PRIVACY AND DATA PROTECTION POLICY OF THE mAI-Health APPLICATION
1 Introduction
We consider privacy a matter of utmost importance. This policy presents the principles to which we adhere and the measures implemented to ensure the lawful processing, security and protection of the end users’ personal data. The mAI-Health application is developed and maintained by SQUAREDEV BV, as a result of its participation in the AI-PROGNOSIS project. We remain committed to complying with all relevant EU and national legislation regarding the protection of personal data and the "rights and freedoms" of the data subjects, in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
​
To this end, we have developed and implemented this Privacy Policy and any other necessary policies and procedures regarding the processing and protection of personal data, which regulate the use of the mAI-Health application, hereafter also referred to as "the application", during its testing and deployment phase. This applies to all processing operations on the personal data of the end users of the application.
Moreover, we hereby provide the end users with the necessary information regarding the collection, use, sharing, retention and general processing of their personal data. At the same time, we provide information about their rights and how to exercise them properly and in accordance with the GDPR.
​
We remain at the end users’ disposal to provide them with any information within the framework of our compliance with the current European and national legislation on the protection of personal data, as applicable, and the applicable regulatory directives related to the management of personal data, guaranteeing a secure environment for the processing of end users’ data.
​
For the purposes of this policy, clinical partners are considered the following entities, participating in the AI-PROGNOSIS project:
i. Technische Universitaet Dresden, PIC 999897729, established in Helmholtzstrasse 10, Dresden 01069, Germany,
ii. Fundacion Iniciativa para las Neurosciencias - foundation for initiatives in neuroscience, PIC 887896388, established in Calle Reventon 11, Madrid 28002, Spain,
iii. Centre Hospitalier Universitaire de Toulouse, PIC 999894819, established in Rue Viguerie 2 Hotel dieu Saint Jacques, Toulouse cedex 3 31052, France and
iv. King's College London, PIC 999981052, established in Strand, WC2R 2LS, London, United Kingdom
​
For the purposes of this policy, technical partners are considered the following entities, participating in the AI-PROGNOSIS project:
i. Netcompany - Intrasoft SA, PIC 999702371, established in RUE NICOLAS BOVE 2B, Luxembourg 1253, Luxembourg,
ii. Aristotelio Panepistimio Thessalonikis, PIC 999895692, established in KEDEA building, Tritis Septemvriou, Aristotle University Campus, Thessaloniki, 54636, Greece,
iii. Ainigma technologies, PIC 892135579, established in Kapeldreef 60, Leuven 3001, Belgium,
iv. Ethniko Kentro Erevnas kai Technologikis Anaptyxis, PIC 998802502, established in Charilaou Thermi road 6 km, Thermi Thessaloniki 57001, Greece,
v. Faculdade de Motricidade Humana, PIC 998795324, established in Estrada da Costa, Cruz Quebrada Lisboa 1495-688, Portugal,
vi. Katholieke Universiteit Leuven, PIC 999991334, established in Oude Markt 13, Leuven 3000, Belgium,
vii. SQUAREDEV BV, PIC 903934271, established in Kantersteen 47, Brussels 1000, Belgium and
viii. Kypriako Idryma Erevnon gia ti Myiki Distrofia, PIC 999642522, established in 6 Iroon avenue, Agios Dometios 2371, Cyprus
2 Definition of personal data
2.1 Personal data includes any information in paper or digital form that may lead either directly or in combination with other information (indirectly) to the unique identification of a natural person.
​
2.2 For the purpose of providing the services of the application during the clinical study (dBM-DEV study, NCT06444789), the following personal data will be collected from the data subjects through direct entry in the application, through the performance of active tests in the application, through automated collection by a customized virtual keyboard that is bundled with the application, hereafter also referred to as "Research keyboard" or "keyboard", or through automated collection by a wearable device (smartwatch) that will be worn by the end users and connected to the application:
​
i. Participant coded ID that will be provided by the study personnel,
ii. Password that will be provided by the study personnel
iii. Age – year of birth
iv. Sex at birth
v. Weight
vi. Height
vii. User’s wake up time and sleep time
viii. On which hand the user wears the watch
ix. Self-report of REM behaviour disorder episode during the previous night
x. Accelerometer measurements
xi. Heart rate measurements
xii. Beat-to-beat interval measurements
xiii. Body landmarks extracted by a pose detection algorithm during the performance of an active motor test
xiv. Scores during the performance of active cognitive tests
xv. The time a typing session with the keyboard started/ended
xvi. Keyboard current language
xvii. Distance between keys tapped
xviii. Timestamps corresponding to the moment keys were tapped down
xix. Timestamps corresponding to the moment keys were released
xx. Normalized (0-1) maximum pressure applied for each key tap
xxi. Binary flag denoting whether a key was long pressed
xxii. Binary flag of type of key feedback, vibration or sound; in case of vibration, its duration
xxiii. Landscape or portrait orientation of the keyboard
xxiv. Number of times the backspace/delete key was tapped
xxv. Timestamps corresponding to the moment Space key was pressed
xxvi. Timestamps corresponding to the moment Space key was released
xxvii. Timestamps corresponding to the moment backspace/delete key was pressed
xxviii. Timestamps corresponding to the moment backspace/delete key was released
xxix. Data related to the use of the mAI-Health application (date of installation, application version)
xxx. The preference of the user on receiving notifications
xxxi. The user's eligibility to answer the REM behaviour disorder questions
xxxii. Preferred language to be used (For app localisation purposes)
xxxiii. User’s time zone (For notification scheduling)
xxxiv. User’s first login to the app
2.3 Moreover, for the purpose of pairing the mAI-Health application with the Garmin smartwatch provided to the data subjects, the application requests and ephemerally collects and processes the user’s location, as part of a relevant condition related to general Bluetooth scanning and connectivity, which is not relevant to the purposes of the study. Following the application pairing, the location will no longer be processed and will be discarded. During the study, we will not request or process your location in any way.
​
2.4 For the initialization of the Garmin smartwatch, the following personal data will be requested from the data subject and processed ephemerally:
​
i. Age
ii. Weight and height and
iii. Sex at birth
​
We do not collect or process your aforementioned personal data on our servers. This information is stored on the smartwatch and locally, in your application's settings objects. Garmin, the manufacturer of the smartwatch, does not have access to, or in any way process, any of your personal data.
​
2.5 Most of the above personal data are considered special categories of data under Article 9 of the GDPR, as they are health-related personal data. The concept of special categories of personal data includes personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, and data concerning the health, sexual life or sexual orientation of an individual.
​
2.6 The personal data collected will be stored in a pseudonymized form. No identifiers related to the personal information of the patients will be requested during the use of the application and such information will be stored only by the clinical site that is conducting the study and will not be transferred, disclosed or in any way become available to any other project partner or third party. The personal information and any identifiers of the patients will not be processed in any way throughout the testing and deployment phase of the mAI-Health application and will not be requested to be provided in the application. The study participants will receive a unique coded ID from the study personnel onboarding them, with the additional information that could help identify the participants being available only to the clinic conducting the study, thus ensuring anonymity of the patients in relation to the rest of the partners.
3 mAI-Health - Research Keyboard
Alongside the mAI-Health application, the mAI-Health Research keyboard is installed, and the user is requested to enable it as the default keyboard. It can be disabled through the device settings and, when it is enabled, it collects the personal data listed in items xv to xxviii of subsection 2.2 of the current policy.
​
Deleting the mAI-Health application from the user’s mobile phone also permanently uninstalls the keyboard. It is noted that no text typed by the user is captured, collected, or in any way processed by the Research keyboard.
4 Processing operations on personal data
The envisaged processing operations on the aforementioned personal data are the following:
​
i. Collection of personal data directly from the end users or automatically through the use of the application and a connected wearable device (smartwatch) or through the use of the research keyboard that is bundled with the application.
ii. Personal data transfers from the wearable device to the smartphone application via Bluetooth connection.
iii. Personal data transfers through HTTPS/TLS protocols and network security ensured through Firewalls, to the AI-PROGNOSIS Cloud-based data management infrastructure. During this procedure and to monitor the collection of the personal data, a visualization will be performed, with which it will be recorded whether each participant provides the necessary categories of personal data.
iv. Storage of personal data on the AI-PROGNOSIS data management infrastructure and the premises of the clinical and technical partners of the AI-PROGNOSIS project.
v. Curation and harmonization of personal data to a common data model.
vi. Processing of personal data for assessing data quality and adherence to study procedures by participants - end users. During this procedure, cumulative reports will be generated and provided to study personnel.
vii. Analysis of personal data for evaluating the primary, secondary and exploratory objectives and outcomes of the dBM-DEV study (NCT06444789).
viii. Publication of parts of the study results to scientific journals, conferences and Open Science repositories, with the personal data being anonymized before the publications may take place.
ix. Publication of parts of the data to Open Science repositories, with the personal data being anonymized before the publications may take place.
​
Further information regarding the processing operations will be provided in the participant information sheet and consent forms that will be provided to the participants - end users and that will be signed by them before any processing operations take place.
5 Distinct Roles and Responsibilities
5.1 Article 4, paragraph 7 of the GDPR defines the data controller, stating that "a data controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law."
​
According to the above, the clinical and technical partners are considered the (Joint) Data Controllers, assume responsibility, and shall be able to demonstrate compliance with the GDPR. The purposes and means of processing are defined by the Grant Agreement (ID 101080581) and any other project-related documentation of the AI-PROGNOSIS project, and the project partners implement the appropriate technical and organizational measures to protect the data being processed.
​
5.2 Additionally, according to the definition provided in Article 4, paragraph 8, "data processor" is defined as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller."
​
Mainly, the appointed personnel of the project partners, including scientists, healthcare professionals, clinical researchers, software developers, and legal representatives, are the ones executing the processing on behalf of the project partners. Agreements have been concluded between the project partners and the aforementioned personnel, outlining their responsibilities as processors, with specific reference to the nature, purpose, and duration of the processing, the types of data, and the categories of data subjects.
​
Under certain circumstances, other natural or legal persons may also be engaged by the project partners as processors. The project partners ensure that they collaborate exclusively with processors who provide sufficient assurances for the implementation of appropriate technical and organizational measures to meet the requirements of the Regulation and ensure the protection of data subjects' rights.
​
5.3 The processing by the processor is governed by a contract or other legal act subject to Union or Member State law, which binds the processor in relation to the project partners and specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the data controller. No third party may have access to personal data processed by the project partners without prior signing of a cooperation and confidentiality agreement with the related project partner or a data access committee appointed by the consortium. Compliance with data protection legislation is the responsibility of all employees processing personal data.
​
The processor and any person acting under the supervision of the data controllers process the personal data under the defined purposes and instructions set out by the data controller, unless required to do so by Union or Member State law. The processor does not engage another processor without the prior specific or general written authorization of the project partners.
6 Lawful Processing
6.1 Data processing refers to any act or series of acts carried out, with or without the use of automated means, on personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.
​
6.2 A general rule in data processing is that, in principle, it is unlawful unless the conditions set forth in Articles 6 and 9 of the Regulation are met, which provide the necessary legal framework which defines the lawfulness of the processing operations on personal data.
​
6.3 The legal basis for processing the personal data referred to in section 2.2 of the current policy for the project-related purposes, through the application, is informed consent, according to Articles 9 par. 2(a) and 7 of the GDPR. The end users are provided with a participant information sheet and consent form, with which they will provide their consent to the processing operations on their personal data, as they are described in sections 2 and 3 of the current policy. Additionally, since the processing of the end users’ personal data is based on their previously given explicit informed consent, they have the right to withdraw it at any time by making a relevant request to the study site that enrolled them through the contact details provided in the participant information sheet or in the dedicated help and feedback section of the application. Alternatively, they can make a relevant request to the authorized legal partner of the project via email at legalint@diadikasia.gr.
​
6.4 During the course of the consent provision process, the end users will be thoroughly informed regarding the processing operations, the personal data that will be processed, the purpose of the personal data processing operations, the data controllers and any potential data processors, the period of storage of the personal data and their data protection related rights and the way they could exercise them.
7 Collection of personal data
During the use of the application and depending on the personal data, the project partners collect the personal data through the following means:
​
i. Automatically through the use of the wearable (smartwatch) to be worn by the end user, which will transfer the collected personal data via Bluetooth to the mAI-Health application or
ii. Automatically through the use of the Research keyboard that is bundled with the mAI-Health application or
iii. Through the performance of an active motor test in the mAI-Health application or
iv. Through the performance of cognitive tests in the mAI-Health application or
v. Through direct insertion of the personal data from the end users themselves in the mAI-Health application.
8 Principles of Data Collection and Processing
8.1 With this Privacy Policy, our aim is to provide the necessary information to the end users of the application about the terms of collection, processing, and transmission of their personal data by our project partners as the Data Controller or Processor. The project partners and their appropriately trained personnel adhere fully to the principles governing the processing of personal data as provided in the GDPR, namely the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
​
8.2 Additionally, the project partners respect, protect, and ensure the exercise of the data subjects’ rights provided in the GDPR, including:
​
i. “Right to be informed” regarding anything that is related to the processing of personal data (arts. 12-14 GDPR),
ii. “Right of access” to the personal data and any other information related to the data processing activities (art. 15 GDPR),
iii. “Right to rectification” of inaccurate personal data or completion of incomplete personal data (art. 16 GDPR),
iv. “Right to erasure” (“right to be forgotten”), according to which the data subject could achieve the deletion of his/her personal data under certain conditions (article 17 GDPR),
v. “Right to restriction of processing” of the personal data under certain conditions (art.18 GDPR),
vi. “Right to data portability”, according to which the data subject can receive the personal data concerning him/her, which had been provided to a controller, in a structured, commonly used and machine-readable format and transmit them to another controller without hindrance from the controller to which the personal data had been previously provided (art. 20 GDPR),
vii. “Right to object” at any time to processing of personal data concerning him/her (art. 21 GDPR),
viii. “Right to object to the automated individual decision-making, including profiling” (art. 22 GDPR),
ix. “Right to withdraw from the provided consent” freely, at any time and
x. “Right to appeal against the competent supervisory authority”.
​
8.3 The project partners remain at the disposal of the data subjects – end users to respond to any of their requests regarding the above and to ensure the substantial and effective protection of personal data throughout the use of the mAI-Health application, in compliance with the applicable European and national legislation for data protection, as well as applicable regulatory directives related to data management.
​
For this purpose, the end users can submit a request or exercise their rights by contacting the project partner in charge of the study in which they are participating, and, as a consortium, we will make all reasonable and practical efforts to comply with their request. They may file a relevant request to the email address or the means of communication provided to them by the project partner in charge of the study that they participate in, according to the information provided in the consent form.
9 Minimization, Storage, and Deletion of Personal Data
9.1 We request from the end users the minimum necessary personal data, according to the data minimization principle and as required by law, to fulfill the study objectives. The selection of the personal data to be collected and processed is based on scientific knowledge and existing technological tools for monitoring Parkinson’s disease motor and non-motor symptoms.
​
9.2 We will store the personal data for as long as required by current legislation, based on the respective purpose of processing. Following their collection, the personal data will be stored in the AI-PROGNOSIS data management infrastructure and the premises of the clinical and technical partners of the AI-PROGNOSIS project. The personal data stored in the premises of each clinical partner will be the ones related to the patients located in the premises, while the ones stored by the technical partners will be in a pseudonymized form, with the identifiers (additional information) not being available to them but remaining with the relevant clinical partner.
​
9.3 The AI-PROGNOSIS data management infrastructure, set out by partner Netcompany-Intrasoft, is hosted via Cloud provider Hetzner, a German company which is ISO 27001 certified. An agreement with Hetzner has been signed concerning availability, back-up, malware protection, encryption, etc. The information is stored in the European Economic Area. The data infrastructure will offer access only to authorized users, with authentication mechanisms and interfaces for secure data exchange with the Cloud-based back end being implemented. Access to the AI-PROGNOSIS data management infrastructure is provided only to specific personnel of the clinical and technical partners by the provision of limited entry credentials.
​
9.4 As a general rule, the partners who process the end users’ personal data in any way will delete them after the end of the project, following a relevant personal data deletion plan. Further processing of the personal data may nevertheless take place where a relevant legal basis under Articles 6 par. 1 and 9 par. 2 of the GDPR applies and, in particular, where certain clinical partners are legally obliged to store the personal data for an additional period after the end of the project.
10 Data Transfer to Third Parties
10.1 As a rule, our project partners do not transfer personal data to any third parties unless such a processing operation is necessary and, additionally, the data subjects have given their explicit consent. Respecting the principle of confidentiality, they ensure that the personal data processed is not disclosed to unauthorized individuals, taking necessary measures accordingly.
​
10.2 In the context of processing of the end users’ personal data, it may be necessary to transfer the personal data to the project partner of AI-PROGNOSIS located in the United Kingdom. In this case, we inform the end users that such transfer is considered secure since the United Kingdom’s legal framework for data protection has been deemed adequate by the issuance of an adequacy decision by the European Commission, according to article 45 of the GDPR.
​
10.3 In any case, the project partners categorically state that they will not transfer the personal data collected during the use of the mAI-Health application to any third parties for their direct use for promotional purposes (marketing).
11 Security
11.1 The secure processing of the end users’ personal data is of utmost importance to us. Our project partners take all appropriate organizational and technical measures to ensure the confidentiality, integrity, and availability of the personal data collected under this Policy.
​
11.2 The project partners acknowledge the purposes described in the Grant Agreement (ID 101080581) or any other official documentation of the AI-PROGNOSIS project, determine the means of processing according to the aforementioned project related purposes and implement the appropriate technical and organizational measures to protect the data being processed. The project partners and any third parties collaborating with them on the processing of personal data, have already fully understood and complied with this policy. No third party can access personal data processed by the project partners without signing a cooperation and confidentiality agreement.
​
11.3 In compliance with the applicable European and national legislations on the protection of personal data, our project partners have appropriately trained and educated their staff, follow appropriate security policies, and use appropriate technical and operational tools, such as anonymization (whenever applicable), pseudonymization, data encryption, and continuous and targeted staff training.
​
11.4 Within the framework of the "risk-based approach," which is a novelty of the GDPR, the project partners implement the necessary measures on a case-by-case basis, both in preparation for and during processing, to ensure the integrity and security of the end users’ personal data. Some of the measures we have taken as project partners to ensure the integrity and security of data include the commitment of the partners to confidentiality clauses, the identification, restriction, and recording of individuals (physical or electronic) with access to databases, personal data, files, etc., and the establishment of access policies and measures for secure storage and access control, especially for the special categories of personal data that will be stored in the AI-PROGNOSIS data management infrastructure.
12 Actions in Case of a Data Breach Event
12.1 Despite our project partners’ efforts to ensure the integrity and security of the end users’ personal data, the rapid development of technology may lead to the emergence of new, unforeseen methods that could result in malicious loss, misuse, alteration, or destruction of their personal data. While our project partners cannot absolutely guarantee the security of the personal data in every unforeseen situation, they do guarantee vigilance and effective management of potential risks, always in collaboration with the competent authorities, beyond the security measures already taken.
​
12.2 According to Article 33 of the GDPR, the data controller shall notify, without undue delay and, if feasible, within 72 hours of becoming aware of the personal data breach, the supervisory authority as per Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. If it is not possible to provide the information simultaneously, it may be provided gradually without unjustified delay.
​
12.3 Additionally, according to Article 34 of the GDPR, if the personal data held in the project partners’ records are breached in a manner that may pose a high risk to the end users’ freedoms and rights, we have the corresponding obligation to inform them without undue delay, as provided for in the applicable General Data Protection Regulation (GDPR).
13 Contact
If you have any questions or comments regarding this Privacy Policy, the measures taken by our project partners to protect your personal data or you wish to exercise any of your rights as a data subject, please contact the authorized legal partner of the iPROLEPSIS project, Diadikasia Business Consulting Symvouloi Epicheiriseon AE, via the email: legalint@diadikasia.gr.
14 Validity of the Privacy and Personal Data Protection Policy
This Policy was published by the Project partners on 01/10/2024 and is subject to periodic improvement and revision. For this purpose, we encourage the end users to periodically review this Policy to stay informed about how we manage the end users’ personal data.
​
​Last updated October 1, 2024