General Terms and Conditions

Lyra International Luxembourg SARL
General Terms and Conditions / Contract

1. DEFINITIONS

“Employees”:

All persons that are in an employment relationship with your company and have an employment contract that has not been terminated for longer than 3 months.

“Immediate family members”:

Immediate family members are people who live in the same household with the employee (e.g. spouses, partners, siblings, parents, etc.).

“Services”:

Services are all of the services provided by Lyra for your company.

2. SERVICES TO BE PROVIDED BY LYRA

Lyra is obliged to provide the following services for your company:

2.1. Advice services for employees and their immediate family members:

2.1.1. Telephone services
2.1.2. Face-to-Face Counseling
2.1.3. Introduction
2.1.4. Management Feedback

2.1.1. Telephone services

The Employee Assistance Program EAP from Lyra is available to all employees and their immediate family members. It offers direct, unlimited and confidential access free of charge to telephone advice on emotional topics, around the clock, as well as practical life skills and legal questions, which are researched and answered during office hours. The calls are taken by professional and experienced advisors who carefully clarify the needs of the caller in order to provide the necessary support to the caller.

The Lyra Support Center can be reached 365 days a year, around the clock. Calls are answered in English, French, and German on the corresponding toll-free number*.

Advice calls on mental health topics can be conducted directly with the psychologist who takes the call. Questions about practical life skills and legal questions will be forwarded to our qualified lawyers. Often, counseling discussions arise from simple requests for information.

*Attention: Some mobile phone providers in Switzerland charge network usage fees for toll-free numbers. With some providers, it is possible that depending upon the subscription contract, no toll-free numbers can be called. Lyra has no influence over these providers or their subscription contracts. In these cases, Lyra can be reached around the clock on the international number. In order to keep the cost down for the caller, Lyra is happy to call back.

Telephone advising for emotional/mental issues

  • If a personal counselling session is desired, this can be conducted directly with the psychologist who takes the call. Thus, there is no delay for the caller. In this way, it is also assured that an employee who is currently in a crisis or needs courage to call need not be transferred before a specialist hears his issue.
  • All calls are taken by psychologists with university degrees and life experience. They also have additional knowledge in various topic areas, such as handling grief, debt questions, anxieties, stress, performance problems, harassment, burnout, mobbing, family and relationship conflicts, divorce or lack of self-confidence/feeling of self-worth. They help the employees to analyze their issues and develop concrete solutions.
  • There are professional and proven procedural protocols in order to guarantee the supervision and active handling of risk situations. Depending on the starting point and the gravity of the case, appropriate readiness systems and measures will be initiated.
  • The telephone advisors can also offer the callers face-to-face counselling sessions with a state-recognized psychotherapist, if this is indicated.

Practical life skills and legal issues / Life Management

  • The Lyra advisors are lawyers and attorneys that are also versed in obtaining information.
  • According to the experience of Lyra, specialized and useful information for the employees that must deal with multi-faceted work-related and personal questions is of inestimable value. Financial problems, legal problems, consumer issues, concerns such as moving, looking for housing, restructuring or personal events such as a death or loss of a job are undoubtedly taken into the workplace and impair the worker’s performance ability and productivity.
  • These expert advisors from Lyra are also trained in psychology. They are attentive, empathetic and impartial listeners. They know that behind a factual question there is often a hidden emotional need that the employee would like to address. The free discussion and expression of feelings such as frustration, anger, excitement, pain or loss allows the affected person to become calmer internally and to seek solutions constructively.
  • Lyra has data banks, brochures and reference works and can reach out to technical specialists in the fields of law, finance, insurance and medical issues.
  • Information can be obtained on the following topics, among others:
    Law | Housing | Insurance
    Wills/Inheritance | Finances | Family questions
    Taxes | Debt | Education
    Social security | Personal issues | Consumer rights

Support for managers / HR / Staff association (Managerial Consultancy)

The Employee Assistance Program EAP also serves the supervisors and human resources staff as a sparring partner in complicated management situations, organizational changes, conflicts or in the handling of difficult events such as sexual harassment, bullying, violence, serious accidents, crises, disaster.

Although the employee as a rule turns to Lyra on his own initiative, it is possible that supervisors, HR managers or team leaders refer an employee to Lyra – as an effective and well-meaning measure to reinstate the performance ability of an employee.

There are three different types of referral:

  • Self-referral – the most common.
  • Informal referral by a supervisor or HR – these encourage employees to use the Lyra EAP, but the performance of the employee is not in question.
  • Formal referral – Supervisors recommend the Lyra EAP in cases where work performance is affected.

The decision to make contact with Lyra ultimately remains with the employee, however. The decision is always voluntary. In a formal referral, where performance is the problem, the party making the referral only receives as feedback the information whether the employee has contacted Lyra or not.

2.1.2. Personal counseling sessions (Face-to-face Counseling)

For more complex emotional problems, callers can arrange personal counseling sessions in the form of clarifying, solution-seeking or crisis counseling and/or short-term therapy (up to a maximum of 8 sessions). These take place with federally licensed psychotherapists near the workplace. If desired, these sessions can also be conducted on the telephone.

Qualifications of the Lyra Advisor Network

  • Lyra has available in Switzerland its own network of psychologists who meet strict selection criteria. The qualifications include a recognized degree in psychology and psychotherapy, many years of experience in practice as well as membership in a Swiss specialist association. They have the right, according to the Swiss Federal Law on the Psychology Professions (PsyG) of April 1, 2013, to treat mental disorders.
  • The Lyra advisors have experience in different disciplines and can provide help with issues in areas such as relationships, alcohol or drug addiction, grief, debts or trauma.
  • All advisors must organize their own supervision pursuant to the requirements of the professional associations and must have liability insurance. They work in their own practice rooms, which are inspected by Lyra before they are accepted into the network.
  • To the extent possible, in distributing the advisors, Lyra takes into account the preferences of the employee, e.g. with regard to age, gender, cultural background, experience and availability.
  • In line with the Lyra guidelines, these advisors are available near each of the employer’s business locations. For that reason, Lyra invests a substantial amount of time and expense in building out and caring for this professional advisor network.

2.1.3. Introduction

It is the experience of Lyra that the introduction and the communication to the employees are among the most important elements of the Employee Assistance Program EAP. They determine the extent of acceptance and enthusiasm of the employees about the service. Lyra does all it can to make the introduction successful for the business.

Based on many years of experience, Lyra recommends that the introduction be undertaken with the following measures:

  • Sending of an informational letter/e-mail to the employees (template can be made available by Lyra).
  • Hanging Lyra EAP posters in breakrooms, dressing rooms or on bulletin boards – the posters with changing themes are sent 5x per year to the person responsible for EAP in your business.
  • Posting of the EAP introductory film on your intranet page – the film is available in English, French, Italian and English and will be made available to you at no charge.
  • Introductory presentation by Lyra via webinar or on site for the employees (the presentation, including the question and answer period usually lasts about 30 minutes). The introductory presentation is not included in the EAP Pure online service package, but it can be purchased separately.
  • Distribution of four-color information brochures to all employees. Printed EAP flyers are not included in the EAP Pure service package (only digital flyers), but they can be purchased separately for the EAP Pure All service.

Lyra will add the contact person on the customer side to the distribution list of the Manager Newsletter. We recommend that the Manager Newsletter is then forwarded internally by the contact person to the managers so that they can register themselves on their own.

2.1.4. Usage statistics and reports

Lyra provides your company annually after each contract period with the following information in Excel format:

  • The number of employees and immediate family members that have contacted Lyra
  • The nature of the services used
  • The topics of the enquiries, divided into private and work-related topics

3. DUTIES OF LYRA

Lyra provides its services to the best of its knowledge and belief as a representative of your company and in so doing applies the necessary care. Lyra thereby safeguards the legitimate interests of your company in good faith.

4. DUTIES OF YOUR COMPANY

4.1. Your company is obliged to provide compensation pursuant to No. 5 below.

4.2. Your company is further obliged to make available to Lyra all of the information and documents that are necessary for Lyra to fulfill its contractual duties.

5. COMPENSATION

For the consulting services to be provided by Lyra to the employees and their immediate family members in accordance with section 2.1., your company pays an annual amount that depends on the number of employees and the selected product (EAP Pure All or EAP Pure Budget).

| Number of employees | 10 – 49 employees (costs per employee/year in €, plus VAT) | 50 – 99 employees (costs per employee/year in €, plus VAT) | 100 – 249 employees (costs per employee/year in €, plus VAT) | 250 – 499 employees (costs per employee/year in €, plus VAT) |
| --- | --- | --- | --- | --- |
| EAP Pure All (including counseling for practical life skills and legal questions) | € 73 | € 50 | € 31 | € 25 |
| EAP Pure Budget (without counseling for practical life skills and legal issues) | € 63 | € 40 | € 21 | € 15 |
| Introductory presentation for your employees via webinar | € 350 | € 350 | € 350 | € 350 |
| Printed flyers for your employees (cost per flyer) | € 2 | € 2 | € 2 | € 2 |

6. PAYMENT TERMS

6.1. The payment for the Employee Assistance Services by your company pursuant to No. 2.1. is made directly in the online shop via Paypal or, if the payment method chosen is “advance payment”, within ten days of receipt of invoice. The contract commences on the 1st of the month following receipt of payment.

6.2. If invoices have to be mandatorily placed in tools such as Ariba, Coupa, Tradeshift, etc., the resulting costs (usage fee) and effort will be invoiced separately and additionally.

6.3. Any change in the number of employees shall be communicated to Lyra by your company one month before the end of the annual invoicing period.

7. CONFIDENTIALITY

7.1. Lyra provides its services with the reservation that all contacts by the employees and immediate family members with Lyra are completely confidential and are to be handled in accordance with professional ethics and rules. Information that could identify a specific individual will only be provided to your company or a third party with the prior express written consent of the person or in a situation of acute danger for your company with regard to its workforce. If there is a situation of acute danger, Lyra is obliged to provide only the information that is absolutely necessary. The decision whether information that is absolutely necessary will be provided shall be made by Lyra upon the recommendation of a “Senior Clinician” pursuant to clear clinical procedural rules that have been communicated to the affected person in advance.

7.2. Both parties are mutually obliged, both during and after the end of the contract, to maintain confidentiality about all business secrets, confidential information and data that they have perceived during the duration of the contract.

8. INSURANCE

8.1. Lyra is obliged at its own expense to obtain liability insurance coverage in the amount of € 8.300.000 to cover any damages that Lyra could cause your company in exercising its duties under this contract.

9. LIABILITY

9.1. Lyra is liable for the trustworthy and careful exercise of the services assigned to it. Lyra expressly refuses, however, to make any guarantee of the success of a service with regard to workforce turnover, illness and absences, productivity and other organizational issues.

9.2. Lyra is liable for damages that are incurred to your company in the course of providing the services. Indirect damages and consequential damages are excluded.

10. INTANGIBLE PROPERTY RIGHTS

10.1. Copyright and other intangible property rights as well as all know-how in connection with the design or materials from Lyra are owned by Lyra.

10.2. Your company is exclusively limited to the internal use of the trademark “Lyra” or other materials from Lyra. Your company is obliged to protect the trademark rights of Lyra and to obtain prior written consent before public usage of the trademark “Lyra”. Use of the trademark or also just the name of your company as a reference for other marketing purposes is only allowed for Lyra if the use is approved in advance by your company.

This duty exists both during the contractual term as well as after the contract ends.

11. DATA PROTECTION AND INFORMATION SECURITY

Both parties are mutually obliged to acknowledge and comply with the provisions of the General Data Protection Regulation GDPR as of May 25, 2018. Details regarding the technical and organizational measures regarding data protection are listed in Appendix 1.

12. FORCE MAJEURE

12.1. All cases of force majeure suspend the duties under this contract for both parties for the duration and to the extent of the disturbance.

12.2. The affected party shall notify the other party immediately that because of a force majeure, the notifying party is prevented from providing its services and the approximate time when it is expected that the services again will be possible.

12.3. If the force majeure situation lasts more than 30 days, each of the parties has the right to terminate the agreement upon the giving of two weeks’ notice.

13. START AND END OF THE CONTRACT

13.1. The contract comes into force on the 1st of the month following the receipt of payment. It is entered into for an indeterminate term; the invoice is issued annually. The contract can be terminated at the end of a contract year by giving 6 months’ notice.

If the contract is not continued, your company is obliged to inform its employees about the end of the service and to require them not to make any more calls.

If employees or immediate family members call anyway, the support calls will be refused by Lyra. After the end of the contract, Lyra will do no more advising. If there are repeated calls by employees or immediate family members after the end of the contract, Lyra reserves the right to invoice for its expenses (time, telephone tolls).

13.2. Each party is entitled to immediate written termination of the contract if:

13.2.1. One of the parties is responsible for a material breach of the contract, and the breach is not cured within 30 days after receipt of a written demand from the other party that the contractual breach be cured.

13.2.2. A party files for bankruptcy or is liquidated.

13.2.3. Continuance of the contractual relationship has become objectively unreasonable.

13.3. If the contract is ended, Lyra shall finish all advice sessions with an employee that were started before termination of the contract, including the necessary number of face to face counseling sessions.

14. SEVERABILITY CLAUSE

If part of the foregoing contract should become ineffective, the validity of the remaining provisions shall not be affected thereby. The parties shall make an effort to replace the ineffective provision with a valid provision that corresponds to the recognizable will of the parties.

15. CHANGES

This contract includes all agreements between the parties. Any earlier oral or written agreements between the parties are hereby moot. Changes and additions to the foregoing contract must be in writing to be valid.

16. ADDRESS CHANGES

Each party shall notify the other immediately, and in any case within 48 hours, in writing of any change of address or telephone number.

17. VALIDITY AFTER CONTRACT END

Nos. 7, 10 and 11 continue to apply after the contract ends.

18. WAIVER OF ASSERTION OF A RIGHT

The waiver of a party to assert a right under this contract does not constitute a waiver of the right to assert other rights under this contract.

19. ASSIGNMENT

Rights under this contract may be assigned to a third party only with the prior written consent of the other contracting party. Lyra has the right, however, to bring in subcontractors in order to fulfill its contractual services. The liability of Lyra for those subcontractors shall be the same as its liability for Lyra itself.

20. APPLICABLE LAW AND JURISDICTION

The contract is subject exclusively to Luxembourg law. Jurisdiction shall be Luxembourg.

Appendix 1 – Data Protection and Information Security, Organizational and Technical Measures

  1. INTRODUCTION

1.1    General

This Annex constitutes an integral part of the contract concluded between Lyra and your company. It governs the details of the provision made in clause 11 on “Data protection and information security”.

1.2    Agreement

Lyra undertakes to use all data, information and materials received by it and its employees in relation to the provision of the services defined under the contract or that become accessible to it in relation to the contractual relationship exclusively for the specific purpose of providing the services agreed to under contract, which data, information and materials it shall treat in the strictest confidence and may only make accessible to third parties to the extent agreed.

The contractual parties agree to organizational and technical measures in order to offer appropriate guarantees to protect privacy, compliance with data protection law and to uphold information security.

1.3    Definitions

The following definitions shall apply:

a) for the purposes of the contract, Lyra is the “controller” of data or “personal data” that Lyra is processing and shall have the status of “Contractor”;

b) for the purposes of the contract, the customer company is the “Principal”;

c) the terms “personal data”, “particularly sensitive data”, “controller” and “processing” shall have the meaning set forth in the Federal Act on Data Protection (FADP) of 19 June 1992, or respectively from 25 May 2018 the EU General Data Protection Regulation (GDPR);

d) data shall be deemed to be “anonymized” if it is not possible on the basis of the data available to associate these data with an identified or identifiable person.

  2. DETAILS OF PROCESSING

2.1   Scope

Lyra will carry out in particular the following types of data processing:

a) the provision of advice over the telephone

b) the recording of information in the Lyra database

c) the transfer of information to third parties (in accordance with the terms of the Contract)

d) the preparation of anonymized reports for the Principal

2.2  Data Processing Agreement

The “Contractor” warrants that data will be processed in the following manner:

a) No telephone calls will be recorded.

b) No personal data will be collected, or any personal data will be anonymized unless necessary for case handling purposes. This means that no information will in general be collected during telephone conversations that would enable the individual to be identified.

c) The principle set forth in letter b shall not apply if personal advice is subsequently provided (over the telephone or with a psychologist/therapist) or in the event that precautionary action is necessary.

d) If any personal data are collected in accordance with letter c, these will be deleted or anonymized after the advice has been provided or the treatment has been completed, with the result that they no longer constitute personal data.

2.3  Territorial scope & requirements

Data processing shall occur exclusively within the territory of Switzerland.

Lyra shall use a Swiss data center for this purpose, which has been certified according to ISO27001, ISO27017, ISO27018, and ISO9001.

2.4  Sub-contracting

The placing by the Contractor with subcontractors of any orders in relation to the activities falling under this Agreement shall be conditional upon the application of technical and organizational measures in order to provide an analogous guarantee of data protection and information security.

Lyra shall inform the Principal of its subcontractors.

Relations with the following subcontractors exist upon conclusion of the contract:

| Name | Registered address | Short description |
| --- | --- | --- |
| OpenCircle | Zurich, Switzerland | IT Infrastructure Provider |

Certificates: ISO27001, ISO27017, ISO27018, and ISO9001

[Psychotherapists and lawyers in a direct contractual relationship with Lyra are not regarded as subcontractors].

  3. TECHNICAL AND ORGANIZATIONAL MEASURES

3.1   Overview

This chapter describes how to ensure the confidentiality, integrity, availability, and resilience of the data-processing systems and services as well as the organization as required by Article 32 of the GDPR (General Data Protection Regulation). Moreover, the procedures for periodic review, assessment and evaluation according to the SQS certifications GoodPriv@cy and ISO 9001 are explained. The certifications are enshrined in all management, personnel, service provision, and support processes.

3.2    Confidentiality

3.2.1 Physical Access Control

Access to the various rooms (administration and support center) is only possible with a key. The keys are numbered, logged and personally assigned to each employee. A lost key must be reported immediately.

Visitors must sign a confidentiality agreement. Visitors are not allowed to enter the support center.

3.2.2 System/Data Access Control

The following principles apply to the use of accounts and are technically and organizationally implemented:

  • Access to all devices is password protected.
  • Access to the infrastructure requires a 2-factor authentication.
  • The password for the 2-factor authentication is secret and must not be passed on.
  • All access to the infrastructure takes place centrally via the cockpit.
  • Access to the database requires an additional username and password.
  • Access rights are organized by occupation and they are logged. Access rights are checked regularly.

3.2.3 Data Carriers and Notes

  • Data carriers with personal data never leave the company premises.
  • Offers, customer reports and presentations that are stored for customer visits on a USB data carrier must be anonymized. Each employee must ensure that data on rewritable data carriers is deleted (wiped) irrevocably according to applicable standards before the hardware is reused.
  • After the work is completed, notes of consultation sessions must be disposed of in a sealed paper container. This container must be picked up by a specialized company on a monthly basis and disposed of in compliance with data protection laws.
  • No data is ever stored on the disks of local devices.

3.2.4 Integrity

  • All client data is classified as strictly confidential. Emailing information (information material, links, contact information of psychotherapists, etc.) must always be encrypted. The password for opening the document must be communicated to the client over the phone or via SMS.
  • If customers or clients provide us with unencrypted confidential information, it is their responsibility.
  • Extended support measures can be individually checked and implemented with each customer.

3.2.5 Availability

The following section describes the central measures necessary to ensure availability of our service:

  • A business continuity plan for dealing with various emergency scenarios is available and regularly reviewed and supplemented. The business continuity plan is tested annually as part of vulnerability management.
  • Lyra has two telephone systems using different technology. If one system fails, it is possible to switch to the second system within a few minutes.
  • Our infrastructure systems are designed redundantly. They are located in a certified data center.
  • All systems and data are backed up daily. Periodic backup restore tests are performed to verify the availability and recoverability of the data.

3.2.6 Procedures for Periodic Review, Assessment and Evaluation

Lyra has a comprehensive ISO 9001 quality management system as well as the GoodPriv@cy data protection certification, which are managed by our dedicated quality and data privacy officer.

  • A comprehensive safety risk analysis is frequently performed to be able to ensure protection of all information that can be adapted to the current circumstances at all times.
  • All employees are properly trained and can correctly identify incidents and report them to the right positions for further review.
  • All processes and guidelines are aligned with data protection and quality measures and are conveyed to employees in training courses.
  • Regularly scheduled internal and external audits by certification bodies enable neutral assessment of all processes and ensure that we comply with external requirements.

3.2.7 Notification Obligation

Data security threats or security incidents (in particular unauthorized processing of data, compromised integrity or loss of data) must be reported to the client immediately (at the latest within 48 hours).

  4. DOCUMENT OBLIGATION

Lyra documents its data processing in accordance with the applicable data protection regulations.

  5. CONTACT

Our EU Representative for data protection according to Art. 27 GDPR is:
Christian Weyer
Lyra Deutschland GmbH
Taunustor 1 – TaunusTurm
60310 Frankfurt am Main
E-Mail: dpo.eu@lyrahealth.com (preferred method of contact for timely processing)
We recommend contacting us by email to avoid delays caused by postal delivery. Delivery by post to the address mentioned above is also possible.

Appendix 2 – Statement Regarding the Processing of Personal Data

The parties also add the following conditions to the Personal Data Processing Agreement. Guidance seekers can access these provisions on the Lyra website: https://lyrawellbeing.lu/en/lyra-international-global-privacy-policy/

  1. Purpose of Processing

The purpose of processing is the provision of services, defined by Lyra in the main contract (hereinafter referred to as the “Main Contract”), by the provider to the client.

  2. Contract Term

The duration of the processing is derived from the main contract.

  3. Purpose of Processing

The processing takes place continuously over the term of the main contract. Lyra must take appropriate measures to ensure safe and lawful processing of personal data. Lyra has therefore developed policies and procedures to ensure proper handling and compliance with these data protection laws, including the European General Data Protection Regulation (GDPR). This framework applies to all activities involving processing of personal data of Lyra Schweiz GmbH and its subsidiaries in Germany, Luxembourg, France, Austria, and Italy.

Use of Personal Data

Lyra uses personal data in order to provide clients seeking consultation with the services that are appropriate for the situation. When a consultation client comes to Lyra with a concern, Lyra makes sure that he or she can be supported with the proper network of service providers and specialists.

In accordance with data protection laws, Lyra must have a reason for the use and processing of personal data, which is referred to as the legal basis. Below are the main reasons why Lyra processes personal data as well as the applicable circumstances of when this is done.

If the personal data processed by Lyra is classified as sensitive personal data (e.g. information about health, sexual orientation or criminal offenses), Lyra must have an additional legal basis for such processing.

  • The processing is necessary to enable Lyra to provide the consultation client with the services he or she desires, such as identifying needs, setting up the services for him or her as a user, and generally for communicating with the consultation client.
  • When Lyra is legally or officially obligated to use this personal data, e.g. if supervisory authorities, data protection authorities and the data privacy officer require that the contact with the client be documented.
  • When Lyra has to use personal data in order to justify, exercise or defend its legal rights, e.g. if Lyra is confronted with legal claims or if Lyra itself wants to assert legal claims.
  • If Lyra must use personal data for reasons of significant public interest, e.g. to investigate fraudulent or criminal activities.
  • Generally, the Lyra Wellbeing EAP services can be used anonymously. If necessary, Lyra will ask the client for his or her consent regarding the processing of his or her sensitive personal data (e.g. health data), for example, if he or she works in a security-relevant capacity. In this case, Lyra will alert the client at the moment when he or she provides his personal data. Lyra will ask him or her for approval and explain why this is necessary. Without the consent, Lyra may not be able to provide the services.
  • If, from a business point of view, there is a legitimate need to use personal data, e.g. for management of business records, or development and improvement of products and services. This allows Lyra to ensure that these business requirements do not affect the rights and freedoms of the client or cause him any harm.

3.1 Privacy Policy Principles

The basic principles of data protection that Lyra must observe when processing personal data are summarized below.

Principle 1 – Lawfulness, Processing in Good Faith and Transparency

  • Lyra ensures that processing is always carried out in accordance with applicable laws.
  • Lyra informs and explains to individuals at the time their personal data is collected how their personal data is processed.

Principle 2 – Purpose Limitation

  • Lyra collects and processes personal data only for those purposes that are known to the data subject or are in line with his or her expectations and relevant to Lyra.
  • Lyra processes personal data only for specific, explicit and legitimate purposes. Such data will not be further processed in any way that is not in line with these purposes, unless such processing complies with the applicable law of the country in which the personal data was collected.

Collection of Personal Data

Lyra collects personal data directly from the client (employees of the client companies, relatives in the same household, prospects, etc.):

  • through the general use of the EAP services, by telephone, email, LiveChat, Internet, or in person
  • if the client enters into a contract with Lyra for the provision of services
  • via cookies
  • through feedback forms
  • if the client provides us with data either online or offline

Principle 3 – Accuracy

Lyra makes all efforts to record personal data correctly.

Principle 4 – Data Minimization

Lyra ensures that the collected and processed information is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

Principle 5 – Limited Storage of Personal Data

  • Lyra only stores personal data for as long as it is necessary for the purposes for which it is collected and processed and/or to meet our legal and regulatory obligations. The storage duration of personal data depends on the type of personal data and intended use. In some cases, e.g. in case of disputes or legal action, Lyra may be required to retain personal data for longer periods.
  • No personal data will be stored after completion of the case. Anonymized case information is solely processed for reporting, for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. This information is subject to the implementation of appropriate technical and organizational measures required by the General Data Protection Regulation (GDPR) to protect the rights and freedoms of the individual.

Principle 6 – Security and Confidentiality

  • Lyra takes appropriate technical and organizational measures to ensure the safety of personal data and not to limit the rights of data subjects.
  • Lyra ensures that service providers for Lyra also take appropriate safety measures.
  • Lyra complies with the data breach reporting obligations in accordance with applicable law.
  • Lyra takes appropriate technical and organizational measures to ensure that processing of personal data is carried out in a manner that ensures adequate protection, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Principle 7 – Rights of Data Subjects

  • Lyra complies with the procedures for the protection of the rights of data subjects and responds to all inquiries from persons who request access to their personal data in accordance with applicable law.
  • Lyra also processes claims for correction or deletion of inaccurate or incomplete personal data or cessation of processing of personal data in accordance with the data protection regulations on the rights of data subjects:

Right to information regarding personal data: The consultation client is entitled to receive a copy of the personal data we hold about him or her and to obtain specific information about how we use it. There is usually no charge for processing these requests. The personal data are usually provided to the data subject in writing, unless requested otherwise. If he or she has submitted the request electronically, we will transmit the information to him or her electronically, if possible.

It should be noted that the cases are anonymized after completion. We therefore require a case number, information on the case and an ID card (passport or ID) to confirm that the requesting person has the right to gain access to the stored personal data.

The right to rectification: We take reasonable steps to ensure that the personal data we collect about the consultation clients is accurate and complete. However, if a consultation client does not believe that this is the case, he or she should contact us and ask us to correct or supplement the data if necessary.

The right to erasure: In certain circumstances, consultation clients have the right to ask us to delete their personal data, for example, if the personal data we collect is no longer required for the original purpose or if the consultation client revokes his or her consent. However, this must be weighed against other factors; for example, depending on the type of personal data we have stored about the consultation client and the reason why we collected it, there may be legal and regulatory obligations that prevent us from fulfilling the request. It should be noted that we may not be able to provide the requested services in case of revocation of consent.

The right to restriction of processing: In some circumstances, consultation clients may ask us to stop using their personal data, for example, if they believe that the personal data we have about them may be incorrect or if they believe that we no longer need to process their personal data.

The right to data portability: Under certain circumstances, consultation clients have the right to request that we disclose the personal data they have provided to us to another third party of their choice. After the transfer, this third party is responsible for the safekeeping of the personal data.

The right to object to direct marketing: You can ask us at any time to stop sending you marketing information.

The right not to be subject to automated decisions including profiling: None of our decision-making is automated.

The right to revoke consent: We will ask for your consent for certain uses of personal data. In this case, the consultation clients have the right to revoke their consent to further use of their personal data. It should be noted that in some cases we may not be able to provide the requested services, if consent is revoked.

The right to complain: Consultation clients have the right to complain to the Data Privacy Officer at any time if they object to the way in which we use their personal data.

They can submit any of the above inquiries through the contact information contained in this privacy policy. It should be noted that in some cases, for reasons such as our own obligation to meet other legal or regulatory requirements, we may not be able to fulfill a specific request. However, we will always respond to all inquiries; if we cannot comply with a request, we will provide the necessary justification.

In certain circumstances, exercising some of these rights (including the right to erasure, the right to limit processing and the right to revoke consent) means that we will be unable to continue to provide the services requested by the consultation client.

Principle 8 – Ensuring an Adequate Protection Level of Personal Data Transmitted to Third Countries

  • Lyra does not transfer personal data to third parties outside the European Economic Area (EEA) without adequate protection. No personal data is disclosed to third parties except in cases of danger to life or a threat to safety. Except for the purposes described in this privacy policy, Lyra does not disclose any personal data.

Principle 9 – Protected Use of Sensitive Personal Data

  • Lyra will only process sensitive personal data if a person chooses to disclose it, or if there is a legitimate basis for doing so; this will always be done in accordance with the applicable law of the country in which the personal data was collected.
  • Additional safety measures and protective measures are in place to ensure that sensitive personal data remains confidential and is deleted as soon as possible.

Legal Validity of this Privacy Policy

Lyra and its employees who process personal data are required to observe and respect this privacy policy whenever they process personal data as data controllers and/or data processors, regardless of the country in which they are located.

  1. Data Categories

The data categories affected by the processing depend on the use of the Lyra service by the client. The data categories eligible for processing are:

Personal Data

  • Email address, telephone number – ONLY if this information is relevant for handling of a case (e.g. provision of contact details of a network therapist, password for opening encrypted documents). All personal data will be deleted after the case has been completed, rendering the case completely anonymous.
  • Specific information on physical, physiological, economic, cultural, or social identity;
  • Information that we have obtained through the use of cookies.

Sensitive personal data

  • Information on current or past physical or mental health conditions;
  • Details about criminal offenses, including alleged offenses, criminal cases, court decisions, results, and judgments;
  • Information on sexual lifestyle or sexual orientation, e.g. marital status.

Company data

  • Company, incl. address
  • Branches, incl. address
  • Language
  • Country
  • Number of employees
  • Bank details

  1. Categories of Data Subjects

The categories of data subjects affected by the processing depend on the requested use of Lyra services by the client. Possible categories of data subjects are:

  • Customers
  • Employees
  • Relatives of the employees
  • Retired employees
  • Interested persons

  1. Subcontractors

When the contractor assigns tasks covered under this agreement to subcontractors, this implies the use of technical and organizational measures for data protection and information security.

Lyra must inform the client about the use of subcontractors.

At the beginning of the contract, the following subcontractors are in use:

Name | Registered address | Brief description
OpenCircle | Zurich, Switzerland | IT Infrastructure Provider

Certificates: ISO27001, ISO27017, ISO27018, and ISO9001

[Psychotherapists and lawyers who are in a direct contractual relationship with Lyra are not considered to be subcontractors].

  1. Data Protection

Our EU Representative for data protection according to Art. 27 GDPR is:
Christian Weyer
Lyra Deutschland GmbH
Taunustor 1 – TaunusTurm
60310 Frankfurt am Main
E-Mail: dpo.eu@lyrahealth.com (preferred method of contact for timely processing)
We recommend contacting us by email to avoid delays caused by postal delivery. Delivery by post to the address mentioned above is also possible.