SeriousMD – Now Serving

 

Privacy Statement

 

A.                 INTRODUCTION

 

This Privacy Statement is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission (NPC). Serious MD – Now Serving (SMD-NS) respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

 

B.                  SCOPE

 

1.                  This Privacy Statement enumerates SMD-NS’s policy in relation to the collection, use, storage, sharing and disposal of all personal data processed by the organization in accordance with the Data Privacy Act, its IRR, and all related issuances of the NPC.

 

2.                  SMD-NS maintains the right to amend and/or modify this document to comply with any future developments in data privacy regulations where applicable and to reflect any changes in the organization’s policies and/or personal data processing activities.

 

3.                  This Privacy Statement applies, in general, to all personal data processing activities conducted by SMD-NS including, but not limited to, the collection, use, storage, sharing and disposal of all personal data about our clients and customers.

 

C.                  DEFINITION OF TERMS

 

                    Anonymization: refers to the processing of data to render it in such a way that the data subject is not or no longer identifiable.

 

                    Consent of the data subject: refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. It may be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

 

                    Data Subject: refers to an individual whose personal data is processed. This includes, among others, the clients, users and/or customers of SMD-NS.

 

                    Data Sharing: refers to the disclosure or transfer to a third party of personal data under the control or custody of a personal information controller. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.

 

                    Processing: refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

 

                    Personal Information / Personal Data: refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

 

                    Personal Information Controller: refers to any person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

 

                    Personal Information Processor: refers to any qualified natural or juridical person to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

 

                    Sensitive Personal Information: refers to personal information (a) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (d) Specifically established by an executive order or an act of Congress to be kept classified.

 

D.                 THE COLLECTION AND USE OF PERSONAL DATA

 

1.                  We collect the following personal data from our clients and customers:

 

                    Name, address, contact information;

                    Medical history, medical examinations, x-ray and other diagnostic imaging results, laboratory tests, other medical reports accomplished by physicians, health personnel, and non-medical technical personnel, and other medical or health information;

                    Videos, audios, and digital photographs that were recorded during a telemedicine consultation session;

                    Government issued identifying information; and,

                    Credit card, debit card, electronic money transfer, and other payment information.

                    Information about visitors to our website and social media profiles as well as individuals who use our digital platforms and/or mobile applications. Such information may include, among others, social media profiles, browsing activities, IP Addresses, services procured, and links visited.

 

2.                  We collect the personal data for the following reasons:

 

                    We collect and process personal data for the fulfilment of contractual services to our clients and customers, including, among others, the use of the services of SMD-NS; for debugging; for verification of their identities; for communication and maintenance of continued customer relations; for processing of payments by our clients and customers; and, for compliance with the requirements of applicable laws and legal processes (e.g. court orders).

 

                    We may use the contact information of our clients and customers for administrative purposes, such as customer service and providing notices; and for promotional activities, relating to products and services offered by us and by third parties we work with. You have the ability to opt-out of receiving any promotional communications by sending us an e-mail at privacy@seriousmd.com.

 

                    We may use your anonymized personal data for statistical, analytical, research, and other related purposes to create anonymous and aggregate reports.

 

                    We may use automatically collected information, such as cookies and similar technologies, to identify your device and record your preference. We use this information to enhance your customer experience and determine tailored content to meet your preferences and needs.

 

                    We outsource or contract the processing of Customer Data to third parties, such as but not limited to, cloud storage vendors, video call provider, electronic mail provider, SMS provider, etc., to fulfill any of the above purposes. They are only authorized to use the personal data for such contracted purposes. They may have access to personal data for a limited time under reasonable contractual and technical safeguards to limit their use of such information. We require them to protect personal data consistent with the SMD-NS Privacy Statement.

 

3.                  We collect and process personal data in the following manner:

 

                    We directly collect personal data from our clients and customers when they register to avail of our services. For personal data that falls under the definition of sensitive personal information, we obtain the data subject’s express and affirmative consent through our Website or mobile application before we collect and process the information.

 

                    We obtain personal data automatically from clients and customers when they visit our Website, social media profiles, digital platforms, and/or mobile applications.

 

                    We may obtain personal data indirectly from physicians and other health care and medical workers who invite their patients to use our services.

 

E.                  THE DISCLOSURE OF PERSONAL DATA

 

We do not sell or disclose the personal data we process to third parties without the consent of data subjects unless we are legally required to do so; if it is necessary to fulfill the purposes for which we process personal data as mentioned above; or if such action is necessary to protect, defend and/or enforce our rights, property or the personal safety of our employees and other individuals. We only permit our authorized personnel and our customer’s physician/s and their registered representatives to access or process your personal data. We restrict access to such information to our authorized personnel, contractors, and agents who need to know such information in order to process it for us, who are subject to strict contractual and technical safeguards, and are accountable if they fail to meet these obligations.

 

Our authorized contractors who provide outsourced functions include, among others:

• Cloud storage systems to meet the company’s storage management requirements;

• Video Call Provider;

• Electronic Mail Provider; and,

• SMS Provider.

 

SMD-NS remains responsible for the personal data disclosed to such third parties. As such, we ensure that such third parties are contractually obligated to comply with the requirements of the Data Privacy Act and shall process your data strictly in accordance with the purposes enumerated above.

 

F.                   THE RIGHTS OF DATA SUBJECTS

 

                    Right to be informed: As a data subject, you have the right to be informed that your personal data shall be, are being, or have been processed. This right also requires personal information controllers to notify you within a specific period of time if your data has been compromised, i.e. in the case of a personal data breach.

 

                    Right to access: You have the right to gain reasonable access to your personal data upon request. You may request access to the following:

1.                  Contents of your personal data that were processed;

2.                  Sources from which they were obtained;

3.                  Names and addresses of the recipients of your data;

4.                  Manner by which such data were processed;

5.                  Reasons for disclosure to recipients, if there were any;

6.                  Information on automated processes where the data will be, or is likely to be, made the sole basis for any decision which would significantly affect you;

7.                  Date when your data was last accessed and modified; and,

8.                  Name and address of the personal information controller.

 

                    Right to object: You have a right to object to the processing of your personal data, including processing for direct marketing, automated processing or profiling. You likewise have the right to be notified and given an opportunity to withhold consent to the processing in case of changes to the information given to you regarding the processing of your information.

 

                    Right to erasure or blocking: You have the right to suspend, withdraw, or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of any of the following:

1.                  Your personal data is incomplete, outdated, false, or unlawfully obtained;

2.                  It is being used for purposes you did not authorize;

3.                  The data is no longer necessary for the purposes for which they were collected;

4.                  You decided to withdraw consent, or you object to its processing, and there is no overriding legal ground for its processing;

5.                  The data concerns personal information prejudicial to the data subject — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized;

6.                  The processing is unlawful; or,

7.                  The personal information controller, or the personal information processor, violated your rights as a data subject.

 

                    Right to rectification: You have the right to dispute any inaccuracy or error in your personal data and have the personal information controller correct it immediately, unless the request is vexatious or unreasonable.

 

                    Right to data portability: Where your personal information is processed by electronic means, you have a right to obtain from the personal information controller a copy of your personal data in an electronic or structured format that is commonly used and allows for further use.

 

G.                 THE POLICY ON THE COLLECTION AND USE OF PERSONAL DATA

 

In relation to the rights of Data Subjects, it is SMD-NS’s policy to:

 

1.                  Ensure that data subjects affected by the organization’s personal data processing activities are fully and adequately informed of their rights;

2.                  Ensure that they are fully and adequately informed of all processing activities performed by SMD-NS with respect to their personal data;

3.                  Ensure that their consent is obtained in accordance with the requirements set forth in the Data Privacy Act, its Implementing Rules and Regulations, and Memorandum Circulars issued by the NPC where applicable. Where the processing does not require consent from our clients and customers in the instances set forth in Sections 12 and 13 of the Data Privacy Act pertaining to the Criteria for the Lawful Processing of Personal Information and the Criteria for the Lawful Processing of Sensitive Personal Information, respectively, such rules and procedures will ensure that our customers and employees are fully and adequately informed of the bases of such processing other than consent;

4.                  Ensure that they have the facility to reasonably access, review and amend their personal data and to request copies thereof in a commonly portable format;

5.                  Ensure that they have the facility to: dispute any inaccuracy or error in their personal data, object to any changes in the manner and purpose by which they are processed, withdraw consent where applicable, and to suspend, withdraw, block, destroy, or remove any unnecessary, falsely collected or unlawfully processed personal data;

6.                  Ensure that such personal data are proportional, necessary and limited to the declared, specified and legitimate purpose of the processing;

7.                  Ensure that such personal data are retained for only a limited period or until the lawful purpose of the processing has been achieved;

8.                  Ensure that such personal data are destroyed or disposed of in a secure manner;

9.                  Ensure that information collected from clients and customers that is intended to be used for statistical, analytical, research, and other related purposes shall first be anonymized to render it unidentifiable and untraceable to the data subject;

10.              Ensure that they have the facility to lodge complaints with SMD-NS relating to any violations of their rights as data subjects and that such complaints are adequately and timely addressed.

 

H.                 DATA PROTECTION OFFICER

 

To oversee our privacy compliance efforts, SMD-NS has appointed a Data Protection Officer (“DPO”) to manage and safeguard the handling of our personal data processing activities. Should you have any concerns regarding SMD-NS’s privacy practices and policies, you may reach the DPO through the following contact information:

 

Data Protection Officer: Solomon See

Contact Information: privacy@seriousmd.com

 

I.                    INFORMATION SECURITY POLICY

 

1.                  We apply reasonable and appropriate security measures to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Data in our possession. This includes, for example, firewalls, password protection and other access and authentication controls. We use SSL technology to encrypt data during transmission through the public internet, and we also employ application-layer security features to further anonymize Personal Data during processing of aggregate information.

 

In addition, we implement the following physical, technical, and organizational controls to ensure the security of the personal data:

 

•          SMD-NS implements server redundancy and creates multiple backups in different availability zones within Amazon Web Services to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

•          SMD-NS sets up a secure computer network to protect against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

•          Data is anonymized and transferred securely when processing the information;

•          Processes are in place for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;

•          Regular monitoring of server activity is done to detect security breaches; and in the event of a breach, procedures are in place to allow SMD-NS to take preventive, corrective and mitigating action and to inform its users about the impact of the breach and inform them about necessary steps to secure themselves from the vulnerability.

•          SMD-NS imposes an obligation upon its employees who have access to information not intended for public disclosure, to keep all the data under strict confidentiality. This obligation shall continue even after they leave the company, transfer to another position, or upon termination of employment or contractual relations.

•          SMD-NS implements data breach protocols that are activated when the personal data of our clients and customers are compromised.

 

Despite the foregoing controls, we emphasize that no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store in our Website or mobile application, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your personal data has been compromised, please contact our data protection officer through the contact details provided in this document. If we learn of a security systems breach, we will inform you of the occurrence of the breach in accordance with applicable law.

 

2.                  We practice the Data Minimization principle in the retention and disposal of your personal data. We only retain the Personal Data collected from you for as long as your account is active or otherwise for a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law. We also retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, in accordance with the statute of limitations as provided by law.

 

When disposing of your Personal Information, we take reasonable measures to ensure that it is done properly and is not accessible to the public.

  1. Physical records are shredded within thirty (30) days from our receipt of the client’s opt-out;
  2. Copies of electronic records are removed in the active database and all third-party tools; and,
  3. Historical snapshots of data are only kept for one year, at the most.

 

3.                  Our disclosure of personal data to third-party processors is governed by the following safeguards:

a.      Support secure transmission of data, and protection of data while at rest, through the use of industry-standard encryption;

b.      Review the processors’ privacy policy and ensure that it adheres to SMD-NS Privacy Policy guidelines;

c.       Technical Review of third-party service to ensure it passes security standards and adheres to privacy policies of SMD-NS; and,

d.      Removal and disposal of all client data from third-party platforms upon the opt-out of the user and when data is no longer needed.

 

J.          CHANGES AND UPDATES TO THIS POLICY

 

Please revisit this page periodically to stay aware of any changes to this Policy, which we may update from time to time. If we modify the Policy, we will make it available through the Service, and indicate the date of the latest revision, and will comply with applicable law. Your continued use of the Service after the revised Policy has become effective indicates that you have read, understood and agreed to the current version of the Policy.

 

Please contact us with any questions or comments about this Policy, your Personal Data, our use and disclosure practices, or your consent choices by email at privacy@seriousmd.com.

 

 

Date: May 10, 2020