Privacy Policy
PREVIA MEDICAL designs and manages software solutions for healthcare facilities, including PREVIA SEPSI SCORE. As such, the protection of personal data and respect for medical confidentiality are at the heart of our approach.
We apply all applicable rules regarding the protection of personal data, particularly the General Data Protection Regulation (GDPR – No. 2016/679) and the amended French Data Protection Act.
1. Data Controller and Data Protection Officer (DPO)
Unless otherwise communicated to partner healthcare facilities, PREVIA MEDICAL acts:
- as data controller for data necessary for managing its website, commercial relationships, and communications,
- as processor on behalf of healthcare facilities when processing patient data as part of providing its software solutions (e.g., PREVIA SEPSI SCORE), in accordance with contracts concluded with these facilities.
PREVIA MEDICAL’s Data Protection Officer (DPO) is currently Bart Arribe. He ensures the compliance of processing activities, respect for the rights of data subjects, and proper consideration of data protection requirements in the design of our products.
2. Main Processing Purposes
At a macro level, PREVIA MEDICAL may process personal data for the following purposes:
- Website and communication: Website management (technical logging, audience measurement), contact forms, information request management, institutional or product-related communications.
- Commercial and contractual relationships: Management of prospects and clients (healthcare facilities, partners), contract monitoring, billing, support and assistance.
- Software solution provision: Provision and operation of PREVIA solutions (including PREVIA SEPSI SCORE), covering data processing necessary for the functioning of the algorithms and decision support modules, logging, traceability, access security, performance monitoring and continuous product improvement, in compliance with contracts concluded with healthcare facilities.
In the context of patient care, PREVIA MEDICAL accesses health data only under the conditions and limits agreed upon with healthcare facilities, which remain responsible for care pathways and medical decisions.
3. Legal Bases and Protection Principles
Depending on the case, the processing operations implemented by PREVIA MEDICAL are based on:
- contract execution (provision of software services to healthcare facilities, account and access management, support),
- compliance with legal or regulatory obligations (particularly regarding security, traceability, and archiving),
- PREVIA MEDICAL’s legitimate interest (improving service quality, securing information systems, activity management),
- and, when required, the consent of data subjects (for example, for certain electronic marketing operations conducted via the website).
PREVIA MEDICAL applies the principles of data minimization (we only collect strictly necessary data), limited retention periods, security, and confidentiality of processing.
4. Health Data and Pseudonymization
When PREVIA MEDICAL’s solutions process health data on behalf of a healthcare facility, such processing is governed by:
- GDPR-compliant data processing agreements,
- appropriate pseudonymization and security measures,
- documented procedures for access management, logging, and supervision.
Statistical or performance analyses may be conducted using pseudonymized data or, when possible, aggregated or anonymized data, to limit re-identification risks.
5. Data Recipients and Transfers
Personal data processed by PREVIA MEDICAL is accessible only to:
- PREVIA MEDICAL’s internal teams who need access as part of their duties,
- technical and hosting service providers acting on our behalf and subject to contractual confidentiality and security commitments compliant with GDPR,
- and, where applicable, competent authorities when required by legal obligation.
PREVIA MEDICAL prioritizes processing and hosting within the European Union. In the event of a data transfer to a country outside the EU, we implement appropriate safeguards provided by regulations (standard contractual clauses, additional security measures, etc.).
6. Rights of Data Subjects
In accordance with GDPR, any person concerned by processing carried out by PREVIA MEDICAL has, under the conditions provided by the regulation, the following rights:
- right of access to their data,
- right to rectification,
- right to erasure (within the limits of legal retention obligations),
- right to restriction of processing,
- right to object,
- right to data portability when processing is based on consent or contract and is automated,
- right to withdraw consent at any time when processing is based on consent,
- right to define directives regarding the fate of their data after death.
Practical methods for exercising these rights (contact address, DPO email, possible online form) are specified in PREVIA MEDICAL’s detailed privacy policy. Data subjects may also file a complaint with CNIL (www.cnil.fr).
7. Security and Continuous Improvement
The security of personal data and information systems is integrated into the lifecycle of our products (“privacy by design” and “security by design” approach). PREVIA MEDICAL implements:
- technical measures (access control, encryption, logging, monitoring) and organizational measures (internal procedures, awareness training, incident management),
- regulatory compliance approaches aligned with frameworks applicable to medical software devices,
- continuous improvement of protection measures, consistent with evolving risks, security standards, and authority recommendations.
