Data Subject Rights
Itamar Medical Ltd. and its affiliates value the privacy rights of individuals. As required under applicable privacy legislation and data protection laws, including, without limitation, the EU General Data Protection Regulation (“GDPR”), the Health Information Portability and Accountability Act (“HIPAA”), the upcoming California Consumer Privacy Act (“CCPA”) and the Israeli Protection of Privacy Law, 5741-1981 (“Israeli Privacy Law”), individuals have certain rights regarding the processing of their personal data (depending on the applicable jurisdiction and the individual’s relationship with us (e.g., business partners, their patients or visitors of our website, etc.)). We have prepared this overview so you are aware of some of these rights.
RIGHT TO BE INFORMED
DATA SUBJECT ACCESS REQUEST (“DSAR”)
You have a right to request that we confirm whether we process certain personal data about you, as well as a right to obtain a copy of such personal data, with additional information regarding how and why we use this personal data. After we receive such a request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the personal data or a description of the personal data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the personal data if not provided by you. Our response detailed above will be provided within the period required by law.
If personal data held by us is not accurate, you may require us to update such data so it is accurate. Furthermore, in the event that we passed on incorrect information about you to a third party, you also have a right to require us to inform those third parties that the applicable information should be updated.
ERASURE (“RIGHT TO BE FORGOTTEN”)
You have the right to require us to erase certain personal data, subject to the fulfillment of specific conditions. We are required to comply with a request to exercise the right to be forgotten, and delete the requested personal data if: (i) the applicable personal data is no longer needed for the original purpose for which it was collected and in addition, there is no new lawful basis for continued processing; (ii) the lawful basis for processing is consent, and you requested to withdraw the consent that was initially provided by you; (iii) you have exercised your right to object to the processing of your personal data by us, and we have no overriding grounds for the processing of such personal data; (iv) the personal data is processed by us unlawfully; or (v) the erasure of your personal data is necessary to comply with applicable laws. In addition, in the event we have passed on your personal data to a third party, you have the right to request that those third parties erase such information. Please note that this right to erasure is not absolute. Even if you fall under the aforesaid conditions, we are entitled to reject your request to erase the data in the event that we find it (subject to applicable laws): (i) necessary to comply with legal obligations; (ii) necessary to establish, exercise or defend legal claims; or (iii) necessary for scientific purposes, etc. In addition, in some cases, where we are not the controller of the personal data, we will share your request with the applicable third party controller.
With regards to personal data processed by us under the lawful basis of our legitimate interests, you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the personal data in the event that (subject to applicable laws and regulations): (i) our legitimate interests for processing override your rights, interests and freedoms; or (ii) the processing of such personal data is necessary to establish, exercise or defend a legal claim or right.
You may request to limit the purposes for which we process your personal data in the event that: (i) the accuracy of the data is contested; (ii) restriction is requested instead of erasure where the processing is considered to be unlawful; (iii) we no longer need the personal data for its original purpose, but the data is still required to be processed by us in order to establish, exercise or defend our legal rights; or (iv) the consideration of overriding grounds in the context of an erasure request is relevant.
You may request that we send or “port” certain personal data held by us to a third-party entity; however, you may only do so when: (i) you have provided us with the personal data; (ii) the personal data was processed automatically; (iii) the personal data was processed on the legal basis of either consent or fulfilment of a contract.
RIGHTS OF PATIENTS UNDER HIPAA
Our business partners’ patients have certain rights regarding their protected health information (as defined under HIPAA) as follows: (i) to access and receive a copy of their medical records; (ii) to rectify their information that is incorrect or add information to their records; (iii) to know who their information is being shared with (e.g. us) and how it is being shared; (iv) not to share their information with certain individuals or entities; (v) to file a complaint with their provider, health insurer or the U.S. Department of Health and Human Services if they feel that their rights are being denied or their health information is not being protected properly.
Last updated: September 18, 2019