Privacy policy -Dhealth processor

1. Who we are?

Dhealth SNC (“Dhealth”, “we”,“us” or “our”) is an information technology company which helpshospitals (“Clients by centralizing hospital and patient data into oneplatform. Dhealth’s platform has the goal, helping doctors to gain insights inpatient outcomes.

Dhealth SNC is registered in the(Belgian) Crossroads Bank for Enterprises under number 0721.829.656 and has its registered office at Rue Picart 7, box 6, 1000Brussels, Belgium.

2. How you can contact us

Any questions, complaints orcomments about this Privacy Policy or the way we handle your personal data canbe submitted to our Data Protection Officer (“DPO”) by sending an email toprivacy@dhealth.be

3. General information aboutthis Privacy Policy

• Scope - ThisPrivacy Policy applies to all personal data processing activities executed byor for Dhealth, including all personal data collected on the Dhealth website.When Dhealth processes personal data on behalf of a Client, we recommend thatyou read the Client’s privacy policy for more information.

• Content - ThisPrivacy Policy basically informs you about why and how we collect and processyour personal data, who will have access to it, and which rights you have.

• Applicable dataprotection legislation - We understand that your privacy is veryimportant. Therefore, we will process your personal data only in accordancewith the applicable European and Belgian data protection law, which mainlyincludes the European General Data Protection Regulation of 27 April 2016(“GDPR”) and the Belgian Act of 30 July 2018 on the processing of personaldata.

• Governing law andjurisdiction - This Website and this Privacy Policy shall be governedby the laws of Belgium. Any disputes arising out of or in connection with thisWebsite or this Privacy Policy shall be submitted to the competent Belgiumcourts.

• Data Protection ImpactAssessment (“DPIA”) - You can request access to our DPIA summarythrough privacy@dhealth.be

• Updates - We mayupdate this Privacy Policy from time to time, and it is the latest version thatwill always apply. We therefore recommend that you check this Privacy Policyregularly online.

4. The role of Dhealth whenprocessing personal data

4.1. Dhealth acts as a processor

Dhealth helps Clients to processmedical data – including personal data – in their custody, so the hospital,their doctors and other healthcare professionals can improve care, improvepatient outcomes.

In this scenario, we processpersonal data of patients on behalf of our Clients. The Client will be actingas controller and Dhealth works as their processor under their instructions. Dhealthmay in turn engage third parties to act as its subprocessors to help with orperform certain data processing activities for the Client.

This means that the Client will bethe main responsible for e.g., the lawful and transparent processing of thepersonal data (incl. obtaining informed consent if legally required), whereas Dhealthand its subprocessors will support the Client on the secure processing of thisdata in accordance with the Client’s instructions. When you exercise yourrights against us/our subprocessors or when we register a data breach, we willreport this to the Client and align with their instructions or refer youdirectly to the Client.

Dhealth takes its responsibilitiesas processor of (medical) data very seriously.

If you would like more informationabout this prior to a collaboration, you can always request this documentationvia privacy@dhealth.be

Please note that the followingsections will mainly focus on Dhealth’s role as a controller. For moreinformation about when Dhealth acts as a processor, we recommend you to readthe privacy policy of the Client acting as a controller for the data processingactivity.

4.2. Dhealth acts as a controller

When we act as a controller, wedetermine the purposes and means of processing personal data. This typicallyoccurs when we collect personal data directly from individuals or when weprocess personal data for our own business purposes.

As a data controller, we areresponsible for ensuring that personal data is processed in compliance withapplicable data protection laws and regulations.

Dhealth typically acts as acontroller of the personal data collected and processed in the context of:

• the data processing activitiesand services provided on the Dhealth Website;

• managing our relations withclients, suppliers of products or services;

• processing applications andcontacting applicants;

• managing and organising events;or

• marketing.

The following sections will providemore details on how we collect and process personal data as a controller.

5. What information do wecollect?

By using this Website, yourpersonal data may be collected and processed by us, this will be the case whenyou choose to provide us with this information yourself or by analysing yourbrowsing behaviour on our Website. In addition, we may also collect informationabout you which we obtain from third parties, such as our vendors, suppliers,contractors and business partners.

5.1. Personal data provided by you

5.1.1. When you contact us

If you contact us via e-mail,contact forms or other means of communication, we may use your contact details,such as your name, e-mail address, telephone number or other relevantinformation, to respond to your request, question or comment.

We will only use your contactdetails to communicate with you and process your request. We may also store acopy of your communication for internal administrative purposes or to complywith legal obligations.

By contacting us, you consent to ususing your contact details to contact you.

5.1.2. Special categories ofpersonal data

Unless specifically requested orrequested by us, please do not send or disclose to us sensitive personal data(also referred to as "special categories of personal data", e.g.,data relating to racial or ethnic origin, political opinions, religion orphilosophical beliefs, health or medical conditions, sex life or sexualorientation, criminal background, trade union membership, or biometric orgenetic data).

If you send us data about you ussensitive data, please limit this to what is strictly necessary. We will onlyprocess this data on the basis of your explicit consent, the substantiation ofa legal claim, or if necessary for reasons of substantial public interest orthe provision of healthcare and always in accordance with applicable dataprotection law.

5.1.3. When you apply for a job

We collect personal data from youwhen you submit an application and other supporting materials to us during therecruitment and application process. We will generally process the followingpersonal data during our recruitment and application process, including: basicinformation (e.g., your name (including name prefix or title), date of birth,gender, marital and family status, place of birth, residency, nationality,immigration status and work authorization), contact information (e.g., yourpostal address, email address and phone number(s)), educational and experienceinformation (e.g., education/academic history, CV, place of study, subject ofstudy, years of study, records of qualifications and/or training, results,extracurricular interests and activities, language skills, personal statements,work experience), payment information and sometimes also health relatedinformation (as permitted or required by applicable law, for example where weneed to know this information to make adjustments to our recruitment processes)

We will process your personal datafor the purposes of recruitment and hiring, to identify and process yourapplication, to communicate with you and to take steps at your request with aview to entering into a contract.

5.1.4. When you subscribe to ourevents, newsletter or participate in promotional offers

If you subscribe to our events,newsletter or other promotional e-mails, we may use your e-mail address toperiodically send you information, offers and updates on our products, servicesor events.

We will not share your emailaddress with third parties for direct marketing purposes without your expressconsent. You may unsubscribe from receiving such emails at any time byfollowing the unsubscribe link included in the emails you receive from us or bycontacting us via the form provided below.

5.2. Personal data relating to your browsing behaviour

The Website uses cookies. Cookiesare small text files placed on your device, to help us analyse the use of ourWebsite. The information generated by the cookie about your use of the Websitealso falls under the concept of personal data.

You can find more information aboutour use of cookies and other tracking technologies in our Cookie Policy.

5.3. Personal data provided by third parties

We may also collect informationabout you from third parties, such as our Clients, vendors, suppliers,contractors and other business partners. For example, we may use suchthird-party data to confirm contact or financial information, verifyqualifications of healthcare providers and check references.

6. Why do we process yourpersonal data?

We process your personal data forthe purposes described below and on the following legal bases:

6.1. Legitimate interests

We process your personal data ifthis is necessary to pursue our legitimate interests as a company. In doing so,we always ensure that there is a fair balance between the legitimate interestand your rights to privacy. In this case, you can always exercise your right toobject to such processing (see section 10 below).

This includes data processingoperations carried out for the purpose of:

• having to be able to function asa business;

o managing our business and ourrelationship with you and our Clients;

o understanding our Clients’ orpotential clients’ services to develop our services and offerings;

o professional networking purposes;

o testing, monitoring, evaluating,analysing and optimising our Website to improve the user experience and detecttechnical problems;

o understanding how our Website isused by collecting general statistical data (e.g., IP address, likely place ofconsultation, hour and day of consultation, which pages were visited) regardingthe use of our services and the Website;

o taking note of and responding toyour requests, questions and comments for evidence purposes, quality control,coaching and training of our staff;

• to promote our products andservices, including sending updates, publications and details of events;

• identifying and consideringappropriate applicants for appointment;

• conducting internal audits andresearch on our products, services and to improve communication with ourcustomers; or

• exercising and defending ourrights (e.g., in legal disputes) and compiling evidence.

6.2. Execution of agreement

We process some data because it isnecessary in the context of the conclusion or performance of a contract. Forexample, when you visit our Website, we process certain personal data to allowus to draft an employment contract for a successful candidate or to allow youto use our Website or when the processing takes place in the context ofproviding the services you have requested (e.g., when you contact us to placean order for one of our products or services).

When you register for an eventorganised by Dhealth, we collect the personal data that is necessary forprocessing your registration for the event and to send you the proof ofregistration. At the event, we may use the data that are linked to yourregistration to the event to verify your identity as a fraud prevention measureand to confirm the authenticity of your proof of registration. To the extentthis processing requires the processing of your personal data, we rely on theperformance of our agreement.

6.3. Legal obligations

In certain cases, we may processyour personal data based on a legal obligation. For example, based on tax andaccounting legislation, we may be required to retain certain information.

6.4. Consent

In certain cases, we process yourpersonal data on the legal basis of consent. This is in cases where that noneof the previous legal bases can be used. You can withdraw your consent at anytime (see Section 10 below).

For example, we will seek yourconsent for:

• sending our newsletter, you canunsubscribe from this at any time, this can be done on simple request by emailor at the bottom of each email via the 'opt-out' choice;

• placing cookies or other trackingtechnologies on our Website to track your click and browsing behaviour (if notbased on legitimate interests). For more information on Cookies, see our Cookie Policy; or

• You may also be asked forpermission to process certain personal data in the context of certainpromotional campaigns, providing feedback or if you use the contact form on ourWebsite.

7. Disclosure to third partiesand international data transfers

Within Dhealth, policies andcontractual arrangements are in place to make sure that (i) access to personaldata is limited to those persons who, due to their function, need to haveaccess to it, and (ii) such persons respect the confidential nature of thatpersonal data.

Dhealth does not allow the transferof personal data to third parties except as provided below:

1. Dhealth will share personal datawe process for Clients or for our own business activities with third partiesthat support us as our (sub)processors (like online platform partners,business/legal advisors, IT and website providers, HR and payroll serviceproviders, payment providers, advertising agencies, recruitment agencies,insurance companies) insofar they need the personal data for their support. Wehave contractual arrangements in place with those third parties to make surethey respect the applicable European and Belgian data protection law. You canfind a list of the subprocessors, this list will be updated from time to time.

2. Dhealth may provide links tothird-party websites which collect personal data like online identifiers andonline behaviour as well. You should be aware that the owners and operators ofsuch third-party websites might collect, use or transfer personal data underdifferent terms and conditions than Dhealth. Upon linking to a third-partywebsite, you should inform yourself of the privacy policies of such third-partywebsites.

3. Dhealth will share personal datawith competent authorities who are authorised to request such information or towhom we have to disclose information, as required by law or as a result oflegal proceedings or court proceedings.

4. Dhealth may share your personaldata with third parties like legal advisors, debt collection agencies andcompetent courts if we determine that such disclosure is reasonably necessaryto enforce our terms and conditions or to legally protect our other legitimatebusiness interests.

5. In the event of areorganisation, merger or sale, we may transfer all the personal data on oursystems to the third party that acquires, becomes part of or absorbs Dhealth,and that continues the activities of Dhealth for which those personal data werelawfully processed. We may also share certain personal data with that thirdparty beforehand insofar this fits the legitimate purpose of conducting a duediligence.

6. Dhealth may transfer yourpersonal data to you or any other party you appoint, at your request (see ‘Yourrights’ below) or with your consent.

All personal data is stored withinthe European Economic Area (EEA). Dhealth does currently not have the intentionto transfer or give access to personal data to third parties located incountries outside the EEA. However, if this should change, Dhealth will updateits Privacy Policy and ensure that the transfer complies with the applicabledata protection laws and that appropriate safeguards are put in place.

8. Security of your PersonalData

It is of course important that allprocessed personal data is very well secured. This is an absolute priority for Dhealth.Dhealth implements technical and organizational measures to protect theconfidentiality, integrity and availability of your personal data, and toprevent unwanted loss, misuse, alteration or destruction of said data,according to the nature of the processing, the risk and the available securitymeans.

9. Data retention period

In general, Dhealth does notprocess your personal data any longer than is necessary for the purposesoutlined in this Privacy Policy. Your personal information will be retained inaccordance with our data retention policy which categorises all of theinformation held by Dhealth and specifies the appropriate retention period foreach category of data. Those periods are based on the requirements ofapplicable data protection laws and the purpose for which the information iscollected and used, taking into account the legal and regulatory requirementsto retain the information for a minimum period, limitation periods for takinglegal action, good practice and Dhealth’s legitimate business purposes.

For personal data that we processas a processor on behalf of a Client, our Client will decide how long thepersonal data is processed, which will typically be no longer than the term ofour contract with the Client, except if different statutory retention periodshave been set, if you consent to this or if there is a strong legitimateinterest (like filing a legal claim or defending against legal claims).

For the retention periods of datacollected via cookies and other tracking technology on our website, please seeour Cookie Policy.

10. Your data protection rights

If and to the extent provided underapplicable European and Belgian data protection law (which contains variousexemptions), you shall have the right:

• to obtain confirmation as towhether or not your personal data is being processed and, where that is thecase, you shall have the right to obtain further information about suchprocessing as well as the right to obtain a copy of your personal data (or insome cases have your personal data transferred to another controller);

• to obtain the rectification ofinaccurate personal data and to have incomplete personal data completed;

• to object to the processing ofyour personal data (especially any processing for direct marketing purposes) ifthe processing was based on legitimate interests;

• to withdraw your consent if theprocessing was based on your consent (please note this will not affect thelawfulness of the processing that occurred before the withdrawal of consent);

• to obtain the erasure of personaldata that is not/no longer lawfully processed; and

• to put the processing of personaldata on hold (‘restriction’) in certain cases (e.g. while we are assessingwhether we should indeed rectify or stop processing your personal data).

To exercise one of these rights,please send your request via sending an email to privacy@dhealth.eu, or viawritten post to Dhealth SNC, Rue Picard 7, box 6, 1000 Brussels, Belgium.Please note that we may have to forward your request to the Client for whom weprocess your personal data, and that we or our Client has an obligation tocheck your identity through reasonable means. We may not be able to meet yourrequest if we cannot identify you in our datasets. If we believe that we arenot legally required to meet your request, we will explain this to you in ourreply.

If you feel we have wrongfullydenied your request, you shall have the right to lodge a complaint with thecompetent data protection authority. Contact details of the Belgian DataProtection Authority are:

Gegevensbeschermingsautoriteit

Drukpersstraat 35

1000 Brussel

contact@apd-gba.be

https://www.gegevensbeschermingsautoriteit.be/

11. External Links

This Privacy Policy does not applyto external links within this Website to websites operated by third parties. Wehave no control over the content of these third-party websites or how thesewebsites process your personal data. When you visit other websites, werecommend that you always read their privacy policy.

12. Questions

If you have any further questionsabout our privacy policy or its implementation, please contact via privacy@dhealth.be

‍