Roles as Data Controller and Processor
Novocam Medical Innovations (NMI) as Data Controller. NMI controls customer and employee data for the purposes of marketing, sales orders, and other core business operations.
NMI as Data Processor. When camera system data is stored on the MyDentalBook or Professional Cloud systems, NMI acts as Data Processor. The server hosts for the cloud services act as joint-processors. All data processors are EU-based, in the European Economic Area (EEA).
End Users as Data Controllers. The end user of a camera system is a data controller and may be located outside the EEA. The end user is responsible for deciding what data to collect and input into the NMI products and services. End users are responsible for patient data collection consent:
Contact person for register matters
Names of registers
Customer and marketing register
Accounting system for sales order handling
MyDentalBook user account
Professional Cloud user account (i.e., futudent recording software login)
What is the legal basis for and purpose of the processing of personal data?
Novocam is based in the European Union and as such complies with the EU General Data Protection Regulation 2016/679 (GDPR). The basis for processing personal data is the legitimate interest of the company based on a customer relationship and/or other connection or the performance of a contract.
The purpose of the processing of personal data is:
- To personalize the user's experience and to allow us to deliver the type of content and product offerings in which you are most interested
- To improve our service in order to better serve you
- To allow us to better service you in responding to your customer service requests
- To administer a contest, promotion, survey or other site feature
- To quickly process your transactions
- To provide you with an online service where you can upload and manage your recordings and communicate with patients and colleagues
What data do we collect?
As a data controller, we manage the following personal data of the customer or other data subject in connection with the customer register:
- basic information of the data subject such as name*, birth date, customer number, username* and/or other identifier, password*, gender, education;
- contact information of the data subject such as email address, phone number, business address*;
- information regarding the company and its contact persons, such as business ID and names and contact information of the contact persons;
- banking information*, such as IBAN, account number, account holder name, credit card information;
- possible direct marketing prohibitions and consents
- information regarding the customer relationship and contract, such as information of past and existing contracts and orders, other transactions such as user profile based on customer relationship, call recordings, correspondence with the customer/data subject and other contacts, cookies and information associated with them, as well as information voluntarily provided by the customer himself to the company system
Providing the information marked with a star is a prerequisite for our contractual relationship and/or customer relationship. We cannot deliver the product and/or service without the necessary information.
As a data processor, NMI receives data from its end users to the Clouds, and the server host stores the Clouds. This data includes:
- camera recordings stored locally, such as images and videos of treatments in the futudent recording software gallery and local PC, texts explaining the image or video, and information concerning treatment, status, outcome, diagnosis, prognosis or questions.
- shared recordings requiring colleague or patient information: recordings that the end user has decided to upload and/or share through the cloud service require the e-mail of the recipient and an accompanying message.
The end user is a Data Controller who decides on what data to collect and distribute from their customers.
From where do we receive information?
We receive data primarily from the data subject himself. We also collect information that your browser sends whenever you visit our service ("Log Data").
This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our service that you visit, the time and date of your visit, the time spent on those pages and other statistics.
In addition, we may use third party services such as Google Analytics that collect, monitor and analyze this data in order to improve the experience.
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from the service and stored on your computer's hard drive. We use "cookies" to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you are not able to use some portions of our service.
For the purposes described in this privacy notice, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.
To whom do we disclose data and do we transfer data outside of EU or EEA?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information unless we provide you with advance notice. This does not include service hosting partners and other parties who assist us in operating our service, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others' rights, property, or safety.
We do not specifically market to children under 13.
We use subcontractors that process personal data on behalf of and for us.
We do not disclose personal data outside of the EU/EEA. We have taken care of suitable safeguards for the transfer. We use standard contractual clauses accepted by the EU.
How do we protect the data and how long do we store them?
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Sockets Layer (SSL) technology.
We implement a variety of security measures when a user places an order, enters, submits, or accesses their information to maintain the safety of your personal information. All transactions are processed through a gateway provider and are not stored or processed on our servers.
Only those of our employees who, on account of their work, are entitled to process customer data are entitled to use a system containing personal data. Each user has a personal username and password to the system.
We store the personal data for as long as is necessary considering the purpose of the processing.
We regularly assess the need for data retention in light of the applicable legislation. In addition, we take reasonable measures to ensure that the personal data in the register is not incompatible, obsolete or inaccurate considering the purpose of the processing. We rectify or delete such information without delay.
What are your rights as a data subject?
As a data subject you have a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of erroneous, outdated, unnecessary or illegal data. If you have access to your data, you may modify the data yourself. If the processing is based on your consent, you also have a right to withdraw or change your consent.
As a data subject, you have a right, according to the EU's General Data Protection Regulation, to object to processing or request restriction of the processing, and to lodge a complaint with a supervisory authority responsible for processing personal data.
Insofar as you, as a data subject, have provided the information in the customer register for processing on the basis of your consent or commission, you have the right to access such data mainly in machine-readable format and the right to transfer such data to another controller.
For specific personal reasons, you also have the right to object to profiling and other processing operations, when the processing of your data is based on our legitimate interest. In connection with your request, you will need to identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds.
As a data subject you have the right to object to processing at any time free of charge, including profiling in so far as it relates to direct marketing.
Who can you be in contact with?
All contacts and requests concerning this privacy notice must be submitted in writing or in person to the contact mentioned in section two (2) "Contact person for register matters".
Supplier Data Privacy Notice