Privacy Notice for Patients using the Empatica Health Monitoring Platform (EHMP)
Last updated: v1.0, January 2026
This Privacy Notice (“Notice”) explains how Empatica S.r.l., with registered offices at Via Stendhal 36, 20144 Milan, Italy (“Empatica”, “we”, “our”, or “us”), processes the personal data of patients of hospitals or clinical centers that are customers of Empatica (“Customers”) located in the European Union (EU), the European Economic Area (EEA), and the United Kingdom who use the Empatica Health Monitoring Platform (“EHMP”) and its related components and services (together, the “Services”).
Empatica provides digital-health and medical-device technologies that enable the remote collection, transmission, and analysis of physiological data from patients with Parkinson’s disease (“Data Subjects”, “you” or “your”) under the control of the Customers.
The Customers act as data controllers with respect to the processing of Data Subjects’ personal data necessary for diagnosis, care, and treatment. In this context, all processing activities carried out by Empatica in support of these purposes are performed by Empatica in its capacity as a data processor, on behalf of the Customers. Accordingly, any processing activities carried out for diagnosis, care, and treatment purposes are not covered by this Notice.
However, Empatica also acts as an independent data controller for certain purposes related to the Services in respect of which Empatica determines the purposes and means of the processing, as described in this Notice. Accordingly, through this Notice, Empatica provides Data Subjects with the information regarding the processing of their personal data, as required under applicable data protection laws.
1. Who is this Notice intended for?
This Notice describes how Empatica processes the personal data of patients of the Customers who use the Services.
If the patient is a child, Empatica may process limited non-special category data relating to the patient’s parent, guardian, or authorized healthcare professional. Accordingly, in such cases, the term “Data Subjects” should be interpreted to include these individuals.
Age groups
Children over the age of 6 but under 18: may use the Services only under the supervision of a parent, guardian, or authorised healthcare professional. They may not register as users of the Services directly; registration and consent must be completed by their parent, guardian, or the responsible investigator or clinician.
Children under the age of 6: the Services are not intended for children under 6 years of age. Therefore, Empatica will not process any data relating to children under 6 years of age.
2. Data Sources and Categories
Empatica mainly collects personal data from Data Subjects through their use of the Services. However, Empatica may collect Data Subjects' data from the Customer in the course of post-market monitoring or technical support.
Empatica may process:
Identifiable contact data such as name, surname, date of birth, age, gender, email address;
Device and technical information, online identifiers and device usage data, such as IP address, device identifiers, device operational metrics, device calibration and validation reports, firmware and app version, timestamps, operating system, connectivity logs, technical logs, mobile device identifiers (e.g., IMEI/device ID);
Health-related data such as physiological signals, wearing time, movements, sleep, Parkinson’s-related scores (e.g., tremor, bradykinesia, dyskinesia), medication logs, and other device performance data.
However, the specific data processed may vary, depending on the EHMP configuration chosen by the Customer and the device used by the Data Subjects.
3. Purposes and legal grounds for the processing of personal data
The table below sets out the purposes of the processing activities carried out by Empatica when acting as an independent data controller in relation to Data Subjects’ personal data, together with the corresponding legal bases and other relevant details.
Purpose of Processing: Safeguarding – monitoring and assessing the performance and safety of the EHMP, including diagnostics, remediation, and responding to adverse-event reports.
Categories of Personal Data: Health-related information, device identifiers, and operational metrics.
How Collected: Generated automatically by the device or provided by the Customer in the course of post-market monitoring or technical support.
Legal Basis and potential consequences of not processing the data: Compliance with safety and vigilance legal obligations, based on Art. 6(1)(c) of the GDPR for non-special category data and Art. 9(2)(i) of the GDPR for health-related data. The processing activities described herein are mandatory, as otherwise Empatica would be unable to comply with the applicable legal obligations.

Purpose of Processing: Regulatory and quality-management compliance.
Categories of Personal Data: Health-related information and device information as required by applicable laws and quality assurance.
Examples: Device usage data, calibration, and validation reports.
How Collected: Generated automatically or provided by the Customer to meet regulatory obligations.
Legal Basis and potential consequences of not processing the data: Compliance with a legal obligation to which Empatica is subject under applicable laws, based on Art. 6(1)(c) of the GDPR for non-special category data and Art. 9(2)(i) of the GDPR for health-related data. The processing activities described herein are mandatory, as otherwise Empatica would be unable to comply with the applicable legal obligations.

Purpose of Processing: Analytics and research (if authorised by the Data Subject) – conducting analytics and research on pseudonymised or aggregated data to improve algorithms and support future regulatory and clinical submissions.
Categories of Personal Data: Personal, device, and activity data, including health-related information, processed in pseudonymised or aggregated form.
Examples: Aggregated or de-identified datasets used to validate algorithms or improve device performance.
How Collected: Derived within Empatica’s secure environment using pseudonymisation procedures.
Legal Basis and potential consequences of not processing the data: The Data Subject's consent, based on Art. 6(1)(a) of the GDPR for non-special category data and Art. 9(2)(a) of the GDPR for health-related data. The processing activities described herein are optional. Data Subjects are free to withhold or withdraw their consent at any time, without this affecting their ability to use the Services or causing any other adverse consequences. In the event of withdrawal, the lawfulness of any processing carried out prior to the withdrawal remains unaffected.

Purpose of Processing: Marketing and advertising – promotion of Empatica products and services through marketing communications sent by electronic means; distribution of educational content through channels managed by Empatica; market research and analysis; measurement and analytics.
Categories of Personal Data: Identification data and contact details, geographical data, demographic data, marketing preference data, communication interaction data.
Examples: First and last name, email addresses, date of birth, age, gender, opt-in/opt-out status, country/region of residence, language.
How Collected: Collected directly from the Data Subject via Empatica channels (web form / in-app).
Legal Basis and potential consequences of not processing the data: The Data Subject's consent, based on Art. 6(1)(a) of the GDPR. The processing activities described herein are optional. Data Subjects are free to withhold or withdraw their consent at any time, without this affecting their ability to use the Services or causing any other adverse consequences. In the event of withdrawal, the lawfulness of any processing carried out prior to the withdrawal remains unaffected.

Purpose of Processing: Establishment, exercise or defence of legal claims.
Categories of Personal Data: The personal data processed may vary on a case-by-case basis, depending on the subject matter of the legal dispute.
Examples: First and last name, email addresses, device usage data.
How Collected: Personal data is collected in accordance with the data collection methods described in the relevant entries above.
Legal Basis and potential consequences of not processing the data: Processing is necessary for the pursuit of Empatica's legitimate interest in establishing, exercising or defending legal claims, based on Art. 6(1)(f) of the GDPR for non-special category data and Art. 9(2)(f) where health-related data is involved. The processing is not mandatory, and the Data Subject may object to it. In such a case, Empatica may only continue processing the personal data if it has an overriding legitimate interest or if the processing is necessary for the establishment, exercise or defence of legal claims.

Purpose of Processing: Corporate transactions – assessing the feasibility of, and carrying out, corporate transactions such as mergers, restructurings, acquisitions of companies or sales of assets involving Empatica, and other related operations.
Categories of Personal Data: The personal data processed may vary depending on the specific transaction.
Examples: Personal data may be transferred to the acquiring or successor entity as part of that transaction.
How Collected: Personal data is collected in accordance with the data collection methods described in the relevant entries above.
Legal Basis and potential consequences of not processing the data: Processing is necessary for the pursuit of Empatica's legitimate interest in conducting possible corporate transactions, based on Art. 6(1)(f) of the GDPR for non-special category data and Art. 9(2)(i) where health-related data is involved. The processing is not mandatory, and the Data Subject may object to it. In such a case, Empatica may only continue processing the personal data if it has an overriding legitimate interest or if the processing is necessary for the establishment, exercise or defence of legal claims.
4. Sharing Your Personal Data with Others
Empatica may share or disclose personal data with the following data recipients as necessary to fulfil the above-mentioned purposes of the processing for which the personal data are intended.
a) Affiliates
Empatica may share personal data with its affiliates:
Empatica Inc., located in the United States; and
Global Kinetics UK Corporation Limited, located in the United Kingdom.
b) Service providers
Empatica engages carefully selected third-party service providers that perform specific functions on Empatica’s behalf and process personal data only according to Empatica’s documented instructions. These include providers of:
secure cloud-hosting and data-storage infrastructure;
device-connectivity and communication services;
maintenance, calibration, and quality-assurance support;
audit and certification services;
customer-support and incident-management systems;
security monitoring, logging/observability, and vulnerability-management services; and
identity and access management / authentication services (to manage user accounts, access controls, and login security).
Empatica ensures that all service providers are bound by written agreements imposing appropriate confidentiality, data-protection, and security obligations.
c) Legal, regulatory, and safety disclosures
Empatica may disclose personal data to competent authorities, regulators, or other public bodies where required to:
comply with obligations under the EU Medical Device Regulation (EU) 2017/745 (MDR) or other applicable laws;
report or investigate device-safety incidents or adverse events;
demonstrate conformity during regulatory audits or inspections;
respond to lawful requests by law-enforcement or supervisory authorities; or
defend or exercise legal claims.
Such disclosures are limited to what is strictly necessary to fulfil Empatica’s legal obligations.
d) Corporate transactions
In the event of a merger, acquisition, restructuring, or sale of assets involving Empatica, personal data may be transferred to the acquiring or successor entity as part of that transaction. Any such transfer will occur only under conditions ensuring continuity of equivalent data-protection safeguards.
5. Your Data Subject Rights and Data Protection Officer
At any time, you can exercise the rights granted to you by the Data Protection Laws regarding your personal data by writing to privacy@empatica.com or using the contact details set out in Section 11 below.
In accordance with the Data Protection Laws, you have the right to:
Access your personal data - You have the right to obtain confirmation as to whether or not your personal data is being processed, and, where that is the case, access to your personal data and the information on the relevant processing by Empatica;
Rectify or erase your personal data - You have the right to obtain the rectification of inaccurate personal data concerning you, or the erasure of your personal data. However, Empatica is not obligated to delete personal data that is necessary to comply with applicable laws;
Restrict the processing of your personal data - You have the right to obtain restriction of processing where one of the following applies: (i) you contest the accuracy of the personal data, for a period enabling Empatica to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead; (iii) Empatica no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; or (iv) you have objected to processing pending the verification whether Empatica's legitimate grounds override yours;
Withdraw your consent, where previously given. However, the lawfulness of any processing carried out prior to the withdrawal remains unaffected;
Transfer your personal data to another controller (“data portability”) - You have the right to receive your personal data, which you have provided to Empatica, in a structured, commonly used and machine-readable format and transmit this data to another controller, where the processing: (i) is based on your consent; and (ii) is carried out by automated means;
Object to the processing of your personal data justified on legitimate interest grounds - You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1)(f) of the GDPR. Empatica will no longer process your personal data unless Empatica demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;
Automated decision-making - You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is: (i) authorised by applicable law to which Empatica is subject and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests; or (ii) based on your explicit consent;
Obtain information and/or a copy of the safeguards used for international data transfers outside the EU/EEA.
We may ask you for additional information to confirm your identity and for security purposes before disclosing any personal data. We reserve the right to charge a reasonable fee if a request is manifestly unfounded or excessive.
You can exercise your rights by using the contact details set out in Section 11 below. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly and, in any case, within the timeframes set out by the Data Protection Laws. If further information is required to fulfil your request, we will inform you accordingly.
Please note that we may not always be able to fully address your request—for instance, if we are legally required to handle the request differently.
Empatica has appointed a Data Protection Officer (DPO) who is responsible for monitoring compliance with data-protection regulations and acting as a point of contact for data-subject requests and supervisory authorities. The Data Protection Officer, appointed by Empatica pursuant to Article 37 of the GDPR, can be contacted at: privacy@empatica.com
You also have the right to lodge a complaint with your local supervisory authority (i.e., the Data Protection Authority of the country of your habitual residence, place of work, or place of the alleged infringement) if you believe your rights have been infringed. The contact details of the supervisory authorities of the EU Member States are available at www.edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, the relevant supervisory authority is the Information Commissioner’s Office (ICO), which can be contacted through the webform or live chat on its website, or by phone at 0303 123 1113.
6. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected. In particular, the following retention periods apply:
Safeguarding, regulatory and quality-management compliance – For the period prescribed by applicable law, including for post-market surveillance, diagnostics and remediation, vigilance reporting, and other regulatory-compliance activities, which may require Empatica to retain certain pseudonymised data for up to twenty-five (25) years.
Research and analytics – Personal data processed for research or analytics purposes are retained for up to twenty-five (25) years where necessary to support future regulatory and clinical submission, in accordance with applicable medical-device and research-record-keeping obligations.
Marketing and advertising – Until you withdraw your consent to such processing or, in any event, for no longer than twenty-four (24) months from the last interaction related to marketing communications (e.g., an opt-in event).
Establishment, exercise or defence of legal claims – Personal data processed for this purpose may be retained until the expiration of the applicable statutory limitation period.
Corporate transactions – Personal data processed for this purpose is retained for the period applicable to the specific processing activities described above.
After the applicable retention period expires, Empatica securely deletes or irreversibly anonymises the data in accordance with its Information-Security and Data-Retention Procedures. No specific retention limit applies to data that have been permanently anonymised.
7. Processing of Children’s Personal Data
We are committed to protecting the privacy of children who use our Services. This section provides supplemental information regarding our processing of personal data relating to children under applicable laws.
Empatica does not use children’s data for any independent purpose, marketing, or profiling activities, and applies the same or stronger technical and organisational security measures to children’s data as to all other personal data.
8. International Transfers of Personal Data
Empatica is headquartered in the United States and has operations, affiliates, and service providers in the United States, the European Union, the United Kingdom, and other jurisdictions around the world. As a result, personal data processed through the Services may be transferred to or accessed from locations outside the European Economic Area (EEA).
Such transfers are carried out in full compliance with applicable Data Protection Laws, and appropriate safeguards are applied to ensure that personal data remain protected at all times. In particular:
Personal data may be transferred only after the execution of the Standard Contractual Clauses approved by the European Commission (Decision No. 2021/914/EU) – together with the UK International Data Transfer Addendum or the International Data Transfer Agreement (IDTA) approved by the UK Information Commissioner’s Office (ICO), as applicable – or to countries that have been recognised by the Commission as providing an adequate level of data protection (“Adequacy Decisions”).
Transfers to the United States may rely on the EU–U.S. Data Privacy Framework, where applicable.
Empatica also implements technical and organisational safeguards, such as encryption and access controls, to protect personal data during transfer.
For further information about international data transfers or to obtain a copy of the relevant safeguards, please contact us using the details provided in Section 11 below.
9. Third-Party Links
The Services may contain links to third-party websites or applications. Any access to and use of such linked resources is not governed by this Notice but rather by the privacy notices of those third parties. Empatica is not responsible for the information practices or content of third-party websites or services.
10. Changes to this Privacy Notice
We may update this Notice from time to time to reflect changes in legal requirements or in the way we provide our Services. Any updates will be posted on our website and in the Mobile app, and the “Last Updated” date at the top of this Notice will indicate when the most recent revisions were made. If we make any material changes, we will endeavor to provide advance notice—for example, by email to Customers or by posting a prominent notice on our website.
11. Contact Us
Empatica welcomes your questions, comments, or concerns regarding this Notice or our privacy practices. You can contact us at:
📧 privacy@empatica.com
📍 Empatica S.r.l. Via Stendhal 36, 20144 Milan, Italy
Empatica’s Data Protection Officer (DPO) can also be reached at the same email address.