VERSION 2.0
PUBLISHED ON 29 September 2022
Privacy Notice
OBJECTIVE OF THIS PRIVACY NOTICE
This Privacy Notice of Abu Dhabi Health Data Services - Sole Proprietorship LLC (“ADHDS”, “we”, “us”, or “our”):
- governs the Processing of Personal Data that we collect from you (see sections 3.1 – 3.3) and your Protected Health Information (see section 3.4) that we receive from third party sources (together, “Personal Information”).
- explains how and why we collect, use, and disclose your Personal Information; and
- informs you of your rights under Applicable Laws in relation to your Personal Information.
It is important that you read this Privacy Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or Processing Personal Information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection laws.
CONTROLLER’S CONTACT DETAILS
ADHDS on several occasions where they collect data directly from you are the controller for such Personal Data we Process, however for other data provided to us by third parties we simply act as a Data Processor. We encourage use of our privacy email for all the communication, however as an alternate channel the address here will be our contact details:
Abu Dhabi Health Data Services – SP LLC
Level 10 – Mubadala Tower, Muroor Road,
P.O Box 52323, Abu Dhabi, UAE
E-mail: privacyoffice@Malaffi.ae
1 ABOUT US
ADHDS is the region’s first Health Information Exchange platform, that safely and securely connects public and private healthcare providers in the Emirate of Abu Dhabi. ADHDS enables the meaningful, real-time exchange of important patient health information between the healthcare providers, creating a centralized database of unified patient records, improving healthcare quality and patient outcomes (the “HIE”).
Management of Malaffi (ADHDS) is committed to preserve data privacy and the security of digital health information. Privacy is among our top priorities at ADHDS.
2 INTERPRETATION OF THE TERMS USED
Throughout this Privacy Notice, the following definitions shall apply:
| Term |
Definition |
| Applicable Law |
means all applicable laws and other relevant statutory, governmental, or quasi-governmental requirements as may be applicable on ADHDS from time to time.
For the purposes of this Privacy Notice, Applicable Laws shall include, but in no way be limited to, the DOH Standard on Patient Healthcare Data Privacy, UAE Federal Law No. (2) of 2019 (Health Data Law) and UAE Federal Law (45) of 2021 (Data Protection Law). |
| Consent or Consented |
means, in the context of a Data Subject, any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of personal/ sensitive personal data relating to him or her. |
| Data Processor |
means an entity (including, an individual human being) that processes Personal Information on behalf of ADHDS and subjected to strict contractual obligations and supervision where they are restricted from determining or changing the original purpose and means of Processing. |
| Data Protection Officer (DPO) |
means a representative of ADHDS (e.g. an employee) who will be designated as the single point of contact for all matters relating to data protection and privacy at ADHDS. He or she, either alone or jointly with other persons, will determine the control objectives for establishment and governance of data privacy to protect the fundamental rights of privacy afforded to each Data Subject under the Applicable Laws. |
| Data Subject |
means a living and natural person (individual) who is the subject of Personal Information; the person about whom Personal Data relates. |
| DOH |
means the Abu Dhabi Department of Health (DOH). |
| Personal Information |
shall mean Personal Data and Protected Health Information (PHI) together. |
| Personal Data |
means any identifiable information relating to an identified or identifiable person (Data Subject). Information which may lead to the identification of a person, either from such data or in conjunction with additional information, shall be considered as Personal Data. For the purposes of this Privacy Notice, Personal Data shall be considered to exclude Protected Health Information. |
| Process, Processing or Processed |
means any operation, whether manual or automated, performed on Personal Information, including but not limited to collecting, viewing, recording, organizing, storing, adopting, altering, retrieving, consulting, using, disclosing, transmitting, disseminating, making available, aligning, combining, blocking, erasing, or destroying. |
| Protected Health Information (PHI) |
means any past, present, or future physical or mental health or condition of a patient; the provision of health care to a patient; or the past, present, or future payment for the provision of health care to a patient. |
| Service Provider |
means any subcontractor, vendor, or other entity with whom we have an ongoing business relationship to provide products, services, or information. |
3 INFORMATION WE COLLECT ONLINE
3.1 When do we collect Personal Data?
We collect Personal Data from you in a variety of ways when you interact with our website, portals, and application (“Platforms”). For example, when you:
- Visit or create an account on any of our Platforms (via cookies and website analytics).
- Request customer service or contact us.
- Have given a third-party permission to share with us the information they hold about you.
- Participate in a promotion, or survey.
- Subscribe to our newsletter/updates
- Action or respond to a Platform push notification; and
- Otherwise submit Personal Data to us along with any related content of the communication.
3.2 What sort of Personal Data do we collect?
We may collect and Process the following Personal Data:
Information you give us:
- Contact details such as your Name, Email Address, Mailing/Delivery Address, Contact Telephone Numbers, Direct Identifiers (e.g., passport information or Emirates ID number).
- Demographic information such as your Age, Gender, Nationality, Interests, and Preferences.
- Credentials such as your passwords, password hints, and similar security information used for authentication and Account access.
- Your Social Media Username, if you interact with us through those channels.
- Web form information you provide in our web forms (forms that you choose to complete will indicate whether the information requested is mandatory or voluntary); and
- Feedback and rating information you provide to us such as customer survey feedback and product reviews you write.
3.3 Information we collect about you online:
About each of your visits to our Platforms, we may automatically collect the following information:
- Account history information related to our Platforms, and the activities associated with your account.
- Cookie and tracking information such as IP address, Device Identifier, Location Data, Browser Type and Language, Access Times, the Uniform Resource Locator (URL), other unique identifiers, and other technical data that may uniquely identify your device, system, or browser.
- Browse history information about the online pages you visit.
- Error reports and performance information of our Platforms and any problems you experience, including error reports; and
- Troubleshooting and help information when you contact us (including for customer support services, phone conversations, or chat sessions with our representatives which may be monitored and recorded).
3.4 Information we receive from other sources:
We may obtain Personal Information about you (including your Protected Health Information) from third party sources such as Healthcare Facilities (via the Abu Dhabi Health Information Exchange) and from other third parties who have your Consent (or are permitted by Applicable Law) to pass your details on to us.
As required by Applicable Law, Healthcare Facilities that have, or are currently providing you with, clinical care may share your Personal Information (including your Protected Health Information) with us and other Healthcare Facilities (via the Abu Dhabi Health Information Exchange) for the purpose of enabling such other Healthcare Facilities in the Emirate of Abu Dhabi and elsewhere (including the relevant Healthcare Professionals and other authorised users of such Healthcare Facilities) to provide you with clinical care.
Examples of the Personal Information we may receive from Healthcare Facilities include:
- Contact details such as your Name, Email Address, Mailing/Delivery Address, Contact Telephone Numbers, Direct Identifiers (e.g., passport information or Emirates ID number);
- Demographic information such as your Age, Gender, Nationality.
- “Protected Health Information”; this may include:
-
- information that relates to your past, present, or future physical or mental health or condition.
- information relating to provision of healthcare to you by a Healthcare Facility or a Healthcare Professional.
- information relating to past, present, or future payment by you for provision of healthcare by a Healthcare Facility or a Healthcare Professional.
- your medical reports / records (whether in electronic or paper format); and
- information relating to any donation made by you, or to you, of any body part or any bodily substance.
4 PURPOSES
4.1 How we use Personal Data?
We may use your Personal Data, if permitted or required by Applicable Law to:
- Deliver and maintain our HIE & Platforms, and support or carry out requests you have made.
- Establish and maintain your account.
- Facilitate your use of our Platforms, including any future features such as blogs.
- Offer Live Chat assistance to respond to your online inquiries.
- Provide account related services and information.
- Help you with customer service issues or questions.
- Authenticate you.
- Help us improve and personalize our Platforms.
- Detect and prevent fraud and other prohibited or illegal activities
- Enforce our Platforms’ terms of use.
- Manage and protect our Platforms and other users of our Platforms
- Provide you with marketing and promotional communications, and deliver targeted and relevant promotional content, which includes better predicting content that may interest you, including through post or electronic communications, such as SMS and email; and
- Respond to requests by government or law enforcement authorities investigating.
4.2 How we use Protected Health information (PHI)?
We may use your Protected Health Information (PHI), if permitted or required by Applicable Law:
- To operate the HIE between healthcare facilities connected to the HIE.
- To comply with a request of the DOH or a competent judicial authority.
5 LEGAL BASIS OF PROCESSING
Our legal basis for collecting and using your Personal Information as described in this Privacy Notice will depend on the Personal Information concerned and the specific context in which we collect it. In general, we collect and Process your Personal Information on one or more of the following bases:
- Your Consent, for example where we have obtained your Consent to Process your Personal Data for certain activities. You are free to withdraw your Consent at any time by contacting DSAR@malaffi.ae If you withdraw your Consent, it will not affect the lawfulness of any Processing based on your Consent before you withdrew it. Where applicable, we may ask for your Consent to Processing at the point where you provide your Personal Information.
- For example, you may have Consented for us to and our Service Providers to Process your Personal Information under the relevant Platform terms of use for the proper administration and operation of the Platform.
- To comply with a contractual obligation (for example, sending a notice to your email address as required under out Platform terms of use). We will advise you upon collection whether the provision of your Personal Information is mandatory and of the possible consequences if you do not provide us with your information.
- As permitted by, or to comply with, Applicable Laws, an order of the courts or the instructions of any governmental or regulatory authority in the UAE.
- For example, we may use and share your Protected Health Information for health purposes, and for non-health purposes (only in the following scenarios):
- For scientific and clinical research purposes (de-identified data only);
- For purposes of preventive and curative measures related to public health, or to maintain your health and safety or any other person that has been in contact with you.
- At the request of judicial authorities of UAE (only).
- At your written request if you are not a resident of the Emirate of Abu Dhabi and you have received or will be receiving non-emergency medical services as a medical tourist in a healthcare facility licenced by the DOH.
- At the request of health authorities for the purposes of inspection, supervision, and protection of public health; and
- Health information exchange between Healthcare Facilities that are participating in the Abu Dhabi Health Information Exchange program.
6 SHARING YOUR PERSONAL INFORMATION
We may share your Personal Information:
- With our affiliates or Service Providers for the purposes described in this Privacy Notice, including (without limitation) to action your service requests, or to make our services (or that of our affiliates) more responsive to your needs. Our affiliates and/or Service Providers may contact you with information about our Platforms, services or offers. We will only share your Personal Data with affiliates and Service Providers who agree to protect your Personal Information and use it solely for the purposes specified by us.
- With participants in our marketing chain, for the limited purposes of marketing the Platform and the services offered through it.
- With our professional Service Providers (such as legal, audit, finance, and insurance advisors) for the purpose of running our operations.
- If the whole or a part of our entity (i.e., Abu Dhabi Health Data Services - Sole Proprietorship LLC) is sold or merges with another company or entity.
- Governmental authorities in connection with law enforcement, fraud prevention, legal action, or as otherwise required by Applicable Law; and
- If we reasonably believe it is necessary to protect our operations, other users, or the public.
7 COLLECTION AND USE OF CHILDREN’S PERSONAL INFORMATION
We take children’s privacy seriously. We do not knowingly collect Personal Information from children through our Platforms. If you are a child, you are not authorized to use our Platforms and we request that you do not submit any Personal Information through our Platforms without the express Consent and participation of a parent or guardian.
8 RIGHTS OF DATA SUBJECT
8.1 Please note that these rights are not absolute and in certain cases are subjected to conditions as specified in Applicable Law:
- Access and Review: you have the right to request information about how we Process your Personal Information and request to obtain a copy of that Personal Information (in a commonly used electronic format or in any other reasonable format requested by you).
- Correction and Deletion: you have the right to request that inaccurate Personal Information (other than Protected Health Information) about you be corrected, completed, or deleted. If you believe there is any error or correction required to any data regarding you that has been provided by a third party (for example a Healthcare Facility), please contact the relevant Healthcare Facility who collected such records to Process a change or update.
- Selective Disclosure: If you wish for your Protected Health Information be disclosed only to Healthcare Facilities specified by you, please contact the relevant Healthcare Facility who collected such records to action your request.
8.2 In addition to the above, you have the right to withdraw at any time your Consent to the Processing of your Personal Data that is collected by us. Such withdrawal of Consent does not affect the lawfulness of the Processing prior to the time of such withdrawal.
If you have any questions about the type of Personal Information, we hold about you or if you wish to request correction of Personal Information we hold about you or exercise any other right, please send a written request to DSAR@malaffi.ae
While we will make reasonable efforts to accommodate your request, however we reserve the right to reject such access requests or to impose restrictions or requirements upon such requests if required or permitted by Applicable Law.
9 SECURITY
9.1 We use up to date information storage and security to hold your Personal Information securely in electronic and physical form to protect your Personal Information from unauthorized access, improper use or disclosure, unauthorized modification or unlawful destruction or accidental loss. Whilst we have put in place physical, electronic, and managerial procedures to secure and safeguard your Personal Information, we will not be held responsible for any unauthorized access by third parties, and we cannot guarantee that the Personal Information provided by you or that is transmitted via the Platform or by electronic messaging is totally secure and safe and you provide it at your own risk.
9.2 9.2 We encourage you to keep any passwords you use confidential and to be careful to avoid “phishing” scams where someone may send you an electronic message that appears to be from us and asks for your Personal Information. We will not request your ID or password through electronic messages.
10 CROSS BORDER TRANSFERS
10.1 We will not store, develop, or transfer your Protected Health Information outside the United Arab Emirates that is related to health services provided within Abu Dhabi, except in cases where an exception to do so is issued by the DOH in coordination with the Ministry of Health and Prevention.
10.2 10.2 We only transfer Personal Information to these countries, when it is necessary for the services, we provide you or subjected to appropriate safeguards that assure the protection of your Personal Information, such as contractual arrangements (as appropriate) or otherwise in accordance with Applicable Laws.
11 YOUR COMMUNICATION PREFERNCES, OPTING OUT OF MARKETING
11.1 You may choose to receive or not receive marketing communications from us by indicating your preferences. You can click “unsubscribe” in any marketing electronic communications we send you, or by sending us an email at comms@malaffi.ae
11.2 Any marketing by us, or any third parties on our behalf, will be conducted in accordance with Applicable Laws and include (where applicable) methods to allow you to express your preferences (including the possibility of being removed from our advertising and marketing lists as set out above).
11.3 Please allow up to 10 business days for your email preferences to take effect. As some promotional content, such as direct email campaigns, are developed in advance, you may sometimes receive marketing communications after we receive your preference request. If you opt out of receiving marketing communications, we may still communicate with you in connection with your request and/or service-related matters.
12 HOW LONG WE KEEP YOUR PERSONAL INFORMATION
12.1 12.1 We will retain your Personal Information for the length of time needed to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by Applicable Law.
12.2 12.2 Your Personal Data that is Processed for marketing purposes will be stored until you exercise the right to withdraw consent, and once such right is exercised, your Personal Data will be kept only during the applicable statute of limitations period for any disputes or liabilities that may arise because of the Processing of that information (which is up to 15 years in the UAE). Your Personal Information that is Processed for non-marketing purposes (including in relation to any requests made by you under section 9 above) will be stored for a period of 25 years or as required by Applicable Law.
13 LINKS TO THIRD PARTY SITES, PLATFORM PERMISSIONS
Our Platforms may link to other, unaffiliated third-party websites or social media platforms. Please note that we do not, and cannot, control or be responsible for the content or privacy and confidentiality practices of any third-party websites or platforms. You must always carefully review the privacy and confidentiality notice of any third-party website that you may visit to understand how the operators of that website may collect, store, and use your Personal Information.
Use of our Platforms may require you to accept device permissions relating to the access of your Personal Information. When accepting such permissions, you do so at you own risk and acknowledge that we, nor our third-party suppliers, shall not be held liable for the access, use, disclosure, destruction or other tampering of your Personal Information when allowing a device to download or otherwise access your Personal Information via the Platforms.
14 CHANGES TO THE PRIVACY NOTICE
We may from time to time make changes to this Privacy Notice. Please check back regularly to keep informed of updates to this Privacy Notice. These changes are effective immediately, after they are posted on this page. If you do not wish to continue following such notice, you must cease to access and use the relevant Platform(s). Continued use of the Platform(s) will be deemed to be acceptance of the changes. We display an effective date and a latest revision date so that it will be easier for you to know when a change has taken place.
15 DATA PROTECTION OFFICER
We have a designated Data Protection Officer who is responsible for making sure the organization complies with Applicable Laws, addresses any complaints from clients about possible privacy breaches and deals with requests for access to Personal Information, and acts as the organizations’ liaison with the regulators.
To learn more about the role of our DPO or to contact them, please use the email address specified below
16 HOW TO CONTACT US
If you have any questions about this Privacy Notice, or our Processing of your Personal Information or questions for the Data Protection Officer please contact us at DSAR@malaffi.ae
Last updated on 29 September 2022