EU Privacy Statement
Think Research respects the privacy of our clients, business partners and employees. We recognise the need for appropriate protections and management of the personal data that you provide to us. As such, Think Research has established this Privacy Notice to assist you in understanding what information we collect and how that information is used. This Privacy Notice applies to Think Research (EU) Corporation, and its affiliates.
Compliance with the General Data Protection Regulation (GDPR) is of the utmost of importance to us, as we (the “processors”) process data on behalf of healthcare providers, (the “controllers”) that collect data as part of the services they provide. In matters where we collect data from you directly, we act as the controller for your data.
This Privacy Notice explains how personal data is processed for the healthcare products and services we provide to our clients, such as hospitals, family health clinics, long term care homes and other types of healthcare providers. This Notice also explains how data is processed through use of our website and our products and services.
We want to help you understand how your personal data is processed so that you may make informed decisions on your personal data.
This Privacy Notice covers:
- Who we are
- What is personal data? What personal data do we hold and how do we receive it?
- How do we use or disclose personal data — Lawful basis for processing
- How personal data is shared
- Data security
- Storage and transfer
- Data retention
- Your individual rights
- Changes to this Notice
- Contact Information for our EU representative and Data Protection Officer
Who We Are
For the purposes of this privacy notice, Think Research (EU) Corporation and its affiliates are referred to as Think Research. This privacy notice is issued on behalf of the Think Research and its affiliates, so when we mention “Think Research”, “us”, “we”, or “our”) in this privacy notice we are referring to the relevant company responsible for processing your data. Our parent company, Think Research Corporation is located in Toronto, Ontario, Canada and is responsible for many processing activities, acting as a sub-processor to Think Research (EU) Corporation.
Our registered office address is:
Think Research (EU) Corporation
7 Wilton Terrace Dublin 4, Ireland D02 KC57 01 488 5865
Think Research Corporation (Canada)
351 King Street East, #500, Toronto, Ontario, M5A 0L6
Our Irish company number is: 598172
Our Data Protection Officer is registered with the Irish Data Protection Commission
Our UK ICO registration is: ZA532575
What is personal data? What personal data do we hold and how do we receive it?
Personal data is any information relating to an identified or identifiable individual; this includes any information that could be used on its own or in combination with other pieces of information to identify a person. Personal data is not just a person’s name or email address, it can include information related to your location, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
Think Research may store personal data provided to us by our clients and business partners who use our products and services. Personal data may also be directly collected by you when you register and use certain products and services, and when you visit our website and request information.
As part use of our products and services, we store individuals’ personal health information, which may include treatments, symptoms, and healthcare provider notes. This information may come directly from you when you register and use specific products and services, to which we request your explicit consent. This information may also be obtained indirectly from your healthcare provider who is using our products and services, and it is the responsibility of your healthcare provider to obtain your consent.
We store and/or use the following categories of personal data:
Personal Identifier Details
To communicate with you and provide our products and services, you will be asked to provide basic contact information about yourself, such as name, email address, telephone number and physical address when registering with us. Individuals are responsible for the accuracy and completeness of the information they provide.
Some personal data is automatically collected (e.g. the type of web browser and operating system used by the website visitor) when you visit our website. Other personal data is not collected unless you choose to provide such personal data or indicate your consent to any cookies that our website may employ. On our website, you can request information, subscribe to marketing or support materials or apply for jobs at Think Research. The types of personal information you provide to us on these pages may include name, address, phone number, e-mail address, contact preferences, education and employment background and job interest data.
User Login Data
When creating a user profile with our products, you will be asked to provide your username and password, contact and demographic information about yourself, such as email address, gender, date of birth. This request is for identity purposes and to manage your individual user account.
As part use of our products and services, we store individuals’ personal health information, which may include treatments, symptoms, and healthcare provider notes. This information may come directly from you when you register and use specific products, to which we request your explicit consent. This information may also be obtained indirectly from your healthcare provider who is using our products and services, and it is the responsibility of your healthcare provider to obtain your consent.
We use financial information for payment purposes. However, we do not store credit card or debit card details.
When you visit our site, each time we may automatically collect the following information:
- Technical information, including the Internet protocol (IP) address, internet domain names, the web browser and operating system used to access the Think Research website, client support and to collect aggregate information for internal reporting purposes.
- Information about your visit to the site, including the full URL, any products you viewed or searched for, the files visited, the time spent in each file and the time and date of each visit.
Data processing is carried out in accordance with Art. 6 (1) point of GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to check the server log files subsequently, if there are any concrete indications of illegal use.
Human Resources Information
Think Research also collects personal data of its employees (human resources data) in connection with the administration of its Human Resources programs and functions. These programs and functions include compensation programs, performance appraisals, training, business travel, expense reimbursement, access to Think Research computer facilities and computer networks, employee profiles, internal employee directories, Human Resource record keeping and other employment related purposes. In addition, we may collect personal data that you provide us when applying for jobs at Think Research, such as name, address, phone number, e-mail address, contact preferences, education and employment background and job interest data. In these circumstances, we act as a controller.
How do we use or disclose personal data
Think Research is committed to protecting the privacy, confidentiality and security of all personal data that has been entrusted to us.
We do not use or disclose personal data except as may be necessary in the course of providing its product and service to its clients and business partners. When use or disclosure of personal data is necessary, it is used or disclosed strictly in accordance with the General Data Protection Regulation (GDPR), this includes:
- To perform or fulfil a contract we have with you
- If we have a legal obligation
- If it is within our legitimate interest
- If it necessary in order to protect the interests of an individual
- If there is a public interest reason for doing so
- If you have given your consent.
A legitimate interest is when there is a necessary business or commercial reason to use the data. However, it must not override an individual’s rights and freedoms. If we rely on our legitimate interest, we will specify this purpose.
|What we use personal data For||Lawful Basis For Processing||Legitimate Interest (Business or Commercial Purpose)|
|To provide our clients with a product or service, which may include:General communications and provide customer servicePersonalise your experienceImprove the ServicesAuditing Client InteractionsLegal, security and fraud complianceError reporting and bug detection||To deliver the contract we have with you (or at the client’s request, take necessary steps to entering into a contract with them)||N/A|
|To enable our clients in providing healthcare services to individuals in their care.||Where you may have provided explicit consent, your data may be shared with your healthcare provider for medical purposes. Where information has been obtained through your healthcare provider, the clients warrant and represent they have obtained any necessary consents, legal basis and/or approvals.||N/A|
|To communicate with potential and existing clients regarding occasional updates and marketing messages||With your consent (subject to your right to opt out at any time).||N/A|
|Proving and improving the quality of our products and services for our clients.||Based on our legitimate business interests, we analyse de-identified usage data, statistics and other aggregate and non-aggregate data to: troubleshoot errors, look for opportunities for internal quality development and internal product development purposes. This does not involve making decisions about you, it is only about improving products and services.Stringent privacy and security provisions apply all at time.||We review de-identified data to ensure we provide clients with the best possible service.|
|Analyse website use, improving the website services, stability and functionality of our website, and maintain website security||This is within our legitimate business interests to website functionality.||To improve website services and ensure we provide the best user experience for our visitors.|
|Email Marketing||With your consent (subject to your right to opt out at any time).||To communicate with you and to help us better understand your needs and interest.s|
|To consider candidates for employment opportunities||With your consent and our legitimate business interests (based on the information provided), we use the data to consider candidates for employment opportunities. For existing employees, it is with our legitimate business information to use personal data about our employees in connection with the administration of its Human Resources programs and functions and for the purposes of communicating with its employees.||We review the data to evaluate the qualifications of candidates, and to deliver our Human Resources programs and functions.|
|Payment for services/products (including invoicing)||To deliver the contract we have with you (or at the client’s request, take necessary steps to entering into a contract with them).||N/A|
|To de-identify and use de-identified personal data to generate depersonalised usage data, statistics and other aggregate and non-aggregate information.||To provide de-identified analytical reporting at the explicit instruction of the controller.||N/A|
Except as provided in this Notice, Think Research does not use or process your personal data for a purpose other in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by the individual, as required by law.
How personal data is shared
We take your privacy very seriously and only share information where:
- We need to for the purposes of providing you with the service or products you have requested (e.g., you are using our VirtualCare application to communicate with your healthcare provider).
- We may share your personal data with companies that we have contracted with to provide services on our behalf, including those who act as a data processor on our behalf and acting in accordance with Article 28 of GDPR (e.g., our Cloud Service Provider). These data processors are bound by strict privacy and security provisions.
- We have a legitimate reason for doing so (e.g., to manage risk or assess your suitability for services).
- We have asked you for your permission to share it for a specified purpose, and you have agreed.
- We may display or share aggregate and anonymised data that does not personally identify individuals, but will show general trends, such as the number of users of our products and services.
- Human Resources data may be shared with third party vendors for the exclusive purpose of enabling the vendor to provide service and/or support to us in connection with these Human Resource programs and functions. personal data is not shared with third parties for non-employment related purposes.
Third parties receiving personal data are expected to apply the same level of privacy protection as contained in this Privacy Notice.
Except for the examples described above, Think Research will not share personal data with any other third parties without your permission, unless required by, or in connection with, law enforcement action, subpoena or other litigation or applicable law.
We will not sell, trade or lease your personal data to others.
Think Research is committed to taking reasonable efforts to secure the personal data you choose to provide us. To protect the privacy of any personal data you have provided, we employ industry-standard controls including physical access controls, internet firewalls, intrusion detection and network monitoring.
Where you communicate with us via our site, we cannot guarantee or warrant the security of any information that you transmit, as is the nature of the internet, no data transmission over the internet can be guaranteed to be 100% secure. While we have implemented reasonable safeguards to prevent unauthorised use or disclosure of the information, we cannot guarantee the security of any information transmitted via our site.
Links to Non-Patient Websites and Third Parties
The Think Research website may provide links to third-party web sites for your convenience and information. If you access those links, you will leave the Think Research website.
Think Research does not control those sites or their privacy practices which may differ from Think Research policy. We do not endorse or make any representations about third party web sites. The personal data you choose to give to unrelated third parties is not covered by the Think Research Privacy Notice.
Storage and Transfer
Personal data given to us may be transferred or stored on secure servers outside of the UK and the European Economic Area (EEA), in particular Canada. It may also be processed by staff working outside of the UK and EEA, specifically within Canada. However, it is always in accordance with applicable data protection laws, including having stringent privacy and security safeguards and appropriate mechanisms in place to allow for lawful transfer of data across borders.
For our products and services that we provide to healthcare providers, we will retain personal data in accordance with our client’s data retention policy and will destroy or return personal data at the end of the provision of services, unless European Law or law of a Member State of the European Union requires the storage of personal data. After such time, data may be stored in an aggregated and anonymised format.
Where we have collected your personal data directly (e.g., via the website or use of our VirtualCare product) and not from your healthcare provider, it shall not be kept for longer than is necessary for that purpose or those purposes. You may notify us at any time should you choose to deactivate your account and have your personal data deleted.
Your Individual Rights
Under the data protection laws, you have specific rights and we work with you and your healthcare provider to honour this.
Personal data collected by healthcare provider
Where your healthcare provider has collected personal data from you, and has provided it to us as the result of the product or service with the appropriate consents (e.g., ProgressNotes, eForms, Care Pathways), we encourage you to contact your healthcare provider directly regarding your request. These may include requests related to:
- Access to information
- Rectification or corrections
- Restriction of processing
- Inquiries or complaints
We will provide the data custodian with all the information necessary to respond to your request(s) and work with them to assist them fulfill their obligations as controllers and address your rights under the law. This includes supporting healthcare providers in complying with their obligations under the national data opt-out service with the UK National Health Service (NHS).
Personal data collected by us
Consent and Choice
As indicated in this Notice, whenever we rely on your explicit consent to process your personal data, you have the right to opt-out and withdraw your consent at any time.
We do not require that you provide us with personal data. The decision to provide personal data is voluntary. If you do not wish to provide the personal data requested, however, you may not be able to proceed with the activity or receive the benefit for which the personal data is being requested.
Except as expressly stated otherwise in this Notice, you may opt out of having Think Research share personal data with third parties as described in this Privacy Notice by notifying us in writing of your desire to do so.
If we have obtained your personal data directly with your express consent, in addition to the right to withdraw your consent, you may:
- Ask us to restrict our processing of your personal data or object to our processing;
- Ask for your data to be provided on a portable basis;
- Request a copy of information we hold about you;
- Make an inquiry and/or complaint
In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at firstname.lastname@example.org and we will employ best efforts to deal with your request as soon as possible.
You may also contact the UK’s Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113.
Access to and accuracy of your information
Think Research strives to keep your personal data accurate. We have implemented technology, management processes and policies to maintain data accuracy. We will provide you with access to your information and the opportunity to change your information.
Any personal data you provide to us it is your responsibility to provide true, accurate, current and complete information about yourself, and notify us if there are any updates or changes to ensure it remains true, accurate, current and complete.
Think Research will engage in periodic self-assessment to verify that it continues to be in compliance with this Privacy Notice.
Changes to this Notice Think Research will review and update this Notice periodically.
How to Contact the Data Protection Officer and EU Representative For more information about the Think Research privacy practices or to raise a concern you have with our practices, contact us:
Chief Privacy Officer and Data Protection Officer 351 King St E #500, Toronto, ON, M5A 0L6 Tel: (416) 479-5428 email@example.com
EU Representative: Chris Collenette firstname.lastname@example.org