DRAGON PROJECT – Personal Data Protection Policy

(version of 21/3/2022)

Maastricht University
Minderbroedersberg 4-6
6211 LK Maastricht

The DRAGON project is a European project funded by the Innovative Medicines Initiative (IMI) 2 Joint Undertaking (grant agreement No 101005122), supported by the European Union’s Horizon 2020 research and innovation program and the EFPIA. As part of this project, you are invited to participate in an observational study that aims to follow COVID-19 patients for a year using a web-based application, tPDA, developed by COMUNICARE SOLUTIONS (hereinafter ‘COMUNICARE’) and MAASTRICHT UNIVERSITY (hereinafter ‘MU’) to derive a more complete understanding of the condition and its varying symptoms.

Protection of your privacy and of your personal data is very important for COMUNICARE and MU. The objective of the present policy document is to inform you about the conditions under which your personal data is collected and processed when you use the tPDA application and its related services, hereinafter jointly called “application”.

This policy complies with the General Data Protection Regulation (GDPR) established by the European Parliament and the Council of the European Union, as well as all regulations related to the protection of privacy and personal data.

Your data is processed under the joint responsibility of the MU which determines the processing of health data.  

When enrolling in the application, you will be asked for your explicit consent for us to process your personal data as listed further below. By using the application, you confirm this authorization.      

GDPR requests that the information concerning your rights related to your personal data be communicated to you in a concise, transparent, understandable manner, and in simple terms. This policy document pursues this ambition.

If you are a child, you have the right to request that this is explained to you in a simple and understandable manner. Do not hesitate to ask us for this explanation.

The following topics will be explained further below:

  • What do we mean by personal data processing? 
  • What data is collected and how is it processed? 
  • For what purpose do we process your data? 
  • Who do we share your data with? 
  • Do we transfer your data abroad? 
  • What are your rights? 
  • How long do we keep your data? 
  • How do we secure your data? 
  • Links to other sites
  • Modification of this policy document
  • How to contact us?


What do we mean by the processing of your personal data?

The term “personal data” is used here to refer to any information concerning an identified or identifiable individual (natural person).   

The term “processing” designates any operation or set of operations, carried out by an automated or a manual process, and applied to personal data or sets of data, such as the collection, the recording, the organization, the structuring, the storage, the adaptation or modification, the extraction, the consultation, the use, the transmission, the dissemination or any other form of provision, the reconciliation or interconnection, the limitation, the deletion or the destruction of data. 

What data is collected and how is it processed?

The application may collect and process the following personal data:

  • Identification data such as your name, first name, date of birth, sex, ethnicity;
  • Contact data: your email address and/or postal address;
  • Data related to your COVID-19 pathway: your feelings and your experience on your COVID-19 pathway, your drugs, your physiological parameters, your symptoms, your physical activity;
  • Data about your online behaviour when using our application: the links you click within the application, the internal pages you visit in the application, the external pages you visit from the application;
  • Data about the issues, the complaints and the remarks that you communicate to us about the usage of the application;
  • Cookies: we use only essential cookies (i.e. files with a small amount of data, which may include a unique and anonymous identifier, that are stored on your smartphone or computer) necessary for the proper functioning of the application (e.g. for the management of connection time and language preferences); we do not use other cookies (e.g. for commercial or marketing purposes).

We have set up the adequate measures to ensure that your personal data is processed in compliance with the security obligations that are imposed by applicable law.

For what purpose do we process your data?

We collect and use your personal data for specific, explicit, legitimate purposes, and we do not use this data for any further purposes that are not compatible with the following:

  • To provide relevant information to the authorized persons to derive a more complete understanding of COVID-19 and its varying symptoms;
  • With anonymised data, to help improve the medical knowledge related to the disease and its evolution for the benefit of medical research (“anonymised” means that this data does not contain any identification or contact information; hence it is no longer ‘personal data’).

The usage of your data is based on the following legitimacy:

  • The willingness to improve the medical knowledge about the COVID-19 and to help improve the quality and efficiency of treatments;
  • A better understanding of all relevant parameters, symptoms, and outcomes during your COVID-19 pathway;
  • Data processing is also necessary for the purposes of the legitimate interests pursued by that is to say, to develop, to improve and to maintain its software; anonymized statistics about the usage of the software may also appear in the application descriptions;
  • Consent: you have given your explicit consent so that we can use your personal data for the purposes set out above; we will ask for your explicit consent again should we have a need to go beyond these purposes. While we process your data on the basis of your consent, you have the right to withdraw this consent at any time. When we process your data on the basis of our legitimate interest, you may at any time inform us that your interest takes precedence over ours.

We process your personal data in the following circumstances:

  • The application collects your data during the registration process, namely your last name, your first name, your email address, or any other contact data. We process this data in order to authenticate and secure access to your data, and to manage the data transfer with MU.
  • The application processes your medical data that is necessary for its operation, more precisely the information that you enter yourself, as well as data about your usage of the application.
  • We collect and process your data when you contact us for support or when you complete satisfaction surveys.

Who do we share your data with?

Your medical data and the information you enter in the application are made available to the personnel of MU for a better understanding of your COVID-19 pathway.

Your medical data, after anonymisation, may be shared with other partners of the DRAGON project.

The application and your data are hosted in Google cloud services with the protections described below (in the section “How do we secure your data?”). The storage is encrypted and this provider does not have access to your data. The provider is also bound by the GDPR and can only process the data in accordance with the instructions we give it.

Mandatory transfers

We may be required to transmit your personal data. This would be the case when a law, regulation or legal process (such as a court order) would oblige us, or when demanded by public authorities in action under the law. We may also find that it is necessary or desirable to disclose your data to protect your vital interests when you are unable to provide your consent.

Other cases of transmission

We also reserve the right to transmit any data we hold about you in the event of the sale or disposal of all or part of our activities or assets. We are committed in this case to do everything in our power for the transferee to use your data in accordance with this policy document. If such a sale or transfer should occur, you can contact the transferee, ask questions concerning the processing of your data and continue to exercise all your rights relating to your data.

Data transfer abroad

Certain data on the use of the application, completely anonymized (that is to say, not allowing them to be linked to your person) and without any medical nature, are analysed using Google data analytics services hosted in Europe to enable us to perform detailed usage statistics of the application.

Data retention period

Unless your right to erasure is applied (described in detail in the “Your rights” section below), your personal data will be kept during the study duration (one year) as long as you are considered as a user; hence you can resume using our services without having to re-enter your data even after a period of inactivity. 

Data received from third-parties

Should we need to receive data concerning you from a third party and process it, we would:

  • inform you about their nature, origin and the purpose of this transfer
  • protect and process this data in the same way as the data we collect

Your rights

You have the following rights related to your personal data that we process:

  • Right to access your data,
  • Right to rectify,
  • Right to erase and to object,
  • Right to restrict processing
  • Right to data portability

These rights are described in more detail below.

If you wish to exercise these rights, please contact us in writing by e-mail at pm-dragon@maastrichtuniversity.nl, enclosing a copy of your identity document, which will be destroyed by us as soon as your request has been processed.

You also have the right to lodge a complaint with a supervisory authority.

Right to access

After your personal data have been collected and saved by us, we will provide you access to these data and any other additional information: purpose of the processing, data categories, potential third-party recipients, period of retention, and your additional rights relating to this data.

Right to rectify

In the event that your personal data is incorrect or incomplete, you have the right to have this data corrected and / or completed as soon as possible.

Right to erase and to object

Until your personal data has been used for statistical analysis, you may erase it directly from the application. After transmission, you can ask us to erase your personal data. Your request will be executed as soon as possible if one of the following conditions is met:

  • This data is no longer necessary with regard to the purpose(s) for which it was collected;
  • The data processing is based on your sole consent and you withdraw your consent;
  • You object to the processing of your data for a reason relating to your particular situation and we have no compelling legitimate reason to assert (for example a legal obligation);
  • If it has been established that your personal data has been unlawfully processed by us;
  • Your data must be erased to comply with a legal obligation to which we are subject.

In this case, we will be obliged to inform the third parties to whom we have transmitted your personal data.

This right to erasure does not apply insofar as keeping the data is necessary for:

  • The exercise of the right to freedom of expression and information;
  • Complying with a legal obligation;
  • Exercising or defending any of our rights in court.

Right to restrict processing

You have the possibility to request the restriction of the processing of your personal data. Your request will be valid if one of the following criteria applies:

  • You dispute the accuracy of your data: the use of your data will then be limited to the time necessary to verify the accuracy of your data;
  • In the event of unlawful processing, you oppose the erasure of your data, but instead request the limitation of their use;
  • We no longer need your data but you need it for the establishment, exercise or defense of your legal rights;
  • When you have objected to the processing of your data for a reason relating to your particular situation, during the time necessary to check whether our legitimate grounds override yours.

Right to data portability

You have the right to ask us to provide you with your personal data that we hold in a structured machine-readable format (CSV format). You may then forward them to another entity for processing or ask us to forward them directly to that entity.

How do we secure your data?

Your data is encrypted and is kept locally on the mobile device on which you installed the application and in the secured database of our server(s) hosted by Google Cloud Services located in Europe. All data exchanges between the application and the server(s) are encrypted according to standard protocols. The privacy and security of Google Cloud Services, more specifically of Firebase, is documented at the following URL: https://firebase.google.com/support/privacy.

Further information

The present data protection policy summarizes the rights and obligations related to the processing of your personal data in the context of the study. We remain at your disposal should you require any clarification.

The General Data Protection Regulation (GDPR) established by the European Parliament and the Council of the European Union as referred to at the beginning of this document can be accessed by one of the following links: display as HTML or download as PDF.

Modification of this policy document

In the future, we may be led to amend this document. If these changes imply a lesser protection of your personal data, we will inform you personally and explain the changes and the reasons for them. You will of course continue to be able to exercise your rights under the GDPR Regulation and national laws.

How to contact us?

By email: pm-dragon@maastrichtuniversity.nl