Data Protection Policy
LOXAMED, a French simplified joint-stock company (SAS) registered with the Companies Register of LORIENT under the registration number 887 672 137, which principal place of business is at 256 rue Nicolas Coatanlem, 56850 CAUDAN, FRANCE (hereinafter referred to as “LOXAMED”), is processing personal data during the course of its business. All the words starting with a capital letter in this Policy have their meaning defined in article 15, “Defined terms”, below.
- This data protection policy (the “Policy”) sets out how LOXAMED collects, uses, and Processes your Personal Data as Data Controller in accordance with the applicable regulations. The Policy applies in France.
- The Policy applies to the Personal Data that we may collect from our customers, our suppliers, our service providers and our Subcontractors in the course of various types of business contracts. The Policy also covers the Personal Data of the users of our website www.loxamed.fr (notably the users who book appointments through the “BOOK AN APPOINTMENT” page), the Personal Data of the individuals who apply for our job offers and any other individuals whom we may legitimately contact during the course of our business.
- LOXAMED may amend or update the Policy from time to time based on its activity and to reflect the changes in law or regulation. We invite you to read the Policy carefully and to check it regularly for any change that we may have made to it.
- LOXAMED values your privacy and is committed to protect and preserve your rights in relation to the privacy of your Personal Data. Should you disagree with some parts of the Policy, you may exercise your legal rights as set out in the articles 10, 12 and 13 below.
1. ORIGIN OF DATA
We may collect your Personal Data from the following sources:
- Personal Data that you provide directly to us during the course of our business relationship, which may be an existing relationship or at the prospection stage (such as when you contact us by e-mail, by phone or by any other means; or when you give us your business card; or when you come by our premises);
- Personal Data originating from our website when you visit our website or when you use the features and resources available on or through our website;
- Personal Data related to the appointment booking service that we provide (the “BOOK AN APPOINTMENT” page on our website);
- Personal Data provided by third parties (such as a rating agency or a business information website such as Infogreffe).
2. PURPOSES AND LEGAL BASES OF THE DATA PROCESSING
a) Purposes of the data processing
We process your Personal Data for the following purposes:
- to allow our partners, users and contacts to request information about LOXAMED and its services*;
- to prepare and submit commercial offers, take part in call for applications or tenders*;
- to manage our commercial and contractual dealings with our clients (sending estimates, sending invoices, execute orders, technical assistance and follow-up, dispute resolution…);
- to invite our partners, users and contacts or our prospects to events organized by LOXAMED during trade shows, conventions or trade fairs*;
- to organize calls for applications or calls for tender and to manage our commercial and contractual relationship with our suppliers, our service providers and our Subcontractors;
- to perform our obligations arising from our contracts;
- to promote our services to our current customers or our prospects*;
- to perform quality audits*;
- to process unsolicited job applications or applications sent for a job posting*;
- to preserve the safety and security of our facilities (including the visits log and the security cameras recordings) and the electronic security of our systems*;
- to improve our products and services (identifying problems, plan the improvements, create new products and services)*;
- for our accounting, finances, legal and audit operations*;
- in case of legal proceedings (to establish, exercise or preserve a right before the courts)*;
- to schedule the appointments for RT-PCR tests, antigen tests, online consultations and other appointments on the websites powered by LOXAMED*;
- to meet our legal obligations.
b) Legal bases
We Process your Personal Data for the abovementioned purposes under of one or multiple lawful bases:
- The Data Processing may be required for the performance of the contract that your entered into with us or for the execution of the actions necessary to perform the contract;
- The Data Processing may be required to comply with a legal obligation;
- The Data Processing may have its lawfulness based on your prior consent (this legal basis applies only to optional Data Processing, and does not apply to required or mandatory Data Processing);
- We have a legitimate interest to Process the Personal Data for the purposes abovementioned in a) and followed by a star (*).
3. NATURE OF THE COLLECTED PERSONAL DATA
The Personal Data that we may collect vary based on the purpose of the Data Processing. Their main use is to allow the identification of individuals in the course of their business relationship with LOXAMED. In any case, the collected Personal Data are restricted only to the data needed for the purposes mentioned in article 2 above.
Note for the visitors and users of our website: some features and components of our website may be used only when some Personal Data are provided. The user may provide or decline to provide some or all of the Personal Data requested from them. Should the user decline from providing all the Personal Data requested, some features and/or components of our website may be partially or entirely unavailable or non-operational.
Personal Data of customers and prospects:
We may collect the following Personal Data about our customers and prospects:
- Personal information (first and last name) and contact details (mailing address, shipping address, assistant’s contact information if required, phone number, e-mail address) of our contacts within a customer or prospect company;
- Estimates and order data (list and details of orders including their amounts);
- Payment information and payment terms (date of payment, payment summary, amounts paid);
- Data about customers’ needs or requirements collected by our customer satisfaction surveys, that we may use to improve the relevance of the marketing campaigns;
- Additional Personal Data that our customers choose to provide to us, to the extent that they are required for the performance of the purposes mentioned in article 2 above.
Personal Data of suppliers, service providers and Subcontractors:
We may collect the following Personal Data about our suppliers, our service providers and our Subcontractors:
- Personal information (first and last name) and contact details (mailing address, shipping address, assistant’s contact information if required, phone number, e-mail address) of our contacts within a supplier or service provider company for the good management of our business relationship;
- Additional data that our contacts within the supplier, service provider or subcontracting company chose to provide us, to the extent that they are required for the performance of the purposes mentioned in article 2 above.
Personal Data of job applicants:
We may collect the following Personal Data pertaining to individuals who submit job applications to LOXAMED:
- Personal information (first and last name, photo);
- Demographic data (gender, date of birth or age, place of birth, nationality, title);
- Professional information (occupation, employment status, professional address);
- Contact information (mailing address, phone number, e-mail address);
- Information about the applicant’s career, degrees and motivations.
Personal Data of users of our website:
See article 14 below, “COOKIES POLICY”.
Personal Data of individuals booking an appointment through our services (see “BOOK AN APPOINTMENT” page of our website):
The following personal data that are entered on our website (more accurately the MOBMINDER platform from CLOUD-TECH SPRL, our Belgian Subcontractor), first name, last name, phone number and e-mail, are collected and processed for the sole purpose of booking an appointment (date and time). The booking system is exclusively intended to help the scheduling of appointments, minimize the waiting lines and optimize and simplify the nurses’ work.
Depending on the website, the online booking may be unavailable and appointments may be made using other methods, or appointment may not be needed at all.
4. WHO MAY ACCESS THE COLLECTED PERSONAL DATA
The Personal Data may be accessed by (i) the authorized internal departments of LOXAMED and (ii) the authorized suppliers, service providers and Subcontractors of LOXAMED, for the purpose of managing customer accounts and providing the services.
5. PROTECTION OF PERSONAL DATA OF MINORS
LOXAMED does not deliberately collect or store Personal Data of minors, except in relation to the appointment booking mentioned in article 3 above.
6. SENSITIVE PERSONAL DATA
LOXAMED does not Process or store Personal Data pertaining to your health; health data are Processed and stored exclusively by the health professionals working with LOXAMED, in compliance with the regulations that govern their activity.
LOXAMED does not intend to collect or Process Personal Data during the normal course of its activities, except under the following cases:
- to comply with a legal obligation: when the Data Processing is required or allowed by the applicable law (for instance to comply with our various reporting obligations);
- to detect and prevent criminal offenses (including to prevent fraud);
- consent: when, in accordance with the law, we secured your prior and express content to Process your Sensitive Personal Data (this legal basis applies solely to optional Data Processing, and does not apply to required or mandatory Data Processing).
In case you share Sensitive Personal Data of third parties with us, you must specifically mention it.
7. THIRD PARTIES TO WHICH WE MAY SHARE PERSONAL DATA
We may share your Personal Data with the following third parties, each of them within their respective perimeter and only with the Personal Data that are relevant to them:
- the legally authorized authorities, the courts, the administrative authorities, in answer to their requests or orders, or for the purpose of reporting real or suspicious security breaches, in accordance with the law;
- the accountants, auditors, lawyers and other professionals who are under an obligation of confidentiality and which services LOXAMED uses;
- the service providers, suppliers and Subcontractors (such as the equipments and modules providers, the payment service providers, the charter and transportation companies, the IT service providers…);
- any potential acquirer, in case we sell or assign all or part of our assets or activities (including during a reorganization, dissolution or liquidation).
When one of our Subcontractors processes your Personal Data (to date, that’s the case of CLOUD-TECH SPRL, a Belgian company that supplies the MOBMINDER online booking platform), it is subject to contractual obligations that require it to (i) Process the Personal Data exclusively in accordance with our written and prior instructions, (ii) implement sufficient measures to protect the privacy and security of the Personal Data, and (iii) comply with any other obligation required by the applicable regulations.
Furthermore, and specifically with regard to the Personal Data of individuals booking an appointment through MOBMINDER (the “BOOK AN APPOINTMENT” page of our website), your Personal Data are shared solely with the employees in charge of scheduling the appointments.
8. PERSONAL DATA LIMITATION AND RETENTION POLICY
8.1 We take all the appropriate measures to ensure that the amount of Personal Data that we process is restricted only to the Personal Data that are reasonably needed by the purposes set forth in this Policy.
8.2 We take all the appropriate measures to ensure that your Personal Data are stored only for a length of time that does not exceed the duration needed by the purposes set forth in this Policy.
The following rules establish the duration of storage of Personal Data:
- Your Personal Data are stored in a format that allows your identification as long as your Personal Data are needed to fulfill the lawful purposes set out in article 2 of this Policy, for which we have a legitimate basis.
- Your Personal Data are stored for the length of the applicable statute or period of limitation (the time during which an individual can file a complaint with us, or file a lawsuit against us in relation to their Personal Data or for which their Personal Data are relevant).
- In any case, your Personal Data will be permanently deleted or anonymized five (5) years at the latest after they have been provided to us.
8.3 With regard to Personal Data related to appointments booking (for tests, online consultations or others), LOXAMED will delete such data one month after the end of the contract pertaining to the relevant LOXAMED site (i.e. the contract between LOXAMED and its customer who ordered the deployment of a specific module or health unit). You will be notified of the date upon request by e-mail to email@example.com.
9. TRANSFER OF PERSONAL DATA OUTSIDE THE EU
We do not transfer the Personal Data outside the EU.
Specifically with regard to the Personal Data of individuals booking an appointment through MOBMINDER, such Personal Data are stored on two OVH facilities in France. OVH is the storage provider of CLOUD-TECH SPRL, our Belgian Subcontractor.
10. YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Based on the type of Data Processing, the GDPR regulation gives you various rights with regard to the processing of your Personal Data. Such rights are set out by the regulation and generally include the following rights:
Right to not share your Personal Data with us:
In such case, we may be unable to provide the full extent of our products and services to you. For instance, we may be unable to process your orders or appointment booking on our website without the relevant information and contact details.
Right to object to the Data Processing based on legitimate interest or public interest:
You may object to the processing of your Personal Data at any time. We will process your objection diligently and will stop processing your data if you wish so. However, we reserve the right to not stop the Data Processing if :
- we can demonstrate compelling legitimate grounds for the Processing which override your personal interests;
- we Process your Personal Data to establish, exercise or preserve a right before the courts.
Right to withdraw your consent:
If we secured your consent to the Processing of your Personal Data for some Data Processing other than those for which consent is not required, you may withdraw such consent at any time and we will stop the specific Processing to which you gave your consent, except if we deem that there exists another reason that legitimates that Processing, in which case we will notify you.
Please note that such withdrawal of consent does not change the lawfulness of any Processing performed before the date at which we received your consent withdrawal; and neither does it prevent the Processing of your Personal Data on the ground of other available legal bases.
Right of access:
You may request to access or to receive copies of your Personal Data, along with data related to the type of Processing and the list of people who access these Personal Data.
We do not charge your access to your Personal Data unless your request is clearly unfounded or abusive. If the law allows it, we may charge you administrative fees if you request multiple copies of the same information. If permitted by law, we may possibly deny your request; in which case we will always justify such denial.
Right to erasure:
Under some circumstances, you may request the deletion of your Personal Data.
In principle, the Personal Data subject of the erasure request must meet one of the following conditions:
- your Personal Data are no longer needed to achieve the purposes for which we initially collected and/or Processed them;
- you withdrew your consent to the Processing of your Personal Data and there is no other legitimate reason for us to keep Processing it;
- your Personal Data has been involuntarily Processed unlawfully;
- if we are Processing your Personal Data because we have deemed that such Processing was needed for the purpose of our legitimate interests, if you have opposed such decision and if we were unable to demonstrate that there was a legitimate and imperative interest to continue the Processing.
We may deny your erasure request for one of the following reasons:
- to exercise the right to freedom of expression and information;
- to comply with our legal obligations;
- for public health reasons, in the public interest;
- for archival, research or statistical purposes;
- to exercise or defend a right.
When answering to a valid Personal Data erasure request, we will take all appropriate measures to delete such Personal Data.
Right to restrict Processing:
Under some cases, you may request that we restrict the Processing of your Personal Data. That means we may only keep your Personal Data and may not Process it any further, with the following exceptions: (i) resolution of one of the circumstances listed below; (ii) your consent; (iii) further Processing is required to establish, exercise or defend a right before the courts, to protect the rights of another person, or on important grounds of public interests of the European Union or of a Member State.
The circumstances where you may request us to restrict the Processing of your Personal Data are:
- when you challenge the accuracy of the Personal Data pertaining to you that we are Processing. In such case, we will restrict the Processing of your Personal Data to the verification of their accuracy;
- when you oppose our Processing of your Personal Data for the purpose of our legitimate interests. You may request a restriction of the Processing while we verify our reasons for Processing your Personal Data;
- When we inadvertently Processed your Personal Data unlawfully, and you chose to request a restriction of their Processing rather than their deletion;
- when we no longer need to Process your Personal Data but you request it in order to establish, exercise or defend a right before the courts.
If we shared your Personal Data with third parties, we will notify them of the restricted Processing, unless that proves impossible or involves unreasonable efforts. Naturally, we will inform you before we lift any restriction to the Processing of your Personal Data.
Right to rectification:
You may also request that we rectify inaccurate or incomplete Personal Data pertaining to you. If we shared such Personal Data with third parties, we will notify them of the rectification unless that proves impossible or involve unreasonable efforts. When applicable, we will provide you the list of the third parties with which we shared the inaccurate or incomplete Personal Data. If we deem reasonable to reject your request, we will notify you of the reasons of such decision.
Right to receive the Personal Data and right to portability of the Personal Data that we Process based on your consent or during the performance of a contract:
You may request to receive and transfer your Personal Data from one Data Controller to another. For that purpose, we will provide you your Personal Data in a commonly used, structured, machine-readable format. The right of portability applies to the following Personal Data: (i) Personal Data that we process automatically (i.e. without human intervention), and (ii) Personal Data that you provide.
Right to lodge a complaint with a Supervisory Authority:
You have the right to lodge a complaint with a Supervisory Authority, in particular the Supervisory Authority of the Member State of your residence, place of work or where the alleged infringement occurred. Such right does not waive your other rights under the applicable laws and regulations.
You can use the contact information provided at article 13 of our Policy to exercise one or several of the abovementioned rights or any other provision of this Policy, or to enquire about the Processing of your Personal Data. Please note that:
- We may request a proof of your identify before granting your requests;
- when your request requires fact-findings or additional investigations (for instance to assess the lawfulness of the Processing), we will review your request as promptly and reasonably as possible before making a decision.
Any individual who, after contacting LOXAMED, believes that their rights under the General Data Protection Regulation are not respected, may lodge a complaint with the CNIL in France:
Commission nationale de l’informatique et des libertés (CNIL)
3 place de Fontenoy
75334 PARIS CEDEX 07
11. SECURITY OF PERSONAL DATA
We are committed to taking all necessary steps to protect your Personal Data in our possession against any misuse, loss, alteration, unauthorized disclosure, destruction, unauthorized access and any other form of unlawful or unauthorized Processing, in accordance with the applicable law. We implement various technical and organizational measures to that effect. Such measures may also be intended to address suspected Personal Data infringements.
Because of the open nature of the Internet, the transmission of information over it is not 100% secure. While we are taking all reasonable precautions to protect your Personal Data, we may not guarantee the security of your Personal Data when they are sent to us over the Internet. Such transmission is at your own risk and you are responsible for ensuring that any Personal Data that you send to us is transmitted securely.
If you suspect a misuse, a loss or an unauthorized access of your personal information, please report it immediately to us in accordance with the provisions of article 13 below.
The access to the Personal Data is restricted to the employees, corporate officers, suppliers, service providers and Subcontractors of LOXAMED that require such access for the performance of their mission. Every individual who has access to your Personal Data is under a confidentiality obligation and may face disciplinary measures and/or other penalties if they break such obligation.
12. CONFLICT RESOLUTION
While LOXAMED has taken all necessary measures to protect your Personal Data, no transmission or storage technology is foolproof.
LOXAMED nonetheless cares about protecting your Personal Data. If you have reasons to believe that the security of your Personal Data has been compromised or that your Personal Data were subjected to unlawful use or misuse, you may contact LOXAMED at the following address:
- Mailing address: Legal department, LOXAMED – 256 rue Nicolas Coatanlem – 56850 Caudan (France), or
- E-mail: firstname.lastname@example.org
LOXAMED will process your complaints about the use and unauthorized disclosure of your Personal Data and will endeavor to answer them in accordance with the principles set out in this Policy.
The unauthorized access to Personal Data or their misuse may constitute a violation of the applicable law.
For any inquiry related to the Policy, to stop receiving commercial information from LOXAMED or to exercise your rights pertaining to your Personal Data, you may send an e-mail at email@example.com
14. COOKIES POLICY
When you visit our website, we may save cookies on your device or read cookies that were previously saved on your device, provided that we obtained your prior and express consent.
What’s a cookie?
Cookies can be distinguished based on their origins, functions and lifetimes. Here are the main characteristics of cookies:
- Session cookies: these cookies are saved on your computer only for the duration of your browsing session and are deleted automatically when you close your browser. They usually contain a session identifier that allows you to visit our websites without having to log in on each page;
- Persistent cookies: a cookie that is stored as a file on your computer and is not deleted when you close your browser. The cookie can be read by the website which created it when you visit the same website again. We use persistent cookies for Google Analytics and for personalization (see below);
- Strictly necessary cookies: these cookies are required for the proper use of our website and may not be disabled. The services that are available to you on our website cannot be provided without these cookies. These cookies do not store data about you that can be used for commercial purposes or to remember the web pages that you have visited;
- Performance cookies: these cookies allow us to monitor and improve the performance of our website. For instance, they allow us to measure the number of visitors, to identify the traffic sources and to identify the most visited pages of our website;
- Functionality cookies: these cookies are used by our website to save your choices (for instance your username, your language or your country) in order to provide improved functionalities. They allow us to provide you information or updates relevant to the services you use. Functionality cookies may also be used to save the changes you made to the font size, the font family and other elements of the web page that you can customize. They may also be used to provide the services you requested, such as watching a video or posting comments on a blog;
- Personalization cookies: these cookies allow us to show you information about solutions that may interest you.
- to track how you use our website. It allows us to understand how you use our website and to learn the individual or larger group trends. It allows us to develop and improve our website and our services to better satisfy the wishes and needs of our visitors;
What is the lifetime of our cookies?
The cookies that we use on our website expire after twelve (12) months at most.
Some cookies are stored by third parties, which also determine their own cookies’ lifetimes.
How you can manage the cookies
Most browsers are configured to automatically accept all cookies. Depending on the browser that you use, you may configure it (i) to be notified before cookies are set, so that you can accept or reject these cookies, or (ii) to always reject cookies. Use the “Help” menu (or a similar menu) of your browser to learn how to customize your cookies management. Please note that disabling cookies entirely may alter your browsing experience on our website.
If you use multiple devices to visit our website, you will need to configure your cookies preferences on each device.
You can learn more about it on http://www.allaboutcookies.org/manage-cookies/. Please note that LOXAMED is not affiliated with third-party websites and may not be held liable for them.
You may also opt out of cookies from some companies by visiting the following websites: http://www.aboutads.info/choices/#completed and http://www.youronlinechoices.com/. Please note that LOXAMED is not affiliated with third-party websites and may not be held liable for them.
15. DEFINED TERMS
For the purposes of this Policy, and in accordance with the French Data Protection Act of January 6, 1978 and the GDPR, these following terms have the meaning ascribed to them below:
- “Supervisory Authority” means an independent public authority established by the law to supervise the enforcement of data protection laws.
- “Personal Data” means all information relative to an identified or identifiable individual, in particular an identifier such as a name, identification number, location data, an online identifier or one or multiple specific elements.
- “Sensitive Personal Data” means the Personal Data relative to racial or ethnic origin, political opinions, religion and philosophical beliefs, trade union membership as well as genetic data, health data, data about sex life or sexual orientation, data relating to criminal convictions and offences or related security measures, as well as any information that may be deemed sensitive under the applicable law.
- “Data Controller” means the entity that determines the purposes for which and the means by which Personal Data is Processed. Under many jurisdictions, the main responsibility of the Data Controller is the compliance with the data protection laws.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “Subcontractor” means any individual or legal entity that Processes Personal Data on behalf of the Data Controller, other than the employees of the Data Controller.
- “Processing” or the verb “To Process” means any operation performed on the Personal Data, with or without automated methods, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, viewing, use, transmission, diffusion under any form, cross-checking and cross-referencing, restriction, erasure or destruction.