SeriousMD – Now Serving
Privacy Statement
A. INTRODUCTION
This Privacy Statement is hereby adopted in compliance
with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its
Implementing Rules and Regulations, and other relevant policies, including issuances
of the National Privacy Commission (NPC). Serious MD – Now Serving (SMD-NS)
respects and values your data privacy rights, and makes sure that all personal
data collected from you, our clients and customers, are processed in adherence
to the general principles of transparency, legitimate purpose, and proportionality.
B. SCOPE
1. This Privacy Statement enumerates SMD-NS’s policy in relation to
the collection, use, storage, sharing and disposal of all personal data
processed by the organization in accordance with the Data Privacy Act, its IRR,
and all related issuances of the NPC.
2. SMD-NS maintains the right to amend and/or modify this document
to comply with any future developments in data privacy regulations where
applicable and to reflect any changes in the organization’s policies and/or
personal data processing activities.
3. This Privacy Statement applies, in general, to all personal data
processing activities conducted by SMD-NS including, but not limited to, the
collection, use, storage, sharing and disposal of all personal data about our
clients and customers.
C. DEFINITION OF TERMS
• Anonymization: refers to the processing of data to render it in such a way
that the data subject is not or no longer identifiable.
• Consent of the data subject: refers to any freely given,
specific, informed indication of will, whereby the data subject agrees to the
collection and processing of personal information about and/or relating to him
or her. It may be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.
• Data Subject: refers to an individual whose personal data is processed.
This includes, among others, the clients, users and/or customers of SMD-NS.
• Data Sharing: refers to the disclosure or transfer to a third party of
personal data under the control or custody of a personal information
controller. The term excludes outsourcing, or the disclosure or transfer of
personal data by a personal information controller to a personal information
processor.
• Processing: refers to any operation or any set of operations
performed upon personal information including, but not limited to, the
collection, recording, organization, storage, updating or modification,
retrieval, consultation, use, consolidation, blocking, erasure or destruction
of data.
• Personal Information / Personal Data: refers to any information whether
recorded in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity holding
the information, or when put together with other information would directly and
certainly identify an individual.
• Personal Information Controller: refers to any person or
organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs another
person or organization to collect, hold, process, use, transfer or disclose
personal information on his or her behalf.
• Personal Information Processor: refers to any qualified natural
or juridical person to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.
• Sensitive Personal Information: refers to personal information
(a) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations; (b) About an individual’s
health, education, genetic or sexual life of a person, or to any proceeding for
any offense committed or alleged to have been committed by such person, the
disposal of such proceedings, or the sentence of any court in such proceedings;
(c) Issued by government agencies peculiar to an individual which includes, but
not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and (d)
Specifically established by an executive order or an act of Congress to be kept
classified.
D. THE COLLECTION AND USE OF PERSONAL DATA
1. We collect the following personal data from our clients and
customers:
• Name, address, contact information;
• Medical history, medical examinations, x-ray and other
diagnostic imaging results, laboratory tests, other medical reports
accomplished by physicians, health personnel, and non-medical technical
personnel, and other medical or health information;
• Videos, audios, and digital photographs that were recorded
during a telemedicine consultation session;
• Government issued identifying information; and,
• Credit card, debit card, electronic money transfer, and other
payment information.
• Information about visitors to our website and social media
profiles as well as individuals who use our digital platforms and/or mobile
applications. Such information may include, among others, social media
profiles, browsing activities, IP Addresses, services procured, and links visited.
2. We collect the personal data for the following reasons:
• We collect and process personal data for the fulfilment of
contractual services to our clients and customers, including, among others, the
use of the services of SMD-NS; for debugging; for verification of their
identities; for communication and maintenance of continued customer relations;
for processing of payments by our clients and customers; and, for compliance
with the requirements of applicable laws and legal processes (e.g. court
orders).
• We may use the contact information of our clients and customers
for administrative purposes, such as customer service and providing notices;
and for promotional activities, relating to products and services offered by us
and by third parties we work with. You have the ability to opt-out of receiving
any promotional communications by sending us an e-mail at privacy@seriousmd.com.
• We may use your anonymized personal data for statistical,
analytical, research, and other related purposes to create anonymous and
aggregate reports.
• We may use automatically collected information, such as cookies
and similar technologies, to identify your device and record your preference.
We use this information to enhance your customer experience and determine
tailored content to meet your preferences and needs.
• We outsource or contract the processing of Customer Data to third parties, such as but not limited to, cloud storage vendors, video call provider, electronic mail provider, SMS provider, etc., to fulfill any of the above purposes. They are only authorized to use the personal data for such contracted purposes. They may have access to personal data for a limited time under reasonable contractual and technical safeguards to limit their use of such information. We require them to protect personal data consistent with the SMD-NS Privacy Statement.
3. We collect and process personal data in the following manner:
• We directly collect personal data from our clients and customers
when they register to avail of our services. For personal data that falls under
the definition of sensitive personal information, we obtain the data subject’s
express and affirmative consent through our Website or mobile application
before we collect and process the information.
• We obtain personal data automatically from clients and customers
when they visit our Website, social media profiles, digital platforms, and/or
mobile applications.
• We may obtain personal data indirectly from physicians and other
health care and medical workers who invite their patients to use our services.
E. THE DISCLOSURE OF PERSONAL DATA
We do not sell or disclose the personal data we process
to third parties without the consent of data subjects unless we are legally
required to do so; if it is necessary to fulfill the purposes for which we
process personal data as mentioned above; or if such action is necessary to
protect, defend and/or enforce our rights, property or the personal safety of
our employees and other individuals. We only permit our authorized personnel
and our customer’s physician/s and their registered representatives to access
or process your personal data. We restrict access to such information to our
authorized personnel, contractors, and agents who need to know such information
in order to process it for us, who are subject to strict contractual and
technical safeguards, and are accountable if they fail to meet these
obligations.
Our authorized contractors who provide outsourced
functions include, among others:
• Cloud storage systems to meet the company’s storage
management requirements;
• Video Call Provider;
• Electronic Mail Provider; and,
• SMS Provider.
SMD-NS remains responsible for the personal data
disclosed to such third parties. As such, we ensure that such third parties are
contractually obligated to comply with the requirements of the Data Privacy Act
and shall process your data strictly in accordance with the purposes enumerated
above.
F. THE RIGHTS OF DATA SUBJECTS
• Right to be informed: As a data subject, you have the right
to be informed that your personal data shall be, are being, or have been
processed. This right also requires personal information controllers to notify
you within a specific period of time if your data has been compromised, i.e. in
the case of a personal data breach.
• Right to access: You have the right to gain reasonable access to your
personal data upon request. You may request access to the following:
1. Contents of your personal data that were processed;
2. Sources from which they were obtained;
3. Names and addresses of the recipients of your data;
4. Manner by which such data were processed;
5. Reasons for disclosure to recipients, if there were any;
6. Information on automated processes where the data will be, or is likely
to be, made the sole basis for any decision which would significantly affect
you;
7. Date when your data was last accessed and modified; and,
8. Name and address of the personal information controller.
• Right to object: You have a right to object to the processing of your
personal data, including processing for direct marketing, automated processing
or profiling. You likewise have the right to be notified and given an
opportunity to withhold consent to the processing in case of changes to the
information given to you regarding the processing of your information.
• Right to erasure or blocking: You have the right to suspend,
withdraw, or order the blocking, removal or destruction of your personal data.
You can exercise this right upon discovery and substantial proof of any of the
following:
1. Your personal data is incomplete, outdated, false, or unlawfully
obtained;
2. It is being used for purposes you did not authorize;
3. The data is no longer necessary for the purposes for which they
were collected;
4. You decided to withdraw consent, or you object to its
processing, and there is no overriding legal ground for its processing;
5. The data concerns personal information prejudicial to the data
subject, unless justified by freedom of speech, of expression, or of the
press; or otherwise authorized;
6. The processing is unlawful; or,
7. The personal information controller, or the personal information
processor, violated your rights as a data subject.
• Right to rectification: You have the right to dispute any
inaccuracy or error in your personal data and have the personal information
controller correct it immediately, unless the request is vexatious or
unreasonable.
• Right to data portability: Where your personal information is
processed by electronic means, you have a right to obtain from the personal
information controller a copy of your personal data in an electronic or
structured format that is commonly used and allows for further use.
G. THE POLICY ON THE COLLECTION AND USE OF PERSONAL DATA
In relation to the rights of Data Subjects, it is
SMD-NS’s policy to:
1. Ensure that data subjects affected by the organization’s
personal data processing activities are fully and adequately informed of their
rights;
2. Ensure that they are fully and adequately informed of all
processing activities performed by SMD-NS with respect to their personal data;
3. Ensure that their consent is obtained in accordance with the
requirements set forth in the Data Privacy Act, its Implementing Rules and
Regulations, and Memorandum Circulars issued by the NPC where applicable. Where
the processing does not require consent from our clients and customers in the
instances set forth in Sections 12 and 13 of the Data Privacy Act pertaining to
the Criteria for the Lawful Processing of Personal Information and the Criteria
for the Lawful Processing of Sensitive Personal Information, respectively, such
rules and procedures will ensure that our customers and employees are fully and
adequately informed of the bases of such processing other than consent;
4. Ensure that they have the facility to reasonably access, review
and amend their personal data and to request for copies thereof in a commonly
portable format;
5. Ensure that they have the facility to: dispute any inaccuracy or
error in their personal data, object to any changes in the manner and purpose
by which they are processed, withdraw consent where applicable, and to suspend,
withdraw, block, destroy, or remove any unnecessary, falsely collected or
unlawfully processed personal data;
6. Ensure that such personal data are proportional, necessary and
limited to the declared, specified and legitimate purpose of the processing;
7. Ensure that such personal data are retained for only a limited
period or until the lawful purpose of the processing has been achieved;
8. Ensure that such personal data are destroyed or disposed of in a
secure manner;
9. Ensure that information collected from clients and customers
that is intended to be used for statistical, analytical, research, and other
related purposes shall first be anonymized to render it unidentifiable and
untraceable to the data subject;
10. Ensure that they have the facility to lodge complaints with SMD-NS
relating to any violations of their rights as data subjects and that such
complaints are adequately and timely addressed.
H. DATA PROTECTION OFFICER
To oversee our privacy compliance efforts, SMD-NS has
appointed a Data Protection Officer (“DPO”) to manage and safeguard the
handling of our personal data processing activities. Should you have any
concerns regarding SMD-NS’s privacy practices and policies, you may reach the
DPO through the following contact information:
Data Protection Officer: Solomon See
Contact Information: privacy@seriousmd.com
I. INFORMATION SECURITY POLICY
1. We apply reasonable and appropriate security measures to protect
the information submitted to us, both during transmission and once we receive
it. We maintain appropriate administrative, technical and physical safeguards
to protect personal data against accidental or unlawful destruction, accidental
loss, unauthorized alteration, unauthorized disclosure or access, misuse, and
any other unlawful form of processing of the Personal Data in our possession.
This includes, for example, firewalls, password protection and other access and
authentication controls. We use SSL technology to encrypt data during
transmission through the public internet, and we also employ application-layer
security features to further anonymize Personal Data during processing of
aggregate information.
In addition, we implement the following physical, technical, and
organizational controls to ensure the security of the personal data:
• SMD-NS implements server redundancy and
creates multiple backups in different availability zones within Amazon Web
Services to protect personal information against natural dangers such as
accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse, unlawful destruction, alteration and contamination.
• SMD-NS sets up a secure computer network
to protect against accidental, unlawful or unauthorized usage or interference
with or hindering of their functioning or availability;
• Data is anonymized and transferred
securely when processing the information;
• Processes are in place for identifying
and accessing reasonably foreseeable vulnerabilities in its computer networks,
and for taking preventive, corrective and mitigating action against security
incidents that can lead to a security breach; and
• Regular monitoring of server activity
is done to detect security breaches; and in the event of a breach, procedures
are in place to allow SMD-NS to take preventive, corrective and mitigating
action and to inform its users about the impact of the breach and inform them
about necessary steps to secure themselves from the vulnerability.
• SMD-NS imposes an obligation upon its
employees who have access to information not intended for public disclosure, to
keep all the data under strict confidentiality. This obligation shall continue
even after they leave the company, transfer to another position, or upon
termination of employment or contractual relations.
• SMD-NS implements data breach protocols
that are activated when the personal data of our clients and customers are
compromised.
Despite the foregoing controls, we emphasize that no method of
transmission over the Internet, or method of electronic storage, is 100%
secure. We cannot ensure or warrant the security of any information you
transmit to us or store in our Website or mobile application, and you do so at
your own risk. We also cannot guarantee that such information may not be
accessed, disclosed, altered, or destroyed by breach of any of our physical,
technical, or managerial safeguards. If you believe your personal data has been
compromised, please contact our data protection officer through the contact details
provided in this document. If we learn of a security systems breach, we will
inform you of the occurrence of the breach in accordance with applicable law.
2. We practice the Data Minimization principle in the retention and
disposal of your personal data. We only retain the Personal Data collected from
you for as long as your account is active or otherwise for a limited period of
time as long as we need it to fulfill the purposes for which we have initially
collected it, unless otherwise required by law. We also retain and use
information as necessary to comply with our legal obligations, resolve
disputes, and enforce our agreements, in accordance with the statute of
limitations as provided by law.
When disposing of your Personal Information, we take reasonable
measures to ensure that it is done properly and is not accessible to the
public.
3. Our disclosure of personal data to third-party processors is
governed by the following safeguards:
a. Support secure transmission of data through the use of industry-standard
encryption and while data is at rest;
b. Review the processors’ privacy policy and ensure that it adheres to
SMD-NS Privacy Policy guidelines;
c. Technical Review of third-party service to ensure it passes security
standards and adheres to privacy policies of SMD-NS; and,
d. Removal and disposal of all client data from third-party platforms upon
the opt-out of the user and when data is no longer needed.
J. CHANGES AND UPDATES TO THIS POLICY
Please revisit this page periodically to stay aware of any changes to
this Policy, which we may update from time to time. If we modify the Policy, we
will make it available through the Service, and indicate the date of the latest
revision, and will comply with applicable law. Your continued use of the
Service after the revised Policy has become effective indicates that you have
read, understood and agreed to the current version of the Policy.
Please contact us with any questions or comments about this Policy,
your Personal Data, our use and disclosure practices, or your consent choices
by email at privacy@seriousmd.com.
Date: May 10, 2020