Skip to content

Privacy policy

Curewiki™ and your personal data

1. Purpose and introduction of the data processor

This Privacy Policy (hereinafter“this Policy”) is established by the company Curewiki (hereinafter “we/us” or “Curewiki”) whose registered office is located at Rue d’Angoussart 79, 1301 Bierges, Belgium, a company to be incorporated which will be registered at the Crossroads Bank of Enterprises under number (to be determined).

Curewiki is a Belgian company which aims, through the use of its website, to connect all currently available clinical trials with patients whose type of disease might be compatible with their selection criteria.

To do this, Curewiki relies on mutual cooperation between health professionals, scientists, patients and their families and, if possible, pharmaceutical laboratories and manufacturers.

The purpose of this Privacy Policy is to inform the users of the website ( (hereinafter referred to as “the website”) of the way in which their personal data is collected and processed in the context of our business activities.

In general, this Policy is part of our intention to act transparently and in compliance with national regulations, including the law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter “the GDPR”).

In the light of these texts, Curewiki is to be understood as a data processor when it determines alone, or in agreement with the healthcare organisations, the means and purposes of processing the personal data of the patients concerned.

In all cases, we wish to emphasise that we pay particular attention to the protection of privacy and that we undertake to take reasonable precautions to protect the personal data collected against loss, theft, disclosure or unauthorised use.

“Personal data” is defined as  all personal data  relating to the user, i.e.  any information that directly or indirectly identifies  the user as a natural person.

2. Processing of personal data

What operation(s) are we going to carry out on your data ?

The GDPR defines processing as any operation or set of operations, whether or not by automatic means, which is performed on personal data or sets of personal data.

Processing covers a wide range of actions, such as :

  • Registering;
  • Erasure or deletion;
  • The organisation;
  • Storage;
  • Use;
  • Collection;
  • Adaptation or modification;
  • Structuring;
  • Consultation;
  • Limitation;
  • Communication by transmission;
  • Distribution or other form of making it available;
  • Matching or linking.

In the context of the use of our website, it is therefore possible that we may process personal data in one of the above-mentioned ways.

3. Categories of processed data

What categories of data do we process?

We process both “classic” personal data (point a) and health data (point b). The latter require a more detailed analysis as they involve a specific legal framework.

a. “Classic” categories of data

Our website ( leads us to process a certain amount of personal data.

The main “classic” data we collect are the following :

  • Identification data of the patient (and/or a relative of the patient): (name, first name, postal address, date of birth, etc).
  • Identification data of the patient’s referring doctor (name, first name, practice address, etc);
  • Telephone and e-mail data (e-mail address and telephone number);
  • Any other information that the user voluntarily gives us.

In the event that non-personal data is combined with personal data in such a way that it is possible to identify the persons concerned, we will treat this data as personal data until it is impossible to link it to a specific person.

b. Special categories: health data

In addition to “classic” data, we also process certain health data.

More specifically, we process:

  • Data relating to your current illness (previous and current diagnoses, any interventions performed, etc.);
  • Data relating to any medication you are taking;
  • Data relating to your general physical condition (disability, pregnancy, etc.);
  • Data on your general psychological state (mental illness, behavioural problems, etc.);
  • Any other medical information necessary to establish whether you are eligible for the clinical trial;
  • Any other information you voluntarily give us.

Article 4.15 of the GDPR defines health data as any personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveals information about that person’s state of health.

Health data, due to their intrinsic nature, are considered as “special data” by Article 9 of the GDPR, the processing of which is, in principle, prohibited.

This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data data concerning health or data concerning the sex life or sexual orientation of a natural person.

However, Article 9 (2nd paragraph) of the GDPR provides for a number of exceptions, allowing the processor to proceed with the processing of these particular data in certain legally defined circumstances.

Among these exceptions, the GDPR allows the processing of special data, including health data, if the data subject has expressly consented to it

The processing of your health data via our website falls within this exception in that we do not collect any of your health data without your prior and explicit consent.

Your consent is the sole legal basis, within the meaning of Article 6.1 a) of the GDPR, on which we base the processing of your health data. We refer here to what is explained in point 6 of this Policy.

In all cases, the health data you are asked to provide will be processed in a limited manner, in order to comply with the principles of data limitation and minimisation, as set out in Article 5.1 c) and e) of the GDPR.

Indeed, the data we collect is limited to the information that health organisations strictly need to determine whether or not a patient falls within the selection criteria of the clinical trial concerned. You will not be asked for any unnecessary health data.

4. Collection methods

We collect your personal data through the answers you provide when you register on our site (direct collection method).

In order to provide you with clinical trials relevant to your medical condition, our website asks you a series of questions about your health status. The purpose of these questions is to determine whether you meet (or do not meet) the selection criteria for clinical studies of which Curewiki is aware.

Your answers will necessarily contain personal data about you and it is precisely through these answers that we will collect your personal data.

It is also possible, subject to your consent, that we may  collect your health data directly from your doctor (indirect collection method).

Indirectly collected data will only be processed if it is not possible for us to determine from the information you have provided directly whether you meet the selection criteria for a particular clinical trial (or not).

However, contact with your doctor is also only made on the basis of your explicit consent.

5. Purposes of the processing

We process your personal data only for the purposes mentioned below, namely :

  • To ensure that the patient is uniquely identified;
  • To organise the registration of interested patients;
  • Linking the various medical parameters of a patient with the selection criteria of a particular clinical trial;
  • Determining their eligibility in clinical trials;
  • Linking patients with institutes that can offer them clinical trials relevant to their disease;
  • Notifying patients by e-mail of existing trials.

6. Legal basis for processing

For the processing of personal data to be legitimate, it is necessary that it is based on one of the 6 legal grounds listed in Article 6 of the GDPR.

The legal bases are the following :

  • Your explicit consent for one or more specific purposes;
  • The need to implement a contract with you to which we are a party or the implementation of pre-contractual measures taken at your request;
  • The need to comply with a legal obligation to which we are subject;
  • The need to safeguard your vital interests or those of any other individual;
  • The need to perform a mission in the public interest or in the exercise of official authority which we are entrusted with;
  • The need to pursue our legitimate interests or those of any other third party, provided that these interests do not override your interests or fundamental freedoms.

With regard to the purposes for which we process your personal data, we process your personal data exclusively on the basis of your consent. Indeed, apart from the information that would be found in the public area, your registration on the website and the information that you provide are only transmitted to us on a voluntary basis.

You have the right to unsubscribe from the list of interested patients at any time.

7. Duration of data retention

In accordance with the principle of limited retention, the period of retention of data will be strictly for the period necessary for the fulfilment of the purposes for which the processing is justified, not beyond. Under no circumstances will your data be kept for an unlimited period.

We keep all data for a period of 15 years, starting from the completion of your registration on our website.

When data is no longer required for the purposes for which it was processed or if you withdraw your consent and no other legal basis can be proven, the data must be destroyed so that it is impossible for anyone to trace your identity.

8. Recipients of the data

a. Communication to internal recipients

We only give access to your personal data to internal persons whose function requires it. Access to your data is strictly limited to them. We regularly check these accesses and secure the information provided, as far as possible.

b. Communication to third party recipients

In the course of our activities, we may disclose certain personal data to “recipients” outside our internal organisation.

The GDPR defines recipients as the natural or legal person, public authority, department or other body that receives the communication of personal data, whether or not it is a third party.

Curewiki commits itself to only communicate to third parties aggregated and anonymised data, with the explicit consent of the patient.

Curewiki will NEVER sell or provide personally identifiable information to anyone without the patient’s express and specific consent. This can only happen, with the patient’s express and specific consent, in the event that we identify a match with a clinical trial for which the patient has passed the eligibility criteria. In this case, we inform the patient and, after receiving approval for that specific trial, we put the patient in contact with the investigation site or sponsor of the clinical trial.

To be completely transparent, when patients register on Curewiki, they provide data that Curewiki uses and shares in an aggregated and de-personalised way with research partners working on future treatments and cures. This is another way, besides participating in the trials themselves, in which the Curewiki community contributes to the advancement of scientific research.

By virtue of the laws that apply to them and their public duties, certain authorities and/or institutions may require Curewiki to provide them with some of your personal data.

When such a case arises, it is therefore possible that Curewiki may be obliged to pass on your personal data to these “third party authorities” without asking for your prior consent. On the other hand, Curewiki commits itself to transmit to them only the data that these authorities/institutions strictly need for the exercise of their missions, and this by application of the principle of minimisation.

In any case, no transfer of personal data outside the European Union is made.

9. Rights regarding GDPR

The GDPR expressly provides for a series of rights that are entirely at your disposal. We inform you, through this Policy, of how you can exercise your rights. These rights allow you to maintain a form of control over the use of your personal data.

There are 7 such rights and they can be listed as follows :

  • Right of access, information and copy of data;
  • Right to rectify data;
  • Right to object to the processing;
  • Right to erasure (right to be forgotten);
  • Right to restrict processing;
  • Right to portability of your data;
  • Right to withdraw your consent.

a. The right of access, information and copy of data 

You have the right to obtain confirmation from us that your data is being processed.

VYou also have the right to access a range of information: the purposes justifying the processing, the categories of data concerned, the third parties to whom the data will potentially be disclosed, where and for how long the data will be stored, the existence of the rights of rectification, limitation or opposition, the right to lodge a complaint with the competent authorities, information on the origin of the data if it is not collected from you directly, the existence of automated decision-making and finally any relevant information concerning the logic, meaning and potential consequences of such processing on you. Translated with (free version)

We must make available a copy, electronic or otherwise, of the data being processed, free of charge, on simple request from you.

If you wish to have additional copies, we may ask you to pay a reasonable charge for the administrative costs of making such copies.

b. Right to rectify data

You have the right to inform us, without delay, of your wish to rectify the accuracy of certain data relating to you where you believe it to be inaccurate, incomplete or obsolete.

In view of the purposes of the processing, you have the right to have your incomplete personal data completed, including by providing an additional declaration.

c. Right to object to the processing

Where we process your data on the basis of one of our legitimate interests, you have the right to object to the processing of your personal data at any time and on grounds relating to your particular situation.

We will then have to stop the processing unless we can prove that other grounds for further processing override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

In addition, you have the right to object at any time to communications made for commercial prospecting purposes.

d. Right to erasure (right to be forgotten)

You have the right to obtain from us, under certain conditions, the deletion of your personal data without delay.

You can obtain the deletion of your personal data when one of the following reasons applies:

  • The data are no longer necessary for the purposes of the processing;
  • You withdraw your consent to the processing of your data and we base this processing only on the legal basis of your consent;
  • You object to the processing;
  • We have processed your personal data unlawfully;
  • The data we hold is incomplete, inaccurate or out of date;
  • We need to erase your personal data in order to comply with a legal obligation (under EU or Member State law) to which we are subject.

If we have made your data available to other entities, we are obliged to take all necessary steps to inform those entities that you have requested to have your data erased.

e. erased. Right to restrict processing

You have the right to obtain from us the limitation/restriction of the processing of your personal data. This right can be activated in various cases and may complement the application of other rights.

If the restriction of processing no longer applies, we will inform you of this.

f. Right to the portability of your data

If we process your personal data on the basis of a contract or your consent and the processing is carried out by automated means, you can ask us to transfer all of your personal data to you or to transfer them to another processor.

g. Right to withdraw your consent

Where processing is based on your consent, you have the right to withdraw it at any time. However, such withdrawal does not affect the lawfulness of processing based on your consent that we carried out before the withdrawal.

10. Exercise of rights

To exercise your rights, you can send us a written, dated and signed request either by post to 79 Rue d’Angoussart, 1301 Bierges or by e-mail to (

In order to help you ensure that your rights are respected, we need to verify that your request concerns your personal data.

We may ask you for additional information if it is not realistically possible to identify you with the information we have.

We are obliged to provide you with information on the action taken in response to your request as soon as possible and in any event within one (1) month of receiving your request.

If necessary, this period may be extended by two (2) months if justified by the complexity or number of requests submitted. In the latter case, we shall be obliged to inform you of such an extension within one month of receiving the request.

If the request is refused, you will have the right to submit a complaint to a supervisory authority or to seek legal assistance.

11. Data security

We commit ourselves to taking all appropriate technical and organisational measures to ensure that the processing of your data is carried out with a level of security appropriate to the risks it presents. Due to the fact that we process some of your health data, we undertake to provide a framework for the processing of your data with increased security.

We undertake, to the best of our ability, to do everything in our power to prevent your data from being distorted, damaged or accessed by unauthorised third parties.

Because we process some of your health data, we may need to ask you to provide us with proof of your identity before we can give you access to the processed data. This is to ensure that no unauthorised third party can gain access to your data without your permission, due to the sensitivity of the information involved.

We make our staff members who have access to personal data aware of the risks and consequences of data leakage (e.g. hacking, theft of a work computer, sending an attachment containing data from another client, etc.) and of the need to secure their processing.

If these hypotheses should occur while we have control over your data, we undertake to act quickly to identify the cause of the problem and to take the appropriate measures. If we are required by law to do so, we will also ensure that you are notified if such an incident occurs.

12. Contact

We are your first point of contact if you have any questions about this Policy or about data protection.

Please do not hesitate to contact our DPO, (name, first name), available at (postal address) or by e-mail at (e-mail).

13. Claims and complaints

You can also submit a complaint to the Data Protection Authority at the following address:

Data Protection Authority
Rue de la Presse, 35
1000 Brussels, Belgium
Telephone + 32 2 274 48 00
Fax + 32 2 274 48 35

14. Modification

We reserve the right to amend this Policy in order to adapt it to new legal requirements. Such changes will take effect immediately after this Policy is updated and will be published on the website (

15. Applicable law and jurisdiction

This Policy is governed by Belgian law.

Any dispute relating to the interpretation or execution of this policy falls under the exclusive jurisdiction of the courts of the judicial district of Nivelles.