PRIVACY POLICY CURE 51
Patients Profile Platform and Website
Summary
This Privacy Policy explains how CURE51 collects, uses, shares, and protects personal information of data subjects. CURE51 gathers data such as the name, email address, and IP address to provide and improve its services, personalize the data subject's experience, and communication. This information may be shared with trusted third parties and is protected by appropriate security measures. Data subjects have the right to access, rectify, and delete personal data.
For more details, refer to the General Terms and Conditions of Use ("GTCU") and Cookie Policy. CURE51 may update this policy, so please review it regularly. For any questions, contact us at contact@cure51.com.
Table of content
Privacy. CURE51 (hereinafter "CURE51") takes your privacy very seriously and respects the information you entrust to it. This information is protected by law. They are under no circumstances intended to be communicated to third parties outside the context and for the reasons mentioned in this Privacy Policy.
Collected data. The purpose of this Privacy Policy is to inform you of the nature of the information concerning you that we will collect and use in the context of your visit to the Site and/or your use of the Services.
Modification of the Policy. CURE51 reserves the right to modify this Privacy Policy at any time. You are also invited to consult it regularly in order to be aware of any possible modifications. Any new use of the Site and/or communication of information to CURE51 after posting a new version of this Privacy Policy will constitute acceptance of this latest version.
Information. Although the list is intended to be as exhaustive as possible, any new use or modification or withdrawal of any existing processing will be notified to the data subjects by the publication of new versions of this Privacy Policy on the Site. CURE51 invites data subjects to regularly consult this Privacy Policy online in order to be aware of this new use, modification or withdrawal of any existing processing.
Definitions. The capitalized terms below have, if they are not defined in this document, the definition given to them in the General Terms and Conditions of Use ("GTCU") and the Platform.
1. DATA CONTROLLER AND DATA SUBJECTS
CURE51 is the data controller. CURE51, as a data controller, processes and protects the personal data it collects. CURE51 undertakes to respect at least the following regulations: (i) Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms known as the amended "Informatics and Freedoms" Law and (ii) European Regulation No. 2016/679/ EU of April 27, 2016 (applicable since May 25, 2018) on data protection ("GDPR"). To do this, CURE51 puts in place procedures and measures to protect your personal data, including in the event of use of subcontractors to carry out the processing of personal data described below.
Communication with the data subjects. The purpose of this Privacy Policy is to meet CURE51's information obligation under the GDPR (articles 12 to 14) and to document the rights of data subjects regarding the processing of their personal data. Privacy and data protection information notices and/or a consent or non-objection form will be communicated to data subjects, if necessary, regarding the specific situations in which CURE51 may process personal health data. This confidentiality policy does not create any obligation beyond what is provided for by the applicable regulations and/or by the GTCU or other contract binding CURE51 with the data subjects.
Data subjects by the data processing of CURE51. This Privacy Policy applies to all processing of personal data of the data subject, within the framework of CURE51's relations with (i) professionals involved in research, (ii) patients, (iii) any user of the website: https://www.cure51.com/ (the "Site").
2. DATA PROCESSING
The personal data that CURE51 processes about data subjects depends on CURE51's relationship with the data subjects, as well as with third parties with whom CURE51 works and who may provide CURE51 with access to the personal data. Thus, CURE51 may process the following personal data:
2.1 Non-technical personal data (depending on the circumstances)
2.1.1 Patients included in Rosalind
The Rosalind Study. CURE51 conducts a study with patients who respond exceptionally well to therapy and the molecular changes in their tumours that may explain this response. This research project is called the Rosalind Study. This research focuses on three cohorts covering metastatic pancreatic ductal adenocarcinoma ("PDAC"), glioblastoma ("GBM") and extensive stage small cell lung cancer ("SCLC") and relating to patients who survived more than five (5) years from the diagnosis date of PDAC and SCLC and three (3) years for GBM. Rosalind's objective is to analyze the biological and clinical signatures of patients who survived several years after cancer diagnosis with a very poor prognosis, in order to discover biomarkers, resistance signatures and therapeutic targets in the field of cancer. CURE51 collects health and genetic data from patients included in the study in order to carry out research and other information relevant to Rosalind.
Pseudonymized data. The data concerning patients included in Rosalind is always collected by a health professional, working within an investigative center or a research location. He does not send us information allowing a direct identification, such as first name, last name, address, telephone number. A code is assigned in the databases and this only can make the link between health data and identity. They fall into the regulatory category of "pseudonymized data".
Legitimate interest. The data we collect is always justified by the protocol that describes the research. It is analyzed and can be reused in aggregated or anonymized form to identify trends, develop new treatments, improve health care and contribute to the advancement of medical knowledge.
Information / consent form. Information notices and/or a consent form are communicated to patients included in Rosalind.
2.1.2 Healthcare professionals participating in Rosalind
We collect data relating to identity and identification (such as surname, first name, email address, telephone number) of healthcare professionals participating in Rosalind.
2.1.3 Site Users
When filling out our contact form on our website (site www.cure51.com), the following data is collected:
2.2 Technical personal data (depending on the circumstances)
We collect data relating to browsing history on the Site / PPP and activity data (access time, pages viewed, form completed on the Site, URL clicked, IP address, etc.). Technical information, such as the type of browser and operating system used by the data subject or information on the data subject's device (unique device identifier, hardware model, operating system and version, mobile network information…).
3. CURE51'S USE OF PERSONAL DATA
3.1 Research and development activities
CURE51 collects and uses personal data, including health data, in order to carry out research and development activities, such as scientific studies, or any other type of scientific research projects. These activities contribute to the search for explanatory factors for patients who have survived poor prognoses with the aim of innovating in their care (new medications, new therapeutic modalities, etc.). The personal data thus collected is used solely for research purposes in the field of health. We are committed to using personal data responsibly and not sharing it with third parties without your explicit consent, except as required by law.
3.2 Ensuring the rights of data subjects
CURE51 ensures that personal data is processed in accordance with applicable data protection regulations, including when Data Subjects decide to exercise their rights with CURE51 in accordance with the GDPR.
3.3 Management of the Site
Management of the Site (contact form, etc.) requires the use of personal data to improve its operation, personalize the user experience, respond to user requests, send marketing information if the user has consented to receiving it.
3.4 Protecting the rights and interests of CURE51
CURE51 may use personal data (i) where required by law, (ii) upon request of a court, (iii) if we believe in good faith that disclosure is reasonably necessary to defend against any claim or third party accusation (iv) protect the security or integrity of our services. We will notify you of any legal process which requires access to personnel data, unless the law prohibits us from doing so. In cases where a court order specifies a period of non-disclosure of the request to data subjects, we will send a delayed notification after the expiration of the non-disclosure period.
4. CURE51'S LAWFULNESS IN DATA COLLECTION AND USE
The purposes for which CURE51 processes personal data described above are based on the legal basis described below pursuant to Articles 6 and 9 of the GDPR.
4.1 Processing is necessary for the purposes of CURE51's legitimate interest
Legitimate interest. When CURE51 processes personal data for its legitimate interest, CURE51 must take into account the fundamental rights and interests of the data subject, in order to assess whether the legitimate interests pursued by CURE51 do not create an imbalance with the fundamental rights and interests of the person concerned. The following treatments implemented by CURE51 are concerned:
Other processing of personal data by CURE51 based on its legitimate interest is as follows:
Public interest. All our research projects meet the public interest criterion provided for by the Data Protection Act. Indeed, CURE51 carries out the processing of personal data that is useful and necessary to achieve the public interest objective of:
4.2 The processing is necessary for the purposes of compliance with the legislation applicable to CURE51
CURE51 may process personal data in order to comply with the legal obligations applicable to CURE51 for the following purposes:
4.3 The data subject has given consent to the processing of their personal data for one or more specific purposes
CURE51 may process personal data for one or more specific purposes for which the data subject has clearly expressed consent to the processing of their personal data for those purposes. For instance, communication of the CURE51 newsletter to the data subject is based on consent.
4.4 Processing is necessary for the purposes of the performance of a contract
CURE51 may process personal data in the context of the performance of a contract between the data subjects (or their employers) and CURE51.
5. SOURCES OF PERSONAL DATA
Direct. Personal data may be collected directly from the data subjects (direct collection), when visiting the website for instance.
Indirect. The collection of personal data relating to patients is indirect: it is carried out through specialized partners, such as CURE51 partner organizations, who are authorized to do so in compliance with their applicable law and in application of their own policies. confidentiality and data protection. In such cases, CURE51 takes great care to ensure the quality of the data it receives. If data subjects have any questions relating to the initial collection of their personal data by the partner, where applicable, CURE51 may invite data subjects to contact them directly and/or refer to their data protection policies.
6. ACCESS OF PERSONAL DATA
Confidentiality. Taking into account the purpose(s) for which the Personal Data of data subjects is processed, CURE51 will ensure that the Personal Data is only accessible to authorized internal and external data recipients who have a need to know it. The recipients of personal data are bound by an obligation of confidentiality. In any case, CURE51 only provides them with the information strictly necessary for the processing of personal data in compliance with the identified purposes. CURE51 decides which data recipients can access which personal data through contract and/or internal policies.
Authorities. Personal data may also be transmitted to any authority legally authorized to receive it. In such cases, CURE51 is not responsible for the manner in which such authorities access and process personal data, but will limit the personal data to which such authorities have access to the strict minimum required by such authorities.
6.1 Internal recipients of CURE51 data
Recipients of patient data. Persons authorized to have access to coded patient data are CURE51 employees.
Recipients of data of other data subjects. Depending on the purpose(s) of the processing and the personal data processed, authorized CURE51 personnel may include: the communications and marketing team; administrative and financial management; operations management.
6.2 External recipients of CURE51 data
Depending on the purpose(s) of the processing and the Personal Data processed, the External Recipient of CURE51 data may include:
7. DURATION OF DATA RETENTION
7.1 Retention period of personal data
CURE51 undertakes to ensure that the data collected is kept in a form allowing the identification for a period which does not exceed the duration necessary for the purposes for which this data is collected and processed. The retention period of personal data is defined by CURE51 in accordance with its legal and contractual obligations and according to specific needs, in particular in compliance with the following principles:
7.2 Cookies in the interfaces
With regard to cookies, it is specified that the information stored in the terminal (e.g. cookies) or any other element used to identify the User for audience statistics purposes is not kept beyond a period of six (6) months. Beyond this period, the raw attendance data associated with an identifier is either deleted or anonymized. In order to ensure the proper functioning and permanent improvement of the Site and its functionalities, the raw traffic data associated with an identifier are kept for a period of thirteen (13) months. Beyond this period, they are deleted or anonymized. For more details, please read the Cookie Policy.
8. EXERCISING THE GDPR RIGHTS
As data subjects and in accordance with applicable data protection laws, individuals have the right to exercise the following rights:
8.1 Confirmation and right of access
Data subjects have the right to ask CURE51 to confirm whether or not their personal data is being processed and request a copy of their personal data. If data subjects request a copy of their personal data electronically, the requested information will be provided in a commonly used electronic format, unless otherwise indicated. Data subjects are informed that this right of access may not cover confidential information or data the communication of which is prohibited by law.
8.2 Rights of updating and rectification
Data subjects have the right to request that CURE51 rectify their personal data, in the event that their personal data is inaccurate, incomplete or out of date.
8.3 Right to object to processing activities
Data subjects have the right to object to the processing of their personal data, subject to any legal restrictions that may exist with regard to this right of objection. For example, with regard to the newsletter sent by CURE51 to data subjects, each of them can unsubscribe at any time by clicking on the "unsubscribe" link at the bottom of CURE51 newsletters.
8.4 Right to erasure
Data subjects may request the deletion of their data if one of the following criteria is met:
In accordance with the legislation on the protection of personal data, data subjects are informed that this is an individual right which can only be exercised by data subjects in relation to their own information. The data subject's right to erasure does not apply where the processing is carried out in accordance with a legal obligation or if the processing is necessary for the establishment, exercise or defense of legal claims.
8.5 Right to portability of personal data
CURE51 will grant requests for personal data portability for purposes based solely on personal consent or contract. In such cases, personal data will be communicated in a structured and commonly used format capable of being read by a machine.
8.6 Automated individual decision making
CURE51 does not engage in automated individual decision-making.
8.7 Complaint before the CNIL
In the event of non-compliance with "Informatics and Freedoms" rights, data subjects can lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL). To find out more: http://www.cnil.fr.
9. CONTACT
To exercise the rights described, individuals must submit a written request via email to dpo@cure51.com or by post to 203 rue Saint Martin, 75003 Paris, including a copy of a signed identity document. As these rights are individual, CURE51 may verify the requester's identity for security reasons, potentially requesting additional information if there are doubts. Requests will be processed within one month, with a possible two-month extension for complex cases, of which the individual will be notified.
10. INTERNATIONAL TRANSFER OF PERSONAL DATA REGULATION
Some data recipients, including subcontractors and research partners, may be located outside the European Union, necessitating the transfer of personal data beyond the EU. Countries like Switzerland have adequacy decisions, ensuring GDPR-equivalent protection and allowing seamless data transfer. For countries without such decisions, CURE51 implements measures like standard contractual clauses and additional safeguards to ensure GDPR-compliant protection for transferred personal data.
11. ENSURING THE SECURITY OF PERSONAL DATA
CURE51 has implemented technical and organizational measures to protect the integrity and confidentiality of the personal data of the data subjects. These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying probability and severity for the rights and freedoms of the data subjects.
This measure includes, for example, security techniques of a physical or logical nature that CURE51 deems appropriate to prevent the accidental or illegal destruction, loss, degradation or unauthorized disclosure of personal data. The main elements of these measures include and are not limited to: