Legal Information MVID Patient Registry

Explanatory note on the use and storage of personal health data by the Association Cure MVID

The purpose of this notice is to provide clear and precise information on the use and processing of personal health data by the Association Cure MVID, in compliance with current legislation.

The MVID Cure Association ensures the transparency of processing carried out using data from the MVID patient register in accordance with the General Data Protection Regulation (GDPR) (EU 2016/79) and the amended French Data Protection Act of January 6, 1978. Patients and relatives of patients, you have the right to object to the reuse of this data.

1. Legal status of health data warehouses :

Health data warehouses, such as the one used by the Cure MVID Association, are subject to a specific legal framework. They are designed to collect and store large quantities of data relating to the medical management of patients, as well as socio-demographic data and information from previous research. The main aim of creating these databases is to facilitate studies, research and evaluations in the healthcare field. This approach, which is supervised by the CNIL in certain cases, enables the creation of large databases while guaranteeing data protection in accordance with the French Data Protection Act and the RGPD.

This approach has been adopted by the CNIL, for example, for the AP-HP's "Banque Nationale de Données Maladies Rares" warehouse(https://www.bndmr.fr/).

Within a protective framework that complies with the French Data Protection Act and the RGPD (notably through the principle of data minimization, information to individuals, etc.), it enables the creation of major databases.

As the MVID Patient Register of the Association Cure MVID falls within this legal framework, no formalities are required with the CNIL(more information).

2. Data controller :

The Association Cure MVID, represented by its President Ganesh Mamodaly, is the data controller. Health data is collected directly from the patient or his/her legal representative via an online form, with explicit consent.

3. Purpose of data processing :

The legal basis for data processing is the association's public interest mission. Data is used for research, studies and evaluation in the field of health, and particularly in the field of rare pediatric digestive diseases such as Microvillous Inclusion Disease (MVID).

4. Data access :

The only persons authorized to access data include members of the Association's Executive Committee and members of the Scientific Advisory Board.

5. Data transfer :

No data will be transferred internationally, or to other private or public organizations, without the consent of the persons concerned.

6. Data retention period :

Data is kept for a period of 20 years from the date of collection via the online form.

7. Rights of persons concerned :

The persons concerned by the processing of health data have several rights, in particular:

- The right of access to personal data concerning them.
- The right to rectification of inaccurate, incomplete or ambiguous data.
- The right to erasure or limitation of data processing.
- The right to object to the re-use of data for research purposes.
- The right to withdraw consent at any time.
- The right to lodge a complaint with the competent supervisory authority, in this case the CNIL.

8. Specific information for minors :

Minors aged 15 or over have the right to object to their parents or legal guardians having access to their personal health data. They may also object to their parents or legal guardians being informed of the processing of their data in certain specific situations.

9. Data storage and security

MVID Patient Registry data is stored on Brevo platform servers and is processed in accordance with Brevo's privacy policy.

Brevo has taken all necessary precautions to protect the security of personal data and, in particular, to prevent it from being distorted or damaged or accessed by unauthorized third parties.

These measures include the following:

• Multi-level firewall,
• Proven anti-virus and intrusion detection,
• Encrypted data transmission using SSL/https/VPN technology,
• PCI DSS-certified Tier 3 data centers

In addition, access to processing by Brevo's recipient departments requires authentication of the persons accessing the data, by means of an individual access code and password that are sufficiently robust and regularly renewed.

Data transmitted via unsecured communication channels is subject to technical measures designed to render it incomprehensible to any unauthorized person.

Any questions regarding the security of the Brevo website can be addressed to support@brevo.com.