Sciensus BV Support Programme and Study Privacy Notice


The following privacy notice explains how Sciensus BV intends to use the information you have provided to us and we have processed as part of your participation in this patient support programme/study, along with your rights our reasons for requesting it and who will have access to it.

The privacy notice below sets out how we process your personal information. This notice is regularly reviewed, and changes made from time to time. Any changes we make will be posted on this page.

This notice is regularly reviewed, and changes made from time to time. Any changes will be posted on this page.

We do not make decisions based solely on automated processing, unless such decisions are required or permitted by law.

If you have any questions relating to this Notice, please contact our Data Protection Officer on

The Data Protection Officer

107 Station Street


DE14 1SZ

United Kingdom


Where we get your information from:

To deliver our services to you, we collect and process information about you and receive them from a variety of sources such as:

Directly from the user (s) (The Patient or Legal Representatives)
From doctor/healthcare professionals/nurse or caregiver


Personal information we collect on you and the lawful grounds for us to process your information:

We only collect the minimum information from you that is necessary to provide the service. This information is set out below and may vary from a service to another.

Categories of Information and personal data

Type of Data Why do we need this data? What is our lawful ground for processing?

·        First and Middle Name

·        Surname

·        Email Address

·        Address

·        Date of Birth

·        Telephone number

·        City/Postal Code of School


·        To create and maintain a record of your care and communicate with patient/legal representative.

·        To facilitate appointments with healthcare professionals

·        Plan interventions within a school environment

·        For healthcare professionals to personalise the content you will receive.

·        Provide advice and adapted content.

·        The sharing of the User’s health data with the relevant Healthcare Professionals.

·        Optional data to improve the user experience but not essential.

·        For safety and efficacy of medication

GDPR, article 6 (1)(a) Consent  – The individual has given clear consent  to process their personal data for a specific purpose.


GDPR Article 6 (1)(f) Legitimate Interest




·        Medical History

Such as existing medical conditions, allergies, and current or past medications

·        Clinical metrics

Such as height, weight, vital signs, or any other relevant measurement.

·        Symptoms that you or your child may be experiencing.

As a result of a medical conditions or medicine side effect (diarrhoea, nausea, fatigue etc…)

·        Socioeconomic and environmental data

Such as information on family unit, hobbies and job.

·        Behavioural information pertinent to your / your child’s health and wellness

Such as information on diet, level of exercise and routine with taking medicines.

GDPR, article 9 (2)(A) Explicit Consent  The individual has given explicit consent to process their personal data for a specific purpose.



Categories of recipients

Depending on their respective needs:

  • The patient’s healthcare professionals to whom access has been authorized are recipients of all their data collected by the Sciensus patient support programme. The User is informed that they have the possibility to revoke at any time the access initially authorized to their data to one or more of the Health Professionals in charge of their follow-up.
  • The User is informed that an approved health data host ensures the secure hosting of health data collected and processed as part of the Application, in accordance with the provisions of Articles under the Federal Data Protection Act and GDPR. As such, the User has the right to object to the hosting of their personal data for a legitimate reason.The User is informed that their personal data transmitted to the technical service providers are accessible only for the purposes of technical management of the Application, by the specifically authorized technical service providers, in strict compliance with their missions and in compliance with the professional secrecy to which they are subject.

The Data Controller guarantees that the User’s personal data and those of the Patient will not be transmitted to any unauthorized third party.


Users’ data is kept for the duration of the program plus one month. After this, the data necessary to respond to a liability action is archived for a maximum of 10 years for evidentiary purposes, in a secured manner and in accordance with the country’s medical record retention directives.

If the User’s Personal Account remains inactive for 1 year, the user will be notified of account closure and the archiving of their data unless they express their wish to keep their Personal Account.

We may hold onto your data for longer, but we will ensure the data is fully anonymised and no individual will be identified. Please see section “Anonymisation of data” for the reasons why we would do this.

Transfers of data outside the EEA

No data transfer outside the European Economia Area.


Provided that they do not allow the direct or indirect identification of the User, data may also be used in order to improve the performance and quality of the programme and may be subject to anonymous statistical analysis.

 How we keep your information Safe

As part of our programmes, we collect lots of personal and sensitive information about you, and we take keeping your data safe very seriously. For this, we have our own expert teams and use a robust information security management system so that your data is treated appropriately does not end up in the wrong hands. To achieve this, we use a three-layered approach: People, Processes and Technology.

We use a number of technology systems to control how your data is accessed and secured. All our staff members are trained in personal data and confidentiality. They follow strict policies and procedures to ensure security is kept to a high level.

We operate function-based access control. Therefore, our staff members can only access your personal data if it is necessary for them to perform their tasks.

We evaluate our systems regularly using internal and external audits to identify possible weaknesses have rectified them.


You can access and obtain a copy of the data concerning you, object to the processing of this data, have it rectified or have it deleted. You also have the right to restrict the processing of your data.

When the Patient is a minor, the rights are exercised by the User who represents him.


The Data Protection Officer (DPO) is your contact person for any request to exercise your rights over this processing.

The Data Protection Officer

107 Station Street


DE14 1SZ

United Kingdom

Complaints to Data Protection Authority

You can log a complaint with the Data Protection Authority or other data protection authority competent for your country. Contact information for these authorities is available at

 For United Kingdom, you can contact the Information Commissioners Office: