Capitalized terms are defined in Section 11 of this Policy.
For all data protection requests, please contact:
951 Mariners Island Blvd #300
San Mateo, CA 94404
Phone: (650) 241-1741
Prior to a review, Aclarion shall conduct a self-assessment to ensure that its attestations and assertions about its treatment of Individual Patient Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, Aclarion will undertake the following:
- Ensure that this Policy continues to comply with EU Data Privacy Principles
- Confirm that Individual Patients are made aware of the process for addressing complaints and any independent dispute resolution process (Aclarion may do so through its publicly posted website, Individual Patient consent form, or both)
Aclarion will prepare an internal verification statement on an annual basis to be signed by an authorized representative of Aclarion. This statement shall be made available upon request by EU Data Subjects, or in the context of an investigation or a complaint about non-compliance.
Physicians located in the EU may collect EU Personal Data from Individual Patients, subject to such Individual Patients’ lawful consent, and may forward this Personal Data to Aclarion for the purpose of providing a NOCIGRAM-LS™ report. The following data may be obtained and transferred with an Individual Patient’s MRI/MRS record: MRI/MRS images, name, medical record number (MRN), height, weight, and age/birthdate. Per the GDPR rules, this information may be considered sensitive information.
The Physician, as data controller, determines the purposes of processing, what EU Personal Data is relevant for the purposes of processing, and the means of the processing of the EU Personal Data, and Aclarion will process said Personal Data on behalf of and under a written data processing contract concluded between Aclarion and the Physician. Aclarion will use the Personal Data transferred to Aclarion by the Physician for the sole purpose of analyzing the MRI/MRS data and providing a NOCIGRAM-LS™ report.
Aclarion will take reasonable steps to help ensure the integrity of the EU Personal Data. Aclarion and the Physician will also take reasonable steps to ensure that the EU Personal Data is reliable for its intended use, accurate, complete, and current.
Aclarion may engage other data processors for carrying out specific processing activities with regard to the EU Personal Data transferred by the Physician only under appropriate data processing contracts, as required by EU-GDPR and mirroring the data protection obligations that Aclarion has accepted under the data processing contract concluded between Aclarion and the Physician. Such recipients must agree to abide by confidentiality obligations and treat EU Personal Data as required under the GDPR. Aclarion will take reasonable and appropriate steps to ensure that the data processors use the EU Personal Data in accordance with the agreement and consistent with the GDPR. Should Aclarion receive notice of any unauthorized processing by the data processors, Aclarion will take reasonable and appropriate steps to stop the unauthorized processing and remediate. Aclarion will maintain copies of all of its agreements with data processors to which it transfers EU Personal Data and provide copies of the agreements to the Department of Commerce or other authorities upon request.
Aclarion engages third-party service providers (data processors) that provide data storage and transfer services for the purposes of transmitting results (which include EU Personal Data) to the requesting Physician. Aclarion may also engage third-party service providers (data processors) to provide it with on-site and cloud data storage services. Such third-party service providers may include: Ambra Health and Amazon Web Services.
Aclarion may also disclose EU Personal Data for other purposes only when a Data Subject has consented to or requested such disclosure. Aclarion is liable for appropriate onward transfers of Personal Data to third parties.
Please be aware that Aclarion may be required to disclose EU Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Aclarion takes reasonable and appropriate measures to protect EU Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. In so doing, Aclarion takes into account the risks involved in its processing of the EU Personal Data and the nature of the EU Personal Data it receives.
If Aclarion discloses EU Personal Data to a third party, Aclarion will contractually require that third party to provide the same level of protections to the EU Personal Data as required by the EU-GDPR. Aclarion requires valid SOC 2 Type II reports from all third parties that will transfer or maintain Personal Data.
Any Personal Data transferred by the Physician will be hosted by Ambra Health and AWS. The Ambra Health software transfers the data from the hospital/clinic PACS to the AWS servers where the Aclarion software also resides. The Aclarion software processes the data, and Aclarion will perform a QA process on the generated report before releasing the report to be transferred back to the hospital/clinic PACS using the Ambra Health DICOM gateway software. The Ambra Health software associates the report with the patient and adds the report to the patient record. The data resides only on these third-party systems and is not downloaded by Aclarion Employees to any other computer systems.
Both Ambra Health and AWS are SOC 2 compliant. SOC 2 was set up to define the criteria for how external SaaS companies should manage their customers’ data and is commonly used to demonstrate data integrity and security in a cloud environment. SOC 2 defines criteria for managing customer data based upon five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are independent audits that examine the effectiveness of the system design and whether the system is operating as designed.
Aclarion personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.
We will not share your personal data with third parties other than our agents, or use it for a purpose other than for which it was originally collected or subsequently authorized, without your prior written consent.
In compliance with the Data Privacy Principles, Aclarion commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the current EU-General Data Protection Regulation. European Union individuals with Data Privacy inquiries or complaints should first contact Aclarion at:
951 Mariners Island Blvd #300
San Mateo, CA 94404
Phone: (650) 241-1741
Collegium Auditores GmbH
Tel: (+49) 2241 9575935
Aclarion’s Representative in the European Union can be contacted at:
GDPR AV Services UG (limited liability)
48153 Münster, Germany
Tel: (+49) 251 93266180
Aclarion will respond to EU Data Subject inquiries without undue delay and in any event within less than 5 days of receipt of the request. That period may be extended where necessary, taking into account the complexity and number of the inquiries.
This Policy may be amended from time to time, consistent with the EU-GDPR and applicable data protection and data privacy laws and principles. Aclarion will make employees aware of changes to this Policy either by posting to our intranet, through email, or other means. Aclarion will notify Physicians if Aclarion makes changes that materially affect the way Personal Data that was previously collected is handled.
“Individual Patient” means an individual patient in the EU for whom a prescribing Physician intends to receive a NOCIGRAM-LS™ Report from Aclarion. This individual patient can also be considered a “Data Subject,” depending on the circumstance.
“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of Aclarion.
“Europe” or “European” or “EU” refers to a country in the European Union.
“Personal Data” as defined under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”, “GDPR”) means data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include data that is de-identified, anonymous, or publicly available.
“Physician” means the healthcare provider providing or prescribing treatment to the patient in the EU; this includes a member of that prescribing healthcare provider’s team who is authorized to obtain consent.
“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership. See also Art. 9 GDPR.
“Third Party” means any individual or entity that is neither Aclarion nor an Aclarion employee, agent, contractor, or representative.