Last updated: July 26th 2021
1. About this Policy
1.2 This device is managed by ResMed SAS, headquartered at 292 Allée Jacques Monod, 69791 Saint-Priest, France, who is the data controller for all Personal Data that is collected via this device. For more information about this App, please refer to this User guide.
1.3 If you do not want ResMed to process any of your Personal Data through this device, as set out in this Privacy Notice, please do not activate the “connectivity” functionality on this device (please contact your care provider if you would like to ensure that the “connectivity” functionality on your device is not activated).
2. The types of Personal Data we collect and why
2.1 When you use the App, we collect the following types of Personal Data about you, which we will only process for the purposes described below:
2.2 Sleep data
The Device enables us to collect information about your sleep pattern and disorders. Sleep-related data is considered health-related (health data) when it is used to analyse your state of health and to assess your health risks. This is the case, for example, where our analysis of your sleeping disorders is based on the high number of apneas per hour measured over a certain period of time.
❶ ResMed will process your health data for the following purposes:
(i) to improve the usability, performance and security of its medical devices.
(ii) to run post market clinical follow-up of our medical devices.
(iii) to perform materiovigilance.
❷ Your health data may also be re-used under the responsibility of ResMed, researchers or ResMed’s partners for the purposes of retrospective studies of public interest in the field of health and aimed at improving knowledge. Under the General Data Protection Regulation, this processing requires us to obtain your prior explicit consent for this purpose.
This Privacy Notice will be updated on a regular basis. We recommend that you regularly consult it in order to inform you of all the studies undertaken by ResMed, researchers or ResMed’s partners based on the re-use of your data.
Those health studies implemented from the reuse of your personal data:
(i) aim to improve scientific knowledge,
(ii) will have to provide a public interest in accordance within the meaning of current legal and regulatory provisions,
(iii) will be conducted by ResMed, researchers, or ResMed’s partners, who have previously completed the required formalities before the authorities, and in particular the CNIL,
(iv )will be approved by the Scientific Committee of ResMed.
3. How we obtain your Personal Data
3.1 Most of the information we process is obtained directly through the ResMed device which monitors your sleep.
3.2 ResMed processes Customer Personal Data on the Customer’s behalf as a Processor in relation to its provision of the ResMed HI Services.
4. ResMed processes your Personal Data as a Controller to comply with its quality and regulatory obligations under applicable laws.
5. Who we share your Personal Data with
5.1 We may disclose your Personal Data to the following categories of recipients:
(a) to our European Union-based third party vendors, services providers and partners who provide data processing services to us, or who otherwise process Personal Data for purposes that are described in this Policy or notified to you when we collect your Personal Data. This may include disclosures to European Union-based third party vendors and other service providers we use in connection with the services they provide to us, including to support us in areas such as IT platform management or support services, infrastructure and application services, marketing, and data analytics.
(b) to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
(c) to our auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose;
(d) to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Policy;
(e) to any other person if you have provided your prior consent to the disclosure.
6. How we protect your privacy
6.1 We will process Personal Data in accordance with the following principles:
(a) Fairness: We will process Personal Data fairly. This means that we are transparent about how we process Personal Data.
(b) Lawfulness: We will process Personal Data only on lawful grounds.
(c) Purpose limitation: We will process Personal Data for specified explicit and legitimate purposes and will not process it in a manner that is incompatible with those purposes, unless permitted by applicable data protection laws.
(d) Data minimization: We will process Personal Data that is adequate, relevant and limited to what is necessary to achieve the purposes for which the data are processed.
(e) Data accuracy: We take appropriate measures to ensure that the Personal Data that we hold about you is accurate, complete and, where necessary, kept up to date. However, it is also your responsibility to ensure that your Personal Data is kept as accurate, complete and current as possible by informing us promptly of any changes or errors. You should notify us of any changes to the Personal Data that we hold about you (e.g. a change of address).
(f) Data security: We use appropriate technical and organisational measures to protect the Personal Data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data. In particular, all data is protected according to the varying levels of risks through physical measures, such as secure areas, technical measures, such as encryption, and organisational measures such as employee security through vetting and supervision.
(g) Limited Retention: We keep your Personal Data in a form that allows us to identify you for as long as necessary to achieve the purposes for which we are processing your data and do not store your data for longer, unless we must comply with applicable laws.
7. Data storage, retention and deletion
7.1 The Personal Data we collect from you is stored in our servers located in a country in the European Economic Area (currently in France and/or in Germany).
7.2 Customer Personal Data shall be retained in archive by ResMed for ten (10) years from receipt of that Customer Personal Data by ResMed. ResMed has a legal obligation to comply with this ten (10) year retention period pursuant to applicable laws (including but not limited to the Medical Device Regulation (EU) 2017/745 of 5 April 5th, 2017), acting as Data Controller.
The following table resumes the different data retention period pursuant to the purposes for processing.
8. Technical and organisational measures.
8.1 We use various data security and privacy measures to protect your Personal Data and to comply with applicable data protection laws.
8.2 Your personal Data is hosted in a secure data center in France or Germany by an HDS Certified Health Hosting Provider. Our subcontractor operates under our strict and precise instructions. The subcontractor is audited on regular basis by independent 3rd party auditors including penetration testing and certification audits. The Hosting Subprocessor is responsible for maintenance, physical hardware and network security for the Customer Personal Data hosted by them.
8.3 A confidentiality agreement has been signed by all ResMed’s employees who are also security and privacy trained in various ways (e-learning, privacy champions training, etc.). By implementing those trainings, ResMed can demonstrate that their privacy and security processes are well understood and followed by all of its employees processing European personal data.
8.4 Your data is protected in terms of confidentiality and integrity by using, partitioning (meaning the test and production environments are separated), pseudonymisation, strong authentication, encryption controls, securing the data at rest, in transit. Adequate encryption policies are put in place in order to ensure the adequacy of the implemented controls.
8.5 Backups are implemented in order to ensure the availability and integrity of your data. The backup operations are monitored, secured, and documented. Additionally, a disaster recovery plan and a business continuity plan are implemented and tested.
8.6 Automatic security updates are regularly applied to avoid any risk of vulnerability on the infrastructure Protection against malware and malicious attacks is put in place through the implementation of next generation firewall solutions and antimalware/antivirus solutions, as well as vulnerability scanning and system patching. Moreover, a secure disposal process is put in place in order to ensure the secure deletion of your data.
8.7 The access to system and application components is limited to the authorized maintenance personnel based on the principles of least privilege, need to know and segregation of duties. myAir applies logical controls within the application, database and system tier to ensure that data from one organization can never be viewed or altered by any other organization.
8.8 An audit mechanism is put in place in order to review logs and to detect for malicious activities using the appropriate tools.
8.9 ResMed has a change management procedure in place which aims to ensure that before any significant change a security check is performed.
8.10 A security incident response plan is implemented and tested. Moreover, ResMed has implemented a security incident and events management tool that aims to report accesses and alert if a forbidden action occurred, allowing timely and effective response actions.
8.11 Despite the high standard of security measures we apply, you should keep in mind that it is impossible to guarantee an absolute level of security for data transmitted over the Internet. If we have confirmation that your Personal Data has been breached, we will comply with any relevant legal provisions regarding data security breach notification.
9. Transfers of Personal Data outside the EU/EEA
9.1 Your Personal Data will at all times be hosted on data centers within the European Economic Area (“EEA”). However, in limited circumstances it may be necessary for your Personal Data to be remotely accessed by, or temporarily transferred to, ResMed or its service providers in countries outside of the EEA (for example, in order to provide technical support or for data security reasons).
9.2 Also, ResMed or its service providers may receive orders from governments outside of the EEA requiring disclosure of your Personal Data. These countries may not have data protection laws that are equivalent to those in the EEA.
9.3 Where we allow your Personal Data to be transferred to service providers or ResMed companies outside of the EEA, we will put in place appropriate safeguards (such as the EU Commission’s Standard Contractual Clauses) and take any other steps necessary to ensure your data is protected in accordance with data protection law. You have a right to request a copy of any safeguards used to transfer your Personal Data outside of the EEA (which you can do by contacting us using the contact details set out in this notice).
9.4 Where orders are received from foreign governments, ResMed and its service providers will ensure that such orders are valid and binding before allowing data to be disclosed.
10. Your data protection rights
10.1 You have the following data protection rights:
(a) You may exercise your right of access which includes the right to information in order to understand how ResMed processes your personal data as well as the right to instruct ResMed to provide you with a copy of the personal data that we hold, including a copy of the Standard Contractual Clauses we have in place.
(b) If you wish to correct, update of your Personal Data, you can do so at any time by contacting us using the contact details below.
(c) You may request us to delete your Personal Data, however ResMed is only processing your Personal Data to comply with its quality and regulatory obligations under applicable laws. As a result, ResMed won’t be able to delete your Personal Data on request.
(d) In addition, in certain circumstances, as stipulated in the applicable data protection legislation, you can object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data. Again, you can exercise these rights by contacting us using the contact details below.
(e) If we have collected and are processing your Personal Data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
(f) If you have a complaint or concern about how we are processing your Personal Data then we will endeavour to address such concern(s). If you feel we have not sufficiently addressed your complaint or concern, you have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.
10.2 You may exercise any of the rights above at any time by contacting us as described under the “How to contact us” section below. We will respond to your request in accordance with applicable data protection laws.
10.3 We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
11. Updates to this Policy
11.1 We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
11.2 You can see when this Privacy Notice was last updated by checking the “last update” date displayed at the top of this Privacy Notice.
12. How to contact us
12.1 If you have any questions, concerns or complaints about this Policy or the way we process your personal data, or if you want to exercise your rights as described above, please contact our Privacy Office as follows: By email at: email@example.com. By postal mail: ResMed SAS, 292 Allée Jacques Monod, 69791 Saint-Priest, France.
You may also contact our Data Protection Officer as follows : By email at: firstname.lastname@example.org. By postal mail: Data Protection officer, ResMed SAS, 292 Allée Jacques Monod, 69791 Saint-Priest, France.