Privacy Policy

Protecting your privacy and personal data is very important to us. Personal data that you provide are processed and protected by us in accordance with applicable legal regulations, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the "GDPR"). In the text below, you will find information on which personal data are processed, for what purpose, and what your rights are.

1. Who processes your personal data

The company DCVT s.r.o., a limited liability company established under the laws of the Slovak Republic, with its registered seat at Panenská 18, 811 03 Bratislava – Staré Mesto, Slovak Republic, Company ID: 54 840 937, registered in Commercial Registry of Municipal Court Bratislava III, Sec. Sro, Insert Nr. 163703/B is the operator of the application called MELIOVIT designed for computers and mobile devices, in particular smartphones, which provides the information for the subjects of clinical trials and facilitates the delivery of investigational medicinal products and non-medicinal products from hubs (sites or other designated points) to the subjects of clinical trials (hereinafter referred to as "the Application") and the controller of the personal data of users obtained through the Application (hereinafter referred to as "the Controller").

2. Which data we process

The Controller processes personal data of the following categories of data subjects:

  1. users of the Application – subjects of clinical trials
  2. investigators and other medical personnel at the site
  3. hub operators at the hub

(A) In relation to the users of the Application (subjects of clinical trials), the Controller processes only the contact information: name, surname, address, phone number and e-mail address and the information on scheduled appointments, if available. No personal health information is being processed by the Controller. The Controller does not process special categories of personal data within the meaning of Article 9 of the GDPR.

(B) In relation to the investigators and other medical personnel at the site, Controller processes: name, surname, address of the workplace (site), phone number and e-mail address.

(C) In relation to the hub operators at the hub, Controller processes: name, surname, address of the workplace (hub), phone number and e-mail address.

3. For what purposes we process the data

(A) The purpose of processing users' personal data is to register in the Application, to enable the delivery of investigational medicinal products and non-medicinal products from hubs to the user of the Application (subject of the clinical trial) without the need of the site visit, to provide the user of the Application with information on the clinical trial he or she participates in, possibly including scheduled medical appointments, and to handle requests from data subjects in accordance with the GDPR.

(B) The purpose of processing personal data of investigators and/or other medical personnel is to provide the users of the Application with contact information to the site for obtaining further information and answers to their as well as to send relevant delivery process notifications to investigators and/or other medical personnel.

(C) The purpose of processing personal data of hub operators is to provide the users of the Application with a means of notifying these hub operators of any delivery process changes and updates.

4. What is the legal basis for the processing of personal data

The legal basis for the processing of your personal data is:

  1. the performance of a contract pursuant to Article 6(1)(b) of the GDPR, which is the procurement of the delivery of investigational medicinal products and non-medicinal products from hubs to the user of the Application (subject of the clinical trial) without the need of the site visit,
  2. legitimate interests pursuant to Article 6(1)(f) of the GDPR, which are, in particular, to improve the service, to improve the functionality of the Application and to prevent misuse of the Application or use of the Application in breach of the Terms of Use.

5. How we protect your data

To protect your data against unauthorized access or manipulation, we have taken the necessary technical and organizational measures. These measures include the necessary software and hardware security, including firewall protection, data encryption, and restricted private key access only by authorized persons. These security measures are regularly tailored and continuously optimized to keep up with the latest technological developments.

6. Storage Period

Your personal data is stored only for as long as necessary to fulfil the purpose of processing personal data:

  1. in the case of personal data processed for the purpose of registration in the Application, the personal data is stored for the period of the user's registration in the Application and is subsequently deleted without delay, unless the same personal data is also processed for another purpose at the same time,
  2. in the case of personal data processed for the purpose of concluding contracts as defined in Sec. 4 a) of this Article Information for the period necessary to fulfil the purpose (procurement of the delivery) and subsequently they are registered in the user's account for the duration of the user's account, including through the user's delivery history,
  3. in the case of personal data of investigators and other medical personnel the personal data is stored for the period for which the institution they work at is registered as clinical trial site, or until their employment or other similar relationship with this institution terminates, whichever occurs first,
  4. in the case of personal data of hub operators the personal data is stored for the period for which the institution they work at is registered as clinical trial shipments hub, or until their employment or other similar relationship with this institution terminates, whichever occurs first,
  5. in the case of personal data processed for the purpose of processing and registering requests from data subjects to exercise their rights under the GDPR, the personal data shall be stored for a maximum period of one year from the date of processing the request and shall be deleted thereafter.

Please note that the storage period of your data within the clinical trial you participate in (either as the subject, investigator or hub operator) can be different and is not affected by the use of the Application.

Information on the existence of automated decision-making, including profiling: Your personal data shall not be used for automated decision-making or profiling.

7. Recipients of personal data

  1. The Controller provides personal data of the user of the Application only to the hub operators procuring the delivery of investigational medicinal products and non-medicinal products from hubs to the user of the Application and to the courier company providing the delivery. The hub operators and courier company will have access to the personal data necessary for the performing of these activities but may not use them for any other purpose and they are required to process such personal data in accordance with applicable legal regulations. Personal data of the Application users shall not be disclosed to any other person.
  2. The Controller provides personal data of the investigators to the Application users (clinical trial subjects), to the hub operators procuring the delivery of investigational medicinal products and non-medicinal products from hubs to the user of the Application and to the courier company providing the delivery. The hub operators and courier company will have access to the personal data necessary for the performing of these activities but may not use them for any other purpose and they are required to process such personal data in accordance with applicable legal regulations.

8. Cross-border transfer of personal data

Your personal data is processed primarily in the member states of the European Union. The data processing shall take place in more than one EU member state.

The Controller does not intend to transfer your personal data to a third country or international organisation. However, the Controller may, if necessary, transfer personal data to a third country or an international organisation on the basis of adequacy decisions in accordance with Article 45 of the GDPR, or after taking appropriate safeguards in accordance with Article 46 of the GDPR and provided that the data subjects have enforceable rights and effective legal remedies, or in the case of exceptions under Article 49 of the GDPR. In the event of a transfer of personal data to third countries or to an international organisation, the Controller is obliged to inform the data subject thereof.

9. Cross-border transfer of personal data

When using the Application, the Controller collects technical data from users, namely:

  1. the type and model of the mobile device,
  2. the mobile device's unique identifier uuid,
  3. identification of the mobile device's operating system,
  4. a push token for sending push notifications,
  5. information about the use of the app.

The technical data collected may be considered as personal data of users. The purpose of processing technical data is to ensure the functionality of the Application, to improve the functionality of the Application, to check compliance with the Terms of Use of the Application, to obtain data for further development of the Application, to obtain data on the use of the Application and to protect against misuse of the Application. The legal basis for the processing is Controller's legitimate interests in accordance with Article 6(1)(f) of the GDPR, which are to ensure the functionality of the Application, to improve the functionalities of the Application, to check compliance with the terms of use of the Application, to obtain data for the further development of the GDPR, to obtain data on the use of the Application and to protect against misuse of the Application. Special categories of personal data within the meaning of Article 9 of the GDPR are not subject to processing.

Personal data is provided to companies that provide push notifications (Firebase) and email and sms notifications (Amazon Web Services).

The user is entitled to block the sending of push notifications at any time on his/her mobile device, however, the User acknowledges that some functions and notifications may be fully or partially restricted.

10. What are your rights vis-a-vis the Controller

You as the data subject have the following rights in relation to the processing of your personal data:

Right of access to personal data

Upon request, you have the right to obtain confirmation from the Controller as to whether personal data about you are being processed. Where that is the case, you have the right to request copies of your personal data and to information related to the processing.

Right to the rectification of personal data

Should you consider your personal data at our disposal are incorrect, inaccurate or incomplete, please, do not hesitate to ask us to amend, update or complete such information.

Right to erasure of personal data

You have the right to request erasure of your personal data, e.g. if the obtained personal data are no longer necessary for the original purpose of their processing. However, your right to erasure shall be assessed according to all relevant circumstances. For instance, we may have some legal and regulatory obligations concerning your personal data, which means we may not be able to satisfy your request.

Right to restriction of processing

You have the right to demand from the Controller the restriction of the processing of your personal data in certain cases, e.g. if you have doubts about the correctness of your personal data or if you believe we no longer need to use your personal data.

Right to personal data portability

In certain cases, you have the right to request the transfer of personal data you provided to us to a third party of your choice. However, the right to transfer relates only to those personal data which we have obtained based on your consent or based on the contract you are a party to.

Right to object

You have the right to object to the processing of personal data which is based on our legitimate interests. If we have no substantial legitimate reason for processing of personal data and you make an objection, we will no longer process your personal data.

Right to lodge a complaint

If you consider that we have breached data protection legislation, you may lodge a complaint with the respective supervisory authority in your country: https://edpb.europa.eu/about-edpb/about-edpb/members_en

11. How to contact us

If you have any queries regarding the collection and use of your data as part of your use of the Application, or regarding your rights or if you wish to invoke your rights, please contact our Data Protection Officer (DPO):

Goran Unkovski; DCVT s.r.o., Panenská 18, 811 03 Bratislava – Staré Mesto, Slovak Republic; contact@meliovit.com