OÜ Antegenes (“Antegenes”, “We”, “Service Provider”) values transparent and reliable handling of personal data. This document describes the principles of our data policy and provides an overview of the nature of collected data, the bases for processing, storage and security measures, as well as the rights of the persons involved.
The most important legal acts, which form the basis of personal data processing in Antegenes are the Health Care Services Organization Act, the Health Insurance Act, the Medicinal Products Act, the Personal Data Protection Act and the GDPR.
1.1 Antegenes” / “We” / “Service Provider” – OÜ Antegenes (registry code 14489312), Raatuse 77, Tartu, 50603, Estonia. Healthcare service provider in Estonia (EU) for outpatient medical genetics, outpatient oncology services and laboratory services (activity licenses L04685 and L04683) registered by the Estonian Health Board.
1.2 “GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation).
1.3 “Personal Data” – Any information relating to an identified or identifiable person (“Data Subject”) who can be identified, directly or indirectly, including special categories of personal data. Personal data includes identifier attributes such as name, personal identification number, location information, network identifier or also data usable to link to a specific person based on physical, physiological, genetic, mental, economic, cultural or social characteristics.
1.4 “Special Categories of Personal Data” – also known as sensitive personal data is data revealing person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, biometric data used for the unique identification of a person (fingerprints, palmprints and physical images) or sexual orientation. For Antegenes service provision, the most important Special Categories of Personal Data are health and genetic data.
1.5 “Healthcare Service” – The activities of a healthcare professional to prevent, diagnose and treat an illness, injury or poisoning with an aim of alleviating a person’s ailments, preventing their deterioration or worsening of their illness and restoring their health.
1.6. “Service” – Healthcare or any other services provided by Antegenes (e.g., genetic risk testing, genetic consultation or user management in the Information System) and products.
1.7 “Applicable law” – All applicable legislation of the European Union and all applicable legislation of the Republic of Estonia, including, but not limited to, the Personal Data Protection Act or other domestic implementing legislation of the GDPR and legislation regulating the provision of healthcare services.
1.8 “Data Subject” / “Customer” / “Patient” – A natural person who addresses, has approached or is directed to Antegenes for any Services.
1.9 “Processing” – An automated or non-automated operation or a set of operations done on personal data, such as collecting, documenting, organizing, structuring, storing, adapting, modifying, inquiring, reading, using, transmitting, distributing, merging, restricting, deleting or destroying the data.
1.10 “Data Controller” – A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of data processing. For the purposes of these Privacy Terms, the Data Controller of Personal Data and Special Categories of Personal Data is Antegenes.
1.11 „Data Processor” – Any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller.
1.12 “Partner” – A natural or legal person who resells or offers the Services provided by us and is, in accordance with applicable agreements, either the Data Controller or the Data Processor involved in the provision of services.
1.13 “Information System” – Antegenes’ Personal Data Management Information Register and related user environment MyAntegenes
2. General Settings
2.1 Antegenes provides a variety of health care and other types of services. Antegenes processes Personal Data to provide these services.
2.5 Antegenes ensures the processing of Personal Data is in accordance with the Applicable Law.
2.6 During order processing, the parties participating in the service do not incur any financial obligations other than those specified in the Antegenes Terms and Conditions of Service and the agreed price list on which the service is based.
2.7 Antegenes’ quality management system is ISO13485 certified. Antegenes follows procedures, guidelines and approaches to data processing described therein to ensure the quality and control of the services provided.
2.8 This policy may be periodically updated. To stay aware of any changes to this Policy, we recommend visiting the site from time to time. Any modifications to the Policy will be made available through this site with indicated of the latest revision.
3. When and for what purposes Antegenes processes Personal Data?
3.1 The purpose of personal data processing is to support the provision of services, the main purpose of which is to support the evaluation of the genetic risks of various types of tumors and other complex diseases, and to support specific follow-up actions based on their results.
3.2 The Data Subject will be asked for separate permission in the voluntary consent form(s), which can be filled in electronically or on paper, to process, store and, if necessary, transmit of Special Categories of Personal Data to a Data Processor (such as an authorized doctor offering consultation services). Special Categories of Personal Data, including genetic data, will not be processed without a consent form from the Data Subject or some other legal basis.
3.3. Antegenes processes Personal Data only for specified purposes and in accordance with applicable law. The following objectives may apply to different data sets and services:
3.4 Provision of health care services. When providing our services as a health care service, in addition to contractual activities, Antegenes documents the process in accordance with the current Estonian and EU law together with all associated data processing conditions.
3.5 Service provision. The aim is to support order fulfillment, monitoring and other related activities of all parties participating in the service, including the management of the services and ensuring access to and usability of the data for the duration of the service. Sections below describe specific order related processing scenarios.
3.5.1 Service-related management of Personal Data – this is performed either by physical or by electronic means in the Information System. This requires management of the genetic and other types data generated in the processing activities and includes management of the results and support of User access to current and related services. Such activities also include personal identification of Data Subjects; management and organization of genetic and other data, review and collection of consent forms and other Personal Data necessary for or supporting the provision of the Service (such as medical consultation).
3.5.2 Compliance and implementation of legally enforceable enquiries related to the Data Subject, including the fulfillment of payment obligation.
3.5.3 Communication supporting the provision of the service – In the course of service, we may send the Data Subjects descriptive and explanatory e-mails or other materials that support order fulfillment processes and guide User access to activities required on their behalf. Processing under this aim may also support responding to User enquiries or other referrals.
3.5.4 To enable re-use of uploaded/published/lab-genotyped genetic data to support provision of other Services (especially supplementary genetic risk tests) with the Data Subject’s genetic data.
3.6 Customer Communication – Based on a separately given (revocable) consent, Antegenes may send the Customer materials introducing its services, campaign messages, information, invitations, notices and requests for (legal) approval of the services and initiatives for other purposes.
3.7 Legal Obligations – Processing of Personal Data in order to fulfill the rights and obligations arising from the various legal acts related to and applicable to the provision of the services, which obligate the processing of Personal Data in accordance with the request.
3.8.1 Service improvement and management – Mainly analytical activities that support improvement of customer services and related support activities and their performance metrics. This may involve collection and aggregation of general statistics, creating overviews of the use of the services and users, activities related to improvement of quality (ensuring the reliability and usability of the Information System, improvement of the user experience and customer service), security (eg, data backup, monitoring and promoting information security), communication (based on feedback), availability (expansion of the scope of the service offering and analysis of customer base characteristics) and reliability (fixes of software bugs, testing, improvements of analysis workflows and optimization of service processes) of service related processes;
3.8.2 For the purpose of analyzing and evaluating customer satisfaction, Antegenes may solicit and analyze written feedback data,
3.9 Management, handling and execution of legal and judicial inquiries.
3.10 Research and development – The right to use Personal Data for research and development activities is specified through separate (revocable) informed consent form. No Personal Data shall be included in any not service-related research projects without explicit consent of the Data Subject.
3.11 New Cause – Similarly to reasons of Legitimate Interest, the admissibility of processing and the possible impact on the Data Subject are assessed in accordance with the applicable law and the Data Subject’s interests. When defining New Causes, we consider the following aspects:
3.11.1 The relationship between the old and new data processing purposes, and the de-tailed purpose of the new processing aim.
3.11.2 The context of the data processing and the relationship between the Data Subject and Antegenes.
3.11.3 Type of data to be processed, especially concerning processing of Special Catego-ries of Personal Data.
3.11.4 Possible consequences for the Data Subject.
3.11.5 Use of security measures for data processing, especially pseudonymization and encryption.
4. What type of data does Antegenes collect
4.2 Data may also be collected and processed by Partners of Antegenes for the purpose of offering Antegenes Services on their behalf. If the Partner and the Data Subject have a separate contractual agreement, then any separate terms agreed between the Data Subject and the Partner may also affect Service-related data processing.
4.3 Sources of personal data.
4.3.1 Self-published data – Personal data entered to forms, applications, consent forms and electronic and paper forms throughout the Service. It also includes health and genetic data transmitted to Antegenes after reviewing and accepting related informed consent forms.
4.3.2 Data created as a result of customer communication – Customer inquiries and responses, e-mails and files generated in the course thereof, etc.
4.3.3 Personal Data generated during any Service processes. This includes the Personal Data, analysis results and process log etc. created during the provision of the Service.
4.3.4 Information published in our communication channels – blogs, comment areas, communication apps, informational emails, etc.
4.3.5 Service usage and technical data collected by Antegenes online from environments that are used to manage some part of the service. These types of data include the timestamps, location data, visited pages, activity and device information.
4.3.6 Personal data transmitted by Data Processors – Data processors may be transmitting data as part of their responsibilities in the service pipeline. These may include personal data used for personal identification. For example, we use the services of Veriff or eID (Dokobit UAB) to verify the identities of Data Subjects with active orders. Within these processes, Personal Data such as personal identification code, citizenship, date of birth and place are queried from their databases.
4.3.7 Personal Data from Partners. The Partners may transmit Personal Data to Antegenes if there is an established relationship Data Subjects with an aim to provide services delivered by Antegenes, and when the related Data Processing is legally covered with supplementary Service Agreements, Consent Forms, Terms of Service, Privacy Policies, etc.
4.3.8 Derivatives of Personal Data– Derived data from any combination and transformation of raw data, which are primarily used to improve the quality of provided Services.
5. Personal Data transmission principles
5.1 Antegenes transmits or grants access to the Personal Data of Data Subjects to Data Processors and / or Partners only in cases when it is necessary and legal for the fulfillment of the purposes permitted by the provision of the Service and / or permitted by the Applicable Law.
5.2 Under the Applicable Law, Antegenes may use the services of external Data Processors in some limited scope of Personal Data processing activity as deemed by the specifics of the task.
5.4 Data Processors utilized by Antegenes are institutions providing various healthcare services (eg general or specialist healthcare partners), our Service resellers, IT partners (various server service providers, IT support and IT-development providers, research and development institutions (eg. University of Tartu), communication services providers, other types of information technology service providers), marketing partners, payment service providers (eg. Maksekeskus AS), personal identification service providers (eg Dokobit UAB and Veriff OÜ), medical or laboratory service partners.
5.5 The scope of Antegenes Data Processors is not limited to the Data Processors explicitly mentioned.
5.6 Inclusion of Data Processors is based on the following considerations:
5.6.1 The purpose and aim of the data processing are lawful.
5.6.2 The Data Processor is presumed to be able to perform any required data processing activities securely and with high-quality within the full scope of their activities.
5.6.3 Antegenes signs separate “Personal Data Processing Agreement of a Data Proces-sor“agreements with Data Processors of major significance (eg the University of Tartu which is the basis of our computation infrastructure).
5.6.4 All data processing of Personal Data by a Data Processor shall be carried out ex-actly in the scope of activities required to perform a specific activity in accordance with the agreement between the parties.
5.7 Any transmission of data in the Special Categories of Personal Data to the Data Processors and/or Partners shall only take place on the basis of explicit consents of the Data Subjects, except for reasons based on legal grounds.
5.8 Laws and regulations may oblige Us to respond to legal inquiries. Antegenes will share information about these cases with the Data Subject, if we are allowed to do so on the basis of applicable law.
5.9 Personal data may be transmitted to third parties as part of the general process of structural changes in ownership of company’s assets changes through a merger, acquisition of assets, loan refinancing, acquisition of the company, bankruptcy, insolvency or a similar financial process.
5.10 Data of EU citizens are processed primarily by Data Processors located within the EU. In other cases, Data Processors must be able to show adherence to data protection principles based on the GDPR or similarly enforced data protection legislation.
6. Retention of Personal Data
6.2 In determining the proper retention period, we take into account the quantity, nature, sensitivity and purpose of the Processing for the specific type of Personal Data. We must also consider possible external obligations, such as legally required time until which we need to be able to respond to any data related legal inquiries.
6.3 Personal data will be stored for longer than the duration of the Service in cases where Antegenes has been provided with separate and valid consents (eg. Research and Development consent, Marketing consent), there are legal reasons for retention arising from applicable law or Legitimate Interests within the meaning defined above.
6.4 After the expiry of the retention period of the Personal Data, these will be deleted or com-pletely anonymized.
6.5 If the Data Subject has not made an agreement with a Partner supplying Antegenes Services that designates otherwise, then the laboratory services and genotyping of the Data Subject’s DNA sample shall be performed in a Europe based laboratory. The biological sample on which the extracted DNA data is based shall be destroyed within 3 months after the successful transmission of the data to the Data Controller.
7. Security of Personal Data
7.1. Antegenes undertakes to ensure the secure processing of Personal Data. Our aim is to protect Personal Data from unintentional or unauthorized Processing, disclosure or inadvertent destruction.
7.2. Antegenes shall implement appropriate technical and organizational measures to ensure the security of Personal Data whilst considering the latest scientific and technological developments and the aim, scope and nature of Personal Data processing in context with the possible magnitude and severity of the risks to the rights and freedoms of Data Subjects.
7.3 All networked data traffic is encrypted in accordance with the standard security standards. All at-rest Special Categories of Personal Data and Health Data is either stored as encrypted or pseudonymized.
7.4 Data security in Antegenes is monitored by a designated data protection officer.
7.5 Electronic data exchange and storage will always entail some risk. Therefore, Antegenes cannot fully rule out the possibility of the loss, misuse or alteration of Personal Data even when following all the appropriate security measures. If you have information about any data leaks or incidents, please contact us immediately at email@example.com
8. Rights of the Data Subject
8.1 As an EU citizen, you have all the rights arising from the Applicable Law related to Personal Data processing.
8.1.1 right of access: At any time, you have the right to enquiry Antegenes about the contents of Personal Data about you held by Antegenes and to receive information about the processes with your Personal Data
8.1.2 right to rectify Personal Data: You have the right to request Antegenes to clarify or correct your Personal Data if it appears incomplete or incorrect
8.1.3 right to object: You have the right to object to Antegenes’ processing of your Personal Data
8.1.4 right to request the deletion of Personal Data: You have the right to request the deletion of Personal Data, for example if the Personal Data is processed with your consent and if you have withdrawn your consent
8.1.5 right to Restrict Processing: You have the right to restrict the data processing by Antegenes under applicable law, for example if processing purposes do no need your Personal Data or if you object to some type of processing
8.1.6 right to withdraw your consent to the processing of Personal Data: if the processing of Personal Data is based on your consent, you have the right to withdraw your consent at any time
8.1.7 right to data transfer: The Customer has the right to request access to Personal Data held by Antegenes that has been collected from the customer for servicing the contract. The data can be provided in writing or in an electronic format used in standard practice to support portability to a third party, if technically feasible
8.1.8 right to filing a complaint: If you find that your Data Subject rights have been violated when processing your Personal Data, you have the right to file a claim or complaint with the Data Protection Inspectorate or in court.
8.2 Your rights listed in this chapter with respect to the processing of Personal Data are not complete rights. In certain cases, the rights of other Data Subjects or Antegenes’ legal obligations may limit the individual Data Subject’s rights.
8.3 In order to exercise the rights associated with the Personal Data processing or to submit requests or complaints related to the processing of personal data, please contact us using the contact details provided in the section “Contacts” below or, if necessary, with the Data Protection Inspectorate.
9.1 The website uses different types of cookies and similar technologies (eg, pixel tags) to ensure the technical functioning of web environments, sustainable development practices and to provide you with a better service.
9.2 Data collected in web-based environments is processed with analytics tools (eg Matomo, Facebook Pixel) that help manage data about how visitors interact with Antegenes website and Services. For example, Matomo collects information about the location of visitors, the version of the browser and operating system, the time and duration of the visit, and the number of visits to and movement between websites. They help us to provide better and more targeted Services to our user base.
9.3 You can opt out of website cookies at any time by changing the browser settings of the device you are using. If you block all cookies from your browser settings, you may not be able to access our Website or some part of it.
10. Contacts and more
10.1 If you have any questions regarding the Processing of Personal Data or to make requests related to the Processing of Personal Data, please contact Antegenes by telephone, e-mail or post.
10.2 If you have any further questions or requests, you can contact us using the contact details below.
Antegenes contact information:
Business Name: OÜ Antegenes
Address: Raatuse 77, Tartu 50603
Phone: Tel: +372 5377 8141
Date last changed: 05.01.2020