v 0.1 August 2022
The Hit-n-Run 2 privacy statement is meant to inform you which personal data are collected by the GEMH Lab, for which purpose they are collected and on the basis of which principles they are collected, how your personal data are processed, which rights you have when your personal data are processed and who you can contact if you have questions or requests concerning your privacy.
What is personal data?
Personal data are data that relate to an identified or identifiable natural person.
The GEMH Lab only processes your personal data for specified, explicit and legitimate purposes. Collection and processing of personal data exclusively takes place for the purpose of ensuring that the Hit-n-Run 2 app functions as intended. Without your consent, your personal data will not be processed, and use of Hit-n-Run 2 will not be possible. As a user of Hit-n-Run 2, your personal data will be processed for the following purposes:
- Ecological Momentary Assessment (indicating your mood and smoking cravings at a given time of day) will be collected and processed for the generation of personalized motivating messages. The results thereof will be displayed in the Hit-n-Run 2 app as future self-goal objectives for you to interact with.
The GEMH Lab only processes your personal data if and in so far as at least one of the conditions referred to below is met:
- you have granted permission for your personal data being processed;
- the processing is required for the performance of a contract to which you are party, or it is required to take specific measures, on your request, before the contract is entered into;
- the processing is required to meet a statutory obligation we are subject to;
- the processing is required to protect your vital interests or the vital interests of other persons;
- the processing is required to perform a task carried out in the public interest or assigned to us by a public authority;
- the processing is required for the representation of our interests or a third party’s legitimate interests, except where the data subject’s interests or his fundamental rights and his fundamental freedoms that require the protection of his personal data should carry more weight than those interests, especially where the data subject is a child.
Processing of special categories of personal data exclusively takes place if the conditions explicitly mentioned in the law have been met or if one of the grounds for exception applies that is referred to in the current data protection laws and regulations. The privacy statement applicable for your category explains on which legal basis the processing of your personal data may take place.
When Hit-n-Run 2 requests you to provide personal data, we will make clear whether the provision of these data is necessary or mandatory and what the (possible) consequences are if the data are not provided. Our starting point is always that we do not process more personal data than necessary for the purposes described.
Data exchange with third parties
The Hit-n-Run app does not provide any personal data to third parties who will use these data for their own purposes, unless the Hit-n-Run 2 app should be under a legal obligation to provide the relevant data or if you have granted permission to do so.
Automated decision-making and profiling
At this moment the Hit-n-Run 2 app does not use profiling in combination with automated decision-making.
Your data will not be retained any longer than necessary. If the relevant personal data are subject to a statutory retention period, the Hit-n-Run 2 app will comply with that. If the statutory and agreed upon retention periods should differ, we will observe the longer retention period. If you should want your personal data to be erased at an earlier stage, this could be granted in specific circumstances. Please refer to the heading ‘right to rectification and erasure’.
Personal data security
The Hit-n-Run 2 app takes appropriate technical and organizational measures to secure your personal data against loss or any form of illegal processing. Measures that are applied in this context as much as possible include, amongst other things, encryption and anonymizing personal data, encrypted communication and confidential treatment of personal data.
The GEMH Lab respects the rights that you have pursuant to current data protection laws and regulations. Below we give you some more information about these rights and how you can invoke them.
- Right of access;
You have the right to verify which of your personal data the Hit-n-Run 2 app processes.
- Right to rectification and erasure;
In specific circumstances, you are entitled to have your personal data rectified or erased if the data are not – or are no longer – correct or if the processing is – or is no longer – legitimate.
- Right to object;
When the Hit-n-Run 2 app processes your personal data by reason of a legitimate interest or a task carried out in the public interest, you have the right to object to that processing.
If you object to your personal data being used to inform you about the Hit-n-Run 2 app’s activities and similar processing (“direct marketing”), we will always honour this objection. In that case, your data will no longer be used for direct marketing.
If you object to any other form of processing with respect to your personal data, we will verify if we can honour your objection. If your objection carries more weight than the interest we have in processing your personal data – and in continuing to do so, we will stop processing these data. If we are of the opinion that our legitimate interest to continue processing your personal data outweighs yours, we will explain our position.
- Right to restriction of processing;
In specific circumstances, you also have the right to restriction of processing your personal data. This means that the Hit-n-Run 2 app temporarily “freezes” the processing of your data. You can invoke this right while waiting for the assessment of a request for rectification, if the data should have to be erased because the processing is unlawful but you should request restriction of processing instead of erasure, if the Hit-n-Run 2 app no longer needs the data whereas you still need these data for legal proceedings – or the preparation of legal proceedings – or pending the assessment of an objection.
- Right to data portability;
If the Hit-n-Run 2 app processes your personal data on the basis of your consent or an agreement entered into, you have the right, with respect to these data, to receive (in return) the data you provided us with digitally, in a commonly used format. You are then free to transmit these data to any other party.
- Withdrawal of consent;
If the Hit-n-Run 2 app processes your personal data on the basis of your consent, you usually have the right to withdraw your consent. We will immediately stop the processing. Withdrawal of consent has no retro-active effect. Any processing that has taken place up to that moment will, therefore, remain lawful. Further use of the Hit-n-Run 2 app will not be possible from the moment of withdrawal onwards.
Exercising the rights referred to above
If you want to invoke one of the rights referred to above, you can contact the lead researcher, Suhaavi Kochhar, at s.kochhar[at]ru.nl. The Hit-n-Run 2 app does not charge any costs when you exercise the rights referred to above – except where rights are abused.
In principle, a member of Hit-n-Run 2 app team will respond to your request within a month. If answering your question should take more time, which we hope will not be the case, we will inform you about this within a month. The complexity of the requests and/or the number of requests could lead to the response time being delayed by a maximum of three months.
The Hit-n-Run 2 app team may request further proof of identity when you file a request. We apply this rule to prevent personal data being provided to the wrong person or being changed incorrectly and to prevent any changes in the way in which those personal data are processed by us. In order to be able to handle your request as efficiently as possible, we ask you to present your ID.
Balancing individual interests involved in a request
The GEMH Lab would like to point out that the rights described above do not constitute absolute rights. Specific circumstances may lead to a specific request not being honoured. We will assess each request on an individual basis. In the event we cannot honour a specific request, we will explain why not, stating reasons. The right to object to the use of data for direct marketing purposes is an absolute right, unsubscribing for possibly commercial forms of communication will in any event be honoured.
Under the data protection laws and regulations you can also file complaints with the national supervisor, the Dutch Data Protection Authority. You will find further details on the website of the Data Protection Authority: (www.autoriteitpersoonsgegevens.nl(verwijst naar een andere website)).