PRIVACY POLICY - Dr Data Consent by DrData

Data protection is our business! We'd like to inform you about how we handle your data, but without getting your brain in knots.

The aim of our policy is to explain to you, simply and in understandable terms, what is at stake when it comes to protecting your data.

This transparency is important for us, as it is for you, in order to create a sustainable and trustworthy ecosystem in this digital world.

Enjoy your reading!

Version 1.9 March 2025

Who is DrData?

Dr Data SAS (hereinafter referred to as “Dr Data”, “we” or “us”) is a simplified joint stock company with a share capital of €7,402.64, registered with the Paris Trade and Companies Register under number 838 152 122, with its registered office at 81 rue Réaumur, 75002 Paris.
We specialize in the protection and ethical enhancement of healthcare data.
We are doctors of health data!
We work with hospitals and digital health companies on a daily basis to ensure that your data is protected and that healthcare players apply the regulations (GDPR and all that goes with it!).
We operate worldwide.

Why a privacy policy?

The purpose of this data protection policy is to inform you of the means we have put in place to guarantee the security of your personal data when you use Dr Data Consent, provided by Dr Data, on the www.drdata-consent.com website or the “Dr Data Consent” Applications available on smartphones and tablets.
This Policy is an integral part of the General Conditions of Use of Dr Data Consent.
It may be revised when new features of the Solution or new activities are added, when personal data processing methods are modified, or when laws and regulations evolve affecting Dr Data's activity, Services and Solution.
In the event of a revision to this Policy, we undertake to publish the changes on the Solution and to update the publication date of the Policy in order to keep you up to date with the changes made.
Any revised Policy will apply both to personal data already being processed at the time of the changes, and to any other personal data collected and processed after the revised Policy comes into force.
For your convenience, a version number of this Policy has been defined, including the month and year of its last revision.
We encourage you to check this Policy regularly for any changes!

A few definitions to get you started!

“Loi informatique et libertés”: Law no. 78-17 of January 6, 1978 relating to information technology, files and freedoms, amended by Law no. 2018-493 of June 20, 2018 relating to the protection of personal data.

“Regulation” or “GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and repealing Directive 95/46/EC.

“Solution”: refers to the Dr Data Consent solution for managing patient information, consent and opposition in the context of healthcare and research, particularly for data studies, data warehouses and clinical trials (“Consent” Module). Similarly, Dr Data Consent can be used by your healthcare professionals as a secure file-sharing space (“Wallet” Module).

“Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing of personal data; where the purposes and means of such processing are determined by Union law or by the law of a Member State, the controller or the specific criteria applicable to its designation may be provided for by Union law or by the law of a Member State.

“Processor” means the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller.

“User” or “Data Subject” or “You” means any visitor to the Solution whose personal data is processed. This may include patients and professional users.

“Personal data” means any information relating to an identified or identifiable natural person; an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Client Organization” means the legal person, entity, public authority or other organization with whom a Dr Data Consent license agreement has been concluded.

What's the point of blockchain?

Blockchain is an innovative technology for managing and storing data in a secure, decentralized way. It takes the form of a distributed register that records all transactions carried out on a network.
We do not store your personal data on the blockchain, but only evidence of consents and objections without disclosing your direct identity.
This technology, patented in our solution, makes your decisions and actions unforgeable. We wanted to build a solution that can't lie.
So, with Dr Data Consent and its blockchain technology, we guarantee that your personal data is safe from unwarranted consultation, modification and deletion, and that it is only accessible to the relevant players!

Information on personal data processed by DrData

In the context of its activities, DrData processes personal data relating to the data subject in compliance with the provisions of the GDPR and the French Data Protection Act, in particular with regard to lawfulness, transparency and fairness.

Origin and collection of personal data

All data concerning you is collected directly from you, with the exception of:

  • Information sent by a client organization to DrData's support teams to create and activate its employees' accounts;

  • Information processed by DrData as data controller.

DrData undertakes to inform all data subjects registered on the Solution of the methods used to process their personal data and of their rights.

What data processing does DrData carry out?

Depending on the purpose, DrData may act as a data controller or subcontractor.

A. DrData as data controller

DrData acts as data controller in the context of the creation and management of the User's account, functional analysis, technical security of the Service and its improvement, support, management of the Blockchain and training of Users.

1. Purposes of processing personal data as Data Controller

The personal data collected is used within the framework of the services provided by DrData through our Solution.
We process your data mainly to provide you with our Services through the modules of DrData Consent, to which you have access, and to guarantee the technical security of the Solution.

Specifically, we process your data to:

  • Enable you to navigate securely on the Solution;

  • Enable you to manage your account;

  • Give you access to the Solution modules;

  • Train you to use the Solution;

  • Enable you to exchange information with identified members of your teams for professional users;

  • Give you access to technical product updates;

  • Enable the client organization to manage access rights and authorizations to information, files or data stored on the Solution;

  • Enable DrData to guarantee the integrity and security of the data processed in the context of the use of the Solution.

We also process your personal data in order to provide you with the necessary support (only according to your requests) and in order to communicate about developments in our products and offers which are in our legitimate interest.
When we send these communications, we undertake to inform you of your rights regarding the protection of your personal data and we guarantee that you will be able to choose not to receive them, provided that this does not prevent you from using the Solution.

2. Legal basis for data processing

The legal basis for the processing of personal data is:

  • The General Terms of Use and the Data Protection Policy accepted by Users when they register on the Solution;

  • Dr Data's legitimate interest in informing data subjects of news about its services, ensuring better use of its services and improving the operation of its Solution and services and managing the Blockchain;

  • Dr Data's legitimate interest in carrying out optional satisfaction surveys on its services in order to improve them.

3. Categories of persons concerned:

  • Patients contacted by the Client Organization via the Solution;

  • Healthcare professionals who are members of the Client Organization;

  • Authorized user personnel who are members of the Client Organization;

  • Client Organization account administrator.

4. Personal data processed:

We undertake to collect and process only the personal data that is strictly necessary for the purposes of the processing and the purposes determined, in compliance with the principle of data minimization.
The personal data collected as part of the management of user accounts, monitoring and functional analysis, technical security of the Service and its improvement, support, management of the Blockchain and training of Users are:

  • Last name (used and birth), first name;

  • Date of birth, gender (for patients);

  • Email address;

  • Phone number;

  • Login and password (encrypted);

  • If connected via e-CPS (ProSanté Connect) for healthcare professionals: Profession, title and specialty of practice, postal address of practice, RPPS number, cryptographic authentication data from the CPS;

  • User profile and rights;

  • IP address;

  • Blockchain identifier and technical logs;

  • Any data provided or authorized for processing by users, including health data in the administration of features, support, and their consent store (in the case of patients).

Dr Data may conduct satisfaction surveys: only the User's email address, first name and surname are processed.
Dr Data may carry out communication campaigns: only the user's email address, telephone number and postal address are processed.

B. DrData as a subcontractor

When using Dr Data Consent, Users process personal data by collecting and exchanging information, files and data.
Users assume full responsibility for formalities prior to processing operations carried out on the Solution.

1. Purpose of personal data processing as a Subcontractor

We process Users' personal data as a subcontractor of the Client Organization in connection with the provision of our Patient Information Management Solution and the collection of their consent/opposition and non-opposition.
We undertake to process personal data solely for the purposes specified by the client organization.

2. Legal basis for data processing

The legal basis for the processing of personal data is:

  • The contract concluded with a client organization, which includes a data processing agreement;

  • The General Conditions of Use and the Data Protection Policy accepted by Users when they register on the Solution, expressing their consent to the processing of their personal data in the context of the creation and management of their account and consent store;

  • The legal obligation and/or legitimate interest of the Client Organization to contact patients to inform them of their rights and enable them to exercise them.

3. Categories of persons concerned:

  • Healthcare Professional Users / User personnel authorized by the Data Controller;

  • Patient Users.

4. Personal data processed:

For Healthcare Professional Users / User personnel authorized by the Data Controller:

  • Last name, First name;

  • Position, title, specialty;

  • User profile and rights;

  • Email address, phone number;

  • Login and password (encrypted);

  • If connected via e-CPS (ProSanté Connect) for healthcare professionals: Profession, title and specialty of practice, postal address of practice, RPPS number, cryptographic authentication data from the CPS;

  • IP address;

  • Blockchain identifier and technical logs.

For Patient Users:

  • Last name (used and birth), First name;

  • Date of birth (day, month and year of birth);

  • Place of birth (via France Connect);

  • Gender;

  • National health identifier (if required and provided by the client organization);

  • Research inclusion number (if required and communicated by the client organization);

  • Email address;

  • Phone number;

  • Postal address;

  • Identity and contact details of legal representatives (for minors and those under guardianship);

  • Name of the study / name of the medical procedure requiring his/her information, opposition or consent;

  • Answers to informed consent/information questions;

  • Scoring of informed consent/information;

  • Deceased or not (if enabled);

  • If videoconferencing is used: timestamp and duration;

  • Login and password (encrypted);

  • IP address;

  • Blockchain identifier and technical logs;

  • Identity document (for identity verification in clinical trials);

  • Electronic signature.

How is my personal data protected?

A. Certified healthcare data hosting in France

All personal data processed by the Solution are hosted in France by a certified health data host in accordance with the requirements of French regulations:
Host name: Claranet
Postal address of host: 2 rue Breguet, 75011 Paris
Link to the hosting provider's compliance documents: https://www.claranet.com/fr/assets/2024-12-4205136-certificat-hds-12-12-2024_0.pdf

B. Retention period of Users' personal data processed by DrData

We will only keep your personal data for as long as is necessary for the purposes for which it was collected and in compliance with current regulations.
Personal data processed as part of the use of Dr Data Consent is kept for 5 years from the date of the last activity on the User account.
Data associated with the sending of information and requests for consent are kept for up to 15 years from the date of sending, for evidentiary purposes.
In the case of research involving the human person (RIHP), in accordance with current legislation, consent data is kept for at least 15 years after the end of the biomedical research.

C. Technical and organizational safety measures

We are committed to protecting the personal data processed via our services and our Solution.
We implement technical and organizational security measures to create an environment that preserves the quality, security, confidentiality and integrity of personal data processed.
We also use reasonable technologies to secure the processing of personal data processed for the purposes described in this policy, including:

  • Certified health data hosting;

  • SSL (Secure Sockets Layer) encryption;

  • Physical protection of premises, authentication procedures with nominative and secure access, policy of confidential identifiers and passwords, traceability and logging of connections, encryption of personal data;

  • Regular evaluation and improvement of our information technology systems, facilities and personal data collection, storage and processing practices.

However, we cannot ensure or warrant against all risks with respect to the security of such personal data. We do not guarantee that this data cannot be consulted, disclosed, modified or destroyed in the event of a breach of one of our guarantees, in the event of a breach or negligence on your part (if you share your login details, for example) or in the event of the failure of our data hosting provider.

I have a question, a complaint or I want to exercise my rights

You have rights when it comes to protecting your personal data, and we are committed to guaranteeing them!
In accordance with the French Data Protection Act of January 6, 1978, as amended, and the European Regulation on the protection of personal data of April 27, 2016, except where restricted, your data rights are as follows:

  • Right of access: the right to be informed and to request access to the personal data that DrData processes;

  • Right of rectification: the right to ask for personal data to be amended or updated if it is inaccurate or incomplete;

  • Right to erasure (right to be forgotten): the right to request the permanent deletion of personal data processed for the purposes described in this policy, in compliance with our legal data retention obligations;

  • Right to restrict processing: the right to request that the processing of all or part of personal data be temporarily or permanently discontinued;

  • Right to object: the right to refuse the processing of personal data at any time, in compliance with our legal obligations;

  • Right to data portability: the right to request a copy of personal data in electronic format and the right to transmit this personal data for use by a third-party service;

  • Right not to be subjected to automated decision-making: the right not to be subjected to a decision based solely on automated decision-making, including profiling, where the decision would have a legal effect on you or produce a similar significant effect.

You can also inform us of your wish to define the fate of your personal data after your death.
In such cases, we undertake to comply with the terms and conditions governing the processing of personal data within the limits of applicable legal obligations.
In the absence of specific instructions from you, we undertake to destroy the personal data concerned, unless its retention is necessary for evidentiary purposes or to meet a legal obligation.

Who else but DrData can access my personal data?

First of all, we don't sell your data, and we never will! Your personal data will not be passed on to commercial or advertising entities.
Your personal data may only be accessed for the purposes set out above, and the main people likely to have access to your data are our own employees and only those service providers we have authorized, in order to provide you with our services.
DrData may choose to share or transfer the personal information of its Users as described below:

  • DrData may share the data subject's personal data with third-party service providers and subcontractors in order to: provide the services offered on the Solution, perform quality assurance tests, provide technical support, and/or provide other services (emailing, audience analysis) to Dr Data.

Dr Data undertakes to require from its subcontractors a sufficient level of security with regard to the processing of personal data that the latter carry out on its behalf. If these third-party service providers use servers outside the European Union, Dr Data concludes specific contracts with them and binding contractual clauses established by the European Commission to govern and secure the transfer of such personal data to these service providers. In such cases, all third parties undertake to approve and strictly apply this Policy. This obligation is set out in the contracts binding these third parties to Dr Data in accordance with the rules governing the protection of personal data.

  • Dr Data may disclose the data subject's personal data (a) to comply with a legal obligation, court order or legal process served on Dr Data, (b) as part of a legal investigation, (c) to protect or defend the rights or property of Dr Data or Users of the Solution, and/or (d) to investigate or help prevent any potential violation of the law, this Policy or our Terms and Conditions of Use;

  • Dr Data may share all or part of the data subject's personal data in connection with any merger, financing, acquisition or dissolution transaction or any proceeding involving the sale, transfer, assignment or disclosure of all or part of our business or assets. In the event of insolvency, bankruptcy or receivership, personal information may also be transferred as a business asset. If another company acquires Dr Data or its assets, that company will own the personal information collected by Dr Data and will assume the rights and obligations with respect to your personal information as described in this Policy;

  • Dr Data may share all or part of the data subject's personal data with subsidiary companies, joint ventures or other companies under common control (“Affiliates”), from whom Dr Data will require compliance with this Policy. Such personal data may only be processed for the purposes described in this Policy.

Do you like cookies? We prefer chocolate fondants!

A “cookie” (hereinafter “Cookies”) is a small data file sent to your browser and stored on your terminal (e.g. computer, smartphone). This file includes information such as your domain name, your Internet service provider, your operating system, and the date and time of access. Cookies do not damage your computer!
Rest assured, we really do prefer chocolate fondants!

Can you refuse cookies?

Of course you can! When you visit Dr Data Consent for the first time, a banner will appear asking you to give your permission for cookies to be deposited. Simply refuse, and cookies (other than those required for site operation) will not be deposited. If you accept, your consent will be valid for 13 months from the date of registration.
On Dr Data Consent, there are six cookies necessary for its proper functioning:

Cookie name | Purpose | Lifetime
__Host-next-auth.csrf-token | Ensure the security of visitors' browsing by preventing the falsification of requests between sites. | Until the end of the session
__Secure-next-auth.callback-url | Detect spam and improve site security | Until the end of the session
CookieConsent | Store the user's permission to use cookies for the current domain | 1 year
mtm_consent | Determine whether the user has accepted the cookie consent box | 399 days
nextauth.message | Maintain user settings through page requests | Persistent
pusherTransportTLS | Synchronize website and content management system | Persistent

On Dr Data Consent, there are also two statistical cookies that help us understand how visitors interact with our Solution.
You are free to decide whether or not to accept these statistical cookies. If you agree, the following data will be collected and processed:

  • your partially anonymized IP address, with the last components removed so as not to identify you and therefore not to collect any geographical information;

  • date and time of request;

  • the title and URL of the web page consulted and the one consulted before;

  • the time in the user's time zone;

  • files clicked and downloaded;

  • links to external domains that have been clicked (outlink);

  • web page generation time;

  • information about your browsing device (type of device, screen resolution, operating system, web browser and main browser language).

Cookie name | Purpose | Lifetime
_pk_id# | Gather site traffic statistics (number of visits, average time spent, pages consulted) | 1 year
_pk_ses# | Track visitor page requests during the session | 1 day

In order to measure traffic and performance on Dr Data Consent and generate statistics, we use an audience measurement tool that respects your personal data and your rights, Matomo, a tool recommended by the CNIL, for which you can consult the confidentiality policy here.

Support and contact

If you have any questions or complaints about this Policy or our personal data collection or processing practices, if you wish to exercise your rights, or if you wish to report any security breach, please contact us using the following contact details:

In the event of a complaint, you may choose to refer the matter to the French supervisory authority responsible for compliance with personal data protection rules, the National Commission for Computing and Liberties (CNIL):