Accu-Chek SmartGuide App Privacy Notice

1. Controller Identity, Data Protection Officer, Contacts

The Accu-Chek SmartGuide app ("App") is operated by Roche Diabetes Care GmbH ("Roche" or "we"). In case of any questions or suggestions, you can contact us at:

Roche Diabetes Care GmbH
Sandhofer Strasse 116
68305 Mannheim, Germany
Tel: +49 (0) 621 / 759- 0
www.accu-chek.com

Register court: AG Mannheim HRB 720251
VAT Reg. (ID): DE 297138554

You may contact our data protection officer at [email protected].

2. How we use your personal data

Protecting your privacy is very important to us and we understand that information about your health is sensitive. We are committed to processing your personal data in compliance with applicable laws.

This Privacy Notice explains how we use any personal data we collect about you:

2.1. When you register for and use an account
2.2. When you use the App
2.3. If you consent to processing of your data for product improvement
2.4. If you communicate with us by telephone, e-mail or webforms
2.5. For statutory purposes
2.1 Register for and use an account

To use the App, you will first need to register for an account and then log into your account. We use accounts wherever we process sensitive data such as in particular your health related personal data. We also use accounts wherever we process your personal data with your consent. This is because accounts allow us to better protect your personal data in access-controlled systems and to establish your identity in order to obtain and manage your consents.

When you install the App and register for an account, we will collect your personal contact details, such as

and potentially other identifying information that you will see on the registration form. In addition, we will collect any optional data you fill out during registration (date of birth, gender, ZIP code, city). We will also process the health information that you provide to us as listed in section 2.2. We use this information to provide the App service for you and for troubleshooting purposes.

2.2 Use of the App

The App will process the following data in the course of providing the App services as described in the App terms and conditions:

All these data are associated with your account and will be stored locally on your mobile device and, as soon as you are online, within your account as backup. We use the data to provide the App service for you and for troubleshooting purposes. The legal basis for this data processing is your consent.

2.3 Consent to processing of your data for product improvement

If you provide us with an additional, optional product improvement consent, we and the mySugr GmbH, Vienna, Trattnerhof 1, Austria, will process your data beyond the necessary usage described in section 2.1 and 2.2 above to improve our products and services.

As a result of fast-moving technological progress, we and the mySugr GmbH have to continually analyze, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way and to improve and innovate our portfolio. To achieve this, we gather insights, detect patterns and develop predictive algorithms from patient and population health data. Such innovations will be used for decision support with the objective to further improve medical outcome and the quality of life of people with diabetes.

2.4 Communicate with us by telephone, e-mail or webforms

If you communicate with us by telephone, e-mail, webforms or similar, we will process your contact details and the personal data you give to us. We will process such data only to the extent required to answer your enquiry, and will delete the data when no longer required as evidence (normally three years).

2.5 For statutory purposes

As required for the establishment, exercise or defense of legal claims. We may process your personal data as required to prepare or protect against legal claims; including litigation, anti-fraud measures, and technical and organizational measures to protect our networks and technology against attacks. The legal basis for this data processing is Art 9 (2) f EU General Data Protection Regulation ("GDPR").

For research. We may process your personal data for scientific research purposes or statistical purposes in accordance with applicable law, provided it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard your fundamental rights and interests. As a rule, we will still ask for your consent when we would like you to participate e.g. in a study. The legal basis for this data processing is Art 9 (2) j GDPR in combination with applicable EU or EU member state law.

For regulatory purposes. As manufacturer, respectively distributor of the App, which qualifies as a medical device, we are subject to increased requirements for monitoring the functionality of the App. These regulatory monitoring and reporting requirements may also result in the processing of personal data. The legal basis for this data processing is Art 9 (2) i GDPR.

3.Analytics

Whenever possible, we analyze your data in anonymized form. In case analytics do not make sense on anonymized data and if you have provided us your optional consent under section 2.3, your data will be analyzed in pseudonymized form.

4.Security

Roche takes appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Besides, for the purposes of data security and minimization, Roche uses processes for the encryption and pseudonymization of personal data.

5.Who receives your personal data?

Roche shares your personal data with your consent and further as necessary in relation to the above purposes, as required by applicable laws, court orders, or government regulations. Roche uses affiliated companies and other third parties as providers and agents e.g. for IT systems operation, access management, and maintenance or to fulfill business transactions, such as providing customer services, or sending communications. In all these cases, access to unencrypted data is restricted to those who have a need to know. In addition, Roche has entered into data processing agreements in order to ensure that providers and agents process the personal data only on Roche’s behalf and subject to appropriate technical and organizational measures.

Roche will not sell or otherwise transfer your personal data to any third parties for their own use unless with your explicit consent.

6.Transfers to other countries

6.1 We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Data transmission within the EU and EEA is unobjectionable because the GDPR applies in all member states.

6.2 In exceptional circumstances, we appoint third-party suppliers who are located in or who have servers outside the EU. However, even in these cases your personal data is subject to a high protection level in line with the GDPR – either through an EU adequacy decision, which considers data protection in certain third-party countries to be appropriate (e.g. Switzerland, Israel, and New Zealand), or through certain standard contractual clauses approved by the EU, which the contractual relationships with our contracted data processors are based on, or through comparable legal instruments permitted under the GDPR. In any case, all Processors are subject to the obligations in this privacy notice.

6.3 In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions.

7.Storage and deletion

7.1 Your data is stored on your device and within your account on servers that meet GDPR requirements.

7.2 As a rule, we only store your personal data for the duration of you having an account. In exceptional cases, longer storage may be required in order to fulfill post-contractual obligations or to comply with statutory storage obligations or disclosure duties, or to assert, exercise, or defend legal claims (limitation periods).

8.Your Rights and how to exercise them

You may, in accordance with applicable data protection law,

If you have an account, you can exercise your rights by visiting your account and adjusting your privacy preferences, manage your consents, download and upload corrected data

If you do not have an account or have difficulties or other enquiries, please approach us or our data protection officer using the above contact details (see section 1 above).

If you are not satisfied with the way Roche handles your data or responds to your requests, you may also complain to a competent data protection authority in the country of your habitual residence.

9.Privacy of Children

Our App is intended to be used by people of at least 18 years of age. We do not knowingly collect any personally data from anyone we know to be a child without the prior, verifiable consent of his or her legal representative.

10.Updates to Privacy Notice

We keep this Privacy Notice under regular review and we will place any updates on the App. When we change any processing that is based on consent, we will ask you for a new consent.