Rerad.io is a web-based service that enables fast, simple and accurate consultation between radiologists, clinicians, doctors and other specialists (“User”) to diagnose radiological findings. The service functions around cases depending on their clinical and educational value, allowing each User to build their own user-defined library of cases and knowledge. All Users are verified prior to registration to ensure authenticity.
RERAD and its services collect, process and store three distinct sets of personal data. We will process the following personal data on the Services:
contact details (e-mail address, telephone number, address, country of residence, nationality);
position, title and workplace;
medical doctor’s license;
social network references.
Pseudonymous patient case information;
pseudonymized DICOM images including embedded metadata;
content that you post, upload and/or contribute to the Services;
Technical usage data
such as the URL you are accessing the Services from, your IP address, unique device ID, network and computer performance, browser type, language and identifying information and operating system;
information about your use of the Services, such as what you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), consultation length(s), recurrence of visits and other interaction information, methods used to browse away from the page.
We are unable to provide you with the Services unless you provide us with the personal data listed in point (a) above. The processing of the personal data above is necessary to enter into the Terms of Service with us and is necessary to maintain the contractual relationship between you and us.
Purposes of Processing
We will process the personal data set out above for the following purposes:
To enable you to verify your account, to administer your account, to enable and provide the Services and integration with third party services, and to provide, personalize and improve your experience with the Services, and to otherwise provide the Services according to the Terms of Service;
to send you alerts or messages by email or otherwise, including to provide you with marketing of our and our related parties’ products and services;
to inform you about updates of the Services or the terms of Service;
to improve and develop the Services or new services and to analyse your use of the Services;
to ensure the technical functioning of the Services and to prevent the use of the Services in breach of the Terms of Service;
to enforce the Terms of Service, including to protect our rights, property and safety and the rights, property and safety of third parties if necessary;
to respond to any queries you raise with us and to provide customer support; and
to fulfill requirements by law.
Fulfillment of contract. By accepting RERAD’s Terms of Service, we process your personal data to be able to fulfill our agreement with you for the purposes listed above in points (1), (3) and (6).
Legal obligation. RERAD will process personal data if it has a legal obligation to do so to fulfill requirements by law as pointed out in point (8) above.
Legitimate interest. The processing of your personal data for the purposes listed in points (4) (5), and (7) above is conducted on the basis of the legitimate interest of RERAD. Our legitimate interest for the processing is maintaining sufficient IT security through logging data when you use our Services and to evade fraud and to protect the Services from cyber threats. We also log data for the maintaining and improvement of our Services.
Disclosure of Personal Data
We do not commercially exploit or distribute personal data to any third party for commercial purposes. We share and disclose your personal data to companies with which we have contracts in place. These companies mainly provide data storage, data analytics, advertising, IT support and other services to be able to run and improve our Services.
Responding to Legal Requests and Preventing Harm
We may access, preserve and share your personal data in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other Users, including as part of investigations.
Cookies, Pixels and other System Technologies
Personal data about registered Users will be retained for as long as the User has an active profile on the Services. Users who have not used our Services will have all personal data deleted after 2 years of inactivity on the Services.
If you agree to be added to our mailing list, we will keep your personal information for that purpose unless and until you tell us that you want to unsubscribe or be removed from the list. If you advise that you do not want to be added to our mailing list or you ask to be removed, we will delete your personal data (aside from keeping a record that you have asked us not to send you marketing information).
The Services are not directed to persons under the age of thirteen (13). If you are a parent or guardian of a person under the age of 13 and you become aware of that the child has provided personal data to us without your consent, please contact firstname.lastname@example.org to exercise your access, rectification, erasure, limiting of processing and objection rights.
The importance of security for personal data is of great concern to us. At RERAD, we have gone to great lengths to manage the security and integrity of the Services and to ensure that we use best–in-class services when providing secure transmission of information from your device. Personal Data collected via the Services is stored in secure environments that are not available or accessible to the public; only those duly authorized people, officers, employees or agents of RERAD who need access to your information in order to do their jobs are allowed access.
Anyone who violates our privacy or security policies is subject to disciplinary action, including possible termination of their contract with RERAD and civil and/or criminal prosecution. RERAD uses the latest technologies to ensure utmost security, including utilizing several layers of firewall security and encryption of personal data to ensure the highest level of security.
You have an absolute right to object to the processing of your personal data for direct marketing. You also have the right to recall your prior given consent. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal, and we may continue processing your personal data based on other legal grounds, except for direct marketing.
You have the right to request access and further information concerning the processing of your personal data, or request that we correct, rectify, complete, erase or restrict the processing of your personal data. You have the right to obtain a copy of the personal data that we process relating to you free of charge once (1) every calendar year. For any additional copies requested by you, we may charge a reasonable fee of 10€ based on administrative costs.
If the processing is based on the legal grounds consent or fulfilment of contract you have the right to data portability. Data portability means that you can receive the personal data that you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transfer such data to another data controllers.
To exercise your rights, or if you have any questions regarding our processing of your personal data, please contact us our Data Protection Officer (DPO) at the following address: email@example.com or A25P1T0, Republic of Kazakhstan, Almaty, Medeusky district, Dostyk av., 192/2. In your letter/email please state your full name, your username (if you are a user) and which institution you are linked to. Note that you should sign the request to receive information of the processing of your personal data yourself.
If you have any complaints regarding our processing of your personal data, you may file a complaint to the competent data protection authority. You can find out more about the local data protection authorities under the following link http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
About the Services
The core of our Services is to help radiologists (our “Users”) to find a diagnosis to a radiological finding in radiology images. We store pseudonymized images together with descriptions of radiology findings within these images (“Cases”). A stored Case is shared with other users with the purpose of solving a specific radiological finding. The description of the radiological finding is done by the user uploading the images with the support of other users.
In the scope of providing the Services, pseudonymized patient data contained in the Digital Imaging and Communications in Medicine (DICOM) images and embedded metadata is processed. RERAD processes this data in the capacity of a data processor, whereas the respective clinics or otherwise independent radiologists act as data controllers for the processing.
All patient health data (DICOM images) are pseudonymised at its source within the clinic’s private network or through an encrypted link provided to the independent radiologists. The objective of the pseudonymization is to remove any data which can be traced back to an individual person. Nevertheless, a unique identifier is kept within each case to enable linking back to the original patient. This linking is only to be possible by the source clinic or the independent radiologist and which enables them to fulfill their data protection obligations towards each patient.
The process of pseudonymization removes all attributes such as name, birth date, phone number, etc. from the DICOM images. The process goes even deeper and removes any metadata tag which could indirectly enable the tracing back to the original patient. For this purpose, we use the de-identification method described in the DICOM standard 2017c. The specific tags which are removed or replaced can be found in Table E.1-1 from PS 3.15 of the DICOM standard 2017c.
In order to correctly provide our Services, the following tags are retained as these play a vital role in the diagnosis work of our users and do not directly identify the patient.
Contrast Bolus Agent
The following tags are converted into groups, such as: Patient Weight 70-80 kg, as required by policies at multiple large hospitals.
Once a Case has been finalized and a suggested diagnosis has been established, RERAD continues to provide educational services based on these historic cases. The objective here is to help establish diagnosis in other Cases, train radiologists to become even more efficient and develop radiology services to become more precise than today. A Case will be deleted three (3) months after it has fulfilled this purpose.
RERAD, as a data processor, is committed to assisting the participating clinics and the independent radiologists with their data protection obligations as data controllers. Therefore, if a patient wishes to exercise their data subject rights, RERAD will assist the clinics or the independent radiologists with this obligation to the extent that RERAD has the relevant personal data available and that the clinic or the independent radiologist provides the pseudonymization key to RERAD for the purposes of correctly identifying the patient and fulfilling its duties as a processor.