The GDPR applies to organizations located within the EU, and to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects of the European Union, regardless of the company’s location. The goal of the GDPR is to ensure protection of the fundamental privacy rights of Data Subjects, such as ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure of data collected on EU Data Subjects. With the implementation of the GDPR, it is our goal to increase the knowledge and transparency of how your personal data is stored and processed.
In order to enable Data Subjects to exert their rights under the GDPR, we are making the following disclosures for data received directly from an individual and data received from third parties. For purposes of this disclosure document, references to “we”, “us” or “our” mean Magnus Health and its appropriate affiliates, and references to “you” and “your” mean the Data Subject.
I. HOW WE USE PERSONAL DATA
We use Personal Data for purposes related to collecting, storing, and tracking protected health information collected on behalf of your school. The services we provide include, but are not limited to: Student Health Form Collection, Student Health Management, Parent Communication, Emergency Response System, and Software Integrations. Please review the applicable Notice of Privacy Practices for additional information.
II. WHO RECEIVES PERSONAL DATA?
We understand the importance of keeping your student and parent data secure; therefore, we do not share personal health information of students or parents with any third party, with the exception of our third-party service providers. These third-party service providers are used for support and business purposes, and help us better assist your parent and student community. Each service provider that may have access to the Protected Health Information (PHI) of your students and parents is bound by a service agreement.
There are three types of service providers that we utilize to ensure the best product and experience for our users: Student Information System Integration Partners, Health Information Partners, and Business Support Partners.
III. HOW LONG IS DATA STORED?
We store data for as long as is necessary to provide the services and for a reasonable retention period. To comply with federal regulations, such as HIPAA, we are required to store student and parent data for a minimum of seven years. At any time, you can request the data of a particular account to be removed.
IV. YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA
You have the right at any time to request access to and rectification or erasure of personal data that we hold. You can also request restriction of processing of your Personal Data, and you have the right to data portability. If you would like to exercise any of these rights, please send a written request to our Privacy Team at the address listed below. Not all requests can be granted. If your request is denied, you will be provided with the reason for the denial.
V. WITHDRAWAL OF CONSENT
You have the right to withdraw consent at any time. You must withdraw your consent in writing, addressed to the Privacy Team listed below. In order to ensure timely and accurate processing of your withdrawal, you must include your name, address, your school name, and the specific processes for which you no longer consent in your request. Withdrawing consent will not affect the lawfulness of processing that took place based on the consent you provided before the withdrawal.
VI. RIGHT TO LODGE A COMPLAINT
You have the right to lodge a complaint with the appropriate data protection authority.
VII. SOURCE OF DATA AND LEGAL BASIS FOR OUR DATA PROCESSING
In order to provide services to you, we receive Personal Data from you, from your providers of medical care, from your employer, and from other third parties. We need access to your Personal Data, such as name, address, and medical information, regardless of who provides it, in order for us to provide the services described above.
VIII. IS PERSONAL DATA USED FOR AUTOMATED DECISION-MAKING OR PROFILING?
We use automated decision-making processes and profiling in the performance of our provided services. For example, account creation through an automatic roster import or an integration is essentially an automated process. We also use profiling to identify individuals and track which Magnus Health features they are using. By doing so, we use profiling to identify opportunities for training and communication.
IX. LOCATION OF DATA PROCESSING
All Personal Data is processed in the United States.
X. ADDITIONAL PROCESSING
XI. PROCESSORS AND CONTROLLERS
Depending upon the engagement and purpose, Magnus Health is the Data Processor with respect to your Personal Data. Our address is 323 West Martin Street, Raleigh, NC 27601.
Our Data Protection Officer can be reached at Magnus Health, 323 West Martin Street, Raleigh, NC 27601 or via email at firstname.lastname@example.org.