About the Service
See separate ‘Terms of Service’ (cmrad.com/terms) for descriptions of the Service that Collective Minds Radiology provides.
Collective Minds Radiology collects, processes and stores two distinct sets of personal data. We will process the following personal data on the Services:
A. User profiles
- contact details (e-mail address, telephone number, address, country of residence, nationality);
- position, title and workplace;
- medical doctor’s license;
- social network references.
- such as the URL you are accessing the Services from, your IP address, unique device ID, network and computer performance, browser type, language and identifying information and operating system;
- information about your use of the Services, such as what you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), consultation length(s), recurrence of visits and other interaction information, methods used to browse away from the page.
We are unable to provide you with the Services unless you provide us with the personal data listed in point A above. The processing of the personal data above is necessary to enter into the Terms of Service with us and to maintain the contractual relationship between you and us, where Collective Minds Radiology will act as Data Controller for the collected data. Some of this collected information is subject to processing of third parties, both within and outside the European Union (third countries). A list of these third parties and what they do for us with the use of this data can be found here: about.cmrad.com/data-processors
The data listed in B above is solely collected and used for performance and issue handling pertaining to the platform, and will not be used for identifying you as a user, unless this is requested by official legal investigations as in ‘Responding to Legal Requests and Preventing Harm’ below.
A third set of personal data is processed using the Collective Minds Platform, which is the data that you as a User will upload to the platform. This data is referred to as ‘User generated Material’ in the Terms of Service, and Collective Minds Radiology will act as Data Processor on behalf as of you as Data Controller for this data:
C. Pseudonymous patient case information
- pseudonymized DICOM images including embedded metadata;
- content that you post, upload and/or contribute to the Services;
For this data listed in C above, where you as a User of the Services will act as Data Controller and Collective Minds Radiology provide Services as Data Processor, a separate Data Processing Agreement must be in effect. The reason for a seperate Data Processing Agreement is to outline what kind of processing we’re instructed to perform on your behalf regarding personal data pertaining to Data Subject’s where you are Data Controller.
Purposes of Processing
Collective Minds Radiology will process the personal data sets described above for the following purposes:
- To enable you to verify your account, to administer your account, to enable and provide the Services and integration with third party services, and to provide, personalize and improve your experience with the Services, and to otherwise provide the Services according to the Terms of Service;
- to send you alerts or messages by email or otherwise, including to provide you with marketing of our and our related parties’ products and services;
- to inform you about updates of the Services or the terms of Service;
- to improve and develop the Services or new services and to analyse your use of the Services;
- to ensure the technical functioning of the Services and to prevent the use of the Services in breach of the Terms of Service;
- to enforce the Terms of Service, including to protect our rights, property and safety and the rights, property and safety of third parties if necessary;
- to fulfill our obligations as Data Controller and Data Processor;
- to respect and fulfill our obligations in regards to the Rights of the Data Subject;
- to respond to any queries you raise with us and to provide customer support; and
- to fulfil requirements by law (see ‘Responding to Legal Requests and Preventing Harm’ below).
Fulfilment of contract. By accepting Collective Minds Radiology’s Terms of Service, we process your personal data to be able to fulfil our agreement with you for the purposes listed above in ‘Purposes of Processing’.
Legal obligation. Collective Minds Radiology will process personal data if it has a legal obligation to do so to fulfil requirements by law as pointed out in ‘Responding to Legal Requests and Preventing Harm’ below’.
Legitimate interest. The processing of your personal data for the purposes listed in ‘Purposes of Processing’ above is conducted on the basis of the legitimate interest of Collective Minds Radiology. Our legitimate interest for the processing is maintaining sufficient IT security through logging data when you use our Services and to evade fraud and to protect the Services from cyber threats. We also log data for the maintenance and improvement of our Services.
Disclosure of Personal Data
We do not commercially exploit or distribute personal data to any third party for commercial purposes. We share and disclose your personal data to companies with which we have contracts in place. These companies mainly provide data storage, data analytics, advertising, IT support and other services to be able to run and improve our Services. For a complete list of third party companies, please see about.cmrad.com/data-processors
Responding to Legal Requests and Preventing Harm
We may access, preserve and share your personal data in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other Users, including as part of investigations described in Article 23(1) in the GDPR.
Cookies, Pixels and other System Technologies
Personal data about registered Users will be retained for as long as the User has an active profile on the Services. Users who have not used our Services will have all personal data deleted after 2 years of inactivity on the Services.
If you agree to be added to our mailing list, we will keep your personal information for that purpose unless and until you tell us that you want to unsubscribe or be removed from the list. If you advise that you do not want to be added to our mailing list or you ask to be removed, we will delete your personal data (aside from keeping a record that you have asked us not to send you marketing information).
The Services are not directed to persons under the age of thirteen (13). If you are a parent or guardian of a person under the age of 13 and you become aware of that the child has provided personal data to us without your consent, please contact firstname.lastname@example.org to exercise your access, rectification, erasure, limiting of processing and objection rights.
The importance of security for personal data is of great concern to us. At Collective Minds Radiology, we have gone to great lengths to manage the security and integrity of the Services and to ensure that we use best–in-class services when providing secure transmission of information from your device. Personal Data collected via the Services is stored in secure environments that are not available or accessible to the public; only those duly authorised people, officers, employees or agents of Collective Minds Radiology who need access to your information in order to do their jobs are allowed access.
Anyone who violates our privacy or security policies is subject to disciplinary action, including possible termination of their contract with Collective Minds Radiology and civil and/or criminal prosecution. Collective Minds Radiology uses the latest technologies to ensure utmost security, including utilising several layers of firewall security and encryption of personal data to ensure the highest level of security.
Please see our Security White Paper for further information on our security practices. The Services are hosted in Amazon Web Services (AWS) at its data centres in the EU. You can read more about this here: aws.amazon.com/compliance/gdpr-center/
You have an absolute right to object to the processing of your personal data for direct marketing. You also have the right to recall your prior given consent. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal, and we may continue processing your personal data based on other legal grounds, except for direct marketing.
You have the right to request access and further information concerning the processing of your personal data, or request that we correct, rectify, complete, erase or restrict the processing of your personal data. You have the right to obtain a copy of the personal data that we process relating to you free of charge once (1) every calendar year. For any additional copies requested by you, we may charge a reasonable fee of 10€ based on administrative costs.
If the processing is based on the legal grounds consent or fulfilment of contract you have the right to data portability. Data portability means that you can receive the personal data that you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transfer such data to another data controller.
To exercise your rights, or if you have any questions regarding our processing of your personal data, please contact us our Data Protection Officer (DPO) at the following address: email@example.com or Collective Minds Radiology AB, Hörnåkersvägen 14, 183 65 Täby, Sweden. In your letter/email please state your full name, your username (if you are a user) and which institution you are linked to. Note that you should sign the request to receive information about the processing of your personal data yourself.
If you have any complaints regarding our processing of your personal data, you may file a complaint to the competent data protection authority. You can find out more about the local data protection authorities under the following link ec.europa.eu/newsroom/article29/items/612080