AirView Privacy Notice | ResMed

Last updated: January 2024

About this Privacy Notice

ResMed (“ResMed,” “we,” “our,” “us”) is committed to protecting the privacy and security of your Personal Data (as defined below) and wishes to be transparent about the types of Personal Data that the company collects about you and how it uses them. This Privacy Notice of the AirView application (hereinafter the “Notice”) explains how we collect, use and share any information collected about you (“Personal Data”) through your use of ResMed’s AirView application (hereinafter the “Application”) and aims to inform you of the rights and freedoms that you can exercise with regard to our use of your Personal Data. This Notice also describes the measures we take to protect your Personal Data.

This Application is managed as defined in AirView’s Terms of Service. For more information about this Application, see the Terms of service section of the Application.
If you do not wish for ResMed to process your Personal Data through this Application, as set out in this Notice, do not use the Application. Note that some services can only be provided through the Application and therefore, subscription to these services involves use of the Application.

The types of Personal Data we collect and why

When you use the Application, we collect the following types of Personal Data about you, which we will process for the purposes described below:

Management of user accounts related to AirView services

Types of Personal Data:
– Identification data: first name, last name, sex.
– Contact details: email address, phone number.
– Professional information: company, billing address.
– Account data: user identification, username, password, preferences.

Purpose of Data Processing:
– To enable you to create your account
– To enable you to have access to information about your patients
– To provide you with on-demand reports
– To enable you to create patient profiles on your Application.

Legal Basis: Contractual necessity (Art. 6(1)(b), GDPR)

Types of Personal Data:
– Identification data: first name, last name.
– Contact details: email address, phone number.
– Professional information: company, job title.
– Account data: username, password, preferences.
– Log data: date and type of request.
– Device data: serial number and type of device used by your patient.

Purpose of Data Processing:
– To manage our relationship with you and to provide you with our assistance and support regarding your use of the Application

Legal Basis: Contractual necessity (Art. 6(1)(b), GDPR)

Application management, maintenance and security

Types of Personal Data:
– Identification data: first name, last name.
– Contact details: email address.
– Account data: username, password, preferences.
– Device data: serial number and type of device used by your patient.

Purpose of Data Processing:
– The management, maintenance, improvement and security of our Application;
– To inform you of any technical updates of the Application.

Legal Basis: Our legitimate interest in offering, maintaining and improving our Application (Art. 6(1)(f), GDPR)

Online tracking and marketing

Types of Personal Data:
– Information collected through non-essential cookies and other online tracking devices: traffic data, IP address, device, user access to screens, time spent on a screen, event and type of AirView launch (email notification, etc.), login/logout events, email opening events.

Purpose of Data Processing:
– Strictly necessary cookies: These cookies are essential for allowing you to navigate around the website and use its features, such as accessing secure areas of the site.
– Performance cookies: These cookies collect information about how visitors use a website, for example, which pages visitors consult most often and whether they receive error messages from web pages. All the information these cookies collect is aggregated and it does not directly identify visitors. This information is only used to improve the functioning of a website.
– Functional cookies: These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Legal Basis: Your consent as the legal basis for storing or accessing information on your device (Art. 5(3) of the Privacy and Electronic Communications Directive). For more information on our use of cookies and the conditions under which we are required to obtain your consent, refer to the Cookie Notice.

Statistics and analytics

Types of Personal Data:
– Professional information: company, billing address, country.
– Connection: type of device used.

Purpose of Data Processing:
– To perform data analytics, statistics, and audience measurements regarding the use of our Application and our services.
– To perform data analytics on how to improve our products and services.

Legal Basis: Our legitimate interest in helping us understand how our Application is used, in helping us to personalize our Application and in measuring our Application’s audience (Art. 6(1)(f), GDPR)

Administrative and legal obligations

Types of Personal Data:
– Identification data: last name, first name, date of birth, sex, username, country.
– Contact details: email address.
– Administrative and accounting documents

Purpose of Data Processing:
– For the establishment, exercise and defense of legal rights
– To respect our legal declarations to public authorities
– To comply with our legal obligations (including tax and accounting laws)

Legal Basis: Compliance with our legal obligation (Art. 6(1)(c), GDPR)

What is the legal basis for processing your Personal Data?

General reasons for processing

– Depending on the purpose for which we process your Personal Data (see table above), the legal basis for processing your Personal Data may be either the need to perform our contractual or pre-contractual obligations with you or our obligation to comply with the laws and regulations applicable to us, ie, the pursuit of our legitimate interests.
– Note that the information you provide through our Application may be necessary for contractual purposes and to enable us to comply with our legal obligations. Without this information, we may not be able to process your order or answer your questions.

 

Processing based on your consent

In some cases, we rely on your consent to process your Personal Data.

Cookies and other tracking technologies

– We automatically collect certain information from your device through cookies and other similar technologies. Specifically, the information we collect automatically may include information such as your IP address, device type, unique device identification numbers (eg, the IMEI number), operating system version, the dates you access and use the Application, user behavior (such as your interactions with the Application), geographic location (eg, country or city) and other technical information.

– Collecting this information allows us to better understand how you use our Application, where you are from and which content in our Application is most relevant to you. Where applicable, we will ask for your consent before accessing or storing any information on your device. For more information on the types of cookies and similar tracking technologies we use, read our Cookie Notice.

Who we share your Personal Data with

We may disclose your Personal Data to the following categories of recipients:
• to our group of companies based in the European Union for purposes consistent with this Notice. We take precautions to only allow access to Personal Data to staff members who have a legitimate business need and with a contractual prohibition on using Personal Data for other purposes.
• to our suppliers, service providers and third-party partners who provide us with data processing services or who process Personal Data for the purposes described in this Notice or who are notified to you when we collect your Personal Data. This may include disclosures to third-party vendors and other service providers that we use in connection with the services they provide us, including to assist us in areas such as IT platform management or support services, infrastructure and Application services, marketing and data analysis. Additional information on our secondary Subcontractors is available at ResMed.com/AirViewSubProcessors.
• to any law enforcement agency, regulatory body, government agency, court or other competent third party where we believe disclosure is necessary (i) under applicable laws or regulations, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• to our auditors, advisers, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under the contractual prohibition against using Personal Data for other purposes;
• to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we advise the buyer to use your Personal Data only for the purposes disclosed in this Notice;
• to any other person if you have given your prior consent to the disclosure.

How we protect your privacy

We will process Personal Data in accordance with the following principles:

Fairness: We will process Personal Data fairly. This means we are transparent about how we handle Personal Data.
Lawfulness: We will process Personal Data for legal reasons only.
Purpose limitation: We will process Personal Data for explicit and legitimate purposes specified, and we will not process Personal Data in a manner inconsistent with those purposes, except as permitted by applicable data protection laws.
Data minimization: We will process Personal Data which is adequate, relevant and limited to what is necessary to achieve the purposes for which the data is processed.
Data accuracy: We take appropriate steps to ensure that the Personal Data we hold about you is accurate, complete and, where applicable, up to date. However, you are also responsible for ensuring that your Personal Data is as accurate, complete and current as possible by notifying us promptly of any changes or errors. You must notify us of any changes to the Personal Data we hold about you (for example, a change of address).
Data security: We use appropriate technical and organizational measures to protect the Personal Data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data. In particular, all data is protected according to the different levels of risk by physical measures, such as secure areas, technical measures, such as encryption, and organizational measures, such as employee security through control and supervision.
Retention period: We retain your Personal Data in a form that enables us to identify you for as long as necessary to achieve the purposes for which we are processing your data and we do not retain it any longer, unless we need to comply with applicable legislation.

Storage, retention and deletion of data

– The Personal Data that we collect from you are stored respectively in Germany and in France (main system and backup).
– If you no longer wish to use the Application, you can ask the primary administrator of your company to deactivate your account. If you are the primary administrator, you can ask us directly to deactivate or archive your account. Once your account is deactivated, we will continue to store your Personal Data for a limited period of time, on paper or in electronic form, to comply with applicable laws and regulations.
– At the point in time when we no longer need to retain your Personal Data, we will delete it.

Technical and organizational measures

– We use various data security and privacy measures to protect your Personal Data and to comply with applicable data protection laws.
– Your Personal Data is hosted in a secure data center by a certified HDS (“hébergeurs de données de santé” [health data host]). Our data processor operates according to our strict and precise instructions. The above data processor is regularly audited by ResMed and by independent third-party auditors, and this includes, in particular, penetration testing and certification audits. Our hosting provider is responsible for the maintenance of ResMed’s systems and for our physical and network security.
– AirView requires two-factor authentication. AirView can be accessed by the user only after two levels of security authentication to prevent abuse or identity theft.
– A confidentiality agreement has been signed by all ResMed employees who are also trained in security and privacy protection in various ways (e-learning, Privacy Champion training, etc.). By implementing these training programs, ResMed can demonstrate that its security and privacy protection processes are well understood and followed by all of its employees who process European Personal Data.
– The confidentiality and integrity of your data is protected through encryption controls, which secure data that is stored, in transit or in use. Adequate encryption policies have been put in place to ensure the effectiveness of the controls implemented.
– Backup procedures have been put in place to ensure the availability of your data. Backup operations are controlled, secure and documented. In addition, a disaster recovery plan and a business continuity plan have been implemented and tested.
– Protection against malware and malicious attacks has been put in place by implementing firewall solutions and anti-malware/anti-virus solutions, as well as through vulnerability scanning and operating system patching. In addition, a secure disposal process has been put in place to ensure the secure deletion of your data.
– Access to system components and applications is restricted to authorized service personnel based on the principles of least privilege, need-to-know and segregation of duties. AirView applies logical controls at the Application, database and system levels to ensure that the data from one organization can never be viewed or changed by another organization.
– An auditing mechanism has been put in place to examine logs and detect malicious activity using appropriate tools.
– ResMed has implemented a change management process to ensure that a security check is performed prior to any significant change.
– A security incident response plan has been implemented and tested. In addition, ResMed has implemented a security incident and event management tool that aims to report accesses and to alert if a prohibited action has occurred, enabling a quick and efficient response.
– Despite the high level of security measures that we have applied, be aware that it is impossible to guarantee an absolute level of security for data transmitted over the internet. If we confirm that your Personal Data has been subjected to a data breach, we will comply with all relevant legal provisions regarding notification of data security breaches.

Transfers of Personal Data outside the EU/EEA

– Your Personal Data may be transferred to other entities of the ResMed group or to our suppliers, service providers and third-party partners and, therefore, processed in countries other than the one in which you reside and which are located outside the European Union (EU) and the European Economic Area (EEA) to perform data analyses. These countries may have data protection laws that differ from those in your country.
– Whenever your data is transferred outside the EU/EEA, we will ensure that it is transferred to a third country deemed appropriate by the European Commission or, if this is not the case, we will take the appropriate safeguarding measures to ensure that your Personal Data will remain protected in accordance with this Notice and in accordance with data protection law. For example, ResMed or its service providers may receive orders from governments outside of the EEA requiring disclosure of your Personal Data; ResMed and its service providers will ensure that such orders are valid and binding before allowing data to be disclosed and will require governments outside of the EEA to take measures to protect data to an equivalent level to those in the EEA. You have a right to request a copy of any safeguards used to transfer your Personal Data outside of the EEA (which you can do by contacting us using the contact details set out in this Notice).

Minors

The services that we offer on this Application are not intended for persons under eighteen (18) years of age. If you are under 18, do not use this Application.

Your data protection rights

You have the following data protection rights:

– If you wish to access your Personal Data, you may do so at any time by contacting us using the contact details set out in the How to contact us section below.
– If you wish to correct or update your Personal Data, you may do so directly in your AirView profile.

– You can erase Personal Data from your profile by deleting it directly from your AirView profile. You can also contact the primary manager of your company who can archive your account. Note that once your account is archived, you will no longer be able to use the Application.
– In addition, in certain circumstances, as provided for by applicable data protection laws, you may object to the processing of your Personal Data or make a request to the primary manager of your company to restrict the processing of your Personal Data. You can also request the portability of your Personal Data by contacting us at the contact details indicated in the How to contact us section below.
– If we have collected and processed your Personal Data with your consent, you may withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we carried out prior to your withdrawal, nor the processing of your Personal Data carried out on the basis of legal processing grounds other than consent.
– At any time, you have the right to refuse commercial communications that we send you. You can unsubscribe from our emails, communications and newsletters at any time by clicking the unsubscribe link at the bottom of any newsletter or email we send you.
– If you have a complaint or concern about the way we process your Personal Data, we will endeavor to address such concerns. If you believe that we have not sufficiently addressed your complaint or concern, you have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and some non-European countries (including the United States and Canada) are available here.)

You may exercise any of the above rights at any time by contacting us as described in the How to contact us section below. We will respond to your request in accordance with applicable data protection laws.
We answer all requests received from people wishing to exercise their data protection rights in accordance with applicable laws.

External links

Where any part of this Application provides links to third-party websites, the latter are consequently not subject to this Notice. We encourage you to review the Privacy Notices of those websites to understand their procedures for collecting, using and disclosing Personal Data.

Updates to this Notice

We may update this Privacy Notice from time to time based on legal, technical or business developments. Once we update our Privacy Notice, we shall take appropriate steps to notify you, based on the significance of the changes.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

How to contact us

If you have any questions, concerns or complaints about this Notice or the way we process your Personal Data, or if you want to exercise your rights as described above, contact our privacy office as follows: by sending an email to the following email address: privacy@resmed.eu or by post: ResMed SAS, 292 Allée Jacques Monod, 69791 Saint-Priest, France.
You may also contact our data protection officer as follows: by sending an email to the following email address: privacy@resmed.eu or by post: Délégué à la protection des données, ResMed SAS, 292 Allée Jacques Monod, 69791 Saint-Priest, France.
RH-302023/2 2024-01