MONSENSO SOLUTION PRIVACY POLICY
MONSENSO A/S
Version 1.0.7 EU, 3. February 2024
Introduction
The Monsenso Solution is designed to support the treatment of individuals with a mental disorder by collecting health-related data and sharing it with their clinician. As the purpose of the Monsenso Solution is to collect and share personal data of its users, below we have described how we process such personal data. As a general rule we process personal data of our users to facilitate the Monsenso Solution, and out intent is to ensure that data minimisation principles are met. Please also be aware that Monsenso only collects and stores personal data and Monsenso will not make any analyses of the personal data collected by the Monsenso Solution. It is your responsibility how you use the Solution and what personal data you want to share with third parties.
PRIVACY NOTICE
The protection and confidentiality of your personal information is important and Monsenso A/S ("Monsenso", "we" and "us") is determined to protect it. Monsenso has, therefore, drafted this document in order to be perfectly clear about our policy on collecting, using and protecting personal data and other information managed by the Monsenso Solution.
If you do not find the answer to your questions in this document, feel free to contact us though this email: support@monsenso.com.
Monsenso A/S is a Danish company with registered offices located at: Rosenørns Allé 31, 2. , DK-1970 Frederiksberg, Denmark, and is represented by Chief Executive Officer, Mr. Thomas Lethenborg.
The Monsenso Solution is designed to enable the Individual (usually a patient in a clinic), the Carer (any person supporting the Individual, for instance relatives or a social worker) and the Care Provider (any professional provider, for instance a clinician or therapist) to share information relating to the treatment and managing of mental wellness of the individual.
The Monsenso Solution may be used in three scenarios. In all three scenarios Monsenso is merely making the Solution available to its users.
‘CLINIC SCENARIO’
In this scenario, the Clinic buys a license to the Solution and invites the Individual, Carer and Care Provider to use the Solution. All users are given access to the Solution by the Clinic.
When you as Individual, Care Provider and Carer have been given access to the Monsenso Solution in the Clinic Scenario, the Clinic determines the purposes and means of the processing of your Personal Data, i.e. the Clinic acts as a data controller. When submitting your personal data using Monsenso Solution, Monsenso is obligated to follow the instructions provided by your Clinic (the data controller) and shall process your personal data only for the purposes of providing you with the Monsenso Solution, i.e. Monsenso acts as a data processor. Monsenso have signed a data processing agreement with the Clinic complying with the requirements in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”)). If you want to know more about how the Clinic processes your personal data, please contact the clinic.
In the Clinic Scenario, Monsenso will not use any Personal Data uploaded to or generated by the Solution for its own means and purposes unless set out in this Privacy Policy.
‘CLINICAL STUDY SCENARIO’
In this scenario, the sponsor of a clinical study buys a license to the Solution, which is used in the clinical study. All users are given access to the solution by the investigational site.
When you as an Individual, Care Provider or Carer have been given access to the Solution in the Clinical study Scenario, the Sponsor of the clinical study determines the purposes and means of the processing of your Personal Data, i.e. the Sponsor acts as a data controller. When submitting your personal data using the Solution, Monsenso is obligated to follow the instructions provided by the Sponsor (the data controller) and shall process your personal data only for the purposes of providing you with the Solution, i.e., Monsenso acts as a data processor. Monsenso have signed a data processing agreement with the Sponsor complying with the requirements in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”)). If you want to know more about how the Sponsor processes your personal data, please contact your principal investigator at the investigational site, in accordance with the informed consent you signed when enrolled in the clinical study.
‘INDIVIDUAL SCENARIO’
In this scenario, the Individual, Carer and Care Provider signs up for the Solution, and invites other users (i.e. Individuals, Carers and Care Providers) to see its profile. Monsenso will only disclose your personal data to other users (Carer, Care Provider and/or Individual) to the extent that you have instructed us to do so. It is your decision who you want to connect with and share your personal data with. If you no longer want to share your personal data with a user you can simply remove the connection to that user.
In the Individual Scenario, when you sign up and use the Monsenso Solution and provide Monsenso with your personal data as part of the use of the Solution, Monsenso is considered the data controller. Below we have described in further detail how we process your personal data.
1. PROCESSING ACTIVITIES WHERE MONSENSO IS THE DATA CONTROLLER
Below you can read more about when Monsenso is a data controller, including when Monsenso will use your personal data for its own means and purposes, and how Monsenso will process your personal data as a data controller. As indicated below, some processing activities are only relevant for the Individual Scenario.
If nothing is indicated, the processing activity applies to all three scenarios.
2. PROTECTION OF PERSONAL DATA ACCORDING TO LAW
Monsenso’s collection and processing of Personal Data, when you use the Monsenso Solution, are carried out according to the GDPR and any applicable data protection law, including the Danish Data Protection Law no. 502 of 23 May 2018.
3. THE PERSONAL DATA THAT MONSENSO COLLECTS, THE PURPOSE AND LEGAL BASIS FOR PROCESSING
When you interact with us through the Monsenso Solution, Monsenso process different types of Personal Data, as detailed below.
Note that when you as Carer or Care Provider use the Monsenso Solution, Monsenso’s collection of Personal Data is limited to the following types of Personal Data: Identity Data, Technical Data and Communication Data (see the description below). In this case Monsenso does not collect any other Personal Data, including sensitive Personal Data such as Health Data.
Technical Data: Monsenso gathers technical data through browsing and app usage information. Monsenso also collects technical information associated with your mobile phone and computer (such as IP addresses, access provider, usage data, hardware configuration, software configuration, country of origin, etc.), or associated with the Monsenso Services (such as log and history of all data exchanges, log and history of connections). The purpose of the processing is to provide the Monsenso Solution to you. We also use technical data to improve our products and services and ensure the availability of our platform. The legal basis for processing is GDPR art. 6(1)(b) and (f). Processing is necessary to perform a contract with you and for our legitimate interest to ensure running our business, provision of administration and IT services and network security. Other than described above, Monsenso never work with your technical data when it identifies you directly unless you have given us your consent, for example in order to resolve a problem that you have pointed out to us.
Identity Data: Monsenso collects Personal Data when you create an Account to use the Monsenso Solution. This data may include information about your identity (such as name, address, email, etc.), demographic (such as age, gender, occupation, etc.). Monsenso will use your Identity Data to provide you with access to and use of the Monsenso Solution. This includes engaging Individuals in self-care, engaging Carers in informal care to support Individuals, and giving Care Providers a remote monitoring tool to make better clinical decisions. Processing of Personal Data for this purpose is necessary for the performance of the Monsenso Solution. The legal basis for processing is GDPR art. 6(1)(b) and (f). Processing is necessary to perform a contract with you and for our legitimate interests to deliver our services.
Monsenso may also process your Identity Data in order to offer surveys, competitions, discount coupons or events in which you are free to participate. We may also use your Identity Data to provide you information on our products, such as new features, sale offers from Monsenso or our partners, or to announce new products. The legal basis for processing is GDPR art. 6(1)(f). Processing is necessary for our legitimate interests to develop our business and to market our services. You may at any time withdraw your consent. Please note that if you withdraw your consent, we may not be able to provide the Monsenso Solution to you.
Self-reported Data, including Health Data (only in the Individual Scenario): If you are an Individual, Monsenso collects Personal Data via self-reported data, including data about your general health, when you create an account or use the Monsenso Solution. Health data may include information such as symptoms, diagnosis, medication, hospitalisations, etc.
It is your decision which data you want to self-report and upload to the Solution. Monsenso will only process your Self-reported Data for the purpose of presenting your data to you and any other user(s) you have invited to see your profile. The legal basis for processing is GDPR art. 6(1)(b). Processing is necessary for the performance of a contract with you. If Health data is processed, we will only process such Health data based on your explicit consent, c.f. GDPR art. 9 (2)(a). You may at any time withdraw your consent. Please note that if you withdraw your consent, we may not be able to provide the Monsenso Solution to you.
In both the Clinic, Clinical Study and Individual Scenario – if allowed – Monsenso will anonymise your health data in order to produce statistics and/or aggregated data analysis. Personal Data will be anonymised through generalisation before further data processing to assure your privacy to be protected. Data is used in particular to: (i) improve Monsenso’s products and services through continued research and development; (ii) demonstrate, document, and publish the effectiveness of personal health technology for mental health; (iii) health research into clinical evidence for treatment and care of mental health. We will only anonymize your health data based on your explicit prior consent, c.f. GDPR art. 9(2)(a). You may at any time withdraw your consent. Please note that such withdrawal will not affect any anonymization of health data already performed.
For the avoidance of doubt, in the Clinic and Clinical Study Scenarios, Monsenso does not use your health data for any other purpose than to anonymize it as described above.
Behavioural Data (only in the Individual Scenario): One of the functionalities of the Solution is to collect behavioural data on the Individual, including, but not limited to, data on location, phone usage, app usage, call frequency, messaging frequency, voice data, and sensor data (accelerometer, GPS, etc.).
The data produced are displayed on the Individual’s profile. Data may be indicated as raw data (number of steps, mood score, etc.), or after processing (aggregate score for physical activity, correlations, etc.). Some function or services you may want to use do request specific data processing. As an example, when setting a trigger, Monsenso may use data collected from your self-assessment or automatically collected behavioural data.
The sole purpose of the processing is to present such data to the Individual and any user(s) the Individual has connected to assist such users in gaining a better insight into the Individual’s data. The legal basis for processing is GDPR art. 6(1)(b). Processing is necessary for the performance of a contract with you. If health data is processed, we will only process such Health data based on your explicit consent, cf. GDPR art. 9 (2)(a). You may at any time withdraw your consent. Please note that if you withdraw your consent, we may not be able to provide the Monsenso Solution to you.
Communication Data (only in the Individual Scenario): When you use the Monsenso Solution, Monsenso collects communication data, such as messages between the Individual, Carer and Care Provider. NOTE that only communication data that originate from within the Monsenso Solution is collected. Monsenso will only process your Communication Data for the purpose of presenting your data to you and any other user(s) you communicate with. The legal basis for processing is GDPR art. 6(1)(b). Processing is necessary for the performance of a contract with you. If health data is processed, we will only process such Health data based on your explicit consent, cf. GDPR art. 9 (2)(a). You may at any time withdraw your consent. Please note that if you withdraw your consent, we may not be able to provide the Monsenso Solution to you.
Record of operations conducted in log form. We are required by law to retain a full transaction log. The legal basis for processing is GDPR art. 6(1)(c). Processing is necessary to comply with a legal obligation.
4. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
Personal Data will not be sold, leased, transferred, shared, or otherwise accessed by or to any third parties other than to Monsenso who processes the data.
In the Individual Scenario you may invite other users (i.e. Individuals, Carers and Care Providers) to see your profile. Monsenso will only disclose your personal data to other users (Carer, Care Provider and/or Individual) to the extent that you have instructed us to do so. It is your decision who you want to connect with and share your personal data with. If you no longer want to share your personal data with a user you can simply remove the connection to that user.
5. RIGHT TO BE FORGOTTEN
You may ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
6. RIGHT TO ACCESS YOUR DATA
On written request, you are at any time entitled to receive information regarding our processing of your personal data, e.g. which of your data we have registered, the purpose of processing, the categories of personal data concerned and the recipients to whom the data has been or will be disclosed. Please see section 17 for contact details.
7. RIGHT TO DATA PORTABILITY
You have a right to receive the personal data provided to us in a structured, commonly used and machine-readable format and to transfer these data to another data controller if our processing of the data, for instance, is based on your consent or the processing is carried out by automated means. Please send a request using the contact details provided section 17.
8. RIGHT TO RECTIFICATION
You have the right to have incorrect personal data about you rectified by us without undue delay. If you become aware that there are errors in the data we have registered about you, we urge you to contact us in writing in order for us to rectify the data. Please see section 17 for contact details.
You can also correct the data you have provided when creating an account via log-in to your user profile.
9. RIGHT TO RESTRICTION
You have a right to restrict our processing of your personal data, e.g. if you contest the accuracy of your personal data. Please send a request using the contact details provided section 17.
10. RIGHT TO OBJECT TO YOUR DATA BEING PROCESSED
You may for legitimate reasons object to your Personal Data identifying you being processed for one or more processing purposes by contacting us in writing, using the contact details provided in section 17.
You also have a right not to be the subject of a decision based exclusively on automated processing, including profiling, which has legal effect on you or similarly affects you significantly.
If you object to the processing, Monsenso will no longer process your Personal Data unless we can demonstrate compelling, legitimate reasons for continued processing which precede your interests, rights and freedoms or the processing is necessary to establish, exercise or defend a legal claim.
11. THE RIGHT TO WITHDRAW CONSENT
You are at any time entitled to withdraw your consent to our processing of your Personal Data. If you wish to withdraw consent, please use the contact details provided in section 17.
12. THE RIGHT TO COMPLAINT
a. You are at any time entitled to file a complaint to any relevant supervisory authority – in particular in the Member State of your habitual residence, place of work or place of the alleged infringement –, about our processing of your personal data. You may also file a complaint to the Danish supervisory authority (in Danish "Datatilsynet"). Find more information and contact details at https://www.datatilsynet.dk/kontakt/.
b. (only for France) If you are subject to the French Data Protection Act, you are at any time entitled to issue directives relating to the fate of your Personal Data after death.
13. PROFILING (only in the Individual Scenario)
If you are the Individual, Monsenso uses your Personal Data for profiling, and presenting this information to you and any user(s) you have invited to see your profile with the sole purpose of assisting you, your Carer and your Care Provider in gaining a better insight into your data. The profiling consists of data aggregation from one or more sensors and/or self-reported questionnaires, and calculates aggregated scores based on this.
Examples of this could be information regarding your physical or social activity, mobility or phone usage, and is presented to you in the visualisation section of your profile. The data is aggregated for an interpretable value (e.g. Low – High), such as the Physical Activity index. This index indicates how physically active you are based on information collected from the step counter and the accelerometer of your smartphone, which outputs a Physical Activity score (a value between 0 – 5).
14. SECURITY
Monsenso goes to great length to protect the data collected in the Monsenso Solution.
Your data are stored on encrypted servers located in a European Union Member State. The personal data collected by Monsenso is protected by organisational, physical and logical security measures and are not communicated to unauthorised persons. Remote access to the servers is highly restricted and controlled.
Data in the Monsenso App on your smartphone can be protected by a PIN code.
All data communication in the Monsenso Solution is protected by strong encryption. Hence, data traffic via the Internet between the Monsenso App and the Monsenso servers is encrypted.\n Anonymisation techniques (hashing) on the telephone numbers you call or text are applied. The content of any phone conversations or text messages are not recorded. Statistical analysis on messages and voice data is done on the mobile phone before transmitted to Monsenso.
Note, however, that your use of an Internet Service Provider (“ISP”) will be subject to the separately-provided terms of use of such services. In particular, note that any data processing and/or transmission of data by the ISP are outside the scope of this policy and not the responsibility of Monsenso.
15. LINKS TO OTHER SERVICES
This Privacy Policy applies only to the Monsenso Solution. The Monsenso Solution may contain links to other 3rd party services, such as web sites, applications, or apps that are not controlled by Monsenso. This document's privacy rules do not apply to these 3rd party services.
16. DELETION OF PERSONAL DATA
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. As an overall ground rule, we retain your personal data as set out below:
Technical data, including the transaction log, is retained for 6 months. Hereafter it is deleted.
Identification Data, Self-reported Data, Health Data, Behavioral Data and Communication Data is retained for as long as you have an active account. Please note that Personal Data may be retained for a period of 6 months after you have deleted your account within the security backups that Monsenso regularly make.
If you do not use Monsenso Solution over a consecutive period of 24 months, we will automatically delete the information we have registered about you although we for establishment, exercise of defence of legal claims and in case we are obliged hereto according to law may store certain personal data for a longer period.
As described above we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. Monsenso applies anonymization through randomisation, which according to “Opinion 05/2014 on Anonymization Techniques” from the EU Data Protection Working Party Article 29, is an anonymization technique that alters the veracity of the data in order to remove the strong link between the data and the individual.
17. CONTACT INFORMATION
If you have questions or comments to this Privacy Policy, security questions or concerns, knowledge of unintended use, or requests regarding your data, please contact:
Monsenso A/S
Rosenørns Allé 31, 2. ,
DK-1970 Frederiksberg,
Denmark
E-mail: support@monsenso.com
Phone: +45 3025 1580
18. CHANGES TO THE PRIVACY POLICY
Monsenso reserves the right to modify all or part of this Privacy Policy without notice. You will be informed of such changes by a notice on the Monsenso Solution. If you have any question whatsoever concerning Monsenso's Privacy Policy, do not hesitate to contact us.