This notice applies to all use of the Vitacam smartphone app (‘the app’).
Personal data submitted through the use of the app is processed by NE Device SW (‘the company’) as the ‘data processor’, on behalf of a health or social care provider who is the ‘data controller.’
The company complies with General Data Protection Regulation 2016/679.
The regulations for processing personal data for health or social care apply:
GDPR 2017 Article 6 1E
The lawful basis we rely on to process this personal data is article 6(1)(e) of the GDPR, which allows the processing of personal data when necessary to perform a duty of care.
GDPR 2017 Article 9 Paragraph 2H
To lawfully process special category data, it is necessary to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. This covers the provision of health or social care or treatment. In addition, the company complies with regulations on privacy and data protection in the national jurisdiction applying to the data controller.
The intended purpose of Vitacam is to measure and monitor the vital signs, including respiratory rate and heart rate, of a single patient/client or group of patients, by analyzing on a cloud server a video feed obtained from a mobile camera. The software is intended for healthcare professionals and professional carers as a measuring and monitoring tool that provides inputs for clinical decision making.
Within the scope of using the Vitacam app for its intended purpose, personal data is collected, processed, and stored permanently or temporarily as follows:
Log-in events are recorded on the server when the user logs in on the app. Log-in credentials are never stored on the app.
A user can only log in to view and measure residents/clients that are authorised by the data controller. A new user cannot register on the app but must be added by an admin.
A list of residents/clients that the user is authorised to view and measure is stored on the server and not available on the app without a data connection. With a data connection, it is temporarily stored on the app. The list of residents/clients cannot be modified in the app by any user.
The user can record a video of residents/clients on the app. This recording is temporarily stored on the app until it has been uploaded to the server or until over 30 minutes have passed since recording, in which case it is deleted from the app.
The video is processed on a server instance, approved by the data controller, in accordance with both national and European data protection regulations. It is deleted programmatically immediately upon processing and cannot be viewed by any human.
The user may manually record measurements from other measuring devices into the app. These measurements are stored temporarily in the app, until 24 hours have passed since they were sent to the server or until the app is launched again.
The measurements are stored on a server and deleted according to the data controller’s policy.
The server returns a National Early Warning Score (NEWS) to the smartphone app. The last score is visible in the app, if the user is logged in. The NEWS score is used to group residents/clients into risk groups.
The following data or data categories are collected:
username, first name, last name, id, e-mail address (permanent as defined by data controller)
first name, last name, health id, gender, age or date of birth (permanent as defined by data controller)
Resident/client biometric data
- Date & time of video recording, physiological measurements and date & time, NEWS score (permanent as defined by data controller)
- Videos (temporary – deleted once uploaded to the server, or, if upload has not been possible, after 30 mins whenever the app is launched)
We promise to follow the following data protection principles:
Processing is lawful, fair and transparent. Our Processing activities have lawful grounds. We always consider your rights before Processing Personal Data. We will provide you information regarding Processing upon request.
Processing is limited to the intended purpose. Our Processing activities fit the purpose for which Personal Data was gathered.
Processing is done with minimal data. We only gather and Process the minimal amount of Personal Data required for any purpose.
Processing is limited to a time period. We will not store your personal data for longer than needed.
We will do our best to ensure the accuracy of data.
We will do our best to ensure the integrity and confidentiality of data.
Both users and residents/clients are considered Data Subjects with the following lawful rights:
Right to information
You have the right to know whether your Personal Data is being processed; what data is gathered, from where it is obtained and why and by whom it is processed.
Right to access
You have the right to access the data collected from/about you. This includes your right to request and obtain a copy of your Personal Data gathered (a “Subject Access Request”). If you would like to know more, please contact our DPO using the details above.
Right to rectification
You have the right to request rectification or erasure of your Personal Data that is inaccurate or incomplete.
Right to erasure
In certain circumstances* you can request for your Personal Data to be erased from our records.
Right to restrict processing
Where certain conditions apply*, you have the right to restrict the Processing of your Personal Data.
Right to object to processing
In certain cases* you have the right to object to Processing of your Personal Data.
Right to object to automated Processing
You have the right to object to automated Processing, including profiling; and not to be subject to a decision based solely on automated Processing. This right you can exercise whenever there is an outcome of the profiling that produces legal effects concerning or significantly affecting you.
Right to data portability
You have the right to obtain your Personal Data in a machine-readable format or if it is feasible, as a direct transfer from one Processor to another.
Right to lodge a complaint
In the event that we refuse your request under the Rights of Access, we will provide you with a reason as to why. If you are not satisfied with the way your request has been handled, please contact us.
Right to the help of a supervisory authority
You have the right to the help of a supervisory authority and the right to other legal remedies such as claiming damages.
Right to withdraw consent
You have the right to withdraw any given consent for Processing of your Personal Data.
*If the right to erase, restrict or object to processing is in conflict with your local legislation in relation to e.g. healthcare and patient record data holding, then legislation will be followed and you will be informed of the outcome.
To exercise your rights, or to get in touch, contact our Data Protection Officer, Mr Miikka Kirveskoski.
If you have any questions or comments on our data protection policy, please contact us at: firstname.lastname@example.org
NE Device SW Oy
VAT no. FI26513007
Moyeen Ahmad (CEO)
Revision 1.0 – 26th of April 2022