of Partner, delete or return all Personal Data to Partner, and delete existing copies, unless applicable law requires further storage of the Personal Data. Notwithstanding, it is understood that moveUP may retain de-identified datasets for legitimate secondary research and development purposes, provided these datasets cannot be used to re-identify any individuals.
11. DURATION OF PROCESSING
- This Charter remains in effect for the duration of the Partnership. In the event of a breach of this Charter or of the provisions of applicable Data Protection Legislation by a Party, either Party may instruct the other Party to suspend the processing of Personal Data.
- After termination of this Charter pursuant to Article 11.1 and without prejudice to Article 10.5 of this Charter, each Party, in its capacity as a Controller, is independently responsible for erasing data in accordance with its respective data retention policies, unless explicitly otherwise agreed between the Parties.
12. LIABILITY FOR PROCESSING OF PERSONAL DATA
- Either Party is liable for the damage caused by processing Personal Data only where it has not complied with its obligations of this Charter or the applicable Data Protection Legislation.
- A Party shall be liable (whether in contract or tort (including default) or in any way whatsoever in connection with this Charter, including liability for severe misconduct, for any proven failure attributable to it. The liability of the Parties for any failure under this Charter shall be limited to foreseeable, direct and personal damages, excluding consequential damages (even if advised of the possibility of such consequential damages or if the chance of such consequential damages was reasonably foreseeable), where "consequential damages" means: damage or loss which does not result directly and immediately from a contractual and/or non-contractual breach of contract, but instead indirectly and/or over time, including but not limited to loss of income, interruption or stagnation of business operations, increase in personnel costs and/or the cost of staff redundancies, damage consisting of or as a result of claims from third parties, lack of expected savings or benefits and loss of data, profit, time or income, loss of orders, loss of customers, increase in overhead costs, consequences of a strike, regardless of the causes thereof.
- If it appears that both Parties are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing. In any event, the total liability of each Party per cause of damage is limited to € 50.000,00 per calendar year. In no event shall a Party be held liable if the Party can prove it is not responsible for the event or cause giving rise to the damage.
13. AMENDMENTS TO THE CHARTER
- moveUP may amend this Charter at any time and undertakes to guarantee that any amendment shall be in accordance with applicable ethical principles and legislation, such as applicable Data Protection Legislation. Amendments will take effect thirty (30) days after publication by means of a written notification. If the Partner does not wish to accept the amendments to this Charter, the Partner has the right to terminate this Charter by registered letter at the latest on the date the amended terms become effective. This will have the consequence that moveUP can no longer offer the Solution to the Partner. After the effective date, the Partner will be deemed to have tacitly accepted the changes. The Partner can always find the most recent version of this Charter on the moveUP website.
14. MEDIATION AND JURISDICTION
- This Charter shall be interpreted under the laws of Belgium, and the rules on conflict of laws shall not apply.
- Each Party agrees that if the Data Subject brings a claim for damages against it under this Charter, it will accept the Data Subject's decision:
- To submit the dispute to an independent person for mediation;
- To submit the dispute to a competent court.
- The Parties agree that the choice of the Data Subject shall not affect the substantive or procedural rights of the Data Subject to seek redress in accordance with other provisions of applicable national or international law.
- Any dispute between the Parties over the terms of this Charter shall be submitted to the competent courts of Ghent.
Annex I: DEFINITIONS
For the purpose of this Charter, the following capitalized terms shall have the following meaning:
Controller
The natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data carried out under his authority;
Data Protection Legislation
Means all applicable data protection and privacy legislation, regulations and guidance including, without limitation the Regulation (EU) 2016/679 (“GDPR”) (as amended or re-enacted from time to time and including any replacement or subordinate legislation);
Data Subject
An identified or identifiable natural person;
Main Agreement
Shall have the meaning assigned to it in Article 1.2;
Partnership
Shall have the meaning assigned to it in Article 1.2;
Personal Data
Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Processor
A natural or legal person, public authority, agency or any other body which is authorised to process Personal Data on behalf of the Controller;
Solution
Shall have the meaning assigned to it in Article 1.1;
Supervisory Authority
An independent public authority which is established by a member state pursuant to Article 51 of the GDPR.