The MEDICINEONE GROUP is committed to ensuring confidentiality and privacy in the collection and processing of data from its Clients, Employees, Suppliers, and Users, in compliance with its obligations under the General Data Protection Regulation (GDPR) – EU Regulation 2016/679 of the European Parliament and Council – and other current data protection laws. To that end, this Privacy Policy has been established.

  1. Policy Purpose

This Privacy and Data Protection Policy is implemented to demonstrate our commitment to privacy and respect for data protection rules in force under European law, and represents the commitment of MEDICINEONE leadership to comply with the principles of data processing and rights of the holders, as stated in Reg. (EU) 2016/679, General Data Protection Regulation (hereinafter referred to as “GDPR”), and in Law No. 58/2019, of 8 August, which ensures the implementation of the above-mentioned regulation in the Portuguese context.

  2. Policy Scope

2.1. This document applies to all companies within the MEDICINEONE GROUP – MedicineOne SGPS, Legattus Unipessoal Lda., and MedicineOne S.A. – hereafter referred to as MEDICINEONE.

2.2. This policy applies to the processing of all personal data of natural persons, being considered as personal data the following:

  • “any information, of any nature and independently of the respective support, including sound and image, related to an identified or identifiable natural person”;
  • “(…) information relating to an identified or identifiable natural person («data subject»)”, given that “(…) an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (Article 4, GDPR).

2.3. According to article 2 of the GDPR, this Policy applies “(…) to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” conducted within the Portuguese territory, as well as outside this context (Art. 2, Law No. 58/2019), either by public or private entit

  3. Data processing scope and purpose

3.1. This Privacy Policy applies to all personal data processing performed by MEDICINEONE, such as:

  • Registration on the platforms by completing the respective forms;
  • Implementation of the Contract for use, including the platform use, invoicing, satisfaction questionnaires, and communication with customers;
  • Statistical analysis;
  • Processing information/support requests and complaints;
  • Marketing, through newsletters on promotional campaigns or new functionalities;

2.3. The processing of the information collected is intended to ensure the highest levels of excellence in customer services and to continuously improve the ability to meet the public needs.

2.4. The data collected through website forms is intended for the processing of user requests and will not be used for any other processing. If you do not allow the processing of your data, we will not be able to accept your registration.

  4. Responsibilities

4.1. This Privacy Policy establishes obligations for the following recipients:

  • (a) All employees of MEDICINEONE, who are responsible for complying with the defined rules and for reporting to the DPO any irregularities or violations of this Policy and of data protection.
  • (b) Data Protection Officer at MEDICINEONE, responsible for the definition and implementation of this Policy, and for ensuring, among other aspects, compliance of data processing with the legislation in force and verification of compliance with this Data Protection Policy.

It is also the responsibility of the DPO to collaborate with the National Commission for Data Protection (Comissão Nacional de Proteção de Dados, [CNPD]) “(…) at its request, in the pursuit of its duties.”, mainly on issues related to the processing of information that the company has in its possession and that is considered sensitive.

  • (c) Board of Directors of MEDICINEONE, responsible for complying with the principles of data processing and rights of the holders, as stated in Reg. (EU) 2016/679, General Data Protection Regulation (hereinafter referred to as “GDPR”), and in Law No. 58/2019, of 8 August, which ensures the implementation of the above-mentioned regulation in the Portuguese context.

  5. Definitions

a) Personal Data: Any information relating to an identified or identifiable individual; an individual is identifiable if they can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an ID number, location data, electronic identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

b) Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data uniquely identifying a person, health data, or data concerning sexual orientation.

c) Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, comparison, restriction, erasure, or destruction.

d) Data Controller: A person or entity who, alone or jointly with others, determines the purposes and means of personal data processing.

e) Personal Data Breach: A security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

f) Processor: A person or entity that processes personal data on behalf of the data controller.

g) Third Party: Any person or entity other than the data subject, data controller, processor, and those authorized by the data controller or processor to process personal data.

h) Supervisory Authority: Independent public authority established by a Member State.

i) CNPD: National Data Protection Commission.

  6. Data Collection and Processing

6.1. In the context of MEDICINEONE employees’ duties, data collection, recording, organization, storage, usage, and consultation of personal data occurs. Additional operations defined as “personal data processing” under the GDPR may also occur.

6.2. Collected data includes information related to employees, suppliers, clients, MyM1 solution users, and users accessing the MEDICINEONE website or other promotional pages.

6.3. MEDICINEONE provides data subjects with detailed information on the nature, purpose, and processing of the personal data collected, as well as information regarding data access rights.

6.4. MEDICINEONE collects personal data of customers through:

  • Completion of registration forms on the respective websites;
  • Completion of forms/templates, regarding requests of contacts, support services, on MEDICINEONE websites;
  • Demonstration requests;
  • Filing a complaint via email or telephone;
  • Communications via email, telephone or platform;

6.5. MEDICINEONE assumes that the data collected was submitted or made available by its respective holder and that its inclusion was authorised by him/her, being considered as true and accurate.

6.6. Holders of personal data shall be informed if the collection thereof constitutes a legal or a contractual obligation, or a necessary requirement to conclude a contract, as well as whether the holder is committed to provide personal data and the consequences of not providing that data.

6.7. It should also be highlighted that only data strictly necessary for the provision of the services concerned will be collected and requested according to the explicit information on the platform and the user's options.

6.8. MEDICINEONE may collect and enter personal data of customers in an automated database with the aim of conducting activities included within the scope of its collection and processing.

  7. Subcontracted Entities

7.1. MEDICINEONE may use third-party entities, subcontracted to process personal data on its behalf, strictly in compliance with the law and this Privacy Policy.

7.2. These subcontractors may not transfer data to others without prior, written authorization from MEDICINEONE and are prohibited from contracting other entities without prior consent.

7.3. MEDICINEONE commits to subcontract only entities providing adequate technical and organizational security measures.

7.4. At the time of personal data collection, MEDICINEONE provides data subjects with information about the categories of subcontracted entities that, in specific cases, may process data on behalf of MEDICINEONE.

  8. General Principles for Data Processing

8.1. In terms of general principles regarding the processing of personal data, MEDICINEONE is committed to ensuring that the data it collects and processes is:

a) Processed lawfully, fairly, and transparently with respect to the data subject;

b) Collected for specific, explicit, and legitimate purposes, and not further processed in a way that is incompatible with those purposes;

c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;

d) Accurate and, where necessary, kept up-to-date, with all appropriate measures taken to ensure that inaccurate data, in light of the purposes for which it is processed, is deleted or rectified without delay;

e) Retained in a form that permits identification of the data subject only for as long as necessary for the purposes for which the data is processed;

f) Processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, with appropriate technical or organizational measures in place.

  9. Lawfulness of Data Processing

9.1. The data processing carried out by MEDICINEONE is based on at least one of the following conditions:

a) The data subject has given explicit consent for the processing of their personal data for one or more specific purposes;

b) Processing is necessary for the performance of a contract to which the data subject is a party, or to take pre-contractual steps at the request of the data subject;

c) Processing is necessary for compliance with a legal obligation to which MEDICINEONE is subject;

d) Processing is necessary to protect the vital interests of the data subject or another natural person;

e) Processing is necessary for the purposes of the legitimate interests pursued by MEDICINEONE or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data).

9.2. MEDICINEONE is committed to ensuring that the processing of the data subject’s data is carried out only under the conditions listed above and in compliance with the general principles outlined in clause 7.

9.3. When data processing is carried out by MEDICINEONE based on the data subject’s consent, the data subject has the right to withdraw their consent at any time.

9.4. The withdrawal of consent, however, does not compromise the legality of the processing carried out by MEDICINEONE based on the consent previously provided by the data subject.

9.5. The retention period for the data varies according to the purpose for which the information is processed, particularly for compliance with legal requirements that mandate the retention of data for a minimum period.

9.6. For processing activities without a specific legal requirement, data will be stored and retained only for the minimum period necessary for the purposes that justified its collection or subsequent processing, after which it will be deleted or irreversibly anonymized.

  10. Data Use and Purposes

10.1. MEDICINEONE uses the data of the data subject for the following purposes:

a) Actions necessary for the execution of supply contracts for the software and solutions it develops, namely for invoicing and billing;

b) Compliance with obligations toward regulatory entities such as SPMS (for CLP requests, ACC activation);

c) Support and maintenance for users of products/solutions;

d) Responding to inquiries following direct contact by users of the products/solutions;

e) Marketing, for the promotion of services and products.

10.2. The data collected by MEDICINEONE is not shared with third parties without the data subject’s consent, except in the situations outlined in the following paragraph.

10.3. For services that must be activated with the Regulatory Entity – Shared Services of the Ministry of Health – such as:

(i) Electronic Prescription of Medicines

(ii) Complementary Means of Diagnosis and Examination

(iii) Certificates for Driver’s License,

the data of the data subject may be accessed or communicated to these entities as necessary for the provision of these services and as required by the regulations imposed by the regulator for this purpose.

10.4. In accordance with applicable law, MEDICINEONE may transmit or communicate the data of the data subject to other entities if such transmission or communication is necessary for the execution of the contract established between the data subject and MEDICINEONE, for pre-contractual steps at the request of the data subject, for compliance with a legal obligation to which MEDICINEONE is subject, or if necessary to pursue legitimate interests of MEDICINEONE or a third party.

10.5. When data is transmitted to third parties, reasonable efforts will be made to ensure that the recipient uses the data in a manner consistent with this Privacy and Data Protection Policy.

  11. Technical and Organizational Security Measures

11.1. MEDICINEONE treats personal data with the highest confidentiality, following internal policies and security procedures updated periodically, and adopting all technical and organisational measures required to protect the personal data entrusted to it, in accordance with Art. 35 of the Constitution of the Portuguese Republic, the General Data Protection Regulation 2016/679, of 27/04/2016 and with the implementation of this regulation in the Portuguese territory, through Law No. 58/2019, of 8 August.

11.2. Depending on the nature, scope, context and purpose of the data processing, as well as the risks to the data subject’s rights and freedoms that arise from said processing, MEDICINEONE commits to implement all the technical and organizational measures necessary to comply with the relevant data protection legislation.

11.3. Furthermore, MEDICINEONE is also committed to processing only the necessary personal data required for each specific processing purpose and that such data is not made available to anyone who should not have access to it.

11.4. In general, MEDICINEONE may adopt the following technical and organizational measures:

(i) Pseudonymization and encryption of personal data, when applicable

(ii) Mechanisms to ensure the permanent confidentiality, integrity, availability and resilience of information systems;

(iii) Mechanisms to restore the availability of information systems and access to personal data in a timely manner in the event of a physical or technical incident;

(iv) Regular testing to assess the effectiveness of the technical and organizational measures implemented.

(v) Use of information encryption mechanisms, both in its storage and its transmission, based on secure protocols and algorithms;

(vi) Personal or confidential data collection forms require the use of encrypted connections;

(vii) Adoption of physical and logical security measures that we believe are essential for the protection of personal data of our customers, at the level of the physical infrastructure provided by the DataCenter used to store the information managed by MEDICINEONE.

11.5. MEDICINEONE will make its best efforts to ensure and maintain in operation all technical and organizational measures at its disposal to prevent the loss, misuse, alteration, unauthorized access, and misappropriation of personal data. MEDICINEONE makes its best efforts so that the Website does not carry any type of virus or other malicious software to your computer or mobile device. Without prejudice to the foregoing, since MEDICINEONE is unable to fully control the flow of information over the Internet, it is not possible to guarantee that it does not contain any type of virus or other elements that could damage your device; we strongly recommend keeping operating systems up to date and using protection software such as antivirus or, where applicable, a firewall.

11.6. MEDICINEONE declines any responsibility for damages suffered by Users caused or not by third parties, including loss or damage of data, resulting from the use of materials, contents or information provided, in any way, by MEDICINEONE.

11.7. Users of MEDICINEONE platforms are responsible for maintaining access and codes in a personal and non-transferable manner, in order to avoid unintended access by third parties. MEDICINEONE must be immediately informed in case of any unlawful behaviour or access violation involving your customer session.

11.8. The full content of our systems is owned by MEDICINEONE, which holds the copyright and industrial property rights over the same, with the exception of contents provided by advertisers or business partners who are identified as such.

11.9. In the event of a security failure, MEDICINEONE leadership, together with the DPO, will inform the national supervisory authority (Article 51 GDPR) and will request support from this authority to minimize the damages arising from the breach.

  12. Data Transfer

12.1. MEDICINEONE may transmit your personal data to third parties, provided that:

a) It has the unequivocal consent of users;

b) As the result of the compliance with a legal obligation, or by a decision of the National Commission for Data Protection (Comissão Nacional de Proteção de Dados [CNPD]), or a court order;

c) It is required for the protection of vital interests of users or any other legitimate purpose provided by the legislation, in which case the user will be duly informed, giving him/her the identity of the recipients and the purpose of the processing of the transferred data.

12.2. Only duly authorised users, defined in accordance with the principles of need to know and least privilege, will be able to access the resources and information available in the applications managed or developed by MEDICINEONE.

12.3. The user is only authorised to use the contents of our application solely and exclusively for the intended purposes, and it is expressly prohibited to reproduce, publish, publicly disclose, distribute or, by any means, make the contents accessible to third parties, for purposes of public communication or marketing, being further prohibited to make any alteration to the contents.

12.4. It is expressly forbidden to the user to create or introduce in our application any type of virus or programs that may damage or contaminate it, or advise third parties to do so.

12.5. MEDICINEONE ensures the deletion of data, once it is no longer required in legal, financial and accounting terms.

13. Data Subject Rights

Data Subjects have the rights outlined in the following points:

13.1. Right to Information

Data Subjects have the right to request and receive pertinent information regarding the processing of personal data carried out by MEDICINEONE.

For this purpose, the data subject should consult the present Privacy and Data Protection Policy or, in case of doubt, contact the Data Protection Officer through the following means, and in both cases, proof of identity must be provided:

a) By letter to:

IPND, Edf. D, MedicineOne S.A
Rua Pedro Nunes, Qta da Nora
3030-199 Coimbra

b) By email to:

juridico@medicineone.net
si@medicineone.net

13.2. Right of Access to Personal Data

13.2.1 MEDICINEONE guarantees means to allow the data subject access to their personal data.

13.2.2 The data subject has the right to obtain confirmation from MEDICINEONE as to whether or not their personal data is being processed and, if so, the right to access their personal data and the following information:

a) The purposes of data processing;
b) The categories of personal data in question;
c) The recipients or categories of recipients to whom the personal data has been or will be disclosed, including recipients established in third countries or belonging to international organizations;
d) Where possible, the expected retention period of the personal data;
e) The existence of the right to request from MEDICINEONE the rectification, erasure, or restriction of processing of personal data, or the right to object to such processing;
f) The right to lodge a complaint with the CNPD or another supervisory authority;
g) If the data was not collected from the data subject, available information about the origin of the data;
h) The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and expected consequences of such processing for the data subject;
i) The right to be informed about the appropriate safeguards associated with the transfer of data to third countries outside the EU or to international organizations.

13.3. Right to Rectification of Personal Data

The data subject has the right to request, at any time, the rectification of their personal data and, likewise, the right to have incomplete personal data completed, including by means of an additional statement.

13.4. Right to Erasure of Personal Data (“Right to be Forgotten”)

13.4.1 The data subject has the right to obtain the erasure of their data by MEDICINEONE when one of the following reasons applies:

a) The data is no longer necessary for the purpose for which it was collected or processed;
b) The data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
c) The data subject objects to the processing under the right to object, and there are no overriding legitimate grounds justifying the processing;
d) The data has been unlawfully processed;
e) The data must be erased for compliance with a legal obligation to which MEDICINEONE is subject.

13.4.2 Under applicable legal terms, MEDICINEONE is not required to erase the data of the data subject insofar as processing is necessary for compliance with a legal obligation to which MEDICINEONE is subject or for the establishment, exercise, or defense of legal claims by MEDICINEONE in a judicial process.

13.4.3 If MEDICINEONE has made the data subject’s data public and is obliged to erase it under the right to erasure, MEDICINEONE commits to taking reasonable steps, including technical measures, considering available technology and the cost of implementation, to inform other controllers processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, that personal data.

13.5. Right to Restriction of Processing of Personal Data

The data subject has the right to obtain from MEDICINEONE a restriction on the processing of their data if one of the following situations applies (restriction may consist of marking the stored personal data to limit future processing):

a) If the accuracy of the personal data is contested, for a period enabling MEDICINEONE to verify its accuracy;
b) If processing is unlawful, and the data subject opposes the erasure of the data, requesting instead the restriction of its use;
c) If MEDICINEONE no longer needs the data for processing purposes, but it is required by the data subject for the establishment, exercise, or defense of legal claims;
d) If the data subject has objected to the processing, pending verification that MEDICINEONE’s legitimate grounds override those of the data subject.

When the data of the data subject is subject to restriction, it may only be processed, aside from storage, with the consent of the data subject or for the establishment, exercise, or defense of legal claims, the protection of the rights of another natural or legal person, or for reasons of important public interest as defined by law.

13.6. Right to Data Portability

13.6.1 The data subject has the right to receive the personal data concerning them, which they have provided to MEDICINEONE, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller if:

a) The processing is based on consent or on a contract to which the data subject is a party;
b) The processing is carried out by automated means.

13.6.2 The right to data portability does not include inferred or derived data, i.e., personal data generated by MEDICINEONE as a consequence or result of the analysis of data being processed.

13.6.3 The data subject has the right to have the personal data transmitted directly between controllers where technically feasible.

13.7. Right to Object to Processing

13.7.1 The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on the legitimate interests pursued by MEDICINEONE or where processing is conducted for purposes other than those for which the personal data was collected, including profiling or statistical purposes.

13.7.2 MEDICINEONE will cease processing the data of the data subject unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims by MEDICINEONE.

13.7.3 When data is processed for direct marketing purposes, the data subject has the right to object at any time to processing for such marketing, including profiling to the extent it is related to direct marketing. If the data subject objects to processing for direct marketing, MEDICINEONE will immediately cease processing for this purpose.

13.7.4 The data subject also has the right not to be subject to any decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, unless the decision:

a) Is necessary for entering into or the performance of a contract between the data subject and MEDICINEONE;
b) Is authorized by law to which MEDICINEONE is subject;
c) Is based on the explicit consent of the data subject.

13.8. Procedures for Exercising Data Subject Rights

13.8.1 MEDICINEONE will respond in writing (including by electronic means) to requests from data subjects.

13.8.2 If the data subject’s requests are manifestly unfounded or excessive, particularly due to their repetitive nature, MEDICINEONE reserves the right to charge administrative fees or refuse to act on the request.

  14. Personal Data Breaches

14.1. MEDICINEONE will notify data subjects of any breach posing a high risk to their rights without undue delay.

14.2. Under legal terms, communication to the data subject is not required in the following cases:

a) When MEDICINEONE has applied appropriate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the breach, particularly measures that render the personal data incomprehensible to any unauthorized person accessing them, such as encryption;

b) When MEDICINEONE has taken subsequent measures to ensure that the high risk to the data subject’s rights and freedoms is no longer likely to materialize;

c) When communication to the data subject would require disproportionate effort on the part of MEDICINEONE.

14.1. In the event of a data breach, MEDICINEONE leadership, together with the DPO, will inform the national supervisory authority (Article 51 GDPR) and will request support from this authority to minimize the damages arising from the breach.

  15. Cookies

15.1. MEDICINEONE websites use cookies to analyse customers’ behaviour, to manage the site and to collect information about users, with the aim of customising and enhancing your experience with us.

15.2. A cookie is a small text file stored on your computer or mobile devices. Cookies store information that is used to help Web sites work. We can only access the cookies created by our site. You can control cookies at the browser level. Disabling cookies may prevent the use of certain functions.

15.3. We use cookies for the following purposes:

  • Essential cookies – they are necessary to allow the use of some important features of our website, such as login. These cookies do not collect any personal data.
  • Functionality cookies – they provide functions that enhance the use of our website and enable the provision of custom features. For example, they can remember your name and email in forms.
  • Analytical cookies – they are used to monitor the use and performance of our website and services.
  • Session cookies – these are temporary cookies that remain in your internet browser until you leave the website. The information obtained makes it possible to identify problems and to provide a better browser experience.

15.4. Users can set their browser to refuse cookies; however, in this case, the website or parts of it may not function properly.

  16. Privacy Policy Amendments

16.1. MEDICINEONE reserves the right to amend this Privacy Policy to comply with new legislation and commits to update and disclose changes on its websites that alter the consent previously agreed, being at their discretion the continuity of the contract.

16.2. If substantial changes are made to this policy, customers will be notified by e-mail or through a notice on our website.

  17. Privacy Policy Acceptance

17.1. The use of this system implies your consent and acceptance of the terms of our Privacy Policy. In the event of any dispute related to the terms and conditions of use, the Portuguese law will be applicable.

17.2. The collection and processing of personal data shall be carried out in accordance with the legislation applicable and in force, and in line with the guidelines of the National Commission for Data Protection (Comissão Nacional de Proteção de Dados, [CNPD]).

17.3. Any issue regarding the collection and processing of data of MEDICINEONE customers will be governed by the legislation in force.

17.4. To learn more about how MEDICINEONE processes your personal data, or to clarify any question, submit a complaint or a comment about this Privacy Policy, please contact us through the contact mentioned below.

  18. DPO Contacts

MEDICINEONE is the entity responsible for collecting and processing your personal data for the purposes aforementioned in this privacy policy.

Address: Rua Eng. Jorge Anjinhos, Lote 8, n.º 115, 3030-482 Coimbra

E-mail: juridico@medicineone.net