ICARE CLINIC SERVICE PRIVACY POLICY FOR OUTSIDE OF US

This privacy policy has been updated on 18/05/2022.

1 CONTROLLER

ICARE FINLAND OY (Business ID 1084502-3) (“iCare”)

Address: Äyritie 22, 01510 VANTAA, Finland

telephone: +358 9 8775 1150 email: [email protected]

The contact details may be amended from time to time and you can find current details in this privacy policy which is available at the address https://www.icare-world.com at all times.

2 PERSON IN CHARGE OF REGISTER MATTERS

Full name: Vesa Hakkarainen

Contact information: [email protected]

The name and contact details may be amended from time to time and you can find current details in this privacy policy.

3 NAME OF REGISTER

The name of the register is iCare CLINIC Service register. The iCare CLINIC Service register includes data originating from devices iCare HOME, iCare HOME2, iCare IC200 and iCare PRO and software / software services iCare CLINIC Service, iCare CLOUD, iCare PATIENT2 Application, iCare PATIENT Application and iCare EXPORT Application. All the devices and services are hereinafter referred to as “Services”.

The provision of Personal Data (as defined below in section 5) is voluntary. In case you do not provide the data that is marked as obligatory when the data is requested, iCare is not able to provide you with the Services.

4 PURPOSE OF USE OF REGISTER AND LEGAL BASIS FOR PROCESSING

4.1 The purposes for and the legal grounds for processing of the Personal Data are as follows:

(a) Performance of the agreements related rights and obligations relating to the Services (“Agreement”) and in order to take steps prior to entering into the Agreement. Agreement related rights and obligations are i) performance of the Agreement, ii) handling of customer service, iii) governing and handling of potential reclamations under the Agreement, iv) customer analyses and marketing research purposes under the Agreement as well as v) further development of iCare’s own products and services.

(b) Compliance with a legal obligation and exercise of rights related to following types of obligations between iCare and you: obligations and rights related to customer relationships such as providing electronic services related mandatory information to you or replying to queries from you.

(c) Your consent to the processing of your Personal Data (as defined below in section 6) in certain, following purposes: obligations and rights related to direct marketing and sections 5.1 b and 5.1 c.

4.2 Handling of storage, reporting and request obligations based on law and administrative orders and related guidelines regarding possible patient data matters.

The legal basis for the processing of the Personal Data are as follows:

(a) You have given your consent to the processing of your Personal Data electronically for the purposes stated in the Section 4.1 c.

(b) Processing of your Personal Data is necessary for the performance of the Agreement and in order to take steps at your request prior to entering into the Agreement. This relates to the above-mentioned purpose in the Section 4.1 a.

(c) Processing of Personal Data is necessary for compliance with a legal obligation of the data controller, that is, the Supplier. This relates to the above-mentioned purposes in the Section 4.1 b.

(d) Processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. This relates to processing of possible patient data only.

5 CONTENT OF REGISTER

5.1 The Personal Data is defined as follows:

(a) your email address; your password; serial number of the iCare HOME, iCare HOME2, iCare IC200 or iCare PRO device (“Device”); your name; the data or other content uploaded from the Device to the Services; information on which eye is measured; point of time of measurement; measurement angle (angle of the Device compared with your eye); intraocular pressure value; intermediate results of the six samples of intraocular pressure measurements; quality rating of the measurement; cookie related information (see section 10 below); IP addresses relating to the Device and the Services; the free-text data written by you in the Services in connection with the measurement; reminders on when to take measurement or medication (medication information that you have voluntarily provided); the free-text data concerning conditions and actions defined by you related to measurement in general (you have voluntarily provided); the free-text messages exchanged between you and a professional health care provider (you have voluntarily provided); the time after which the Device will disable measurement function; the settings of the Device; and

(b) any data required by Google Inc. and Google Ireland Limited and Google Commerce Limited as stipulated in their contract documentation available in here: https://play.google.com/intl/en-us_us/about/play-terms.html ; and

(c) any data required by Apple Inc. as stipulated in their contract documentation available in here: https://www.apple.com/legal/internet-services/itunes/us/terms.html

6 REGULAR SOURCES OF PERSONAL DATA

enquiry from you
the Services
provided by you when you contact iCare’s customer service or when you utilize the Services

7 REGULAR TRANSFEREES OF DATA

The Personal Data may be transferred to a subcontractor of iCare the Supplier called Taitopilvi Oy (Business ID 2786133-7). The purposes of the transfers are the same as stated in the Section 4.1.

The Personal Data may be transferred to a subcontractor of iCare called Amazon Web Services EMEA SARL, Luxembourg. The purpose of the transfer is that Amazon Web Services EMEA SARL and its prob-processors provide to iCare cloud hosting and data storage service and the Amazon Simple Email Service. Further information:

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

https://d1.awsstatic.com/Supplementary_Addendum_to_the_AWS_GDPR_DPA.pdf

https://aws.amazon.com/compliance/sub-processors/

8 TRANSFER TO COUNTRIES OUTSIDE EEA

iCare does not transfer your Personal Data to countries outside the European Economic Area (EEA) and European Union (EU) (”Third Countries”) except for Amazon Web Services EMEA SARL and its prob-processors as set out in Section 7.

The basis of a transfer outside the EU area is e.g., the model clauses of the EU Commission or other lawful basis for the transfer. The text of the model clauses is available on the internet at the address http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm or the adequacy decisions of the EU Commission.

The decisions are available on the internet at the address https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Further information in Section 7.

9 LINKS TO THIRD PARTY WEBSITES

The Services may have hypertext links to third party web sites. Please note that iCare is not liable for personal data processing on such web sites. Such third parties are not personal data controllers or processors towards iCare.

10 COOKIES

iCare’s cookie policy can be found at the address https://www.icare-world.com. Please read the cookie policy together with this document.

11 METHODS ON HOW REGISTER IS SECURED

The Personal Data is secured by using, for example, the following methods and principles:

(a) locking systems at iCare’s and its subcontractors’ premises;

(b) electrical surveillance systems of iCare’s and its subcontractors’ premises and equipment;

(c) firewall, anti-malware and spam filtering systems of iCare’s and its subcontractors’ communication networks and other software and hardware that protect the security of communication networks;

(d) detailed user rights in iCare’s IT systems;

(e) professional knowledge of iCare’s personnel;

(f) regular training of iCare’s personnel;

(g) the content of the register is in electronic form only except in temporary special occasions; and

(h) iCare’s policies and guidelines relating to Personal Data matters.

12 RIGHT OF ACCESS

After having supplied sufficient search criteria, you have the right to get information on which Personal Data on you is being processed or information that no Personal Data is being processed.

Where such Personal Data are being processed, iCare shall provide the following information:

(a) the purposes of the processing;

(b) the categories of Personal Data concerned;

(c) the recipients or categories of recipients to whom the Personal Data are to be or have been disclosed, in particular to recipient in Third Countries;

(d) the period for which the Personal Data will be stored;

(e) the existence of the right to request from iCare rectification or erasure of your Personal Data or to object to the processing of such Personal Data;

(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(g) communication of the Personal Data undergoing processing and of any available information as to their source;

(h) the significance and envisaged consequences of such processing, at least in the case of measures which produce legal effects concerning you or significantly affects you and which are based solely on automated processing intended to evaluate certain personal aspects relating to you or to analyze or predict in particular your performance at work, economic situation, location, health, personal preferences, reliability or behavior; and

(i) information on the regular sources of Personal Data.

Where you make the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by you.

iCare shall provide a copy of your Personal Data undergoing processing. For any further copies requested by you, iCare may charge a reasonable fee based on administrative costs.

Where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, iCare may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.

If you want to inspect the data concerning yourself as mentioned herein, you must represent the request to iCare in a document hand signed by you or in a document certified in a similar manner or personally by visiting iCare.

13 RECTIFICATION, PERIOD FOR WHICH PERSONAL DATA WILL BE STORED AND RIGHT TO LODGE COMPLAINT TO SUPERVISORY AUTHORITY

iCare shall, at your request, without undue delay correct, erase or supplement Personal Data contained in its Personal Data register if the data is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing, including by way of supplementing a corrective statement.

If iCare refuses your request of the correction of the data, iCare will give you a written certificate regarding this. The certificate will also include the reasons for the refusal. In such event, you may bring the matter to be handled by the Data Protection Ombudsman.

The Personal Data are processed as long as this is required and allowed under applicable law. Information regarding the contractual relationship can be processed at least for the time until claims related to the contractual relationship expire. Main rule according to Finnish law for claims related to the contractual relationship to expire is three years. When the applicable law describes a longer or a shorter time period for the processing, such limitation is applied.

Subject to the requirements of the applicable law, the Personal Data can be processed for longer than the above-mentioned time periods it is needed for the establishment, exercise or defense of possible legal claims

You have the right to lodge a complaint to the supervisory authority. The contact details of the supervisory authority:

https://tietosuoja.fi/en/contact-information Office of the Data Protection Ombudsman

P.O. Box 800 FI00531 HELSINKI FINLAND

Address:

Lintulahdenkuja 4, 00530 HELSINKI, FINLAND
Tel: +358 29 56 66700 (exchange)

Fax: +358 29 56 66735

Email: [email protected]

14 RIGHT TO PROHIBIT PROCESSING

You have the right to prohibit iCare to process your Personal Data for purposes of direct advertising, distance selling, other direct marketing, market research, opinion polls, catalogues on persons or genealogical research.

You have the right not to be subject to a measure which produces legal effects concerning you or significantly affects you, and which is based solely on automated processing intended to evaluate certain personal aspects relating to you or to analyze or predict in particular your performance at work, economic situation, location, health, personal preferences, reliability or behavior.

You have the right to object, on grounds relating to your particular situation, to the processing of Personal Data which is based on either of the following grounds for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of iCare or (ii) when processing has been found necessary in order to protect your vital interests. You however do not have the right to object, if iCare demonstrates compelling legitimate grounds for the processing which override your interests or fundamental rights and freedoms.

15 RIGHT TO BE FORGOTTEN AND TO ERASURE

You have the right to obtain from iCare the erasure of Personal Data relating to you and the abstention from further dissemination of such data, where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) you withdraw the consent on which the processing is based, or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(d) the processing of the data does not comply with lawful requirements for other reasons.

Instead of erasure, iCare shall restrict processing of Personal Data where:

(a) their accuracy is contested by you, for a period enabling iCare to verify the accuracy of the data;

(b) iCare no longer needs the Personal Data for the accomplishment of its task but they have to be maintained for purposes of proof; or

In cases of restriction of processing of Personal Data in cases defined above, the Personal Data may, with the exception of storage, only be processed for purposes of proof, or with your consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.