Privacy policy

Purpose of the data processing


The information collected during your pre-admission, consultation, biological analyses, or hospitalization in our institution is subject to computerized processing intended to manage your medical appointments, create your medical record, and ensure your care. The legal basis for this processing is the necessity for the purposes of preventive medicine, medical diagnosis, health or social care, or the management of health care systems and services (cf. Article 9.2.h of the General Data Protection Regulation – GDPR), as well as the performance of a task carried out in the public interest (cf. Article 6.1.e of the GDPR), which is entrusted to our institution.

The information collected may also be used in a non-nominative or coded manner for research purposes. The legal basis is the necessity for scientific research or statistical purposes (cf. Article 9.2.j of the GDPR).

Finally, certain information must be collected, processed, or transmitted to various State bodies or health insurance organizations for the purposes of developing and revising the health care map and organization scheme, evaluating the quality of care, monitoring the activity of Lille University Hospital, and billing. The legal basis is the necessity for reasons of public interest in the field of public health or to ensure high standards of quality and safety of health care and medicinal products or medical devices (cf. Article 9.2.i of the GDPR), compliance with a legal obligation (cf. Article 6.1.c of the GDPR), or the legitimate interest pursued by our institution (cf. Article 6.1.f of the GDPR).

 

Categories of data


Depending on the purposes described above, our institution may collect the following categories of data:
  • Identification: birth and usual surnames and first names, date of birth, gender, address, telephone numbers, email*
  • Social security number (NIR)
  • Personal life: lifestyle habits, family situation, contact persons*
  • Professional life: employer
  • Economic and financial information: health insurance, type of coverage
  • Sensitive data: health data, biological samples, genetic, ethnic data, religion, sexual life

*Data whose collection is optional but helps improve the quality of care or exchanges between you and the Hospital Center

Sources of data


Some of this data may originate from information exchanges between health professionals or from exchanges within secure health care networks.

 

Recipients of the data


The data is reserved for hospital professionals bound by professional secrecy who are involved in your care and may also be made available to professionals who are members of care networks. In this context, information concerning you may be sent to an approved or certified health data hosting provider and processed by partner health care organizations.

Your episode of care may also require coordination between several institutions belonging to the Hospital Group to which Lille University Hospital belongs. For this purpose, your data may be transmitted to member institutions of this group involved in your care.

Your data may be transmitted to public bodies, health authorities, and regulated professions (Public Treasury, Regional Health Agencies, health insurance and complementary organizations, lawyers, statutory auditors, etc.) upon request and within the limits permitted by regulations.

Your data may be transmitted, subject to compliance with applicable legal provisions, to partner health care institutions, service providers, tool suppliers, and subcontractors performing services for the Hospital Center (online appointment booking via Doctolib, remote monitoring medical devices, hospitality services, etc.).

As part of research projects, the Hospital Center may also, after informing you individually and unless you object, transmit data that has previously been rendered non-nominative to other health professionals.

In accordance with the law, the diagnostic and therapeutic elements necessary for coordinating your care are transmitted to your shared medical record (DMP) at each act or consultation.

Providing your third-party payment certificate to the admissions services of the institution automatically entails consent to the processing of your personal data within the framework of the ROC system (Reimbursement of Complementary Organizations). In the event of refusal, electronic third-party payment for the complementary part cannot be implemented. For more information on the ROC system, you can consult the following page:
ROC: reimbursement of complementary organizations – Ministry of Health and Prevention (sante.gouv.fr)

Data retention period


The medical record is retained, in accordance with the French Public Health Code, for a period of twenty years from the date of the last visit, or at least until the patient’s twenty-eighth birthday, or for ten years from the date of death. Certain data may be retained longer if required by law. It is then archived in compliance with applicable legal conditions.

Information used for research purposes is retained until the final research report or until publication of the research results. It is then archived on paper or electronic media for a period in accordance with applicable regulations.

 

Artificial Intelligence


In compliance with the applicable legal framework, your information may also be processed using tools incorporating artificial intelligence algorithms in order to improve the accuracy and efficiency of medical diagnoses made by health professionals, contribute to the identification of appropriate treatments, and assist in the management and steering of the institution’s activity.

These AI-based tools are systematically used as decision-support tools and never replace human oversight. All medical decisions concerning you remain the responsibility of the health professionals involved in your care.

Our institution and its partners ensure that these systems are used in compliance with ethical and regulatory standards and that security measures in line with the state of the art are implemented.

 

Health Data Warehouse (EDS INCLUDE)


On September 5, 2019, the French Data Protection Authority (CNIL) validated the compliance of Lille University Hospital’s health data warehouse with the General Data Protection Regulation.

As part of the creation of this warehouse, your personal health data collected during your care at Lille University Hospital will be brought together in a database enabling processing by the hospital on the basis of public interest. Your data will be coded, meaning identified by a different number for each research project.

It will be accessible to the investigators of the research, coordinators, and potential research partners. The data will be retained for 20 years from the date of collection. The database will then be archived for the legally authorized period. After this period, the database and all documents relating to the research will be permanently destroyed.

In accordance with the French Data Protection Act of January 6, 1978, and Regulation (EU) 2016/679 of April 27, 2016, you have the right to access, rectify, erase, restrict processing, and object to the processing of your personal data.

You may be informed of subsequent research projects and exercise your right to object to participation in these studies at the following address:
https://chu-lille.fr/rgpd-recherche.

 

National Rare Diseases Data Bank


As part of your care within a rare disease center accredited by the Ministry of Health, our institution uses specific software called BaMaRa to ensure your medical follow-up and analyze the center’s activity in order to better assess patient care and improve the census of rare diseases in France. In this context, regulatory reports are regularly sent to the General Directorate for Health Care Provision (DGOS) of the Ministry of Health. For more information on this data processing, please click
this link.

In addition, the data may be reused for research purposes, particularly within the National Rare Diseases Data Bank (BNDMR) managed by AP-HP. To learn more about research projects, partnerships, and how to exercise your rights, you can consult the BNDMR information portal at:
http://www.bndmr.fr

 

Data subject rights


You may at any time access your data, withdraw your consent, or request the deletion of your data. You also have the right to object, subject to legitimate grounds, the right to rectification, and the right to restrict processing. You may also set directives regarding the retention, deletion, and communication of your data in the event of death (cf. www.cnil.fr for more information on your rights).

To exercise your rights, you may contact the Hospital Center’s Data Protection Officer, enclosing proof of identity, at the following address:
dpo@chru-lille.fr

Or by postal mail at the following address:
Data Protection Officer (DPO) – Public Hospitals Group of Greater Lille
General Management
Lille University Hospital
2 avenue Oscar Lambret
59037 Lille

To obtain your medical record, you can submit your request directly online:
click here

If you believe, after contacting us, that your data protection rights are not respected or that access control mechanisms do not comply with data protection rules, you may lodge a complaint with the CNIL (cf. www.cnil.fr).