Privacy Policy

McRoberts Privacy Policy
Published online: 05/06/2020

Introduction

This policy defines what personal information is collected by McRoberts and to what end data is
processed. Please feel free to contact McRoberts to ask any questions via this link.

Terminology

Data Controller:
A natural or legal person, public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data.

Data Processor:
A natural or legal person, public authority, agency or other body which processes personal data on
behalf of the controller.

Data processing agreement:
A data processing agreement is a legally binding contract that states the rights and obligations of each
party concerning the protection of personal data.

Data subject:
A data subject is any person whose personal data is being collected, held or processed.

1. Collected personal data

The following personally identifiable information (PII) is collected by McRoberts:

Registration information
Users of McRoberts’ products have to register and create a personal online account for gathering and
managing data. This online portal for product operations is called My McRoberts. During this procedure
first name, surname and email address are collected.

Billing & shipment information
The following PII is collected from clients for billing and shipment:

a. Billing address
b. Bank account number
c. VAT number (if applicable)
d. BIC/SWIFT code (if applicable)
e. Shipping address
f. Shipping recipient
g. Phone number
h. Email

Data subject characteristics
The following PII is collected from data subjects for input to McRoberts’ proprietary software analysis
algorithms:

a. Year of birth
b. Gender
c. Body height
d. Body weight
e. Subject code. McRoberts recommends using actual codes or code names, in which case the
subject code will no longer be PII.

Database modifications to PII
With consent from the data subject, the data controller is authorized to request database modifications
to the PII. Under GDPR regulations, and after successful applicant identification, McRoberts is obligated
to implement the requested changes. All database modification requests, as well as the modifications
themselves, are logged for traceability purposes.

My McRoberts interaction data
Information on a user’s actions on My McRoberts is logged (e.g. adding a subject, starting
measurements, uploading data).

2. Reason for data collection

Invoicing
Billing information is collected for successful invoicing of purchased goods and recurring costs. Contact
details are used to send reminders when payment is due.

Shipment
An address for shipment is needed to successfully provide customers with products. Contact details are
required by the shipment company in order to contact the recipient if package delivery fails.

Contact clients & product users
Registration data is stored in order to contact users for provision of customer support, informing on
software release notes, informing on McRoberts news, informing on product maintenance and vigilance
reporting.

Traceability
In order to justify all actions taken and decisions made by both McRoberts and its clients, McRoberts
needs to be able to trace back to initiation of such an event. For that purpose, information on website
handling, database modification requests, support requests and issue reporting is collected.

Software analysis
Data subject characteristics are used as input variables for McRoberts’ proprietary algorithms to create
outcome variables.

3. Passing on personal data

Assessment and approval of McRoberts suppliers is described in the supplier approval standard
operating procedure. Data privacy, data security and GxP compliance in general are taken into account
during these assessments. Furthermore, recurring supplier audits are performed to check whether
suppliers continue to comply with McRoberts’ standards.

The only supplier involved in PII security and privacy is McRoberts’ cloud server provider. Note that the
cloud server provider is not involved in PII processing. Their involvement merely concerns data storage
and hosting McRoberts’ proprietary analysis software algorithms. McRoberts’ cloud servers are located
in Amsterdam, the Netherlands. More information on cloud server security can be found here.

4. Rights of the data subject

Following the GDPR, McRoberts enables the data subject to exercise his/her rights with regard to the
processed PII. Please note that the same options are offered to clients who act as data controller
with consent from the data subject. Should McRoberts be contacted by a data subject or data controller
for insight or modifications to the PII, this person will be asked to identify him-/herself. McRoberts offers
2 methods for PII insight.

a. Signing in to the online platform for gathering and viewing data (My McRoberts).
The clinician or researcher has to create an online account on My McRoberts in order to start
data collection. By provision of username and password, the clinician or researcher can enter
the online portal in order to view PII. This PII can also be exported as PDFs for provision to data
subjects.

b. Contacting McRoberts to request a summarized database export.
The clinician or researcher can fill out a Data Transfer File Request Form on which the required
data can be defined. Person identification is accomplished by the mandatory username and a
signature.

McRoberts offers one method to modify or delete data:

a. Contacting McRoberts to request a data correction.
The clinician or researcher can fill out a Data Correction Form on which the required database
changes can be defined. Person identification is accomplished by the mandatory username and
signature.

5. Data controller responsibilities

The data controller (i.e. McRoberts clients) is responsible for obtaining a data subject’s consent to
authorize McRoberts as a data processor as described in the privacy policy. Furthermore, it is the
responsibility of the data controller to initiate a data processing agreement between data controller and
data processor.

6. Data retention time

Data may be archived for historical, statistical and scientific purposes. McRoberts typically processes
data for customers who intend to use data for scientific or statistical purposes. Consequently,
McRoberts archives data for 15 years by default. The data retention period can be altered should this be
required. In that case the required retention period should be defined in a data processing agreement or
a service level agreement.

7. Changes to this document

McRoberts reserves the right to modify the privacy policy at any time. All newly issued versions will be
published online, including the publication date. Should you wish to get more detailed information on the
changes, we are available to answer questions during Dutch office hours.