01 Preamble and commitment
Immo Med Services SRL, operating the CIRCAE — Sleep & Lifestyle Medical Care centre, attaches fundamental importance to respect for privacy and to the protection of the personal data it processes in connection with its medical activities and its website.
The purpose of this policy is to inform you, in full transparency, about the nature of the data collected, the purposes of its processing, the legal bases relied upon and the rights available to you under the applicable legislation.
It is drawn up in strict compliance with :
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data ("GDPR") ;
- the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data ;
- the Act of 22 August 2002 on patients' rights ;
- the Code of Medical Ethics and Article 458 of the Criminal Code relating to professional secrecy.
02 Data controller
The controller of your data is :
Immo Med Services SRL — operator of CIRCAE
11 Clos Amanda Stassart — 1200 Woluwe-Saint-Lambert (Belgium)
Company number (BCE): 1010.035.462
VAT number: BE1010.035.462
Telephone: +32 470 12 43 12
General email: contact@circae.be
Dedicated data protection email: vanholsbeeck@circae.be
03 Data protection officer (DPO)
As a medical practice processing health data on a large scale within the meaning of Article 9 of the GDPR, we may be required to appoint a data protection officer under Article 37 of the GDPR.
Data protection officer:
Cécile Vanholsbeeck
Email: vanholsbeeck@circae.be
Telephone: +32 470 12 43 12
The DPO is your primary point of contact for any question relating to the processing of your data and the exercise of your rights.
04 Data that we process
We distinguish several categories of data according to the context in which they are collected :
4.1 Identification data
- Surname, first name, date of birth, gender
- National identification number (only where necessary for INAMI billing / third-party payer arrangements)
- Health insurance fund membership number
4.2 Contact data
- Postal address
- Telephone number, email address
- Person to be contacted in case of emergency (if provided)
4.3 Medical data — special category (Article 9 GDPR)
- Relevant personal and family medical history
- Symptoms, reasons for consultation, diagnoses, ongoing treatments
- Examination results (polygraphy, polysomnography, oximetry, VO2max, nutritional assessments, etc.)
- Prescriptions and therapeutic recommendations
- Correspondence with other healthcare professionals involved
- Any information entrusted in the course of the care pathway
4.4 Appointment data
- Date, time and nature of the appointment
- Reason, where provided, when booking the appointment
- Consultation history
4.5 Administrative and billing data
- Care certificates, amounts, payment methods
- Data necessary for reimbursement by health insurance funds and the INAMI
4.6 Technical and browsing data
- IP address, browser type, operating system
- Pages viewed, duration of visit, source of the visit
- Data collected via cookies and similar technologies (see section 12)
4.7 Data from the contact form
- Identity of the enquirer, contact details for a reply
- Content of the request and communication preferences
05 Purposes of processing
Your data is processed for the following strictly defined purposes :
- Medical care — organising consultations, examinations and treatments, multidisciplinary medical follow-up ;
- Administrative management — appointment booking, management of the patient file, consultation reminders ;
- Billing and third-party payment — issuing care certificates, transmission to the health insurance fund in connection with INAMI reimbursement ;
- Communication with other carers — correspondence with your general practitioner, specialists or physiotherapists, strictly limited to what is necessary for your follow-up ;
- Compliance with legal obligations — keeping the medical file, mandatory health declarations, responding to judicial requisitions ;
- Responding to your requests — handling requests sent via the contact form or by email ;
- Improving the site and our services — anonymised statistical analysis of audience and browsing ;
- Information system security — prevention of fraud, intrusions and security incidents.
No data is used for commercial prospecting, profiling or automated decisions producing legal effects.
06 Legal bases
In accordance with Articles 6 and 9 of the GDPR, the processing of your data is based on the following legal bases :
- Performance of a care contract (Article 6.1.b GDPR) — medical care arises from a contractual relationship between the patient and the centre ;
- Compliance with legal obligations (Article 6.1.c GDPR) — keeping the medical file (Act of 22 August 2002), accounting and tax obligations, health declarations ;
- Protection of vital interests (Article 6.1.d GDPR) — in the event of a medical emergency or danger ;
- Legitimate interest (Article 6.1.f GDPR) — improvement of the site, IT security, insofar as it is not disproportionate to your rights and freedoms ;
- Explicit consent (Article 9.2.a GDPR) — for the processing of certain health data outside the strict framework of care ;
- Preventive medicine, diagnosis and care (Article 9.2.h GDPR) — a specific basis for health data processed by professionals bound by professional secrecy.
07 Specific processing of health data
Health data constitutes a special category of data within the meaning of Article 9 of the GDPR. It benefits from enhanced protection and a strict legal framework.
Medical confidentiality
The medical data you entrust to us is covered by medical confidentiality, guaranteed by Article 458 of the Belgian Criminal Code as well as by the Code of Medical Ethics. Breach of this confidentiality is punishable by criminal and disciplinary sanctions.
Strictly limited access
Your health data is accessible only to :
- healthcare professionals of the centre involved in your care ;
- qualified assistants themselves bound by professional secrecy (medical secretariat, sleep technicians) ;
- other carers involved in your care pathway, with your consent or within the legal framework of care coordination.
No commercial use
No health data is used for commercial, advertising, profiling or resale purposes.
08 Recipients of the data
Your data is accessible to the following recipients, strictly limited to a need-to-know basis :
Within the centre
- CIRCAE medical and paramedical staff taking part in your care ;
- Authorised administrative staff (secretariat, patient support).
Outside the centre
- Other healthcare professionals involved in your follow-up (general practitioner, specialists, physiotherapists), with your consent or within the legal framework of care coordination ;
- Paying bodies (health insurance funds, INAMI) for the billing and reimbursement of care ;
- Technical processors bound by a processing agreement compliant with Article 28 GDPR — in particular :
  - website host : OVH SAS (Roubaix, France) ;
  - publisher of the patient records management software : Corilus ;
  - online appointment-booking platform : Doctoranytime ;
  - professional email provider : Microsoft 365 Professional ;
- Public authorities in cases strictly provided for by law (health authorities, judicial authorities upon requisition).
No data is transferred, sold, rented or exchanged for commercial purposes.
09 Retention periods
Your data is retained for the time necessary to fulfil the purposes described above, plus the applicable legal periods :
- Medical file — retained for 30 years from the last contact with the patient, in accordance with Article 35 of the Act of 22 August 2002 on patients' rights ;
- Accounting and billing data — 7 to 10 years, pursuant to Belgian tax and accounting obligations ;
- Data from the contact form — retained for the time necessary to handle the request, then archived or deleted within a reasonable period ;
- Data on missed appointments — deleted within a reasonable period after the scheduled date ;
- Technical data and cookies — see section 12 ;
- Requests to exercise GDPR rights — retained for 5 years for evidential purposes.
At the end of these periods, your data is either deleted or irreversibly anonymised for statistical purposes.
10 Data security
We implement appropriate technical and organisational measures to guarantee the confidentiality, integrity and availability of your data.
Technical measures
- Encryption of connections to the site (HTTPS / TLS) ;
- Strong authentication of staff accounts ;
- Logging of access to the medical file ;
- Regular and encrypted backups ;
- Antivirus, firewall and systematic updates ;
- Medical software compliant with the security standards of the healthcare sector.
Organisational measures
- Access policy strictly limited to a need-to-know basis ;
- Ongoing staff training in confidentiality and data protection ;
- Confidentiality undertaking signed by each member of staff ;
- Rigorous selection of processors and processing agreements compliant with Article 28 GDPR ;
- Internal incident management procedures.
Data breach
In the event of a data breach presenting a risk to your rights and freedoms, we notify the incident to the Data Protection Authority within 72 hours and inform you without undue delay if the risk is high, in accordance with Articles 33 and 34 of the GDPR.
11 Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights with regard to your data :
- Right of access (art. 15) — obtain confirmation that your data is being processed and receive a copy of it ;
- Right to rectification (art. 16) — correct any inaccurate or incomplete data ;
- Right to erasure (art. 17) — subject to legal retention obligations, in particular that of the medical file for 30 years ;
- Right to restriction of processing (art. 18) ;
- Right to portability (art. 20) — receive your data in a structured and commonly used format ;
- Right to object (art. 21), in particular to processing based on legitimate interest ;
- Right to withdraw your consent at any time, without affecting the lawfulness of processing carried out previously ;
- Right to set directives concerning the fate of your data after your death.
How to exercise your rights
Any request must be sent by email to vanholsbeeck@circae.be or by post to the registered office address, accompanied by a copy of an identity document in order to verify your identity.
We undertake to respond within one month, extendable by two months in the event of complexity or a high number of requests.
Complaint to the supervisory authority
If, after contacting us, you consider that your rights are not being respected, you may lodge a complaint with the competent authority :
Data Protection Authority (APD)
Rue de la Presse 35 — 1000 Brussels
Telephone: +32 2 274 48 00
Email: contact@apd-gba.be
12 Cookies and trackers
A cookie is a small file placed on your device when you visit a website. Depending on its nature, it serves to ensure the operation of the site, remember your preferences or measure audience.
Categories of cookies used
- Strictly necessary cookies (technical) — essential to the operation of the site (security, load balancing, display preferences). They do not require your consent ;
- Audience measurement cookies (analytical) — placed only after obtaining your explicit consent via the cookie management banner ;
- Third-party cookies — certain third-party tools (appointment-booking platform, possibly Google Analytics) may place their own cookies, subject to their own policy.
Managing your preferences
You may at any time :
- change your choices via the cookie management module accessible from the site ;
- configure your browser to block or delete cookies (consult your browser's help — Chrome, Firefox, Safari, Edge).
Retention period
The retention period of cookies on your device does not exceed 13 months, in accordance with the recommendations of the Data Protection Authority.
13 Transfers outside the European Union
Your data is, as a matter of principle, hosted and processed within the European Economic Area (EEA).
Where a transfer to a third country proves necessary (for example via a technical processor established outside the EEA), it is governed by the appropriate safeguards provided for in Articles 44 to 49 of the GDPR :
- an adequacy decision adopted by the European Commission ; or
- standard contractual clauses adopted by the European Commission ; or
- any other appropriate safeguard provided for by the GDPR.
No transfer outside the EU is carried out without a prior legal framework and without transparent information being given to the persons concerned.
14 Updates to the policy
This policy may be updated, in particular to reflect legislative, case-law, organisational or technological developments.
The applicable version is the one accessible online on the date of your consultation. Substantial changes are subject to adequate notice (for example, highlighting on the site).
We encourage you to consult this page regularly.
15 Contact
For any question relating to the processing of your data or to this policy :
Immo Med Services SRL — Data protection
11 Clos Amanda Stassart — 1200 Woluwe-Saint-Lambert (Belgium)
General email: contact@circae.be
Dedicated GDPR / DPO email: vanholsbeeck@circae.be
Telephone: +32 470 12 43 12