This Policy also contains certain information required by the European Union (“EU”) Regulation No. 2016/679 of 27 April 2016, known as the General Data Protection Regulation (“GDPR”), and mirroring legislation (with the GDPR, the “European Data Privacy Laws”) of the other countries (Norway, Iceland and Liechtenstein) forming with the EU Member States the European Economic Area (the “EEA”), which apply when we process personal data about individuals located in the EEA in relation to (i) the offering of goods and services to these individuals or (ii) the monitoring of their behaviour in the EU or EEA – at the moment we consider that only processing of personal data about individual surveyors in the EEA would fall within the scope of European Data Privacy Law.
We, the Organization, are the data controller of the processing activities described in this Policy for the purposes of European Data Privacy Laws and can be contacted by mail at 1150 Cyrville Road, Ottawa, ON, K1J 7S9 Canada or by email as indicated under XII below. Our representative in the EU is Health Assessment Europe ASBL, a Belgian-law association sans but lucratif registered under No. 0537.718.906 and having its registered office at Rue d’Egmont 11, 1000 Bruxelles, and it can be contacted by mail at its registered office or by email at Communications@healthstandards.org.
This Policy explains how we will collect, use, disclose and store Personal Information. We urge you to read the Policy carefully in order to gain a clear understanding of how the Organization may collect, use or disclose Personal Information.
“Personal Information” means any information, in any form, about an identified individual or an individual whose identity may be inferred or determined from such information, other than business contact information (e.g. name, title, business address).
Please note that this Policy does not cover business contact information, anonymous aggregate information or data from which the identity of an individual cannot be determined. Subject to any agreement between the Organization and you (or between the Organization and your employer) otherwise, the Organization retains the right to use and disclose such information and data in any way that it determines appropriate.
This Policy applies to all Personal Information collected by the Organization including Personal Information we collect from you through our website (when you register for an account or visit anonymously), our Client Portals, Partner Portals, Surveyor Portals, as well as Personal Information provided to the Organization by individuals who are, represent or work for its clients, contractors (including surveyors), service providers, agents, partners, and affiliated entities participating in the Organization’s licensed accreditation processes.
The Organization and its agents, partners, contractors or service providers that may collect Personal Information on behalf of the Organization, will not collect any Personal Information without obtaining the consent of the individual to whom it belongs prior to the collection of the information to the extent required by applicable law. By using our websites, or providing us with your Personal Information over the telephone, by email, in writing, by fax or in person, you provide your consent for the Organization to collect, use, disclose and store your Personal Information in accordance with the terms of this Policy to the greatest possible under applicable law.
In most cases and subject to legal and contractual restrictions, you are free to refuse or withdraw your consent to – or if consent is not required object to – the collection, use, disclosure and storage by the Organization of your Personal Information at any time upon reasonable, advance notice to the Organization. However, the withdrawal of your consent or objection is not retroactive. It should be noted that in certain circumstances, our products or services can only be offered if you provide us with your Personal Information. Consequently, if you choose not to provide us with the required Personal Information, we may not be able to offer you these products or services. We will inform you of the consequences of the withdrawal of consent as appropriate. Notwithstanding anything in this Policy, we may, from time to time, seek consent from you – or if consent is not required inform you of our intention to – to use and disclose your Personal Information collected for a purpose other than the purposes set out herein.
If you are a client, supplier or partner of the Organization and you provide us with the Personal Information of other individuals, you are responsible for obtaining the consent of the individuals from whom you collect any Personal Information at the time of collection in accordance with all applicable laws.
III. Collection of Personal Information and Categories of Personal Data Concerned
What Personal Information Do We Collect?
We may collect the following types of Personal Information: your name, email address, and credit card information.
Surveyors: We collect the following Personal Information from surveyors: address, emergency contact information, information about allergies, place of employment, SIN, and similar information collected in the context of entering into a contractual relationship between the Organization and the surveyor. The terms and conditions for the collection, use and disclosure of this information are set out in the contractual agreements between the Organization and the surveyors. The Organization does not disclose any of the surveyor’s information without the surveyor’s prior consent, unless permitted to do so by law.
We collect only such Personal Information as we deem to be reasonably required in the circumstances for the purpose(s) for which it is collected.
Except as set out in this Policy (or unless otherwise permitted by the applicable laws), the Organization does not collect Personal Information without first obtaining the consent of the individual concerned to the collection of such Personal Information.
How Do We Collect Your Personal Information?
We collect Personal Information from individuals who create accounts with our website or who create (or are provided) accounts with any Client Portal, Partner Portal or Surveyor Portal operated by the Organization.
We also collect Personal Information from individuals who place orders through the website for goods and services, who respond to online or email surveys, or provide information to us in person, in writing, by fax or over the telephone when asked for such information (including proof of any accreditation process).
We may also indirectly collect and store in our systems Personal Information which is uploaded by clients and contractors of the Organization pursuant to our accreditation processes or which is provided to us indirectly by clients, contractors (including surveyors), service providers, agents, partners, and affiliated entities participating pursuant to any of our licensed accreditation processes.
We collect Personal Information from surveyors at the time of entering into a contractual relationship with the surveyor.
We use only fair and lawful methods to collect Personal Information.
IV. Use of Personal Information
What Do We Use Your Personal Information For?
We use Personal Information for the following purposes:
- For the performance and delivery of accreditation services and related services;
- For the performance and delivery of education and training sessions and webinars;
- To process transactions for the purchase of goods and services;
- To perform activation services and generate reports;
- To improve our products and services;
- To improve our website;
- To enter and maintain a contractual relationship with a surveyor;
- To inform or offer goods or services or seek donations;
- To comply with our statutory obligations or any judicial order or judiciary rule of procedure;
- To provide information reasonably required by debt or equity investors envisaging investing or who have invested, directly or indirectly, in any of our entities, businesses or assets, or by our potential or existing donators;
- To generate statistical data that, to the extent that anonymized data ceases to be
Unless permitted or required by the applicable laws, the Organization does not use Personal Information for other purposes
Surveyors that perform surveys on behalf of the Organization as part of the accreditation process may have access to the Personal Information in the custody or control of our clients. Surveyors do not collect any Personal Information, do not remove it offsite and do not disclose it to the Organization or any third party. The surveyors’ use of any Personal Information of the Organization’s clients is limited to the purposes of assessment and provision of recommendations by the surveyors to the Organization during the survey process. Personal Information that may be accessed by surveyors is further protected by contractual means.
We also use information collected from surveyors about themselves in order to enter into and manage the contractual relationship between the Organization and the surveyor.
How do we use your data for marketing?
We may, occasionally, send you information by electronic means (this includes email, telephone, text message (SMS) or automated calls about our products and services, competitions and special offers which may be of interest to you as well as appropriate for soliciting donations.
Other entities within our group or which we have selected carefully may also send you similar marketing messages, depending on what you agree with us or as appropriate.
We will also regularly send you information via email/SMS/other automated means to ask about your marketing preferences. We will also ask you to confirm whether you would like us and other businesses to send you marketing messages when you tick the relevant boxes when you, for instance, complete a survey or application online.
If you have consented to receive marketing from our group or other businesses, you can opt out at any time. See ‘Your Rights’ for further information.
What’s the legal basis for these uses under European Data Privacy Laws?
When European Data Privacy Laws apply and you are an individual in the EEA, we inform you that we are allowed to process your personal data on the following legal bases.
(i) Legitimate interests. We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in our interests. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. The following personal data processing activities are based on this ground:
contacting or verifying the authority of an individual representing an organisation in relation to the execution or performance of a
contract with that organisation and keeping exchanges with that individual as evidence in case of a possible dispute with that organisation;
- contacting or verifying the authority of an individual representing an organisation in relation to the execution or performance of a contract with that organisation and keeping exchanges with that individual as evidence in case of a possible dispute with that organisation;
- anonymising personal data for generating statistics that can be used for, amongst others, improving our products and services and our website;
- improving our products and services and our website when this cannot be done without first anonymising the data;
- providing information to debt or equity investors or donators in order to incite them to invest or donate or continue to do so;
presenting or communicating on our good or services or requests for donations when we do not need consent;
(ii) Contract. We are also permitted to process your personal data every time it is necessary for the entry into or the performance of the contract you have agreed to enter with us. If you do not provide the necessary personal data, we will not enter the contact for which it is necessary or we will not be able to carry out our obligations thereunder in case of personal data necessary for its performance.
(iii) Legal obligation. We are also permitted to process your personal data every time it is necessary for the purposes of complying with applicable regulatory, accounting and financial rules, health and safety and to make mandatory disclosures to government bodies and law enforcements.
(iv) Consent. Your consent may be asked for the presenting or communicating on our goods or services or requests for donations when this cannot be done on the sole basis of our legitimate interests, You can withdraw this consent at any time.
(v) Public interest or official authority. We are also permitted to process your personal data when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us by the relevant authorities, namely accreditation of health organisations when laid down by applicable EU or EEA country laws.
- Disclosure of Personal Information and Categories of Recipients of Personal Data
The Organization may disclose your Personal Information between its related entities, as well as to third party individuals or organizations who are our trusted partners, service providers, contractors or agents who assist us in delivering or performing our services, conducting our business, operating our website, doing marketing (as indicated above), so long as those parties agree to use, disclose and store the Personal Information disclosed to them solely for the purpose(s) such Personal Information was provided to them, and to otherwise keep your Personal Information confidential and have appropriate safeguards for the protection of the information.
Unless permitted or required by the applicable laws, the Organization does not disclose Personal Information for other purposes.
It is important that you note that if you are an employee, contractor, surveyor or consultant of a health services organization that is a client of the Organization, Personal Information you provide to the Organization as part of the accreditation process or use of other services provided by the Organization may be provided to and used by related companies of the Organization engaged by the Organization to provide such services, and/or contractors and consultants of the Organization and its affiliates for the purpose of allowing such persons and entities to perform and deliver such services to your organization.
Except as set out otherwise in this Policy, or except as you may permit from time to time in the manner set out herein, the Organization will not sell, exchange, transfer or give your Person Information to any other person or entity for any reason whatsoever.
Where Disclosure Can Be Made Without Consent
Please note that there are circumstances where the use and/or disclosure of Personal Information may be justified or permitted without your consent or where the Organization is obliged to disclose Your Personal Information without consent. Such circumstances may include, without limitation and subject to applicable laws:
- where use or disclosure of Personal Information is required by applicable law or by order or requirement of a court, administrative agency or governmental tribunal;
- where the Organization believes, upon reasonable grounds, that the use or disclosure of Personal Information is necessary to protect the rights, privacy, safety or property of an identifiable person or group;
- where the use or disclosure of Personal Information is necessary to permit the Organization to pursue available remedies or limit any damages that we may sustain;
- where the Personal Information is public as permitted by applicable law;
- where the use or disclosure of Personal Information is reasonable for the purposes of investigating a breach of an agreement, or actual or suspected illegal activity; or
- where the use or disclosure of Personal Information is necessary for the purpose of a prospective business transaction (including any equity or debt investment in our entities, businesses or assets) or donation if use or disclosure of such Personal Information is necessary to determine whether to proceed with the transaction or donation or to complete the transaction or donation, or a completed business transaction where the information is necessary to carry on the activity that was the object of the transaction;
- or where the disclosure is to an affiliate or a third-party service provider acting on our behalf
Where obliged or permitted to disclose Personal Information without consent, the Organization will not disclose more Personal Information than is necessary for the relevant purposes of such disclosure.
VI. Storage and Transfer of Personal Information
Hard copies of your Personal Information are stored by the Organization in Ontario, Canada. Electronic copies of your Personal Information are stored on servers and/or operated by or for the Organization in Ontario, Canada. Personal Information collected from or about you offline may also be stored in Canada.
However, in certain circumstances, unless prohibited by applicable privacy legislation, Personal Information may also be accessed, transferred and stored outside of Canada by the Organization’s contractors, service providers and affiliates. Where Personal Information is accessed, transferred or stored outside of Canada where privacy laws may offer different levels of protection from those in Canada, your Personal Information may be subject to access by and disclosure to law enforcement agencies under the applicable foreign legislation.
Individuals in the EEA are hereby informed that we may transfer and store their personal data in the EEA, Canada and other countries deemed to offer an adequate level protection according to the European Commission as well as the United States of America, provided that any recipient of personal data based in the United States of America adopted corporate binding rules or entered into a data transfer agreement containing clauses offering an adequate level protection according to the European Commission or benefits from the U.S. “Privacy Shield” accreditation.
VII. Protection of Personal Information
How Do We Protect Your Personal Information?
We employ a variety of physical, technical and organizational security measures to maintain the safety of Personal Information.
We offer the use of a secure server. All sensitive financial (e.g. credit card) information, any information provided via the Organization’s websites, Client Portal and Surveyor Portal is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway providers’ database, where it is only accessible by those authorized with special access rights to such systems, and who are required to keep the information confidential.
What Do We Do In Case Of A Security Breach?
A “breach of security safeguards” is defined as the loss of, unauthorized access to or unauthorized disclosure of Personal Information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards. In case of a breach of security safeguards involving Personal Information under the Organization’s control, we will notify you and the appropriate federal or provincial Privacy Commissioners in Canada if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to you, including physical, financial or reputational harm. We will also notify any other organization or government institution that can reduce the risk or mitigate the harm from the breach.
Individuals in the EEA are hereby informed that we will also comply with the documentation and notification requirements of articles 33 and 34 of the GDPR in case of a personal data breach as defined in the GDPR.
VIII. Cookies and Embedded Scripts
|Universal Analytics (Google)||_ga|
|These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.|
Read Google’s overview of privacy and safeguarding data (https://support.google.com/analytics/answer/6004245)
|maximum period of 2 years.|
|Web Analytics (ClickDimensions)||cusid|
|These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.||maximum period of 2 years.|
|DoubleClick||__ar_v4||This targeting/advertising helps with tracking conversion rates for ads.||1 day|
|We embed videos from our official YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode.|
Read more at YouTube’s embedding videos information page. (http://www.google.com/support/youtube/bin/answer.py?hl=en-GB&answer=171780)
|PREF – * Expires after eight months|
VSC – * expires at the end of your session
VISITOR_INFO1_LIVE – *expires after eight months
remote_sid – * expires at the end of your session
|Hotjar cookie||_hjClosedSurveyInvites||This cookie is set once a visitor interacts with a Survey invitation modal popup. It is used to ensure that the same invite does not re-appear if it has already been shown.||365 days|
|Hotjar cookie||_hjDonePolls||This cookie is set once a visitor completes a poll using the Feedback Poll widget. It is used to ensure that the same poll does not re-appear if it has already been filled in.||365 days|
|Hotjar cookie||_hjMinimizedPolls||This cookie is set once a visitor minimizes a Feedback Poll widget. It is used to ensure that the widget stays minimizes when the visitor navigates through your site.||365 days|
|Hotjar cookie||_hjDoneTestersWidgets||This cookie is set once a visitor submits their information in the Recruit User Testers widget. It is used to ensure that the same form does not re-appear if it has already been filled in.||365 days|
|Hotjar cookie||_hjMinimizedTestersWidgets||This cookie is set once a visitor minimizes a Recruit User Testers widget. It is used to ensure that the widget stays minimizes when the visitor navigates through your site.||365 days|
|Hotjar cookie||_hjIncludedInSample||This session cookie is set to let us know whether that visitor is included in the sample which is used to generate funnels.||365 days|
ii. Adjusting cookie settings on your browser: By default, most browsers will automatically accept cookies. However, you can disable cookies completely, or be prompted prior to a cookie being loaded, by adjusting your browser’s settings. Consult each individual browser’s “help” feature for more information.
Find out how to manage cookies on popular browsers:
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
We are planning to enhance our cookie tool to allow users to more easily change their cookie settings after their initial choice.
An embedded script is a programming code that is designed to collect information about your interactions with our website, such as information about the links on which you click. The code is temporarily downloaded onto your device from our web server or a third-party service provider. The code is active only while you are connected to our website, and is deactivated or deleted once you disconnect from the website.
IX. Access and Correction of Personal Information and other Rights
How Can You Access Or Correct Any Inaccuracies In Your Personal Information?
The Organization endeavors to ensure that all Personal Information provided by or about you and in its possession is accurate, current and complete as necessary for the purposes for which we use that Personal Information. If we become aware that Personal Information is inaccurate, incomplete or out of date, we will revise the Personal Information and, if necessary, use our best efforts to inform third party service providers or contractors which were provided with inaccurate information to enable those third parties to also correct their records.
The Organization permits the reasonable right of access and review of Personal Information held by us and will endeavour to provide the Personal Information in question within a reasonable time, generally no later than 30 days following the request subject to applicable law. To guard against fraudulent requests for access, we may require sufficient information to allow us to confirm that the person making the request is authorized to do so before granting access or making corrections.
We will provide copies of the Personal Information in our possession in a form that is easy to understand or in a summary form where appropriate. The Organization reserves the right not to change any Personal Information but will append any alternative text the individual concerned believes to be appropriate. The Organization will not charge you for verifying or correcting your information, however, to the extent permitted by applicable law, there may be a minimal charge imposed if you need a copy of records.
Rights of individuals in the EEA.
When European Data Privacy Laws apply and you are an individual in the EEA, we inform you that you have the rights set out below.
You may exercise these rights by contacting us at the email address indicated in this Policy. We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the European Data Protection Laws.
1 Right to object to processing of your personal data
You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so.
In particular, you can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:
- email, call or write to us (at Communications@healthstandards.org). You can also click on the ‘unsubscribe’ button at the bottom of the email newsletter. It may take up to 14 business days for this to take place.
- provide proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- provide us with details of your preferred method of contact (for example, you may be happy for us to contact you by email but not by telephone).
2 Right to access personal data relating to you
You may ask to see what personal data we hold about you and be provided with:
- a copy of the personal data;
- details of the purpose for which the personal data is being or is to be processed;
- details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are outside the EEA and what protections are used for those transfers;
- the period for which the personal data is held (or the criteria we use to determine how long it is held); and
- any information available about the source of that data.
To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.
3 Right to correct any mistakes in your information
As indicated above, you can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
4 Right to restrict processing of personal data
You may request that we stop processing your personal data temporarily if:
- you do not think that your data is accurate (we will start processing again once we have checked whether or not it is accurate);
- the processing is unlawful but you do not want us to erase your data;
- we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
- you have objected to processing because you believe that your interests should override our legitimate interests.
5 Right to data portability
You may ask for an electronic copy of your personal data which we hold electronically and which we process on the basis of a contract with you or with your consent.
6 Right to withdraw consent
You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.
7 Right to erasure
You can ask us to erase your personal data:
- should we not need your data anymore in order to process it for the purposes set out herein;
- if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
- if you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
- if your data has been processed unlawfully or have not been erased when it should have been.
8 Rights in relation to automated decision making
You have the right to have any decision that has been made by automated means and which produces legal effects or has a similar significant effect on you reviewed by a member of staff, it being noted that our processing activities do not fall in that category.
9 France only – directives for handling personal data after death
If you are in France, we inform you that you may write directives about the handling of your personal information after your death.
10 Complaints to a European supervisory authority
X. Retention of Personal Information
How Long Do We Retain Your Personal Information?
We keep your Personal Information only as long as we believe it is required to be used and kept in view of the reasons for which it was collected and purposes for which it will be used. The length of time we will retain Personal Information varies depending on the purpose(s) for which it was collected and the nature of the Personal Information. This period may extend beyond the end of your relationship or contract with us (or the relationship or contract of your organization with the Organization, or its affiliates and licensees, as applicable) but it will be only for so long as we believe it to be necessary for us to have sufficient Personal Information to respond to any issues that may arise at a later date.
Storage period of personal data of individuals in the EEA for processing activities falling within the scope of European Data Privacy Laws
The following provisions apply only to personal data of individuals in the EEA for processing activities falling within the scope of European Data Privacy Laws:
1 As regards customers, surveyors and other persons with whom we have a contractual relationship as well as their individual representatives, we will hold all personal information for so long as we are in a contractual relationship. We may then (i) archive the data up to one year after the applicable limitation period has expired or final settlement of any dispute whichever is last and (ii) keep contact details for the purposes of direct marketing for a period of up to 3 years after termination of the contract or last contact made by the relevant individual.
2 As regards prospects, we keep their contact details for the purposes of direct marketing for a period of up to 3 years after time of collection or last contact made by the relevant individual.
3 As regards website/app/email users who do not provide us with their contact details, we maintain a log during 18 months before anonymising the data; as regards expiration of cookies, please see above.
XI. Links to Other Websites
The Organization cannot and does not guarantee, represent or warrant that the content or information contained in such third-party websites and resources is accurate, legal, non-infringing or inoffensive. The Organization does not endorse the content or information of any third-party website or resource we cite and, further, the Organization does not warrant that such websites or resources will not contain viruses or other malicious code or will not otherwise affect your computer. By using any of the Organization’s systems or websites to search for or link to a third-party website, you agree and understand that the Organization shall not be responsible or liable, directly or indirectly, for any damages or losses caused or alleged to be caused by or in connection with the use of, or reliance on, the website of the Organization to obtain search results or to link to a third-party website.
XII. Resolving Your Privacy Concerns
In the event of questions about: (i) access to Personal Information; (ii) our collection, use, disclosure or storage of Personal Information; or (iii) this Policy; please contact the Organization’s Privacy Officer by sending an e-mail to Privacy@healthstandards.org.
The Organization will investigate all complaints and if a complaint is justified, we will take all reasonable steps to resolve the issue.
XIII. Changes to This Policy
If you do not agree to the terms of this Policy, you should exit the website, Client Portal, Partner Portal or Surveyor Portal, and cease use of all Organization services immediately, or contact the Organization to withdraw your consent where applicable. Your continued use of the Organization websites, any Organization Client Portal, Partner Portal, Surveyor Portal or the Organization services following the posting of any changes to this Policy means you agree to be bound by the terms of this Policy to the greatest extent permitted by law.
This Policy is drafted in English however we have provided translations of the Policy into other languages. To the extent of any conflict between the Policy in English and any version in another language, the English version shall prevail.
Effective Date: This Policy was last updated on May 25, 2018.