Privacy Statement
Faresa BV complies with all applicable laws and regulations, including the General Data Protection Regulation. This means that we at least:
- process your personal data in accordance with the purpose for which it was provided, and these purposes and types of personal data are described in this Privacy Statement;
- limit the processing of your personal data to only those data that are minimally necessary for the purposes for which they are processed;
- request your explicit consent when we need it for the processing of your personal data;
- have taken appropriate technical and organizational measures to ensure the security of your personal data;
- do not transmit personal data to other parties unless necessary for the execution of the purposes for which they were provided;
- are aware of your rights regarding your personal data, want to point them out to you, and respect them.
Owner and data controller
Faresa BV, with registered office at Boerenkrijgsingel 44, unit 0.02, 3500 Hasselt, and registered under company number 0819.967.031 (hereinafter 'Faresa'), is the owner of the products and services and responsible for the processing of your personal data.
You expressly accept that even if the collected data relate to your health, their processing may not necessarily be carried out under the responsibility of a healthcare professional. Faresa ensures that it will exercise increased discretion and caution regarding such health data.
If, after reading our privacy statement, or in a more general sense, you have any questions or wish to contact us, you can do so using the contact details below:
Faresa BV
Boerenkrijgsingel 44 box 0.02
3500 Hasselt
info@faresa.be
Scope
This privacy statement applies to all products and services provided by Faresa.
Which personal data does Faresa collect?
The personal data listed below provide a general overview of the type of data that Faresa collects and processes to provide its products and services (see: content and format of patient records):
- Personal data: name, email address, telephone number, and other contact details; socio-demographic factors such as age, gender, nationality, marital status, family composition, education level, occupation, work, and date of birth; and general information about your relationship with your employer;
- Health data: information about your well-being, physical and mental health, risk situations and risk behaviors, and other health-related or contextual data;
- Usage data: during your use of Faresa's e-mental health applications, the servers hosted by third parties on behalf of Faresa store information about your usage and the device you use to access Faresa's products and services, based on your IP address(es) or in any other manner (whether automatic or not).
- Note: Faresa operates with an Electronic Patient Record (EPR), integrated with a scheduling system and questionnaire administration system, and relies on the services or products of external service providers. These external service providers guarantee compliance with applicable privacy and GDPR legislation.
Faresa processes your personal data on one of the following legal grounds, depending on the purposes:
- Faresa processes your data for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Faresa processes your data to comply with a legal obligation to which the data controller is subject.
- Faresa processes your data to protect the vital interests of the data subject or of another natural person.
- Faresa BV processes your data for the performance of a task carried out in the public interest or in the exercise of official authority vested in Faresa.
- Faresa processes your information for the legitimate interests pursued by Faresa or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (you) which require protection of personal data, in particular where the data subject is a child.
If no other legal basis applies, Faresa processes your data after you have given consent for the processing of your personal data for the purposes described in this document and/or the privacy statement or informed consent of the provided service or product.
As a data subject, you may refuse or refrain from providing personal data, or in certain cases you may be required to provide the personal data. Refusing or refraining from providing the required personal data may have certain consequences for the performance or delivery of services or products provided by Faresa, where the collection of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract.
Purposes: why does Faresa collect and process your personal data?
Your personal data are processed in order to provide the following products and services:
- Offering an Employee Assistance Program
- Offering e-mental health applications
- Conducting well-being surveys
- Providing workshops, webinars, and training sessions
- Offering adequate assistance
- Providing feedback to the employer on anonymized and aggregated information (including information about usage) to enable preventive measures in the workplace
Faresa may anonymize your personal data and further process the anonymized information for statistical purposes, scientific research, and product improvement, in accordance with the original purposes for which the information was collected. Regarding the use for scientific purposes, the data are always processed anonymously and stored confidentially. The data are only viewed and processed anonymously by Prof. Dr. Nele Jacobs, her staff, and interns or research students. Individual participant identification is impossible. Faresa's methodology has been approved by, among others, the ethical committee of Maastricht University (ECP-148-10_01_2015).
In certain cases, your personal data may be used in an automated decision-making or profiling process.
In certain cases, your personal data may be used for a purpose other than that for which your personal data were collected. In such cases, Faresa will provide you with information prior to any further processing.
Faresa will embed data protection "by design & by default" or in the early stages of service and product development in an obvious manner, as required by GDPR legislation. The necessary privacy measures will be built into the standard settings of the tools in a user-friendly manner.
Data retention
Your personal data will be stored from the moment of receipt and for a period of up to 30 years to enable us to efficiently contact you and ensure the continuity of our services (see: file retention period). We do not collect any other data about you than described above.
To protect the personal data under our control, we apply policies, rules, and security techniques entirely in accordance with the applicable privacy protection legislation in the jurisdiction of the products and services. The security measures are intended to prevent unauthorized access, improper use or disclosure, unauthorized alteration, and unlawful destruction or accidental loss of any personal data.
What to do in case of a data breach?
If an employee of Faresa identifies or suspects a breach of personal data, such as the following data breaches:
- Hacking / phishing / ransomware;
- Offline data breach (paper bin, printer, ...);
- Email sent to incorrect email addresses;
- Theft or loss of USB stick;
- Theft or loss of paper file;
- Theft or loss of mobile phone, laptop, tablet;
- Reduction or loss of accessibility (e.g., server failure)
the following procedure must be followed:
Phase 1: internal notification: the employee who detects a (potential) data breach reports it immediately, and no later than six hours after discovery, to the person or persons designated as DPO within Faresa. This notification is done by email. The employee includes in his email at least: 1) the nature of the data breach (e.g., loss, no longer accessible, breach of confidentiality); 2) the personal data involved; 3) the possible cause (e.g., hacking, loss, theft).
Phase 2: assessment, consultation, and registration in internal register: the person designated as DPO reviews the notification immediately upon receipt and assesses it based on the nature of the breach and the personal data involved, the cause, and the consequences of the data breach. This procedure also applies if a processor notifies Faresa of a data breach. The DPO determines which of two hypotheses applies: a first hypothesis (no data breach/no personal data/no risks) or a second hypothesis (risks for the data subjects or involved parties). If the second hypothesis applies, proceed to phase 3.
Phase 3: notification to the Data Protection Authority (DPA). If a risk is identified for the rights and freedoms of the data subjects, the DPO, after consultation with a member of the management team, reports the data breach to the Data Protection Authority. This is done using the form provided on the website of the Data Protection Authority (https://www.gegevensbeschermingsautoriteit.be/professioneel/acties/datalek-van-persoonsgegevens). The notification is made without undue delay and no later than 72 hours after becoming aware of it. If the notification is made later or only partially, this must be justified. The notification contains the mandatory information as provided for in Article 33 of the General Data Protection Regulation. If the data breach does not pose high risks to the rights and freedoms of data subjects, the procedure ends here. Otherwise, proceed to phase 4.
Phase 4: notification to data subjects. In case of high risk to the rights and freedoms of data subjects, the data breach is in principle immediately communicated to those data subjects themselves. This notification contains, in accordance with Article 34 of the General Data Protection Regulation, a description, in clear and simple language, of the nature of the data breach, its likely consequences, the measures to remedy the data breach and its consequences, and to avoid or mitigate them. For each data breach, necessary measures are taken, and the DPO ensures their correct implementation and oversees further follow-up, providing the necessary reporting to the governing body of Faresa.
What are your rights?
If you believe that your personal data is incorrect or incomplete, or if you wish to find out whether your personal data is being processed, you have the right of access (see: right of access), the right to rectification (see: right to rectification), and the right to erasure of data (see: deletion of a file).
As a data subject, you can exercise your rights by contacting Faresa:
Faresa BV
Boerenkrijgsingel 44 box 0.02
3500 Hasselt
info@faresa.be
In the event that you wish to file a complaint about how we handle your personal data, you can contact the Data Protection Officer (DPO) using the above contact information. The Data Protection Officer will investigate your complaint and work with you to resolve the issue.
If you still believe that your personal data has not been processed in accordance with the law, you have the right to lodge a complaint with the supervisory authority.