PERSONAL DATA PROTECTION POLICY

Respecting privacy is a fundamental right and one of the core values of Consultenligne.

Consultenligne is committed to complying with French and European regulations on personal data protection, particularlyfsome the General Data Protection Regulation (EU) of April 27, 2016 (“GDPR”) and the French Data Protection Act of January 6, 1978, as amended (“LIL”).

We work with data protection authorities at the European level and in each country where we operate, with public bodies responsible for organizing the healthcare system, and with all representatives of patients, healthcare professionals, and healthcare institutions to ensure that we meet all our legal obligations regarding the protection of personal and health data.

Consultenligne has a dedicated team for the protection of personal data, including a Data Protection Officer registered with the CNIL, a security team, a legal team, and engineers specialized in data protection.

The personal data (including health data) of patients and healthcare professionals using Consultenligne services are hosted by OVH, a physical infrastructure host and data manager certified as a Health Data Host (HDS).

ARTICLE 1 – DEFINITIONS

The terms used in this Personal Data Protection Policy (hereinafter “Policy”) with capital letters are defined in the “Definitions” document.

In case of a conflict between the terms defined in this Policy and the terms in the “Definitions” document, the terms of this Policy prevail.

ARTICLE 2 – PURPOSE OF THE POLICY

All individuals, visitors to the professional website https://www.consultenligne.com (hereinafter the “Site”); Subscribers and Users with a Consultenligne account; healthcare professionals listed in the directory displayed on https://www.consultenligne.com; and healthcare professionals listed by the Services as potentially interested in our services (collectively hereinafter referred to as “Professionals”), may be subject to automated processing by Consultenligne.

This Policy explains how Consultenligne processes and protects the personal data of Professionals.

ARTICLE 3 – IDENTITY OF THE DATA CONTROLLER

According to the General Data Protection Regulation (hereinafter “GDPR”), the Data Controller is the person who determines the means and purposes of processing. The Processor is a person processing personal data on behalf of the Data Controller. The Processor acts under the authority of the Data Controller and on its instructions.

Whether as a Data Controller or a Processor, Consultenligne takes necessary measures to ensure the protection and confidentiality of the Personal Data and Health Personal Data it holds or processes in compliance with the Data Protection Act and the GDPR.

1. For Personal Data collected for: Site navigation, User account creation, (creating statistics related to the use of services, their calculation, and anonymization): the Data Controller is Jacob Bénichou, 16 rue Washington, 75008 Paris.
2. For Health Personal Data collected when booking an appointment by the User directly through the Site, by the Healthcare Professional in their Consultenligne calendar, or during document sharing by the User or the Healthcare Professional: the Data Controller is each individual Healthcare Professional with whom the User has booked an appointment or exchanged data. Each healthcare professional is considered the Data Controller of their patients’ Health Personal Data. For these health personal data, Consultenligne acts as a Processor and follows specific instructions from Healthcare Professionals in their relationship with their patients.

ARTICLE 4 – SOURCE OF PERSONAL DATA

The personal data processed by Consultenligne are collected through different channels.

Personal Data Provided by Professionals

Consultenligne may process personal data provided directly by the User when creating their Consultenligne Account or using Consultenligne Services, through contact forms, or any other documents available online on the Site, and during external events such as professional fairs, or phone exchanges with Consultenligne.

Personal Data Collected from Public Sources or Third Parties

Consultenligne may collect personal data about the User from third parties.

Recommendations from Other Healthcare Professionals: Some functionalities available in the Services allow Consultenligne Subscribers who wish to use Consultenligne.

The information thus completed can be used by Consultenligne to contact the User and offer access to the Services. Communications sent include information about the origin and nature of the collected personal data and an unsubscribe link.

Public Data: Consultenligne may use public personal data available notably on the ameli.fr site or from RPPS databases provided by CNAM. This personal data is used to create and make available to the public a directory of healthcare professionals, available on the https://www.consultenligne.com site.

Third-Party Databases: Consultenligne may also use services provided by specialized companies to access up-to-date databases of healthcare professionals.

Personal Data Automatically Collected During the Use of Consultenligne Services

When browsing the Site, Consultenligne may collect personal data to establish Site traffic statistics and conduct targeted advertising campaigns.

ARTICLE 5 – PURPOSES AND PROCESSING OF COLLECTED PERSONAL DATA

The data of Consultenligne Users are primarily processed to:

• Enable navigation on the Site;
• Allow the User to view and manage their care journey;
• Allow the User to share documents with healthcare professionals;
• Facilitate interactions between Users (patients and healthcare professionals);
• Enable the User to manage appointments for their dependents or close aides.

Additionally, User data is also collected to:

• Prevent and combat IT fraud (spamming, hacking…);
• Improve Site navigation;
• Conduct optional surveys on Consultenligne services and their potential developments;
• Conduct optional surveys on the quality of Services or the quality of care provided by Healthcare Professionals;
• Perform anonymized statistics on Service usage.

ARTICLE 6 – PROCESSORS AND RECIPIENTS OF PERSONAL DATA

Internal Use: The personal data of Professionals may be processed Consultenligne employees and its subsidiaries, within the limits of their respective responsibilities, and exclusively to fulfill the purposes of this Policy.

Recipients and Processors:

Processors: Consultenligne also uses services provided by several specialized companies (mailing, audience analysis) listed in the annex.

Cross-Border Transfers: To provide its Services, Consultenligne may use providers located outside the European Union. If the transfer occurs to a third country whose legislation is not recognized as offering an adequate level of personal data protection, Consultenligne ensures that appropriate measures are implemented according to the Data Protection Act and GDPR, including, when necessary, incorporating standard contractual clauses or equivalent ad hoc clauses in the contract between Consultenligne and the subsequent processor.

Finally, Consultenligne may be required to disclose User information in response to legal requisitions from competent administrative and judicial authorities.

ARTICLE 7 – EXERCISING RIGHTS

7.1 Professionals

According to law no. 78-17 of January 6, 1978, Professionals have the following rights regarding their personal data:

• Right of access (Article 15 GDPR): Professionals can access their personal information held by Consultenligne at any time.
• Right to rectification (Article 16 GDPR) and right to erasure (Article 17 GDPR): Professionals can request the modification or deletion of their personal data.
• Right to object (Article 21 GDPR): Professionals can object to the processing of their personal data for direct marketing purposes and/or processing based on Consultenligne’s legitimate interest.
• Right to restriction of processing (Article 18 GDPR): Professionals have the right to limit the processing of their personal data only in the following situations: when the Professional contests the accuracy of their data, believes the processing of their personal data is unlawful, or needs this limitation for the establishment, exercise, or defense of their legal claims.
• Right to data portability (Article 20 GDPR): Professionals can request to recover the personal data they provided to Consultenligne for personal use or to transmit to a third party of their choice. This applies only when the personal data is processed by automated means based on the Professional’s consent or a contract.
• Right to define the fate of personal data after death: Professionals can define how their personal data should be managed after their death and choose whether Consultenligne should communicate (or not) their personal data to a third party they have previously designated. Upon becoming aware of a User’s death and in the absence of instructions, Consultenligne commits to destroying their personal data, unless retention is necessary for probative purposes or to comply with a legal obligation (such as patient file retention).

Professionals also have the right to file a complaint with a supervisory authority, notably the CNIL (https://www.cnil.fr/fr/plaintes).

For more information or to exercise their rights, Professionals can contact Consultenligne by email at contact@consultenligne.com.

In such cases, Professionals must specify the personal data they wish Consultenligne to correct, update, or delete, and identify themselves precisely with a copy of an ID (identity card or passport) or any other element proving their identity.

7.2 Users

Users can exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to:

• Withdraw their consent at any time: Users have the right to withdraw their consent if they have previously given consent to the processing of their Personal Data.
• Object to the processing of their Data: Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the corresponding section below.
• Access their Data: Users have the right to know if their Data is being processed by the Owner, obtain information on certain aspects of the processing, and receive a copy of the Data undergoing processing.
• Verify and obtain rectification: Users have the right to verify the accuracy of their Data and request that it be updated or corrected.
• Restrict the processing of their Data: Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will process their Data solely for storage purposes.
• Have their Personal Data deleted or erased: Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
• Retrieve their Data and transfer it to another controller: Users have the right to receive their Data in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract to which the User is a party, or on pre-contractual obligations.
• Lodge a complaint: Users have the right to bring a claim before their competent data protection authority.

ARTICLE 8 – SECURITY

Regarding the Services, Consultenligne implements appropriate technical and organizational measures related to security in accordance with the provisions of the Data Protection Act and the GDPR to ensure an appropriate level of security against risks presented by the processing of User’s Personal Data.

To assess the appropriate level of security, Consultenligne will consider risks that may result from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed Personal Data, in accordance with the provisions of Article 32 of the GDPR.

ARTICLE 9 – “COOKIES” AND INTERNET TAGS

Please refer to our General Terms of Use.

ARTICLE 10 – PERSONAL INFORMATION AND MINORS

The Consultenligne Site is intended for individuals who are of legal age to contract obligations under the laws of their country of residence.

The use of the Consultenligne Platform is reserved for healthcare professionals. They acknowledge that they are acting within the scope of their professional activity practiced in France and commit to verifying that each Professional acts within the scope of their professional activity practiced in France.

ARTICLE 11 – POLICY APPLICATION CONDITIONS

Consultenligne may modify, supplement, or update this Policy to reflect legal, regulatory, jurisprudential, and/or technical developments.

In case of significant changes (related to processing purposes, collected Personal Data, rights exercise, transfer of Personal Data) to the terms of this Policy, Consultenligne commits to informing Professionals by any written means at least thirty (30) days before their effective date.

Any access and use of Consultenligne Services beyond this period will be subject to the terms of the new Policy.

Professionals are informed that the only version of the Policy that is binding is the one found online, which they acknowledge and accept without restriction.

Professionals are required to refer to the online version of the Policy at the date of access and each use of the Services.

By using the Consultenligne Site and Services, Professionals accept the terms and conditions mentioned in this Policy.

ARTICLE 12 – CONTACT US

For any questions or complaints regarding Consultenligne’s compliance with this Policy, or for any recommendations or comments aimed at improving the quality of this Policy, Professionals can contact Consultenligne by email at contact@consultenligne.com.