Definitions
- “User” – a person using the Service.
- “Service Owner” – Poznan University of Medical Sciences, Fredry 10, 61-701 Poznań, University Clinical Trials Support Center of PUMS, Marcelińska 42, 60-354 Poznań.
- “Service Administrator” – a natural person acting on behalf of the Service Owner, responsible for the proper functioning of the Service and authorized to take all factual and legal actions necessary to ensure the proper functioning of the Service.
- “Website” – a website located at the ump.edu.pl domain.
- “Data Administrator” – the data administrator referred to in Article 4(7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Mobile Applications” – the Patient UCTSC application for the Android system and the Patient UCTSC application for the iOS system.
- “Service” – the Website and Mobile Applications.
- “Account” – an account created by the User in the Service, available after logging in (providing an email address, username, and password), a place in the Service where each registered User can enter and modify their data and other elements related to registration in the Service.
General Rules
- The administrator of personal data is Poznań University of Medical Sciences, Fredry 10, 61-701 Poznań, University Clinical Trials Support Center of PUMS, Marcelińska 42, 60-354 Poznań.
- Personal data will not be transferred to other entities, unless required by law.
- Email address and username are used to create and properly service the User’s Account. They are necessary to provide this service.
- The User has the right to access their data and modify it.
- The User has the right to delete the Account on the Service.
- The User has the right to withdraw consent for the processing of personal data and can do so through the Website in the User panel. Withdrawing consent is equivalent to deleting the Account on the Service, as without it, the Administrator cannot provide User Account support.
- Personal data processed in computer systems are stored on servers located in the EEA.
§ 1.
This policy is based on the provisions of:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”.
§ 2.
I. Tasks of the Data Administrator
- The data administrator is obliged to apply technical and organizational measures to protect personal data processed, appropriate to the threats and categories of data subject to protection, and in particular shall secure data against their disclosure to unauthorized persons, taking over by an unauthorized person, processing in violation of the applicable law, as well as their alteration, loss, damage or destruction.
- The data administrator is obliged to ensure that personal data are:
  - processed in accordance with the law, in a fair and transparent manner for the data subject;
  - collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
  - adequate, relevant and limited to what is necessary for the purposes for which they are processed;
  - correct and, if necessary, updated; action should be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay;
  - stored in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  - processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Only persons authorized by the Data Administrator may be allowed to process data. These persons are obliged to keep the personal data and the methods of securing them secret.
- The Data Administrator is obliged to ensure control over which personal data were entered into the collection, when and by whom, and to whom they are transferred.
- The data administrator is responsible for the security of the IT system in which personal data are processed,
- supervision and control of IT systems used to process personal data and persons employed in it,
- supervision of the proper securing of hardware and rooms in which personal data are processed,
- supervision over the software used in the facility and its legality,
- preventing unauthorized access to the system where personal data are processed,
- taking appropriate action to properly secure data,
- investigation of any breaches in the data security system,
- making decisions about the installation of new devices and software used to process personal data,
- supervision over the repairs, maintenance, and disposal of computer equipment containing personal data,
- defining access passwords,
- updating antivirus and other software, unless these updates are performed automatically,
- implementation of internal training on the provisions regarding the protection of personal data,
- ensuring the protection and security of personal data in the IT system and in traditional data collections,
- taking appropriate action in case of detecting unauthorized access to the database or a breach of data security in the IT system,
- ensuring the physical security of the IT system and the system for storing and securing personal data,
- ensuring the security of the functioning of all devices operating in the system,
- providing access to the system only for authorized persons.
II. EMPLOYEES’ AND COLLABORATORS’ RESPONSIBILITIES
- All employees and collaborators are obligated to adhere to the regulations regarding personal data protection.
- Employees are required to ensure the security of the data entrusted to them for processing, archiving, or storage in accordance with the applicable legal provisions.
- Employees are prohibited from:
  - Disclosing data, including personal data contained in the systems they operate.
  - Copying databases or their parts without explicit authorization.
  - Processing data in a manner other than stipulated by the applicable legal provisions.
§ 3.
- Events that compromise the security of personal data or pose a threat to such breach can be categorized as:
  - External Random Threats (e.g., fire, flood, power outages, etc.) that may lead to data integrity loss, destruction, and damage to the technical infrastructure of the system and disrupt the continuity of its operation.
  - Internal Random Threats (e.g., errors by employees or the Data Administrator, hardware failures, software errors, etc.) that can result in data destruction, disrupt the continuity of the system’s operation, and violate data confidentiality, integrity, and accuracy.
  - Intentional, Conscious, and Deliberate Threats, which may include unauthorized internal system access, unauthorized data transfer, deterioration of equipment and software quality, and direct threats to the physical components of the system.
- Incidents classified as data protection breaches, or giving rise to a justified suspicion of a breach of personal data protection, including the security of the information system in which personal data is processed, include:
  - Random situations resulting from the impact of unforeseen external factors on system resources (e.g., fire, room flooding, construction disaster, etc.).
  - Gross violations of work discipline regarding information security procedures, including personal data (e.g., working with personal data for personal purposes, leaving rooms containing computers or equipment for storing personal data, particularly project documentation, unlocked, etc.).
  - Inadequate environmental parameters for computer equipment operation (e.g., excessive humidity or high temperature, electromagnetic field interference, industrial device-originated shocks or vibrations, etc.).
  - Malfunctions or failures of hardware, software, or equipment or device components used for storing personal data, particularly medical documentation, that clearly indicate intentional actions to breach security or data protection, and improper service operation.
  - Data quality in the system or any deviation from the expected state indicating system disruptions or extraordinary and undesirable system modifications.
  - A breach or an attempt to breach system or database integrity within the system.
  - Attempted modification or modification of data or changes in data structure without proper authorization.
  - Unauthorized handling of personal data within the system.
  - Unauthorized disclosure of personal data, processing procedures, or other guarded elements of the security system to unauthorized individuals.
  - Deviations from the established work rhythm indicating a breach or omission of personal data protection, including work on a computer or network by an individual not formally authorized to operate it, persistent unauthorized login attempts, etc.
  - The presence of unauthorized accounts with access to data.
- Data protection breaches also include detected irregularities in the security of places and equipment (cabinets, racks, safes) used for storing personal data on paper media, printouts, or other electronic external data carriers.
§ 4.
- The primary method of securing data processed in the IT system and access to it is the system for defining logins and passwords for individuals authorized to process personal data. These are software (logical) security measures embedded in the systems in use that prevent unauthorized access to the system.
- Access to the IT system requires entering a login and password.
- On every computer with internet access within the system, an appropriate antivirus program is installed.
- Printouts containing personal data should be stored in a location that prevents access by unauthorized individuals.
Information About Cookies and Data in the localStorage Object
- Cookie files, commonly referred to as “cookies,” are computer data, particularly text files, stored on the User’s end device, designed for use on the website’s pages. Cookies usually contain the name of the website they originate from, the time they are stored on the end device, and a unique number.
- The Service uses two main types of cookies: “session” cookies and “permanent” cookies. “Session” cookies are temporary files stored on the User’s end device until the User logs out, leaves the website, or turns off the software (web browser). “Permanent” cookies are stored on the User’s end device for the time specified in the cookie parameters or until the User deletes them.
- The localStorage object allows the storage of computer text data on the User’s end device. Similar to cookies, it usually contains the originating website’s name. However, unlike cookies, localStorage has no expiration date, and it is not sent to the server by the User’s end device. This data is stored solely on the User’s end device.
- The Service Owner is the entity saving data to the localStorage object and accessing it. The entities that place cookies on the User’s end device and access them are the Service Owner and Trusted Partners (see “External Libraries” section).
- Advertising ID is a unique identifier provided by Google Play and used in the Android mobile application.
- Cookies, data stored in the localStorage object, and Advertising ID are used within the Service for the following purposes:
  - Remembering User-selected settings and customizing the User interface; for example, remembering the last map location or automatic planning selection to provide a sense of continuity during subsequent visits.
  - Maintaining the User’s Service session (after login), allowing the User to navigate the Service without having to re-enter their login and password on each subpage of the website.
  - Creating statistics to understand how Users use the website and mobile applications, helping improve their structure and content.
  - Providing interest-based advertisements to Users based on their browsing behavior (e.g., based on data on clicks on other banners); a list of advertising providers is available at this link.
  - Usability interface research.
- The Service Administrator uses external cookies to collect general and anonymous statistical data via Google Analytics (administered by Google Inc. based in the USA).
- For information on how Google uses data collected when using the Service and how you can control information sent to Google, please visit https://firebase.google.com/support/privacy
- You can grant/withdraw consent to use data to collect statistical data in the settings for consents (Profile > User Settings).
- In many cases, web browsing software (web browser) allows cookies to be stored on the User’s end device by default. Service Users can change cookie settings at any time. These settings can be changed to block the automatic handling of cookies in the User’s web browser settings or to notify the User each time a cookie is placed on the User’s end device. Detailed information about the possibilities and ways of handling cookies is available in the software settings (web browser).
- The Service Administrator informs that cookie usage limitations may affect some functionalities available on the Service’s websites.
External Libraries
- In mobile applications, the Firebase Crashlytics library is used for failure analysis. Detailed information regarding the data collected can be found at this link.
- In mobile applications, the Amplitude and Google Analytics for Firebase libraries are used for resolving issues reported by users and for the statistical analysis of user traffic and behavior. These libraries utilize the device ID. The device ID is a random string of characters assigned during the installation of the mobile application on the user’s device. It is reset when the application is uninstalled and then reinstalled.
- In the Service, libraries such as the Facebook SDK and Google SDK are utilized to display social media plugins.
Server Logs
- Information about certain user behaviors is logged at the server level. This data is used exclusively for the administration of the Service and to ensure the most efficient operation of hosting services.
- Viewed resources are identified by their URL addresses. Additionally, the following information may be subject to logging:
  - Time of the incoming request.
  - Information about errors that occurred during HTTP transaction execution.
  - URL address of the page previously visited by the user (referer link) – in cases where access to the Service was initiated through a referral link.
  - Information about the user’s browser.
  - Information about the user’s IP address.
- The above data is not associated with specific users browsing the pages.
- This data is used solely for the administration of the Service.