myOrb Privacy Policy & GDPR Statement
Last Updated 26/06/2021
Privacy Policy
Myorb Limited (“We”, “Our” and “Us”) are committed to protecting and respecting your privacy.
This policy includes our General Data Protection Regulation (GDPR) Statement and together with our Terms and Conditions sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purpose of the Data Protection Act 1998 (the Act) and General Data Protection Regulation 2018, Myorb Limited provides its platform to Healthcare Organisations (NHS and Private Hospitals). In this capacity Myorb Limited acts as a Data Controller for its clinical users and Data Processor for Patients’ Data, and the Data Subject is the Patient. These have been detailed in the ‘GDPR Statement’ within the Privacy Policy together with the GDPR rights of the Data Subject and how to exercise those rights.
Myorb Limited is incorporated and registered in England and Wales with company number 6851438 whose registered office is at Myorb Limited, The Surrey Technology Centre, 40 Occam Road, The Surrey Research Park, Guildford, Surrey, United Kingdom, GU2 7YG.
myOrb Users. Information we collect from you
We collect and process data about you only to enable your signup, login, access and usage of myorb.com (“Our Site”):
- To sign up and use our site we collect your email address, first name and last name.
- We also store information users may optionally provide to enhance their profile. This information is profile photograph, biography, gender and date of birth.
- When you report a problem (bug report) with our site we are notified by email of the screen size, browser type (Chrome, Firefox etc) and operating system (Windows, Mac OS, Android etc). We require this information to help identify the source of the bug. We do not store this information and the email is deleted once the bug has been fixed.
- If you contact us, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use to improve our site although you do not have to respond to them.
- Details of your visits to our site (logs) are kept in accordance with the Investigatory Powers Act 2016 for a period of one year. Logs stored are current sign in date, last login date, account created date, account confirmed date and last password reset date.
- When you log in via Google we are sent information used to set up those accounts. From this information we only store email address, first name, last name and profile photograph, which is the minimum amount of information we require to enable you to sign up, log in and access our site.
IP addresses
We may collect your current login IP Address. This data is retained for a period of one year as required in the Investigatory Powers Act 2016.
Cookies
Our website uses a ‘session cookie’ for which the sole purpose is to distinguish you from other users of our website and ensure that you remain logged in when using the service. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. We do not use cookies for tracking your location, behaviour, advertising or any purpose other than keeping you logged in.
Where we store your personal data
We store our data within the UK. In the event of a technical issue it may be necessary to rely upon servers outside the UK for the period of the technical disruption. In this instance data may be transferred to, and stored at, a destination outside the UK. It may also be processed by staff operating outside the UK who work for us or for one of our suppliers. Such staff will only be engaged in the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Even though our site encrypts all information in transit and at rest, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures, encryption and security features to prevent unauthorised access.
Uses made of the information
We use information held about you in the following ways:
- Your profile will include your Name. Your profile information is not available to the public but only available to members of the Healthcare Organisation or medical professionals they select to share “spaces” with. To the extent that you choose to share personal information you do so at your own risk, and your rights and how to exercise them are detailed in the ‘GDPR Statement’ below.
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To carry out our obligations arising from any contracts entered into between you, your Healthcare Organisation and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about changes to our service.
We do not disclose information either identifiable or anonymised to anyone internally or externally unless legally obliged to do so such as under the obligations of the Investigatory Powers Act 2016.
Disclosure of your information
We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006. Currently Myorb Limited is a standalone company with no subsidiaries or holding company.
We may disclose your personal information to third parties under the following circumstances:
- If Myorb Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets. However data will continue to be subject to the usual legal protections.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of Myorb Limited, our customers, or others.
Your rights
Your rights and how to exercise them are detailed in the ‘GDPR Statement’ below. You can also exercise these rights at any time by contacting us by email at contactus@myorb.com or in writing at Myorb Limited, The Surrey Technology Centre, 40 Occam Road, The Surrey Research Park, Guildford, Surrey, United Kingdom, GU2 7YG.
Our site contains links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Data Protection
MyOrb needs to collect and use certain types of information about staff, clients and other individuals who come into contact with the company in order to operate. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities, government agencies and other bodies.
This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, IT based, or recorded on other material – and there are safeguards to ensure this is within the Data Protection Act 1998.
We regard the lawful and correct treatment of personal information as very important to successful operations, and to maintaining confidence between those with whom we deal and ourselves. We ensure that our Organisation treats personal information lawfully and correctly.
Most businesses hold personal data on their customers, employees and partners. The explosion in the use of the Internet, electronic communication and computerisation of business data has led to an increase in the importance of privacy. Breaches of computerised data security have prompted the introduction of legislation on a national and European level.
These include:
- Human Rights Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Regulation of Investigatory Powers Act 2000
- Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000
- Data Protection Act 1998
- Computer Misuse Act 1990
- General Data Protection Legislation Act (GDPR) 2018
MyOrb will, through appropriate management, strict application of criteria and controls:
- observe fully the conditions regarding the fair collection and use of information
- meet its legal obligations to specify the purposes for which information is used
- collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the quality of information used
- apply strict checks to determine the length of time information is held
- ensure that the rights of people about whom information is held, can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information which is regarded as wrong information)
- take appropriate technical and organisational security measures to safeguard personal information
- provide individuals that request it, within a maximum of 40 days from request, with access to personal information held about them for a maximum fee of £10
- correct or erase any information on an individual that is inaccurate or misleading
- not use information for a purpose which is incompatible with the original purpose for which permission was given by the data subject
- obtain clear, express permission for handling and using ‘sensitive’ personal data such as race, ethnicity, political opinions, religious beliefs, trade union membership, state of health both physical and mental, sexual life, criminal convictions and sentences and allegations of criminal behaviour
- treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
- set out clear procedures for responding to requests for information
- allocate such resources as may be required to ensure the effective operation of the Policy
In addition, MyOrb ensures that:
- there is someone with specific responsibility for Data Protection within MyOrb
- everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice
- everyone managing and handling personal information is appropriately trained to do so
- everyone managing and handling personal information is appropriately supervised
- anybody wanting to make enquiries about handling personal information knows what to do
- queries about handling personal information are promptly and courteously dealt with
- methods of handling personal information are clearly described
- a regular review and audit are made of the way personal information is held, managed and used
- methods of handling personal information are regularly assessed and evaluated
- performance with handling personal information is regularly assessed and evaluated
- a breach of the rules and procedures identified in this Policy may lead to disciplinary action being taken against the members of staff concerned.
The Data Protection Act 1998
The Data Protection Act 1998 replaces and extends the 1984 Act and places a legal obligation on persons who record and process personal information relating to living individuals. Although this area of the law appears to be complicated, the Act simply requires that adequate controls exist to protect individuals from the consequences of poor quality information and/or the misuse of information held about them.
Whilst the 1984 Act dealt with automatically processed information including information processed on computer, the 1998 Act places additional obligations on those processing information contained in ‘structured manual files’. It also applies to the lawfulness and integrity of the CCTV systems operated by MyOrb.
The term ‘processing’ includes any function that can be performed using information and includes the actual disclosure of information. MyOrb has introduced this Data Protection Policy for the information and guidance of all employees.
Data Protection Act Principles
The Act applies to every organisation that handles (processes) personal information such as names (data) on living individuals (subjects). The Act has eight data protection principles, which are intended to guide the interpretation and implementation of the Act. These principles are:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purpose(s), and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, whenever necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under this Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Guiding Principles
Fair Obtaining and Processing
MyOrb will ensure that as far as practicable, all individuals whose details are processed by MyOrb are aware of the way in which that information will be obtained, held, used and disclosed. Whenever possible, individuals will be informed of the potential recipients of the information. Processing of personal information by MyOrb will be fair and lawful and, in addition, it is MyOrb’s Policy that individuals will not be misled regarding the purposes to which MyOrb will process the information.
Notification
MyOrb will not use or process personal information in any way that contravenes its notified purposes, or in any way that would constitute a breach of the Data Protection Act. When appropriate, MyOrb will notify the Information Commissioner of any amendments to the existing Organisation’s notified purposes or of new purposes to be added to the Notification Register entry.
Information Quality and Integrity
MyOrb will endeavour to process personal information which is accurate, current and of good quality. Information that is obtained by MyOrb will be adequate and not excessive for the purpose for which it is processed. In addition, information will be kept by MyOrb for no longer than is necessary for the purpose or purposes for which it was obtained.
Subject Access
MyOrb will respond positively to subject access requests, replying as quickly as possible, and in any event within the 40-day time limit. Whilst individuals have a general right of access to any of their own personal information which is held, MyOrb will be mindful of those circumstances where an exemption may apply.
MyOrb will only disclose personal data to those recipients listed in the Notification Register, or whenever it is otherwise permitted by law to do so. MyOrb will always endeavour to seek the permission of the data subject, where it is required by law to do so.
Technical and Organisational Security
MyOrb has in place appropriate security measures as required by the Data Protection Act. Information systems are installed with adequate security controls and company employees who use these systems will be properly authorised to use them for company business.
Computer misuse
The Computer Misuse Act 1990 makes it an offence to gain unauthorised access to a computer, even if no damage is done and no files are deleted or changed. Anyone who accesses a computer without authorisation, for example by guessing a password, faces a maximum six-month prison sentence, or a maximum fine of £2,000, or both.
If an individual gains unauthorised access with the intent to commit a further offence, for example access your bank account online to transfer money, they face five years’ imprisonment and/or a fine.
This Act also makes it an offence to purposefully change files on a computer with intent and without authorisation. This could include deleting files or even changing computer settings. Anyone who does so, even if there is no intent to defraud or do damage, faces a maximum prison sentence of five years and/or an unlimited fine.
Controlling access
MyOrb has tightened physical access to data by restricting this to employees needing to access specific data in order to carry out their jobs. MyOrb takes steps to prevent accidental loss or theft of personal data by using server backup processes and increased security at our offices.
Safeguarding data
Our business relies on computers to store data, so it was necessary to introduce the following electronic safeguards:
- We have up-to-date antivirus software to protect against viruses damaging our data and computers
- We protect our computer network from hackers with a firewall
- We have housekeeping measures such as regular backups and disabling people’s accounts as they leave the business
- We have a clear strategy for managing all our computer security tools.
E-mail and Internet privacy
The inappropriate use of e-mail and the Internet by employees, e.g. using the Internet for non-work purposes, can have significant consequences for our Organisation. This can be in terms of:
- Embarrassment/damage to MyOrb’s reputation
- Loss of productivity
- Increased risk of liability and legal action e.g. for sexist or racist e-mails
- Increased virus risk
To avoid inappropriate usage, we have introduced electronic security safeguards. A firewall checks, guarantees and manages e-mail attachments. MyOrb has installed filtering software that searches e-mails for specific words or phrases, normally obscene or discriminatory, and monitors which websites our employees are accessing as well as filtering which types of websites our employees can access.
Acceptable use of E-mail and the Internet
Please see the E-mail and Internet Acceptable Usage Policy.
In addition, MyOrb’s employees will be kept fully informed about overall information security procedures and the importance of their role within these procedures. Similarly, manual filing systems are held in secure locations and only authorised employees can access them.
General Data Protection Legislation (GDPR) Statement
General Data Protection Regulation (GDPR) came into force during May 2018. Put simply, the old rules of data privacy and consent no longer apply. Explicit consent to store and use personal data is now required, and this means a tick box, whether pre-ticked or not, to store sensitive data is no longer sufficient.
GDPR means you have to be informed what information is being collected about you, who is collecting it, how they are collecting the information, how it is being used and who it is being shared with.
myOrb is a privacy focused service built for the new GDPR environment which defines users as Data Subject, Data Controller, Data Processors and Joint Controllers.
Data Subject, Data Controller, Data Processors and Joint Controllers. What does that mean?
- Data Subject
A Data Subject is the patient whose personal data is being stored. Everyone is a patient and nearly all patients have a medical record meaning their personal data is stored. This means everyone is or will be a Data Subject and protected by GDPR.
- Data Controller
A Data Controller is an individual or organisation which exercises control over any processing of data for a data subject through the normal course of their activities. For example myOrb requires certain information from users to be able to set them up, log in and use myOrb. myOrb is a controller for this personal data.
Users of myOrb are storing the personal data of their patients, who are data subjects within myOrb, and are also Data Controllers for this personal data. Where a user is storing patients’ personal data within myOrb they act as the Data Controller, as myOrb does not control, see or have access to the patient data. For personal data stored in myOrb by its users myOrb acts as a Data Processor.
- Data Processor
A Data processor is an individual or organisation providing a service where the personal data of the Data Subject i.e. the patient, will be stored by a Data Controller. This personal information must only be stored if it is for the usual purposes of their work.
myOrb provides a system to manage clinical workflows for healthcare organisations. In doing so, myOrb and its employees act as Data Processors for the users of the healthcare organisation who have procured and are using myOrb to store the personal medical record for their patients as part of the usual purposes of their work.
Employees of the healthcare organisations using myOrb to store personal data are Data Processors for their organisation which serves as the Data Controller for any personal information they are storing on myOrb for their data subjects.
- Joint controllers
GDPR sets out the compliance requirements where there are joint controllers of a patient’s data, for example when a medical record is shared between two hospitals or between the GP and hospital for the benefit of the patient’s care.
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the data subject’s information, by means of an arrangement between them and should arrange a designated contact point for data subjects.
A Data Subject’s right to access their data
GDPR is clear that a data subject should have the right of access to personal data which have been collected concerning them and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.
Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
How does myOrb comply with GDPR
- myOrb as a Data Controller
myOrb acts as a Data Controller for its users to ensure they can be set up and login to use myOrb. myOrb follows the Data Minimisation principles advocated by the Information Commissioner’s Office which are designed to ensure that only the minimum amount of personal information that is required is requested and stored to enable them to use myOrb. myOrb is a privacy focussed service and does not use any personal data for any purpose other than ensuring users can be set up, login and use myOrb.
All of the information myOrb stores on users is available to view from their account. Simply go to My Account and select the Confidential Details option. Enter your password and all data that we hold can be viewed.
- Where are your payment details stored?
Some users of myOrb will pay for their licenses using Direct Debit (DD) as the method for payment. myOrb uses GoCardless as its payment service provider. GoCardless is an FCA Authorised Payment Institution, fully registered under the Data Protection Act and compliant to ISO 27001:2013. GoCardless has the most stringent compliance and security arrangements in place and details can be found at GoCardless and GDPR.
myOrb does not see, store or have access to the payment details provided by our users.
- Healthcare Organisations (myOrb’s customers) as a Data Controller
Healthcare Organisations who are storing the personal information of Data Subjects on myOrb act as Data Controllers for that data. As the Data Controller Healthcare Organisations have specific legal obligations under GDPR.
Ordinarily Healthcare Organisations storing personal data must be confident that they have the explicit consent of the Data Subject for any data they are holding and storing on myOrb. Furthermore they must be confident that any data providers they work with also have a highly robust approach to data protection and understand and meet the obligations of GDPR. It is important to understand that as a Data Controller no provider can relinquish their GDPR obligations.
Healthcare Organisations have a special derogation to enable them to store personal data on myOrb without consent, for example where a patient has been injured in an accident and requires urgent medical attention. In this scenario it is in the public interest for the Healthcare Organisation to create and store personal information for the benefit of the patient’s health.
Where a Healthcare Organisation has obtained personal data from a data subject they must:
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any.
As a patient, if you believe that a Healthcare Organisation is storing your personal data in myOrb you can request from them directly that they inform you of what data they hold, where it came from and the purpose they are storing it for. If a Healthcare Organisation fails to act when you request details of the personal data they are holding on you then please email contactus@myorb.com and we will also request that the Healthcare Organisation informs you of the data they hold.
Healthcare Organisations acting as Data Controllers and storing personal data on myOrb who fail to respond to requests from Data Subjects may have their account suspended or terminated.
Where personal data is processed by a Healthcare Organisation for scientific research purposes, GDPR regulation should also apply to that processing. For the purposes of GDPR, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research.
Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of GDPR should apply in view of those measures.
- Conditions for consent for use of patients’ personal information for scientific research
(a) Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
(b) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
(c) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
(d) When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- Conditions applicable to child’s consent in relation to information society services
(a) The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
(b) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
- myOrb as a Data Processor
myOrb does not process its users’ data in any way. User personal data is used only for the purposes of enabling the user to be set up and login to myOrb. myOrb does not track its users’ location nor does it use cookies for any other purpose than to keep a user logged in. myOrb does not share its user data either internally or with any outside organisations or individuals. myOrb has robust controls to ensure that its employees are unable to access any user data. myOrb is a privacy focused service where users can feel safe that their personal data is not used for any other purpose than being able to login to the service.
- Data Subject’s Right to Rectification
As a patient, if you believe that a Healthcare Organisation is storing incorrect personal data in myOrb, you can ask them directly to rectify the personal information that they hold. If a Healthcare Organisation fails to act when you request rectification of your personal data, then please email contactus@myorb.com and we will also request that the Healthcare Organisation rectifies the information they hold, which in due course will be rectified in myOrb.
- Data Subject’s Right to be Forgotten
As a patient you have the right to be forgotten. If a Healthcare Organisation fails to act when you request for your information to be deleted then please email contactus@myorb.com and we will also request the Healthcare Organisation delete your data which in due course will be deleted in myOrb. The Healthcare Organisation may be required to retain your information for your own safety and will communicate the basis on which they believe they cannot act upon your request to have your data deleted.
- Data Subject’s Right to Restrict Processing
As a patient you have the right to obtain from the Healthcare Organisation controller the restriction of processing your data where one of the following applies:
a The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c The Healthcare Organisation no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the patient’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the Healthcare Organisation before the restriction of processing is lifted.
If a Healthcare Organisation fails to act when you request a restriction of processing, then please email contactus@myorb.com and we will also request that the Healthcare Organisation complies with the request if they are able to do so.
- Data Subject’s Right to Data Portability
As a patient you have the right to receive your personal data, which has been provided or originated by the Healthcare Organisation, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Healthcare Organisation without hindrance where:
a The processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b The processing is carried out by automated means.
In exercising your right to data portability pursuant to paragraph 1, you have the right to have the personal data transmitted directly from one Healthcare Organisation to another, where technically feasible.
The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17.
That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.