CimplyMe® Privacy Policy

Last updated: December 2020

This Privacy Policy (the Policy) describes the information CimplyMe (the App) collects and uses.

1. WHO WE ARE AND HOW YOU CAN CONTACT US

UCB or we means UCB Biopharma SRL, with its registered office at Allée de la Recherche 60, 1070 Brussels, Belgium, registered with the Crossroads Bank for Enterprises under No. 0543.573.053. As the controller, i.e., the legal entity that decides on the why and how information relating to you (personal data) is collected and processed in the context of the App, we respect your right to privacy. We will only process your personal data as described in this Policy and in accordance with the relevant data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). At UCB we have a data protection officer (DPO), who can be contacted by any of the following means for any privacy-related questions, including regarding how we collect, store, and use your personal data:

  • E-mail: dataprivacy@ucb.com ; or
  • Regular mail: UCB Biopharma SRL, To the attention of the Data Protection Officer, Allée de la Recherche, 60, 1070 Brussels, Belgium

2. THE REASON BEHIND THIS POLICY

The Policy governs the collection, use and retention by UCB of (personal) data relating to your use of the App. This Policy applies to all users of the App. The Policy consists of five main components and informs you about:

  1. Who we are and how you can contact us;

  2. The reason behind this Policy;

  3. The purposes for which we process your (personal) data, the related legal basis under the GDPR and applicable retention periods;

  4. What your rights are in relation to the personal data we hold about you and how you can exercise them; and

  5. Further details on how we process (including transfer) your (personal) data.

This Policy may be updated periodically to reflect changes in our (personal) data processing practices. In that case we will post a prominent notice on the App to inform you of any significant changes.

3. THE PURPOSES FOR WHICH WE PROCESS YOUR (PERSONAL) DATA AND APPLICABLE LEGAL BASIS:

The table below indicates per purpose (i) the categories of personal data we collect and process concerning you, (ii) the source from which we obtained such information, (iii) how long we retain your personal data, (iv) who we share it with, and (v) the relevant legal basis under the GDPR.

CimplyMe® App Users

A. In-App data processing:
The App enables you to store on your mobile device the following information (which is not shared with UCB, as further explained below):

1. Data relating to the setup of the App (e.g., country and language) (*). These data are stored on your mobile device and are not transferred at all to UCB.
2. Disease related data required for the setup of the App (*), such as: your medical condition (to be selected between rheumatoid arthritis, psoriatic arthritis, axial spondyloarthritis/axSpA, or psoriasis), type of injection device used, data relating to your use of CIMZIA® (including length of usage and prescribed dose regimen).
3. Other health data input by you in the App after setup, such as: any changes in your CIMZIA® dose regimen, CIMZIA® injection dates, interrupted CIMZIA® injections, CIMZIA® injection punctuality, any CIMZIA® injection delivery error, reasons for early or late CIMZIA® injections, health trackers such as pain (including body area), mood, energy, and physical activity (time and intensity) or skin condition (including body area), itch and pain (including body area), mood and daily life.

These data are stored on your mobile device and are fully anonymised and aggregated before being transferred to UCB (as further explained below). Failure to provide the personal data with an (*) will prevent you from using the App.

The App enables the generation of the following fully anonymised and aggregated data about you:

4. The personal data under categories 2 and 3 above will be sent in a fully anonymised and aggregated form to UCB. For this purpose, a dataset and dataset key are created using hashing algorithms. The dataset key will be unique to each patient and mobile device. Each installation of the application on a mobile device generates a new unique identifier, which can be only preserved through mobile device backups. This unique identifier is part of the input for the hashing algorithm to produce the dataset key. It is impossible for UCB to re-identify the patient based on the dataset key as the hashing algorithm is irreversible. The App uses the same algorithm family as that which is currently used in the finance industry to protect information such as passwords and credit-card details through hashing. UCB combines all data from other patients using the App, also via random dataset and dataset keys identifiers, to create aggregated data. This data will help UCB to understand patient behaviours and needs and to improve our support and services to you and other patients.


B. To ensure the App is functioning as it should as well as to ensure potential issues are detected and addressed, UCB:

Collects the following personal data about you:
1. Electronic identification data, i.e.: your IP address, your country of residence, information regarding the mobile device you use to access the App (such as the type and the operating system), your provider of mobile network.
2. Information collected through logfiles (e.g., error messages, stack trace…). Please note that you cannot be identified from this data.

Obtains this personal data from: You, through your use of the App.

Retains (**) your personal data for:
- Electronic identification under (1) above is accessible by UCB for up to 90 days, except for your IP address. Please note that your IP address is received only briefly by our processor Microsoft Visual Studio App Center and is immediately deleted by it. UCB does not see or receive this information.
- Log file information under (2) above is accessible by UCB for up to 90 days. Please note that you cannot be identified from this data.

Shares your personal data with: UCB affiliates and third-party processors, including Microsoft (as detailed in Section 5.A).

Relies on the following GDPR legal basis: Processing necessary for performance of a contract with you.


C. To support and improve our App functionality (including making it more intuitive) and to better understand usage patterns, we use Google Analytics for Firebase that enables us to evaluate on an aggregated level the use made of our App and how users (including yourself) access different features of our App. In that context, UCB:

Collects the following personal data about you:
1. Information regarding your use of the App, such as: time spent on a page, pages visited, clicked hyperlinks, watched videos.
For details on how Google Analytics for Firebase processes your personal data, please check their terms of service, available here: https://firebase.google.com/terms/analytics. Google Analytics for Firebase is used to understand how people use the App. This is done via an SDK that automatically captures a number of events and App usage metrics. Once the data are captured, it is made available to UCB via a dashboard with aggregated data from all the users of the App.
2. Aggregated feedback if you have responded to online surveys about the App.
Data about your usage and the proper functioning of the App during such use will be aggregated into summary reports (statistics).

Obtains this personal data from:
- You, through your use of the App
- Our third-party service provider (Google Analytics for Firebase)

Retains (**) your personal data for: For the data collected via Google Analytics for Firebase, two years maximum from the last date on which you access the App.

Shares your personal data with: UCB affiliates and third-party processors, including Google (as detailed in Section 5.A).

Relies on the following GDPR legal basis: Processing based on your consent. If you do not give your consent, no personal data will be processed by Google Analytics for Firebase (or UCB).

(**) We will retain your personal data in accordance with the retention periods set out in the table above. These retention periods, included in our data retention policy, are dictated by:

  • applicable statutory/legal requirements;
  • industry guidelines, and
  • for those data categories for which no express statutory or legal requirements apply, certain other determining factors such as the need to prove or enforce a transaction or contract, enforce our policies, etc.

We will delete or anonymize your personal data once the abovementioned retention periods have expired or if you object to or withdraw your consent to our processing of your personal data (to the extent such processing is based on your consent), except where we need to hold on to such data (i) for the establishment, exercise or defence of legal claims, (ii) for the protection of the rights of another natural or legal person, (iii) for compliance with a European Union or European Union Member State legal obligation which requires such further processing or (iv) where we need to prove or enforce a transaction or contract or enforce our policies.

4. YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM

4.A. Your rights

To the extent applicable, you have the following rights under the GDPR regarding our processing of your personal data:

  • right of access to your personal data
  • right to rectification of your personal data
  • right to erasure of your personal data
  • right to restriction of the processing of your personal data
  • right to object to the processing of your personal data
  • right to data portability
  • right to withdraw consent (when the processing is based on your consent and if you have given your consent in the first place).

In accordance with Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the European Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that UCB’s processing of your personal data infringes the GDPR. Please visit the website of the relevant supervisory authority for more information on how to submit such a complaint.

4.B. How to exercise your rights

You can exercise some of the above rights via the different features of the App such as ‘My health’ and ‘Settings’:

  • by accessing and viewing your personal data via the App directly on your mobile device
  • by rectifying or deleting any personal data you have input into the App, which is stored only on your mobile device, or
  • by deleting the App from your mobile device (in this latter case, please note that all the personal data stored in the App will be deleted from your mobile device together with the App).

You can also withdraw your consent to the use of Google Analytics for Firebase at any time via the Settings of the App. Please note that this will not affect the lawfulness of the processing before the withdrawal of your consent.

Alternatively, you can also contact UCB’s Data Protection Officer by e-mail at dataprivacy@ucb.com or otherwise reach out to us by regular mail at: UCB Biopharma SRL, To the attention of the Data Protection Officer, Allée de la Recherche 60, 1070 Brussels, Belgium

Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity.

When you contact us to exercise any of the rights mentioned above, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, but in that case, we will inform you of any such extension within one month of receipt of your initial request together with the reasons for the delay.

Please note that as described in the table in Section 3 above, UCB only has access to (very) limited personal data about you. If you exercise one of your rights under the GDPR, and we are not able to identify you, we will inform you thereof. In accordance with Article 11 of the GDPR, we may need to ask you to provide additional information to enable your identification in the event you wish to exercise your rights of access, rectification, erasure, portability, objection, and restriction considering we only receive anonymised data from the App (as explained above).

5. MORE DETAILS ON HOW WE PROCESS YOUR PERSONAL DATA

5.A. Who we share your personal data with

Principle

We will disclose your personal data only as described in this Policy (as further detailed above), as may be updated from time-to-time.

UCB affiliates and third-party processors

UCB transfers or discloses your personal data to its personnel, affiliates and our third-party service providers processing personal data on UCB’s behalf for the purposes set out above.

Third-party service providers include IT services/consulting and App hosting companies, providers of data analytics (including Google), as well as service providers (including Microsoft Visual Studio App Center) that provide technical and administrative support for the App and underlying IT systems. These service providers may provide their services from locations within and outside the European Economic Area (EEA).

Other third parties include regulatory and government agencies (see further below in this Policy), our advisors and external legal counsels, our auditors and potentially, third parties with whom UCB may merge or which may be acquired by UCB (see further below in this Policy).

Compliance with laws and legal proceedings

UCB will disclose your personal data where:

  • UCB is required to do so by applicable law, by a governmental body or by a law enforcement agency;
  • to establish or exercise our legal rights or defend against legal claims;
  • to investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our policies or as otherwise required by law.

Other

If a third-party acquires all (or substantially all) of our business and/or assets, we will disclose your personal data to that third-party in connection with the acquisition. However, such disclosure will occur subject to and in accordance with applicable data protection laws, including the GDPR.

5.B. International transfers

UCB may transfer your personal data to its affiliates, including our affiliates outside of the EEA. In that case UCB relies on UCB's Binding Corporate Rules.

If we need to transfer your personal data to third-party service providers (as set out above under section 5.A) in countries outside of the EEA that do not ensure an adequate level of (data) protection, such transfer will occur on the basis of Standard Contractual Clauses that are executed between UCB and the relevant third-party service provider. In that case, you may - by exercising your rights set out above under section 4.B (How to exercise your rights) - obtain a copy of the relevant safeguard UCB has put in place or ask UCB to redirect you to the place where they have been made available.

In the absence of the aforementioned appropriate safeguards, UCB may - to the extent permitted under and in accordance with applicable data protection laws (including the GDPR) - rely on a derogation applicable to the specific situation at hand (e.g., the data subjects’ explicit consent, the necessity for the performance of an agreement, the necessity for the establishment, exercise, or defence of legal claims).

For more information on how Google processes your personal data within the framework of Google Analytics, please consult How Google uses data when you use our partners' sites or apps.

For details on how Microsoft processes your personal data within the framework of Microsoft Visual Studio App Center, please check their Privacy standards, available here.