Privacy Policy

The company MédecinDirect (hereinafter « MEDECINDIRECT ») gives primary importance to the respect of the privacy of its customers and prospects, and the privacy of its website and mobile application users, which manages confidential personal data.

MEDECINDIRECT agrees to process data in compliance with applicable regulations such as Law No. 2018-493 of 20 June 2018, amending the Data Protection Act of 6 January 1978 related to data processing, files and freedoms and the general regulation on the protection of personal data (hereinafter the Data Protection Act).

The MEDECINDIRECT Application is accessible through a web application at www.medecindirect.fr and a mobile application, published by MEDECINDIRECT.

It allows Users to access the teleconsultation Service provided by MEDECINDIRECT’s Health Professionals in the context of a written online exchange, in real time via videoconference or telephone, under conditions which guarantee the security and confidentiality of their data, after creating a Personal Account.

The purpose of this Privacy Policy is to inform Users and Health Professionals who provide the teleconsultation Service of:

  • The procedures for implementing the processing of personal data concerning them in the context of the Application;
  • The rights they have over their personal data;
  • The means implemented to secure sensitive data;
  • The means implemented to store information relating to their navigation within the Application that may be stored in « cookie » files (hereinafter referred to as « Cookies »).

It is an integral part of:

  • The General Terms and Conditions of Use of the Application governing the MEDECINDIRECT Teleconsultation Service, for the User; and
  • The professional work contract, for the Health Professional.

1) Definitions

  • Personal data: any information relating to a physical person allowing them to be identified, directly or indirectly.
  • Processing of personal data: Any operation, or set of operations, relating to such data, whatever the process used, automated or not (collection, recording, organisation, storage, adaptation, modification, extraction, consultation, use, communication by broadcast transmission or any other form, comparison or interconnection, blocking, erasure or destruction, etc.).
  • Cookie: A cookie is a small computer file, a tracker, deposited and read when visiting a website, reading an email, installing or using software or a mobile application, regardless of the type of device used (computer, smartphone, tablet connected to the Internet, etc.).

2) Data controller and subcontractors

MEDECINDIRECT is a simplified joint-stock company, whose registered office is located at 1 Chemin de Saulxier, in LONGJUMEAU (91160), FRANCE, with a capital of 87,100 €, registered with the Trade and Commerce Register of Evry under the number B 508 346 673.

MEDECINDIRECT has been operational since 2010, and is responsible for the processing of data, with respect to the Data Protection Act, on the basis of personal data concerning Users and Health Professionals with regard to access and use of the Application.

The main subcontractor involved in the processing of personal data is COREYE in its capacity as an approved database hosting company in accordance with Article L. 1111-8 of the Public Health Code.

The automated processing of personal data for the purpose of teleconsultation acts was authorised by the French Data Protection Authority (CNIL) by Resolution No. 2016-184 on June 16th, 2016.

This activity and its organisation are the subject of a special contract concluded between the Director General of the Île-de-France Regional Health Agency and MEDECINDIRECT, in accordance with Article R. 6316-6 of the Public Health Code.

3) Use of personal data

The purpose of the data processing by MEDECINDIRECT is to manage Users and Health Professionals who participate in a Personalised Teleconsultation Service and associated services.

The User and the Health Professional are informed that the personal data collected and processed through the Application are necessary for the use and provision of the Teleconsultation Service and for evaluating the quality of the service.

The User and the Health Professional are also informed and accept that once anonymized and aggregated, their data may be subject to statistical analyses. When applicable, this use is in compliance with the formalities defined by the French Data Protection Authority (CNIL).

4) List of personal data that is collected and processed

When collecting data, the User and the Health Professional are informed whether or not the collection of their personal data is mandatory. As part of the collection and processing of health data, MEDECINDIRECT maintains a register that describes the purpose of the data processing, which data is collected and for which User, information concerning the recipients of the data, the storage periods and a description of the protection measures currently in use.

For Users, the following data, identified by an asterisk, is mandatory for the creation of a Personal Account allowing access to a private and secure space in order to provide/benefit from the Teleconsultation Service:

  • Last name, first name, sex, telephone number, email, address, date and place of birth, membership number proposed by the third-party payer in order to verify with the latter whether the User is a beneficiary of the MEDECINDIRECT service,
  • Authorization of the webcam device, messaging, microphone.

And mandatory medical data:

  • Lifestyle habits;
  • Health data: diseases, family history, treatment information, risky situations or behaviours.

For Healthcare Professionals, the following data, identified by an asterisk, are mandatory for the creation of a Personal Account allowing access to a private and secure space in order to provide/benefit from the Teleconsultation Service:

  • Last name, first name, national and regional physician identification numbers (RRPS and ADELI in France), mobile phone number or email to receive a six (6) digit code allowing them to access their workspace, professional address, medical specialty;

Otherwise, the User and the Health Professional cannot access the Teleconsultation Service.

5) Sensitive and confidential data

When using the Teleconsultation Service, data relating to the User’s health are collected and processed.

In this respect, the User and the Health Professional acknowledge that the personal health data collected and any information exchanged as part of the Personalised Teleconsultation Service is sensitive data/information and is protected by medical confidentiality. They therefore require particular vigilance.

For this reason, the User and the Healthcare Professional are invited to implement, under their responsibility, all useful and relevant security measures to protect access to their computer, smartphone and/or tablet or any other terminal used to access the Application, in particular towards third-parties. (Article 11 – Safety instructions)

In particular, the User and the Health Professional are informed and acknowledge that their authentication details on the Application, including their password, are strictly personal and confidential.

As such, they are fully responsible for their authentication details and agree to take all necessary measures to ensure their protection and to not communicate, transfer or make them available to a third-party.

In addition, prior to engaging in the Teleconsultation Service, the User is encouraged to find an appropriate area to ensure the utmost confidentiality of his/her exchanges with the Health Professional.

MEDECINDIRECT regularly conducts audits to ensure compliance in terms of security and data protection in order to comply with the obligations of the regulations related to personal data.

6) Information and collection of the users' informed consent

The use of the Application involves the collection and processing of the User’s personal data, including personal health data.

Personal health data are sensitive data under the Data Protection Act. Collecting this data requires the User’s informed consent that he/she gives, after authentication, by clicking on the « validate » button associated with an agreement contained in the General Terms and Conditions of Use of the Teleconsultation Service.

The User is informed and acknowledges that by clicking on the « validate » button, he/she will give his/her express, active and unequivocal consent to the collection and processing of his/her personal health data in connection with the use of the Teleconsultation Service and the purposes and objectives of the processing, after having read the information and consent notice made available to him/her.

Otherwise, the User will not be able to benefit from the Teleconsultation Service offered by MEDECINDIRECT. However, this will not affect his/her care within the health system insofar as he/she may use the services of any other competent health professional of his/her choice.

As such, the User may withdraw his consent at any time by contacting MEDECINDIRECT directly or by sending a request by email to: dpo@medecindirect.fr.

In this case, he/she is informed that his/her Personal Account will be closed and that he/she will no longer be able to access the Application.

7) Data protection officer

MEDECINDIRECT has appointed a Data Protection Officer to ensure compliance with the regulations and rules described in this Privacy Policy. The Data Protection Officer shall in particular ensure:

  • That a register of the processing of personal data carried out in the company is maintained,
  • That practices comply with regulations and any evolutions,
  • That team members are made aware of the requirements and best practices relating to the protection of personal data,
  • The effective exercise of the rights of the persons concerned.

The Data Protection Officer is Vincent WABLE, who can be contacted by email at: dpo@medecindirect.fr.

8) Data recipients

The personal data of Users and Health Professionals are intended exclusively:

  • To Health Professionals, specifically authorised and in compliance with the rules relating to medical confidentiality;
  • To members of the MEDECINDIRECT staff, authorised under the Chief Physician of MEDECINDIRECT in strict compliance with their duties, and who are subject to confidentiality;
  • To the staff members of technical service providers specifically authorised and subject to secrecy, in strict compliance with their duties, solely for the purpose of the technical management of personal accounts;
  • To the strictly authorized administrators of the approved health database host, under Article L. 1111-8 of the Public Health Code, within the limits of their respective powers;
  • To the persons authorised on behalf of authorised third-parties (the courts concerned, arbitrators, mediators, ministries concerned, etc.).

MEDECINDIRECT guarantees that the User’s/Health Professional’s personal data will not be transmitted to any unauthorised third-party without their consent.

9) Rights to user data

In accordance with the Data Protection Regulations, the User and the Health Professional have rights regarding the personal data that is collected and processed within the framework of the Application:

  • Right of access: the user has the right to ask MEDECINDIRECT whether it holds any personal information about him/her and to access this data;
  • Right of rectification: the user has the right to request to rectify, complete or delete information in the event of errors, inaccuracies or presence of data whose collection, use, communication or storage is prohibited;
  • Right of objection: the user has the right to refuse on legitimate grounds to appear in a file, except in the context of commercial prospecting, in which case a motive is not required.
  • Right to erase: the user has the right, under certain conditions, to obtain the erasure of their data from MEDECINDIRECT;
  • Rights to post-mortem data:
      • The user has the right to define general guidelines regarding the storage, erasure and communication of personal data after one’s death, which may be registered with a trusted third-party certified by the French Data Protection Authority (CNIL);
      • The user has the right to define specific directives, concerning the processing of personal data mentioned by these directives, which may be registered with the dedicated service of MEDECINDIRECT, and which are subject to the specific consent of the subject.
  • Right to portability: the user has the right to recover part of their data in an open-source or other computer-readable format.
  • Right to limit data processing: the user has the right to suspend the processing to which it is subject while keeping the data processed (under certain conditions).
  • Right to object to the appeal of an automated decision: the user has the right to not be the subject of a fully automated decision (under certain conditions). MEDECINDIRECT informs Users/Healthcare Professionals that no automated decisions are made by the Application.

To exercise these rights and in particular to request the closure of their Personal Account, the User and the Health Professional must contact the support service available on the website www.medecindirect.fr or by sending a request by:

  • Email: dpo@medecindirect.fr, or by
  • Mail: MédecinDirect, 2 rue de Choiseul, 75002 Paris.

Or by sending a request directly to the approved health database host by:

  • Email: contact@coreye.fr, or by
  • Mail: Coreye, 50 rue de Paradis, 75010 Paris, France.

The User’s/Health Professional’s request must (i) specify his/her last name, first name, postal address, (ii) be signed and (iii) be accompanied by a photocopy of an identity document bearing the holder’s signature.

A register of requests for access, rectification and opposition is kept by MEDECINDIRECT’s dedicated service in electronic and paper format and contains the various dates and a description of the exchanges with the applicants. It is stored and backed up in compliance with security and confidentiality requirements.

The processing of requests from Users and Health Professionals takes place within a maximum period of one (1) month following the request.

10) Security measures deployed

a) Authentication of Users and Health Professionals

The User and Health Professional’s connection to their Personal Account is controlled by a two-factor identification and authentication system: once the password is entered, for each connection, a six (6) digit code is sent to the User and Health Professional’s phone or email.

The authentication of the User/Health Professional in the context of his/her access to the Application, is irrefutably imputable to the User/Health Professional for the operations carried out by means of his authentication elements.

In other words, any action carried out by the User/Health Professional via his Personal Account, based on his authentication details, will be deemed to have been carried out by the User/Health Professional and under his exclusive responsibility.

As such, the User/Healthcare Professional agrees to keep his/her authentication elements secret. It is understood that MEDECINDIRECT cannot be held liable for any loss or damage occurring in the event of failure to comply with this obligation, any use of the aforementioned elements being made under the sole responsibility of the User/Healthcare Professional.

In the event of loss or theft of his/her authentication elements, or suspicion of their use by an unauthorized third-party, the User/Health Professional agrees to inform MEDECINDIRECT without delay, at the following e-mail address: dpo@medecindirect.fr.

The notification of the User/Health Professional will systematically lead to the deactivation by MEDECINDIRECT of the User/Health Professional’s compromised authentication elements as soon as possible and will generate a procedure allowing the creation of new authentication elements in compliance with the French Data Protection Authority’s (CNIL) recommendations.

In accordance with the recommendations of the French Data Protection Authority (CNIL), a technical device encourages the User/Health Professional to change their password periodically, every twenty-four (24) months.

The User/Healthcare Professional also has the possibility to renew his/her password by clicking on the « lost password » link. An email will be sent to the User/Healthcare Professional with a temporary link; he/she will be asked to enter his/her old password followed by a new password, which is to be chosen in accordance with the recommendations of the French Data Protection Authority (CNIL).

The User/Healthcare Professional agrees, in general, to take all necessary measures to ensure the complete confidentiality of his/her authentication details and agrees not to communicate, transfer or share them with a third-party.

If applicable, MEDECINDIRECT agrees to notify the breach of the User’s/Health Professional’s password or renewal data as soon as possible after the breach is detected. The User/Healthcare Professional will be asked to change their password the next time they log in.

In the event of leaks, losses or modifications of data, MEDECINDIRECT will inform the French Data Protection Authority (CNIL) within a period not exceeding seventy-two (72) hours.

This obligation to provide legal information cannot be interpreted as an acknowledgement of liability or negligence on the part of MEDECINDIRECT or its subcontractors.

The User/Healthcare Professional is also aware that it is recommended to change their password for other services if they have used the same password for those services.

b) Other safety measures

MEDECINDIRECT, in its capacity as a data controller under the Data Protection Act, sets up enhanced security measures to enable the collection and processing of personal data (including administrative and health data of Users) under conditions that guarantee their confidentiality, integrity and, more generally, their security in compliance with the provisions of the Data Protection Act and applicable legal provisions.

In particular, the data collected and processed within the framework of the Application are hosted by COREYE, an approved database hosting company under Article L. 1111-8 of the French Public Health Code (http://esante.gouv.fr/services/referentiels/securite/hebergeurs-agrees).

The User is informed and acknowledges that he/she may object to the hosting of his/her data with the approved database hosting company for any legitimate reason by contacting directly:

  • The MEDECINDIRECT service specifically in charge of exercising access rights, at the following e-mail address: dpo@medecindirect.fr;
  • Or the approved health database host directly, at the following postal address: Coreye, 50 rue de Paradis, 75010 Paris – France, or by email: contact@coreye.fr.

MEDECINDIRECT implements procedures for securing data transport and recipient or « server » authentication, including the use of the most up-to-date version of the TLS encryption protocol.

The connection dates and times concerning access to the Application and any consultation, creation, updating and deletion of data, as well as the time limits and durations of responses to beneficiaries are recorded in order to track the use of the Teleconsultation Service.

A supervision tool allows all access to data to be tracked in the database. In particular, it records successful and failed connection attempts, account name, and public IP addresses. It is possible for the administrator to extract a log of this information.

All traces of medical exchanges are thus stored in the file of the User, and will be stored actively for five (5) years, plus five (5) years as archived.

11) Safety instructions

With respect to the sensitivity of the personal data collected by using the Application, the User/Health Professional agrees to the following:

  • The User/Healthcare Professional agrees to comply with the safety instructions and in particular the rules relating to the definition and modification of his/her authentication details;
  • The User/Health Professional agrees to respect access management, and in particular, not to use the identifiers of another User/Health Professional, or to seek this information;
  • The User/Healthcare Professional agrees to keep his/her identifiers strictly confidential and not to disclose them to third-parties, and, in general, to any third-party whatsoever, regardless of his/her professional qualities and activities;
  • The User/Healthcare Professional agrees to notify MEDECINDIRECT of any technical malfunction observed and any anomaly discovered, such as any intrusions.

In particular, it is the User/Healthcare Professional’s responsibility to take all appropriate measures to protect their own data and equipment from contamination by viruses or other forms of attacks that may circulate through the Application.

The User/Health Professional is informed that technical interventions within the Application are carried out in compliance with the provisions of the Data Protection Act and all the provisions of the Public Health Code.

The User/Healthcare Professional acknowledges the existence of risks inherent to the use of telecommunications, even in the presence of secure access as implemented in the Application, and in particular:

  • The unreliability of the Internet network, particularly in the transmission of data;
  • The discontinuity of the Application and its Contents;
  • Unstable performances (e.g. in terms of volume and speed of data transmission if applicable) due to computer viruses;
  • Any other technical constraint that is not under the control and responsibility of MEDECINDIRECT.

In no event shall MEDECINDIRECT be liable for these risks and their detrimental consequences, regardless of their extent, to the User/Health Care Professional.

In addition, the User is warned that saving his/her identifiers and passwords using Internet browsers is not recommended. This is not recommended due to security reasons and the sensitive and confidential nature of the data contained in his/her Personal Account.

12) Storage time of personal data

The User/Healthcare Professional is informed that his or her personal data is stored for a period of five (5) years in an active database and then archived for five (5) years by MEDECINDIRECT under the required security conditions. Beyond that, only non-identifying aggregated statistical data are kept.

The MEDECINDIRECT service allows beneficiaries to print a copy of a prescription signed by doctors following a teleconsultation.

Pharmacists can verify the authenticity and integrity of a prescription by contacting the health professional or administrative staff from MEDECINDIRECT who are authorized by the Chief Physician to access medical records (with the consent of the beneficiary).

Each member of MEDECINDIRECT’s administrative staff authorized to access the data has signed a confidentiality agreement.

The User/Healthcare Professional is informed that the closure of his Personal Account will not result in the automatic destruction of his personal data, which will be stored for technical reasons regarding database consistency, in compliance with the requirements of the Data Protection Act, as well as the legal and regulatory obligations of MEDECINDIRECT, which the User/Healthcare Professional accepts.

The User/Healthcare Professional is informed that at the end of this action, he/she will no longer be able to access the Application and Content.

13) Transfer of data beyond the European Union

MEDECINDIRECT does not transfer the personal data of Users/Health Professionals outside the European Union.

14) Cookie management

The Application uses cookies. Information on cookies, how they are used and how the User/Healthcare Professional can control their use is presented below.

a) Definition and use of cookies

The Application uses both session cookies, which are deleted upon closing the User’s/Health Professional’s browser, and permanent cookies, which remain on the computer, smartphone, digital tablet used by the User/Health Professional to access the Application, for a specified period of time.

The cookies used in the Application are used exclusively to:

  • Improve navigation within the Application in order to be able to use its various functionalities, including authentication to the Personal Account;
  • Establish statistics of the activity of various elements of the Application (page visited, content read, etc.).

You will find below the list of cookies used on the Application:

Name of the Cookie used: session cookie
Function: management of the functional aspects related to a website visit
Category: cookie strictly necessary
Session/permanent cookie: session

Name of the Cookie used: Google Analytics
Function: records the number of visits made to the site, including the first visit, as well as the most recent
Category: performance cookie
Session/permanent cookie: permanent

b) Cookies and consent

With regard to the use of audience measurement cookies (Mobile Application), an information banner is displayed when the User/Healthcare Professional connects to his/her Personal Account, in order to inform him/her before the cookies are stored and to obtain his/her prior consent.

By continuing his/her navigation, the User is presumed to have given his/her agreement i.e. when the User has clicked on an element of the Application (content, link, « search » button etc.) or has gone to another page of the Application.

The agreement given by the User is only valid for a period of thirteen (13) months from the first deposit in the User’s terminal equipment, following the User’s consent.

At the end of the thirteen (13) month period, the User’s consent needs to be renewed.

In order to configure the audience measurement cookie, Users/Healthcare Professionals can use the tracking opposition tools offered by Google Analytics, the audience measurement cookie used within the Application.

At any time, the User may choose to express and modify his/her wishes regarding cookies.

15) Changes to the privacy policy

MEDECINDIRECT reserves the right to change this Privacy Policy at any time. Modifications can be made based on changes in applicable laws and regulations.

Users and Health Professionals will be notified of changes via the website www.medecindirect.fr or by email.

At any time, Users and Healthcare Professionals can review the Privacy Policy regarding their personal data by accessing this document.