Who are we?
We are Bluesquare, located at Hive5 – Cours Saint Michel 30b, 1040 Brussels, Belgium.
In the context of our activities, we collect and process certain personal data. Pursuant to EU data protection and privacy legislation, we sometimes act as a ‘data processor’, and sometimes as a ‘data controller’:
- We act as a data processor on behalf of our clients/customers (who act as data controllers) when our clients/customers carry out surveys for example using our web/mobile application; In this case, our clients/customers determine the information to collect via the surveys and the purposes for which this information will be used (such as the follow-up of grants and subsidies);
- We also act as a data processor on behalf of our clients/customers (who act as data controllers) when we are hosting the data collected via the surveys on our cloud-based platform, anonymize and make this information accessible to our clients/customers via this platform, on their request and under their instructions.
- We act as a data controller when we anonymise and aggregate the collected patient data for our own statistical and research purposes and/or collect certain data via access to government databases with their consent.
- We act as data controller when we collect customer and supplier data such as name, function and contact details.
We know that privacy is important and should be respected
- We value individuals’ right to privacy and strive to protect personal data in accordance with applicable data protection legislation and more specifically with the EU General Data Protection Regulation (“GDPR”) and its national implementing legislation.
- For those activities for which we only act as a ‘data processor’, our clients/customers are responsible for providing adequate data processing information to all individuals whose personal data are collected.
How do we collect personal data?
In the context of the services we provide to our clients/customers, we collect personal data relating to individuals who participate in surveys about services received through government or NGO programs in countries around the world.
Generally, the following information is collected and processed:
- Location data (GPS coordinates of the location where the data is inputted by the person interviewing the patient)
- Name and surname
- Information about the hospital, health center or school that was visited by the person
- Type of services the person has received (this might include health services)
- Level of satisfaction indicated by the person, and answers to other questions (e.g. relating to bribes or sexual violence)
This information is generally collected via mobile questionnaires. Local interviewers are requested to complete these questionnaires together with the person and to duly inform the person on the collection and processing of their data, so that they can validly consent hereto. Such consent is then confirmed before the actual survey starts.
Other information can also be collected by us through access to health facility or other public registries and government databases, subject to the legal requirements governing access to such databases.
For what purposes do we use these personal data?
- When we act as a data processor, we collect information from interviewees, as described above, for the purposes specified by our clients/customers, generally relating to the administration and follow-up of grants and subsidies to hospitals, healthcare service providers and schools.
- When we act as a data controller, we aggregate and anonymise interviewees information, as described above, for statistical and research purposes (e.g. to generate geographical maps indicating with geo-codes where interviews have taken place).
We rely on grounds of public interest and statistical research to for the anonymisation process. Insofar as this would not suffice, we have also put in place an opt-in consent mechanism. In any case, as soon as it is fully anonymised, the information can no longer be linked back to the patients concerned and is not ‘personal data’ anymore.
- When we act as a data controller, we collect information from clients, partners and supplies (name, function, organization, contact details) in order to i) share news and updates about what we do and 2) ask about their level of satisfaction with our product and services. We do not share clients’ information to third parties without their explicit consent.
With whom do we share personal data?
In the context of the purposes listed above, we may share personal data with third parties, such as:
- our clients/customers (as they are ‘data controller’);
- independent developers working for us; and/or
- any IT service providers that would be engaged by us to perform some of the processing operations or to host any data sets.
The anonymous/aggregated data sets generated by us may also be shared with third parties. These data sets do however not contain any personally identifiable information.
Where relevant, we will ensure that contractual safeguards are implemented to ensure the protection of personal data in case of disclosure to a third party.
If any party to whom we may disclose personal data would be located outside the European Economic Area (EEA), we will ensure that measures are taken to ensure adequate protection of personal data in accordance with applicable data protection legislation.
How long do we store personal data?
Your personal data will not be stored for longer than is necessary in relation to the purposes for which we process them (as determined by our clients/customers).
Insofar as we would act as data controllers ourselves, we will anonymize any personal data obtained from patients via the surveys we perform as soon as possible, so that we do not retain any personal data in our data sets.
How do we protect personal data?
We will implement the necessary administrative, technical and organizational measures for ensuring a level of security appropriate to the risks that we have identified. In any case, our data warehouse is only accessible to authorized (internal or external) users who have a login and password.
We also protect personal data against destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
Which rights do individuals have and how can they exercise them?
Individuals have the right to:
- information about and access to their personal data;
- rectify their personal data;
- erasure of their personal data (‘right to be forgotten’);
- restriction of processing of their personal data;
- object to the processing of their personal data (‘withdraw their consent’); and
- receive their personal data in a structured, commonly used and machine readable format and to (have) transmit(ted) their personal data to another organization.
Finally, individuals also have the right to lodge a complaint with the Belgian (or any other competent) Data Protection Authority.
To read more about these rights, and circumstances under which they can be exercised, see the Annex below.
Any questions? contact us!
Annex – Rights of data subjects
|Right to information and right to access your personal data||You may at any time request more information on our processing activities and the personal data that we are keeping from you.|
|Right to rectification of inaccurate or incomplete personal data of||You have the right to require us to, without undue delay, rectify or complete any of your personal data that is inaccurate or incomplete.|
|Right to deletion of your personal data (‘right to be forgotten’)||You may request us to delete (part of) your personal data in the following situations:|
– when the processing is no longer necessary for achieving the purposes for which we collected or otherwise processed these; or
– when the processing was based on your consent and you have decided to withdraw that consent;
– when you have other reasonable grounds to object to the processing of your personal data;
– when we would unlawfully process your personal data;
– when your personal data have to be erased in compliance with a legal obligation.
We note that in some cases we may refuse to delete personal data: (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation; or (iii) for the establishment, exercise or defence of legal claims. As far as the right to deletion would effectively apply, we will anonymise your personal data.
|Right to restriction of processing |
|You may request us to (temporarily) restrict the processing of your personal data in the following situations:|
– when you have contested the accuracy of your personal data, for a period enabling us to verify this accuracy; or
– when the processing appears to be unlawful and you request us the restriction of use of your data instead of the deletion of this data; or
– when we no longer need the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims; or
– pending verification whether our legitimate grounds override yours in the framework of an objection.
|Right to object to the processing of your personal data (free of charge)||You may under certain circumstances object to the processing of your personal data, in particular if you choose to withdraw the consent on which our data processing activity is based.|
You can revoke your consent at any time, by sending written notice to us at the address indicated above (or by contacting our client/customer). Once you have revoked your consent, your data will be anonymized, so that we can no longer make a connection between you and the data.
|Right to data portability||In some cases, you have the right to receive all your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. This right applies:|
– in case the processing is based on consent or on the necessity for the performance of a contract; and
– in case the processing is carried out by automated means.