Introduction
The European Institute for Innovation through Health Data (i~HD) processes personal data to fulfil its purposes as a not-for-profit association for promoting innovations in health care. i~HD regards its protection of its members and interested parties with the highest priority and applies all possible effort to comply in full with the European Union General Data Protection Regulation (GDPR) and all other applicable laws.
As a not-for-profit member association, i~HD is both a data controller and data processor to fulfil its purposes, which are described in detail throughout this notice. To manage the services we offer, Vimexx hosts our website server. i~HD contracts with Microsoft to use Office 365 under license to handle our corporate systems including routine business, email and customer relationship management. Microsoft acts as a Data Processor under contract with i~HD. i~HD also uses remote collaboration platforms including GoTo Meeting and Zoom under license.
We describe in this Notice the activities i~HD engages with and the kinds of personal data we use to achieve these. Depending on the activity the personal data we process includes but is not limited to:
- your title, first names and surname
- your email address
- details of the organisation that you work for and its location
- your IP Address
- login details if you register for our online services
- and data relating to any events you attend including registration details as well as photographs and videos of you attending these events if you consent to this.
Full details or our processing activities are provided throughout the rest of this Notice. If you have any queries about i~HD’s personal data processing activities or about the exercising of your rights under GDPR, please contact the Data Protection Officer at dpo@i-hd.eu.
When does i~HD process personal data?
The activities where i~HD processes personal data are as follows:
- visiting our website;
- registering as a member;
- registering to receive our newsletter, event invitations and updates to our services and activities;
- registering to attend our events and the subsequent management of the events that you attend;
- sharing updates about our events, including speaker details, videos of presentations, photographs and interviews;
- details about our task force, committee and i~HD team members;
- participating in a survey;
- in handling any queries that you may have about i~HD, its work or any other matters you may wish to discuss with us;
- in running our services, including Data Quality Assessment, our data protection and security certification and the i~HD Academy;
- when participating in EU-funded projects.
i~HD does not share your personal data between our members, or any attendee of our events or visitors to our website beyond what we have specified in this notice.
In each case, we retain the data for as long as we need to fulfil the above purposes of its processing and any legal obligations where we are required to handle and retain the data. Please refer to our Data Retention Policy for full details.
Visiting our website
i~HD uses cookies on our website to improve your experience of using our website. You can review our cookies policy at www.i-hd.eu/cookie-notice/. Note that there are some cookies that are necessary to use the site (including your consent preferences for cookie use). Otherwise you can consent to the use of non-essential cookies from any of our pages, but you are not required to do so to use the site.
i~HD uses Google Analytics to help us improve our website by informing us which countries visitors are viewing the website from and which pages are of most interest to them. Google Analytics processes a visitor’s anonymous IP Address to provide i~HD this information but only if the user consents to this.
Where you have registered to use the features of the website, the personal data that is processed by the cookies includes your login details if you decide to accept cookies and to remain logged in, where you have been granted access to register on the site.
Registering as a Member of i~HD
When registering as a Member of i~HD via our website, we ask for your first and last names, your function in your company or institution, email address, the company or institution you belong to and the country in which you are based. Further, we ask for your website, if applicable, and VAT registered number as well as your institution’s registered address and postal code. We ask you to select which of our core stakeholder groups you belong to. We also ask you for your title, but this is optional.
The processing of personal data for registration is needed for performance of a contract or its preparation and is covered as a legal basis under Article 6(1)(b) of GDPR.
i~HD retains the data as long as you are a member, and should your membership end, i~HD retains it for legal obligation under Article 6(1)(c) of GDPR for audit purposes pursuant to Belgian Law.
Registering to receive newsletters, event invitations and updates to our services
When registering for our newsletter, event invitations and updates to our services via our website or directly with our offices, we ask for your first and last names, your function in your company or institution, email address, the company or institution you belong to and the country you are based in. We ask you to select which of our core stakeholder groups you belong to. We also ask you for your title, but this is optional. We do not ask for any other details, personal or otherwise.
Consent under Article 6(1)(a) is the legal basis under which i~HD processes your data to register you for these updates. If you wish to stop receiving communications from i~HD, you are always able to unsubscribe here. In that event, you will not be contacted again.
i~HD does not retain your contact details unless you have otherwise shared your details with us for the other purposes we outline in this notice or where a legal obligation must be met under Article 6(1)(c) of GDPR. You may always re-register to receive newsletters should you change your mind and wish to hear from us again.
Registering to attend an i~HD event and subsequent management of that event
When registering to attend an i~HD event via our website or directly with our offices, we ask for your title, first and last names, your function in your company or institution, email address, the company or institution you belong to, your role and the country you are based in. We ask you to select which of our core stakeholder groups you belong to. Furthermore, we ask you to provide us with your dietary preferences and any specific needs to cater for your attendance at our events. We do not ask for any other details, personal or otherwise.
When registering, i~HD processes your personal data to manage your attendance at our event with your explicit consent as a legal basis under Article 6(1)(a) of GDPR.
Once you have registered, we do not add you to a published attendance list unless we have obtained your explicit consent to do so under Article 6(1)(a) of GDPR.
i~HD retains your personal data to fulfil the purpose of managing your attendance at our event and for audit purposes after the event under Article 6(1)(c) of GDPR for legal obligation.
i~HD will add you to its contact list if you are not already on it to keep you informed on newsletters, further events and updates to i~HD’s services. i~HD processes your contact details as we believe it is in your and i~HD’s legitimate interests under Article 6(1)(f). Should you wish to unsubscribe from this list at any point, you can do so at your convenience by clicking here.
Sharing updates about our events
Where you have agreed to be a speaker, we process your personal data on our website to publicise our events and to share updates about the event once it has finished. The data we share will be your full name, your organisation, title, function, a photograph and a short bio that you will provide us. Should you share this with us, we will also share links to your social media platform profiles.
We process this personal data for the purposes of publicising the event and delivering it. The legal basis under GDPR is Article 6(1)(f) where in agreeing to be a speaker, i~HD has identified that it is in our and your legitimate interests for us to process the data for these purposes. You may of course object to or restrict this processing (as described in the rights section below) and if you prefer us to remove your personal data from the website or refrain from using it in newsletters, we will honour your rights as defined in GDPR to the fullest extent.
Should you decide to withdraw as a speaker prior to the event, we will destroy the personal data and if you prefer we withhold any of the data from the website we will of course refrain from putting it there.
Our events are recorded either through the filming of speakers, panels and audience members, audio recording or photograph for the purposes of updating our members and the wider public about our event. Under GDPR Article 6(1)(a) we seek the explicit consent from any participants that we record in any way for this specific purpose.
The consent is entirely freely given and you are free to grant it or not as you see fit without any impact on your participation in the event.
You may withdraw your consent for the recording and as soon as you do, we will remove the recording from public display immediately and provided we do not have to retain it under other legal obligation, destroy it without the need for any explanation from you at all. We cannot however remove names of speakers or panellists from a past agenda or meeting report as documenting a past fact where these are provided on our websites under events.
Details of our task force members, committees and core team members
Where you have agreed to become a member of one of our task forces or committees, we will share your name, organisation, title, function, a photo and a short bio, as well as links to your social media profiles on the relevant website pages and in our newsletters. Where you are a member of our core team, we will share personal data including your name, a short bio title, function, photo and email address on our website and newsletters.
In both cases, we will do this under Article 6(1)(f) where i~HD has identified that it is in both our and your legitimate interests to publicise this on the website and in newsletters. You may of course object to or restrict this processing (as described in the rights section below) and if you prefer us to remove your personal data from the website or refrain from using it in newsletters, we will honour your rights as defined in GDPR to the fullest extent.
Participating in a Survey
When i~HD invites you to participate in a survey, we will ask you for your full name, email address, role and organisation. We will use survey tooling run within i~HD’s infrastructure or under license from third party providers. Any survey will specify which provider is running the survey and processing personal data and provide you a link to their website and privacy policy where they wil act as a Processor under i~HD’s instruction.
Survey data will be held within the EEA and we will process data with your explicit consent under GDPR Article 6(1)(a). If in the event that we require you to add Special Category Data, this will be processed under Article 9.2(j) for Scientific Research. Data will be retained in line with i~HD’s Data Retention Policy below and for a period of at least five years after the survey has been completed and final analysis have occurred.
Should we deviate from the above, we will specify explicitly in the survey introduction and provide you full details in the survey.
Handling communications from you about i~HD
When you contact us either from our contact page or directly, we will process your personal data for the purposes of handling the reason for your contacting us.
Where your reason for contacting us is about your existing membership i~HD will handle your personal data under Article 6(1)(b) for the performance of a contract or its preparation.
If your query is general or with regards your rights under GDPR, this will be with your explicit consent under Article 6(1)(a) of GDPR. We will retain a record of your query for one year for audit purposes. We will also add your contact details to our contact list but only if you explicitly consent to this in accordance with Article 6(1)(a) of GDPR.
Running our services
i~HD will handle the contact details for clients we provide services to, which includes Data Quality and Data Security and Protection Assessments, the i~HD Academy and the preparation of Tutorials. For all these purposes unless otherwise specified, i~HD will process the contact person(s)’ name, email address, role and the details of the organisations they work for. Where i~HD conducts interviews as part of its services, we will retain the name and role of any interviewees. Where i~HD runs tutorials, we process the names and emails of attendees. For the Academy, i~HD requires your Full Name, email address, Town/City and Country of Residence to register for Moodle. Please note that you may if you wish add more details under your profile, you are free to do so according to the terms of enrolment in the Academy. Please note that i~HD does not require the processing of Special Category Data for these services so please bear this in mind when adding profile details to the Academy or engaging with us around the other services.
The legal bases under which we process personal data for these purposes will depend on the nature of the service and will be specified within the agreements we sign with you. The legal basis will be for either legal obligation under 6(1)(C) of GDPR or performance of a contract or its preparation and is covered as a legal basis under Article 6(1)(b) of GDPR. When handling special category data, specific Article 9(2) justifications will be provided as part of our agreements.
Where running Data Quality Assessments, i~HD will only receive anonymous data. For additional rigour and in the event of accidental re-identification of data subjects, i~HD acts as a data processor only under contract with the data controller where all data handled by i~HD will be securely transferred and held in an encrypted state using 256bit Advanced Encryption Standard encryption within an access controlled, dedicated and audited Office 365 Sharepoint Space.
When you register for the i~HD Academy, please note that we contract with Avetica to serve as a Data Processor under our instruction to configure and maintain the Moodle Platform we use to serve you with the educational and assessment materials. You may review Avetica’s details at https://avetica.nl and you will find out more about how Moodle handles your personal information at https://moodle.com/privacy-notice/.
Participating in EU Funded Projects
i-HD will handle personal data during its participation in EU Funded projects. In these cases, the categories, legal bases and Article 9 Justifications will be specified in the appropriate agreement documents and information leaflets.
What are my rights?
At all times, GDPR gives you the following rights which we will of course honour in full compliance with its provisions:
- the right to request access to any of your personal data that i~HD processes;
- the right to data portability where you can request a digital copy of the data for your own uses;
- the right to the rectification (correction) of your personal data where it is incorrect;
- the right to request erasure of your data as outlined by GDPR;
- the right to restriction of processing by i~HD including where you identify and raise a problem with the data processing until the problem is resolved;
- the right to object at any time to processing of your personal data including that which is based on Article 6(1) (f) of GDPR where we have identified a legitimate interest.
Where the processing of your personal data is based on your consent, you can withdraw your consent at any time and without any reason. Withdrawing your consent means that i~HD will not make use of your data any longer for the purposes that you consented to. This does not invalidate past uses of your personal data for which you gave consent and your personal data will continue to be processed in the event of any legal obligations that i~HD must meet.
Please send an email to the data protection officer at dpo@i-hd.eu to exercise any of your rights. i~HD must confirm your identity and will review your request to ensure that it can be honoured without compromising other legal requirements and pursuant to the limitations provided by GDPR. We aim to have replied within 30 days of your request except where you have withdrawn your consent, which shall be actioned immediately.
You may also write to the following address:
The European Institute for Innovation through Health Data (i~HD)
c/o Dept. Medical Informatics & Statistics
Ghent University Hospital
Building 5K3, 5th floor, Entrance 42
C. Heymanslaan 10, 9000 Gent, Belgium
Please note that you always have the right to lodge a complaint with the Belgian Privacy Commission at commission@privacycommission.be should you be unhappy with how we have handled your requests or any of your personal data.
Updates to how we process data and this notice
If we substantially change how we process your data (for example using a new tool or service provider) we will undertake a Data Protection Impact Assessment pursuant to GDPR Article 35. This would be the case if we identify that any changes require significant additional processing of your personal data and / or risks to your rights and freedoms.
Where we identify a clear need to update this notice we will inform you immediately.
Last updated 24th May 2024
Data Retention Policy
i~HD retains personal data according to the following guidelines:
1. i~HD processes personal data for specific purposes as defined in our Data Protection and Transparency Notice and will only retain personal data for as long as is necessary to complete these purposes and satisfy legal requirements.
2. Where we are required to retain data after the retention period for each purpose has expired, we will post a notice. These purposes may include dispute resolution, in the case of legal obligation (for example as ordered by a court or if it is used in a criminal investigation).
3. Where possible, we will retain data using pseudonymised data after we have completed the purposes for which it is being processed.
4. When retention requirements under law have expired, personal data will be destroyed using a secure deletion method as offered by Microsoft Office 365 licensing and where possible all data will be removed from any backups that have been created. Once deleted, any personal data will be irretrievable.