PRIVACY POLICY

Privacy Policy for Certific Platform

Applicable as of 4 May 2022        27 April 2022

We are Certific OÜ, a private limited company, incorporated under the laws of Estonia, registration code 16050394, registered address Tööstuse st 47d-69, Tallinn 10416, Estonia, holding an Estonian license for provision of healthcare services no L05410 (“Certific”, “we”, “us” or “our”). 

Certific operates the website http://www.certific.co/ and its subdomains (“Website”), applications (“App” or “Apps”) and the software, databases, interfaces, associated media, documentation, updates, new releases and other components or materials incorporated therein or integrated therewith (all together the “Platform”).

Certific is committed to protecting and respecting your privacy upon use of our Services. This privacy policy document (“Privacy Policy”) describes our privacy practices and how we process personal data in connection with provision of our Services.

Please read the following carefully to understand our practices regarding your personal data and how we will collect, use and disclose your personal data. If you have any questions about how we process your personal data specifically or if you wish to submit an application for exercising your rights related to processing your personal data, please contact us through the contact information provided in the section "Contacts" below.

1. DEFINITIONS

“App” or “Apps”

defined in the preamble;

“Certific”

defined in the preamble;

“Certificate”

means the digital document expressing the medically certified Test result from Test verification after the Customer has used the Test Kit approved by Certific. It is usually in a PDF format issued by Certific on behalf of the Healthcare Provider or by us acting as a Healthcare Provider, and signed by the Healthcare Provider;

“Customer”, “data subject” or “you”

means a natural person who uses Certific’s Services and has thereby entered into an agreement with us in accordance with Certific’s Terms and Conditions, and whose personal data is processed by Certific;

“data controller”

means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this Privacy Policy, data controller means Certific, unless explicitly stated otherwise;

“data processor”

means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;

“GDPR”

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“Healthcare Provider”

means the authorised healthcare service provider or medical laboratory who is providing the testing services (as defined in the Terms and Conditions) which may be ordered by the Customer under the testing agreement (as defined in the Terms and Conditions) and on behalf of whom, and under whose medical supervision and regulatory licences, Certific is issuing a Certificate, or another type of documentation confirming Test results as further stated on the Platform for each specific Service, to the Customer. The Healthcare Provider is stated on the Platform and on the Order confirmation. Depending on the jurisdiction and the Service, Certific may act as a Healthcare Provider itself;

“Platform”

means any channel of Certific through which the Customer may order Services from the Healthcare Provider, the main channels being the App(s) and Website;

“Service” or “Services”

mean the healthcare services that the Customer may order from Certific directly or from Certific on behalf of a third-party Healthcare Provider through the Platform (e.g. COVID-19 testing services and test-to-treat services). Further Service details are available at the purchase of the Services on the Platform;

“joint controller”

means a data controller who jointly determines the purposes and means of data processing with another controller;

“personal data”

means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, personal identification code, location data or network identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

“processing”

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Privacy Policy”

defined in the preamble;

“special category data”

means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In the context of this Privacy Policy, special category data mostly refers to health data;

“Terms and Conditions”

means the Terms and Conditions for using Certific Services, available at https://www.certific.co/gb/terms-and-conditions/;

“Test” or “Tests”

means a type of test, approved by Certific and further described on the Platform, that the Customer will take at the location of his/her choosing while using the Services;

“Test Kit”

means the special testing equipment necessary for the Customer to self-conduct any ordered Test;

“We”, “us”, “our”

defined in the preamble;

“Website”

defined in the preamble.

2. WHAT PERSONAL DATA MAY WE PROCESS?

2.1. When you have opted to use Certific’s Services, Certific needs to process your personal data to enable the Services via the Platform.

2.2. Personal data Certific may process may include the following data:

2.2.1. general personal information: name (first name, last name); date of birth, personal identification code, social security number or other relevant identifier, such as passport or ID document number;

2.2.2. identification information: ID document and information included in the ID document (including photo) [captured by using device’s camera];

2.2.3. contact information: e-mail address; mailing address; phone number;

2.2.4. account related details: login details; password;

2.2.5. self-declaration or questionnaire: answers the Customer provides to self-declaration or questionnaire through use of the Services which include health related information;

2.2.6. Test result: result of Test (COVID-19 or similar) and other information on the Certificate or other documentation confirming Test result, such as information about the Test (date and time of Test sample; Test ID; name of Test; validity time of the Test, etc.); Test result (positive / negative / invalid / uncertifiable) [captured by using device’s camera];

2.2.7. Video recording: video recording by using device’s camera of the test taking process, which includes the procedure of taking of the Test;

2.2.8. payment information: payment data related to the use of the Services, such as card details and amounts paid;

2.2.9. usage information: information on how our Services and Platform are used, including feedback provided;

2.2.10. technical information: technical information collected during use of the Services (please also see Certific Cookie Policy for further information about data collected through the use of cookies);

2.2.11. other (consent information): on the basis of specific voluntary consent granted by you (if and when applicable) we may also process other data about you not listed above as and if specified in the specific consent you may, but are not obligated to, grant to us;

2.2.12. audio recording: audio recording (by using device’s microphone) of the Test taking process, which includes the procedure of taking of the Test or doing video consultation with Certific's healthcare worker.

2.3. More detailed overview of the personal data Certific processes is provided in the Section 5 below.

3. ON WHAT LEGAL BASIS DO WE RELY WHEN PROCESSING PERSONAL DATA?

3.1. Certific may process personal data of the Customer for the purpose of being able to provide the Services in accordance with Certific’s Terms and Conditions. The legal basis for such data processing is GDPR Article 6(1)(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Certific may rely on performance of a contract as a legal basis when transferring your personal data to third parties. For example, Certific may collaborate with clinics, who may need to know the health information of the Customer for providing additional services to the Customer connected to or as a result of the Service and in accordance with their terms and conditions.

3.2. Certific may process personal data based on the consent granted by the Customer. The legal basis for such data processing is GDPR Article 6(1)(a). In those situations, we process personal data on the terms provided in the consent that has been granted to us by each Customer and on the explicit consent condition in GDPR Article 9(2)(a). For example, Certific may rely on explicit consent as a legal basis when processing special category data (health related data, such as the results of a Test). In certain specific cases, Certific may rely on consent as a legal basis also when transferring your personal data to third parties. For example, Certific may collaborate with scientific researchers, as well as, for example, event organizers, who may need your specific voluntary consent to obtain relevant personal data about you (for example, to do research on COVID-19 or to allow you to enter an event you wish to attend). In such situations, the types and categories of personal data we transfer, the specific recipient(s) of the personal data and other appropriate and relevant information are provided in the specific consent that may be asked from you.

3.3. Certific may process personal data when processing is necessary for compliance with a legal obligation to which Certific is subject. The legal basis for such data processing is GDPR Article 6(1)(c). As an example, Certific may need to process personal data when the competent authorities require Certific to provide certain personal data pursuant to the applicable law, such as on the basis of a valid court order, a valid request by a law enforcement agency or another basis in accordance with applicable law. Please note that healthcare related legislation applicable in different jurisdictions may require Certific to provide information on Test results (e.g. COVID-19 or similar) to responsible government agencies, such as the Health Board in Estonia or Public Health England in the UK. Certific may also need to process personal data to comply with the applicable accounting legislation.

3.4. In certain specific situations Certific may also process personal data where processing is necessary for the purpose of legitimate interests pursued by Certific or another controller, if appropriate. For example, we may process statistical and/or aggregated data on how our Services, App or Platform are used to improve and further develop the Services so that we can provide a better user experience in future. Legitimate interest may also be used to ask for Customer feedback, with the option for the Customer to object. The legal basis for such data processing is GDPR Article 6(1)(f). In such a case Certific shall ensure that processing is proportionate and that we have carried out a legitimate interest impact assessment. For example, for the purpose of our legitimate interest Certific may analyse how our Services and Platform are used by our Customers so we can provide a better service.

3.5. More detailed overview of the legal bases Certific relies on when processing personal data is provided in the Section 5 below.

4. HOW LONG IS PERSONAL DATA RETAINED? 

4.1. Certific does not retain personal data longer than is necessary for the purposes of processing personal data or pursuant to applicable law. As a general rule, Certific applies the following retention periods.

4.2. Personal data related to contracts can be retained during the term of the contract and, based on Certific’s legitimate interest pursuant to Article 6(1)(f) of the GDPR, until the end of the statutory limitation periods under applicable law. Accordingly, as a general rule Certific retains Customer data collected in relation to the provision of the Services as long as it is necessary for the provision of the Services during the term of the Agreement concluded between the Customer and Certific and for 3 years after the term of the Agreement. In this regard, as a general rule, if the Customer has not used the Platform for 3 years (the Customer has not logged in to his/her profile on the Platform for 3 years), the Customer’s profile and all personal data therein will be deleted, unless Certific has a legal basis for retaining personal data for a longer period, such as for meeting legal obligations.

4.3. Personal data collected on the basis of consent will be retained until the withdrawal of the consent, unless there are events that require personal data to be retained to meet any applicable legal obligations. If the Customer has not withdrawn the consent, as a general rule Certific applies the same retention period to the personal data collected on the basis of consent as to personal data collected to ensure the Services. In this regard, as a general rule, if the Customer has not used the Platform for 3 years (the Customer has not logged in to his/her profile on the Platform for 3 years), personal data collected on the basis of consent will also be deleted.

4.4. Personal data related to accounting source documents and accounting journals must be retained in accordance with the relevant accounting laws. Therefore, e.g. pursuant to the Estonian Accounting Act, Certific retains accounting documents and any personal data related to them for 7 years.

4.5. More specific details about the retention periods are provided in Section 5 below.

5. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA

Certific processes personal data mainly for the following purposes:

Each entry below lists: the purpose of processing; the types of personal data*; how we have obtained the personal data; the retention period applied by Certific; and the legal basis for processing.

Purpose of processing: EE & UK**: Enabling the user account via Platform (provision of the Services)
Types of personal data: Name (first name, last name), phone number, date of birth to enable the Customer to create an account to use the Platform
Source of personal data: Directly from each data subject
Retention period: During the term of the Agreement with the data subject under Certific’s Terms and Conditions. After the termination of the Agreement with the data subject under Certific’s Terms and Conditions, 3 years based on our legitimate interest until the end of the limitation periods under applicable law
Legal basis: GDPR Article 6(1)(b); GDPR Article 6(1)(f)

Purpose of processing: EE & UK: Sending the Test Kit (provision of the Services)
Types of personal data: Name (first name, last name), mailing address (if applicable), phone number to send the Customer the Test Kit or other materials needed for test taking by post or courier
Source of personal data: Directly from each data subject
Retention period: 3 years after posting the Test Kit based on our legitimate interest until the end of the limitation periods under applicable law
Legal basis: GDPR Article 6(1)(b); GDPR Article 6(1)(f)

Purpose of processing: EE & UK: Answers to self-declaration or questionnaire (provision of the Services)
Types of personal data: Answers the Customer provides via the Platform to health-related questions (if applicable)
Source of personal data: Directly from each data subject
Retention period: 3 months after the Customer has provided the answers
Legal basis: GDPR Article 6(1)(b) and GDPR Article 6(1)(a) and 9(2)(a) regarding special category data

Purpose of processing: EE & UK: Test verification video (provision of the Services)
Types of personal data: Video the Customer records in the Platform to verify the test taking process, together with the personal information disclosed during the verification process
Source of personal data: Directly from each data subject (video capturing by using the device’s camera)
Retention period: 3 months after the video is recorded on the Platform
Legal basis: GDPR Article 6(1)(b) and GDPR Article 6(1)(a) and 9(2)(a) regarding special category data

Purpose of processing: EE & UK: Test verification audio (provision of the Services)
Types of personal data: Audio that is saved during the test-taking process (e.g. video consultation with the doctor or operator), together with the personal information disclosed during the verification process
Source of personal data: Directly from each data subject (audio recording by using the device’s microphone)
Retention period: 3 months after the audio is recorded on the Platform
Legal basis: GDPR Article 6(1)(b) and GDPR Article 6(1)(a) and 9(2)(a) regarding special category data

Purpose of processing: EE & UK: Processing Customer payment (provision of the Services)
Types of personal data: Payment information the Customer provides, such as card number or bank account number
Source of personal data: Directly from each data subject or from our third-party service providers through whom the Customer ordered the Services, such as Shopify and Maksekeskus. Please also see the Privacy Policy of such service providers
Retention period: During the term of the Agreement with the data subject under Certific’s Terms and Conditions. After the termination of the Agreement with the data subject under Certific’s Terms and Conditions, 3 years based on our legitimate interest until the end of the limitation periods under applicable law. Please note that if the Customer has purchased the Services via third-party service providers (such as Shopify and Maksekeskus, for example), the terms and conditions and privacy policies adopted by such service providers may additionally apply and may stipulate different retention periods applied by such service providers
Legal basis: GDPR Article 6(1)(b); GDPR Article 6(1)(f)

Purpose of processing: EE & UK: Enabling the Customer to share Test result (provision of the Services)
Types of personal data: Enabling the Customer to share the Test result with third parties based on the Services
Source of personal data: Directly from each data subject
Retention period: 3 months
Legal basis: GDPR Article 6(1)(a)

Purpose of processing: EE & UK: Retaining accounting related information (compliance with the legal obligation)
Types of personal data: Legal obligation
Source of personal data: Directly from each data subject
Retention period: 7 years
Legal basis: GDPR Article 6(1)(c)

Purpose of processing: EE & UK: Sharing with government agencies or when required by applicable law (please also see Section 6 below)
Types of personal data: Legal obligation
Source of personal data: Directly from each data subject
Retention period: 3 months by Certific unless the legal obligation stipulates otherwise; retention periods applied by the relevant competent government agencies when processing data as independent controllers may apply additionally. For specific information the Customer shall contact the relevant government agency
Legal basis: GDPR Article 6(1)(c)

Purpose of processing: EE & UK: Informing event organizers of the barcodes of tickets which have not been issued with a required test result granting entry to the relevant event (mainly for the provision of COVID-19 related Services)
Types of personal data: Performing a contract with event partners to enable them to perform their contract with you and to fulfil their legitimate interest in operating a safe event
Source of personal data: Directly from each data subject or from the application of our Services and Platform
Retention period: 3 months
Legal basis: GDPR Article 6(1)(b)

Purpose of processing: EE & UK: Answering the inquiries of the data subject
Types of personal data: To comply with the requests that the Customer may send to us from time to time
Source of personal data: Directly from each data subject
Retention period: 3 years
Legal basis: GDPR Article 6(1)(b)

Purpose of processing: EE & UK: Information on how our Services and Platform are used, including feedback that may be provided by the Customer
Types of personal data: Improvement and development of the Services and the Platform
Source of personal data: Directly from each data subject or automatically during your use of the Services and Platform
Retention period: 1 year
Legal basis: GDPR Article 6(1)(f)

Purpose of processing: EE & UK: Marketing and sales related activities
Types of personal data: Name (first name, last name), email address, phone number [minimum amount of personal data necessary for the purpose]
Source of personal data: Directly from each data subject or automatically during your use of the Services and Platform
Retention period: 3 months. Please note that third parties may retain personal data for a different period of time than Certific
Legal basis: GDPR Article 6(1)(f)

Purpose of processing: EE: Retention of the logs of information systems of the healthcare provider
Types of personal data: Content of the processing activity, data about the controller and processor, date and time of the processing activity
Source of personal data: Directly from each data subject or automatically during your use of the Services and Platform
Retention period: 5 years
Legal basis: GDPR Article 6(1)(c)

Purpose of processing: EE: Data about the provision of healthcare Services offered to the patient (reply to doctor’s referral)
Types of personal data: Data categories required by annex 4 of “Compositions of the data of documents to be forwarded to the Health Information System and the conditions and procedure of submission thereof” (Estonian regulation)
Source of personal data: Directly from each data subject or automatically during your use of the Services and Platform
Retention period: 5 years
Legal basis: GDPR Article 6(1)(c)

Purpose of processing: EE & UK: Technical data collected through cookies
Please see the Cookie Policy.

* The list of personal data categories may be non-exhaustive depending on the Service. Where further personal data is processed in the course of specific Services offered by Certific, the Service flow will explain what additional categories are processed for the specific purpose.

** EE marks primary applicability in Estonia and UK marks the United Kingdom. International service is linked to the Estonian standards. Further jurisdictions may be introduced.

6. WHEN DO WE SHARE YOUR PERSONAL DATA?

6.1. Certific may share Customer personal data with certain third-party service providers, e.g. IT suppliers, logistics service providers, other service providers or co-operation partners.

6.2. Certific may also share Customer personal data with third parties if Certific is legally required to do so, for example if personal data is requested from us by any authority competent to ask for such data, such as a court, a law enforcement agency, or competent government agencies and supervisory authorities acting in accordance with law.

6.3. Certific may also share your personal data with third parties if you have granted your consent for that specific transfer or based on another appropriate legal basis (for example, performance of a contract or legitimate interest). As an example, Certific may collaborate with scientific researchers who may need your specific voluntary consent to obtain relevant personal data about you (for example, to do research on COVID-19 or to allow you to enter an event you wish to attend). In such situations, the types and categories of personal data we transfer, the specific recipient(s) of the personal data and other appropriate and relevant information are provided in the specific consent that may be asked from you. Certific may also collaborate with event organizers in relation to specific dedicated Services, in which case we may share a limited amount of personal data with the relevant event organizers, as permitted in accordance with our Terms and Conditions and Privacy Policy as well as the relevant terms and conditions of the respective event organizer.

6.4. Certific may transfer Customer personal data to third countries, i.e. countries outside the EU/EEA area, for the purposes explained in this Privacy Policy. When transferring Customer personal data to third countries, Certific will ensure that the transfer is subject to appropriate safeguards under the GDPR and that Customer rights are protected, such as the Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses). Customer may request a copy of the safeguards we have put in place with respect to the transfer of personal data by contacting Certific via contact details below.

6.5. In relation to the use of the Services and the Platform, Customer personal data may be disclosed to the following recipients. Each entry lists: the type of recipient; the purpose of disclosure; the location of the recipient; the applied safeguard; and the role of the recipient.

Type of recipient: Providers of IT-services and servers
Purpose of disclosure: Providing IT-solutions and other related services (including servers) necessary for Certific’s daily business functions
Location of the recipient: EU/EEA/UK
Applied safeguard: Data processing agreements
Role of the recipient: Data processor to Certific

Type of recipient: Service providers to Certific
Purpose of disclosure: Providing services that are necessary for Certific to enable the Platform and Services, for example, but not limited to, service providers for evaluating the testing procedure and Test results or service providers who are delivering the Test Kits
Location of the recipient: EU/EEA/UK/USA
Applied safeguard: Data processing agreements
Role of the recipient: Data processor to Certific

Type of recipient: Healthcare Provider
Purpose of disclosure: Provision of the Services in accordance with the Terms and Conditions and in order for the Healthcare Provider to fulfil their legal obligations (for example documentation obligations under local healthcare legislation)
Location of the recipient: EU/EEA/UK
Applied safeguard: Data processing agreements
Role of the recipient: Joint controller with Certific or separate data controller, depending on the Service setup

Type of recipient: Service providers to Healthcare Provider
Purpose of disclosure: Providing services, such as, but not limited to, IT-solutions and/or other related services as necessary for the business functions of the Healthcare Provider
Location of the recipient: EU/EEA/UK
Applied safeguard: Data processing agreements
Role of the recipient: Data processor to Healthcare Provider

Type of recipient: Provider of IT-services related to the video-recording platform integrated into the Platform
Purpose of disclosure: Providing the IT solution necessary for Certific Service functions
Location of the recipient: USA
Applied safeguard: Data processing agreements based on standard contractual clauses
Role of the recipient: Data processor to Certific

Type of recipient: Marketing and sales related service providers
Purpose of disclosure: Marketing and sales related activities improving marketing analytics, including customer reach via marketing and social media platforms
Location of the recipient: EU/EEA/UK/USA
Applied safeguard: Data processing agreements
Role of the recipient: Data processor to Certific

Type of recipient: National government agencies, such as the Health Board in Estonia or Public Health England, to which reporting is made through the Healthcare Provider
Purpose of disclosure: Obligation to report and provide information on certain Test results (e.g. positive COVID-19 or similar test results) in accordance with the applicable law
Location of the recipient: EU/EEA/UK
Applied safeguard: N/A
Role of the recipient: Separate data controller

Type of recipient: Event organizers (if you have used our Platform in relation to getting an event pass)
Purpose of disclosure: Certific may share limited information with event organizers if you have used our Platform in connection with obtaining an event pass to enter an event organized by the relevant event organizer. Certific may share information that allows the event organizer to verify whether the Customer has been approved for entry to the event, mainly for refund purposes if the ticket was issued with an event pass allowing entry to the event
Location of the recipient: EU/EEA/UK
Applied safeguard: Controller-controller data sharing agreement
Role of the recipient: Separate data controller

6.6. Certific may also share anonymized Customer data and/or statistical data with third parties, for example for research purposes. Please note that in cases where we share anonymized Customer data and/or statistical data we make sure that no personal data is shared (which means that no Customer can be identified), and therefore personal data processing regulation and the GDPR shall not apply to such data sharing activities (as no personal data is shared).

7. HOW DOES CERTIFIC PROTECT YOUR PERSONAL DATA?

7.1. To protect Customer personal data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction, Certific uses appropriate technical and organisational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents and buildings.

8. CUSTOMER RIGHTS

8.1. Certific is dedicated to ensuring that all data subject rights arising under applicable law are always guaranteed to the Customer. In particular, any Customer who is a data subject has:

8.1.1. the right to access the personal data processed about him/her;

8.1.2. the right to request rectification of any inaccurate personal data about him/her;

8.1.3. the right to request erasure of personal data and/or restriction of processing of personal data if personal data is processed without a valid legal basis for processing. When exercising the “right to be forgotten”, the Customer is instructed by our customer service team and provided the necessary information on the process;

8.1.4. the right to receive processed personal data in a structured, commonly used and machine-readable format and have the right to transmit personal data to another controller (subject to conditions from the applicable legislation);

8.1.5. the right to object to the processing of personal data.

8.2. If the Customer believes that his/her rights have been infringed, the Customer may contact and lodge a complaint with the supervisory authority applicable for the Customer’s jurisdiction (e.g. the Data Protection Inspectorate in Estonia, address Tatari 39, Tallinn 10134, info@aki.ee, or the Information Commissioner’s Office, address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, helpline number 0303 123 1113; more details available at https://ico.org.uk/global/contact-us) or another competent authority in the Customer’s jurisdiction. A list of national Data Protection Authorities in the EU is available at https://edpb.europa.eu/about-edpb/board/members_en.

9. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by the laws of the Republic of Estonia. Any disputes arising from this Privacy Policy shall be settled in the Harju County Court in the Republic of Estonia unless the Customer has a right to turn to the court of his/her residence pursuant to statutory law.

10. CONTACTS

If you have any questions about this Privacy Policy, if you have any concerns about how we use your personal data or if you want to exercise your rights as described above, please contact Certific via e-mail or in writing using the following contact information:

business name: Certific OÜ 

registration code: 16050394

address: Tööstuse st 47d-69, Tallinn 10416, Estonia

e-mail: dpo@certific.co 

website: https://certific.co/