1. Privacy policy for medneo.com

This privacy policy explains the type, scope and purpose of personal data processing within our website and within the web pages, functions, content and external websites connected with it, e.g. our social media profile (hereinafter collectively referred to as the ‘website’).

Personal data includes all information relating to an identified or identifiable natural person, e.g. name, address, e-mail address, IP address. With respect to other terms used, e.g. ‘processing’ or ‘controller’, we refer to the definitions in Article 4 of the EU General Data Protection Regulation (GDPR).

 

1.   Controller and data protection officer

The controller pursuant to Article 4[7] of the GDPR is

     medneo GmbH

     Hausvogteiplatz 12

     D-10117 Berlin

datenschutz@medneo.com

     Phone: +49 (30) 814501-700

 

You can contact medneo GmbH’s data protection officer at

     medneo GmbH

     Datenschutz (Data Protection)

     Hausvogteiplatz 12

     D-10117 Berlin

 

2.   Informational use

If you use our website purely for informational purposes, the data outlined below relating to the website or access to a file is collected, stored and processed in a log file:

  • the IP address and accessing machine;
  • the date and time of access;
  • the name and URL of the file retrieved;
  • the browser type used;
  • the name of the internet access provider;
  • the number of bytes transmitted; and
  • the status of the page visit.

This data is collected and processed for the purposes of enabling the use of our website (establishing a connection), permanently ensuring system security and stability, and to facilitate the technical administration of the network infrastructure and the optimisation of our website (the legal basis is point [f] of Article 6[1] of the GDPR). Beyond that, this data is only used for internal statistical purposes and to improve the website (the legal basis is point [f] of Article 6[1] of the GDPR). For security reasons (e.g. to clarify any misuse or fraud proceedings), this data is temporarily stored and then erased provided that legal retention periods do not require it to be stored for longer. In these cases, data is suppressed for other uses. It is not otherwise used or shared with third parties.

 

3.   Further use

In addition to the purely informational use of this website, there is the option of getting in touch with us via the contact form. When doing so, we collect, store and process the following data:

  • name and title;
  • e-mail address;
  • and other personal data that is sent to us in your message.

This data is collected and processed exclusively for the purposes of correspondence with you and to process your issue (the legal basis is point [f] of Article 6[1] of the GDPR) and is then erased, provided that there are no legal retention obligations. This data is also not shared with third parties without your explicit consent. Your name is used exclusively for the purposes of addressing you personally.

 

4.   Sharing personal data

We do not share your personal data with third parties without your explicit consent. We only deviate from this if there is a legal obligation or if this is required for us to enforce our rights (point [f] of Article 6[1] of the GDPR).

We sometimes use external service providers to process personal data, such as IT service providers (THE BRETTINGHAMS GmbH, Kurfürstendamm 177, 10707 Berlin) and e-mail service providers (‘MailChimp’, Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA). These have been carefully selected by us and commissioned in writing. Service providers are strictly bound to our instructions and are regularly reviewed. Personal data is not shared with third parties, and service providers do not process personal data outside of the existing contractual relationship.

If we process data in a third country (i.e. outside the European Union [EU] or the European Economic Area [EEA]), or if processing takes place as part of us engaging third-party services or as part of the disclosure or transfer of data to third parties, this only takes place in order to fulfil our (pre-)contractual duties based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permissions, we only process data in a third country, or allow data to be processed in a third country, if the particular conditions of Article 44 et seq. of the GDPR have been met. This means that processing takes place based on certain guarantees, for example, the officially recognised level of data protection in accordance with the EU (e.g. through the ‘Privacy Shield’ for the USA) or in compliance with officially recognised special contractual obligations (‘standard contractual clauses’). The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, which provides an additional guarantee of complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).

 

5.   Storing personal data

Unless otherwise explicitly specified as part of this privacy policy, data stored by us is erased if it is no longer required for its specific purpose, and erasure is not subject to any legal retention periods. If data is not erased because it is required for other legally permissible purposes or because it is subject to legal retention obligations, the processing of such data is restricted accordingly. This means that data is locked and not processed for other purposes. As an example, this applies to data which must be stored for reasons pertaining to commercial or tax law.

In particular, based on the legal provisions in Germany, data is stored for 6 years pursuant to Section 257[1] of the German Commercial Code (Handelsgesetzbuch, HGB) (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and 10 years pursuant to Section 147[1] of the German Tax Code (Abgabenordnung, AO) (books, records, management reports, accounting documents, commercial and business letters, documents relevant for tax purposes, etc.). Other retention obligations remain unaffected by this.

 

6.   Your rights

You may assert the following rights against the above-mentioned controller:

  • a right to obtain information relating to the personal data processed that relates to you free of charge and to have a copy of this data compiled, as well as information relating to its origin and recipients, the purpose of data processing and the retention period (Article 15 of the GDPR);
  • where applicable, a right to obtain the rectification (Article 16 of the GDPR), erasure (Article 17 of the GDPR) or restriction of processing/suppression (Article 18 of the GDPR) of inaccurate or incomplete data;
  • a right to object to processing, provided it is based on a legitimate interest of medneo GmbH (point [f] of Article 6[1] of the GDPR) and you provide reasons that oppose processing (Article 21 of the GDPR); and
  • a right to request that data provided by you is sent to you or another controller (Article 20 of the GDPR).

If you have given us consent to process your personal data, you can withdraw it at any time with future effect. The legality of data processing carried out before consent is withdrawn remains unaffected by the withdrawal.

Corresponding requests can be sent to:

medneo GmbH

Datenschutz (Data Protection)

Hausvogteiplatz 12

D-10117 Berlin

E-mail: datenschutz(at)medneo.com

You also have the right to lodge a complaint with a data protection supervisory authority concerning inadmissible data processing, particularly in the member state/federal state in which you reside, in which you work, in which the alleged breach took place or in which medneo GmbH has its head office (Berliner Beauftragte für Datenschutz und Informationsfreiheit [‘Berlin Commissioner for Data Protection and Freedom of Information’], Friedrichstraße 219, 10969 Berlin, mailbox(at)datenschutz-berlin.de; https://www.datenschutz-berlin.de/index.html).

 

7.   Cookies

In addition to the above-mentioned data processing processes, ‘cookies’, small text files, are also saved on your machine. Cookies are not harmful to your computer and don’t contain viruses. Cookies are used to make our website more user-friendly, effective and secure.

Temporary cookies, and/or ‘session cookies’ or ‘transient cookies’ are primarily used. These are cookies that are deleted after a user leaves a website and closes their browser. The shopping basket contents in an online shop, or a login status, can be saved in such a cookie, for example.

‘Permanent’ or ‘persistent’ cookies are also used; these remain stored even after the browser is closed and are only deleted after a set period of time. As an example, user interests, which are used for reach measurement or marketing purposes, can be saved in such a cookie. ‘Third-party cookies’ are cookies that are used by providers other than the controller who operates the website.

You can change your browser settings so that you are notified about cookies being placed on your machine, and so that you accept or reject cookies only in certain cases or reject cookies in general, and in order to enable cookies to be automatically deleted when you close your browser. Disabling cookies can restrict the functionality of this website. A general objection can be made to the use of cookies for the purposes of online marketing for a number of services – including tracking services in particular – via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. You can also reject the use of cookies used for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page (http://optout.networkadvertising.org/) and also via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

 

8.   Google Analytics

On the basis of our legitimate interests (i.e. interest in analysing, optimising and economically operating our website, point [f] of Article 6[1] of the GDPR), we use Google Analytics, a web analysis service from Google LLC (‘Google’). This service uses cookies, which are stored on your end device. The information collected by the cookie about your use of this website is generally sent to a Google server in the USA and saved and processed there.

We only use Google Analytics if IP anonymisation is enabled (‘_anonymizeIp()’). This means that your IP address is truncated by Google within the Member States of the European Union or in other signatory states to the Agreement on the European Economic Area such that it no longer contains any personal references. A full IP address is only sent to a Google server in the USA and truncated there in exceptional cases. According to information provided by Google, the IP address sent from the user’s browser will not be merged with other Google data.

Google uses this information on our behalf to evaluate the use of our website, to compile reports about the activities within our website and to provide other services associated with the use of this website and internet use. In doing so, pseudonym user profiles may be created based on the processed data.

You can prevent cookies from being saved by changing your respective browser settings; you can also prevent the data generated by the cookie relating to your use of the website from being captured and processed by Google by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

You can find more information about data processing by Google as a controller, as well as settings and objection options on Google’s web pages:

Google is certified under the Privacy Shield Agreement, which provides an additional guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

 

9.   Google AdWords

We use the ‘Google AdWords’ service from ‘Google Inc.’ (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; ‘Google’) on our website to promote our offerings on external sites. The analytics service facilitates the statistical evaluation of the total number of users that have clicked on one of our ads who were redirected to certain sites into which AdWords has been integrated. We do not receive any information that can personally identify users. Processing is based on the legitimate interest in targeted advertising and the analysis of the effects and efficiency of this advertising, as per point [f] of Article 6[1] of the GDPR.

If you click on a Google ad, a cookie will be placed on your machine. These cookies have limited validity (expiring every 30 days) and therefore cannot be used for personal identification. The cookies allow the browser to be recognised again. If you visit certain pages on our website and the cookie has not yet expired, the fact that you have clicked on the advert and have been directed to the page via an advert can be recognised by us and by Google. Each Google AdWords customer receives a different cookie. There is therefore no way to trace the cookies via the websites accessed by AdWords customers. We do not process personal data ourselves in this context; we only receive statistical evaluations from Google. Your browser automatically establishes a connection with Google servers when you access our website. We have no control over the specific scope and use of the data. If you are signed into Google when you use the website, the visit to our site and the data collected by AdWords can be assigned to your user account and saved. To prevent Google from assigning the above-mentioned data to your account, sign out before you visit our website. Even if you don’t have an account, it cannot be excluded that your data will be shared with, and processed by Google.

You can find more information and Google’s privacy policy at: https://www.google.de/policies/privacy/

You can prevent cookies from being saved by changing your browser settings. Please note that in this case, you may not be able to use all of this website’s functions properly. You can also opt out of personalised ads in the Google Ads settings. You can find instructions on how to do this at https://support.google.com/ads/answer/2662922?hl=de. You can also disable the use of cookies by third-party providers by accessing the Network Advertising Initiative opt-out page at https://www.networkadvertising.org/choices/ and following the further information relating to opting out there.

 

10. Google remarketing/marketing services

We use the marketing and remarketing service (‘Google marketing services’) from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (‘Google’) on the basis of our legitimate interests (i.e. interest in analysing, optimising and economically operating our website, point [f] of Article 6[1] of the GDPR).

Google marketing services allow us to display adverts for and on our website in a targeted way, in order to only show users adverts that have the potential of being interesting based on previous website visits. For these purposes, when accessing our website and other websites on which Google marketing services are active, code is run directly by Google and ‘(re)marketing tags’ (hidden images or code, also known as ‘web beacons’) are integrated into the web pages. These are used to store an individual cookie, i.e. a small file, on the user’s device. This file records which websites the user has visited, what content they were interested in and what offers they clicked on as well as technical information about the browser and operating system, referring web pages, the time of the visit and other information relating to the use of the website. Users’ IP addresses are also collected through Google Analytics, whereby the IP address is truncated within European Union Member States or in other signatory states to the Agreement on the European Economic Area and only sent to a Google server in the USA in full and truncated there in exceptional cases. According to information provided by Google, the IP address is not merged with user data within the scope of any other Google services. If the user then visits other websites, adverts may be shown that are tailored to the user’s interests.


For this purpose, Google creates pseudonym user profiles unless a user explicitly permits Google to process data without pseudonymisation. The information collected by Google marketing services about the user is sent to Google and stored on Google servers in the USA.

You can find more information about how Google uses data for marketing purposes on the following overview page: https://www.google.com/policies/technologies/ads; Google’s privacy policy is available at https://www.google.com/policies/privacy.

Unless otherwise specified in our privacy policy, we process user data if users communicate with us on social media and on platforms, e.g. by publishing posts on our online profiles or by sending us a message.

If you would like to object to Google marketing services adverts that are based on interests, you can use Google’s settings and opt-out options: http://www.google.com/ads/preferences.

Google is certified under the Privacy Shield Agreement, which provides an additional guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

 

11. Social media plug-ins

We use social media plug-ins within the scope of our website, and based on our legitimate interests in analysing, optimising and economically operating our website (point [f] of Article 6[1] of the GDPR):

  • Facebook (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
  • Google+ (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States)
  • Xing (Xing AG, Gänsemarkt 43, 20354 Hamburg)
  • LinkedIn (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043)

You can recognise the specific plug-in provider by the logo shown on each plug-in button. We use the ‘two-click solution’ here. No personal data is shared with the plug-in provider if you simply visit our website. The plug-in is only activated, and data sent to the plug-in provider, when you click on the provider’s button. If the plug-in provider is based in the USA, your data may be sent there, and stored and processed there. We have no control over which data the provider specifically processes for what purposes nor over how they do so. We also do not obtain any information with respect to storage and erasure. The plug-in provider regularly saves and processes your personal data for the purposes of advertising, market research and website design, and may create a user profile to do so. Individual providers also carry out processing to inform other network users about your activities.

If you are signed into the respective provider when you use the plug-in, the visit to our website and all of your interactions in connection with the plug-in can be assigned to your user account and saved. To prevent the plug-in provider from assigning the above-mentioned data to your account, sign out before you use the plug-in. Even if you don’t have an account with the respective provider, it cannot be excluded that your data will be shared with, and processed by, such providers.

You can find more detailed information relating to the scope and purpose of data processing by the respective plug-in provider in the providers’ respective privacy policies.

You can essentially object to the respective provider processing data by contacting them. Please see the providers’ websites to do so.

Facebook is certified under the Privacy Shield Agreement, which provides an additional guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

Google is certified under the Privacy Shield Agreement, which provides an additional guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

LinkedIn is certified under the Privacy Shield Agreement, which provides an additional guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

 

12. Online profiles on social media

 

We have online profiles on social networks and platforms which allow us to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply. 

 

2. Privacy policy for medneo’s telephone scheduling service

This privacy policy explains the type, scope and purpose of personal data processing when using our telephone services to schedule appointments (hereinafter referred to as the ‘telephone scheduling service’) in the medneo diagnostics centres.

Personal data includes all information relating to an identified or identifiable natural person, e.g. name, address, e-mail address. With respect to other terms used, e.g. ‘processing’ or ‘controller’, we refer to the definitions in Article 4 of the EU General Data Protection Regulation (GDPR).

 

1. Controller and data protection officer

The controller pursuant to Article 4[7] of the GDPR is

     medneo Deutschland GmbH

     Hausvogteiplatz 12

     D-10117 Berlin

     (hereinafter referred to as ‘medneo’)

     E-mail: datenschutz(at)medneo.com

     Phone: +49 (30) 814501-700

 

You can contact medneo Deutschland GmbH’s data protection officer at

     medneo Deutschland GmbH

     Datenschutz (Data Protection)

     Hausvogteiplatz 12

     D-10117 Berlin

     E-mail: datenschutz(at)medneo.com

     Phone: +49 (30) 814501-700

 

2. Data processing by medneo

When using medneo’s telephone scheduling service to schedule appointments with doctors or health care facilities that our diagnostic centres use, we collect your name, contact details (address, e-mail address, telephone number), your date of birth, referral data (surveys for examinations, suspected diagnosis, referring doctor, type of health insurance or settlement) and information relating to your state of health (contraindications, preliminary investigations). This information is required to select the right appointment and to prepare and plan the examination procedure.

Data processing is only carried out if you have consented to the use of the telephone scheduling service. There is no obligation to use the telephone scheduling service. As well as contacting us by phone, you consent to us contacting you for scheduling purposes by other means (e.g. SMS, e-mail, etc.). The legal basis is the first sentence of point [a] of Article 6[1] of the GDPR and point [a] of Article 9[2] of the GDPR.

Your personal data is forwarded to the following recipients:

  • the doctors and health care facilities that we schedule your appointment with and with which your examinations or treatments are carried out; and
  • IT and technology service providers with which medneo is cooperating for the operation and maintenance of the infrastructure, etc.; all service providers involved are subject to a strict obligation of secrecy.

Moreover, the data is only passed on to third parties if you have consented to the transfer or if there is a legal obligation to do so. Data is stored in accordance with the legal retention period and is subsequently erased, in particular if you withdraw your consent.

 

3. Your data protection rights

You have the following data protection rights vis-à-vis medneo, depending on the specific circumstances of the case in question:

  • to obtain information about the personal data concerning you that is processed by us as well as to request access to your personal data or copies of such data. This includes access to the purpose of use, the category of the data used, the recipients of such data and those entitled to access it, as well as, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • to request the rectification, erasure or restriction of processing of your personal data, for instance if (i) the data is incomplete or inaccurate, (ii) the data is no longer necessary for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn; in cases where the data is processed by third parties, we will forward your requests to rectify, erase or restrict the processing to those third parties, unless this proves impossible or involves a disproportionate effort;
  • to refuse consent, or – without any effect on the lawfulness of the data processing that has occurred prior to the withdrawal – to withdraw your consent to processing of your personal data at any time;
  • to request personal data concerning you, and which you have provided to us, is provided in a structured, commonly used and machine-readable format and to transmit such data to another controller without any hindrance from us; you also have the right, where applicable, to request that we directly transmit the personal data to another controller, if this is technically feasible;
  • to request not to be generally subject to a decision based solely on automated processing, if this decision produces legal effects concerning you or similarly significantly affects you; if such an automated decision is taken by way of derogation, you have the right to obtain information on the logic involved as well as on the significance of the envisaged consequences; and
  • to communicate with the data protection supervisory authority and to lodge a complaint with that authority, where necessary.

3. Privacy policy – Applying to medneo

Preamble

As part of the direct application process, medneo processes personal data pursuant to Article 4(2) of the General Data Protection Regulation (GDPR). medneo includes medneo GmbH as well as affiliated companies under Section 15 of the Stock Corporation Act (Aktiengesetz, AktG), medneo Deutschland GmbH and medneo Schweiz AG. medneo is to be qualified as a controller under data protection law within the meaning of Article 4(7) of the GDPR. Data processing is required to carry out pre-contractual measures at the applicant’s request, and is therefore lawful pursuant to point (b) of Article 6(1) of the GDPR.

Protecting and keeping your data confidential is particularly important to medneo. Of course, your data is exclusively processed in accordance with the respectively applicable data protection regulations, with particular reference to the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

This privacy policy also corresponds with any legal regulations that are binding with the entry into force of the EU General Data Protection Regulation (GDPR). The GDPR applies from 25 May 2018 onwards. medneo will never share your personal data with unauthorised third parties for advertising, marketing, or other purposes. Should you have any questions about this privacy policy, please send an e-mail to datenschutz(at)medneo.com

1. What is personal data?

Personal data is any information that can be used to draw conclusions about you personally or about factual circumstances, or that can be used to identify you.

 

2. What data is collected?

  1. The following data is collected and processed for the automated processing of your application:
    1. Name, surname, e-mail and possibly also address/town or city, date of birth, title, telephone number, citizenship
    2. Additional questions that relate to the respective vacancy (e.g. driver’s licence)
    3. CV, with particular reference to information relating to professional experience and education
    4. Skills (e.g. Photoshop, MS Office)
    5. Application photo
    6. Qualifications, awards and language skills
    7. Motivational cover letter
    8. Files and documents that you may have uploaded
  2. We store written and electronic communication that has taken place between you and medneo. We also process comments and assessments given to you as part of your application process.

 

3. Purpose of data collection

medneo processes your data for the purposes of exchanging information between applicants and medneo. Please note that we send you electronic notifications for new job vacancies at medneo for direct marketing purposes.

 

4. What are cookies?

  1. medneo uses ‘cookies’ when operating this website. They are used to make your online application process more user-friendly, effective and secure. Cookies are small text files that are saved on your computer. Session-related ‘session cookies’ are deleted as soon as you leave our website again. Permanent cookies stay on your computer until they are deleted by your browser (e.g. to allow you to return to a current application process at a later date). You can prevent cookies from being installed by changing your browser settings. Cookies may be required to maintain the website. The use of such cookies does not require approval and these therefore cannot be disabled. Cookies that are used to ‘analyse’ your behaviour on our website are only used with your consent. If we use cookies that require approval, the first time you visit our website you will be shown a cookie banner that you can click on to accept the use of cookies that require approval. If you want to change your cookie settings at a later point in time, you can do so by making changes on the website under ‘cookies’.
  2. Below is a list of the cookies used.
    • PHPSESSID (session cookie; functionality; jobbase.io): This cookie is used to identify the user when Prescreen is used. The cookie is mandatory for correct functionality. The cookie is no longer valid once the browser is closed.
    • REMEMBERME (persistent cookie; functionality; jobbase.io): This cookie is used to restore an expired session. The cookie expires after 2 weeks.

 

5. Is data shared with third parties, or collected by third parties?

Data collected as part of your application is neither disclosed nor shared with unauthorised third parties, where ‘unauthorised’ particularly includes instances where your consent is not given. With the exception of our employees who process your data as part of the application process, we share your personal data only with the following recipients:

As part of the application process, medneo is supported by technical IT service providers headquartered in the EU. The service providers act as a processor pursuant to Article 28 of the GDPR.

 

6. Storage periods

  1. Personal data from rejected applicants is stored for a maximum period of six months, starting on the day the application is rejected. If you prefer to have a longer storage period as part of your application process (e.g. to continue your application at a later date), we ask that you change your settings accordingly when registering.
  2. Longer storage periods may apply if data is required for medneo to assert, exercise or defend legal claims. Data is stored for as long as this is required to fulfil this purpose.

 

7. Your rights with respect to your data

  1. You have the right to obtain information relating to what personal data we process concerning you, and a right to rectification, erasure, restriction of processing and to data portability, free of charge. To assert this right or to obtain additional information about this, please send an e-mail to datenschutz(at)medneo.com
  2. In principle, our privacy policy and our responsibility and liability in relation to it does not extend to third-party websites that we include links to or to which you are redirected. Furthermore, we are also not responsible for data processing that is carried out by the operators of such websites in these cases.

 

8. Option of withdrawal

You can withdraw the consent given under data protection law at any time with future effect. To use the option of withdrawing your consent, please send an e-mail to datenschutz(at)medneo.com.

 

9. Agreement validity (severability)

If parts of this privacy policy and terms of use are unlawful, ineffective, invalid or unenforceable, the remaining provisions shall remain unaffected with respect to effectiveness and validity.

 

10. Complaints to relevant supervisory authorities

If you believe that we are processing your data in contravention of applicable legal provisions, you may lodge a complaint with German data protection authorities or other responsible supervisory authorities, with particular reference to those in the Member State in which you have your place of residence, place of work, or where medneo GmbH’s head office is located (Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstraße 219, 10969 Berlin, mailbox(at)datenschutz-berlin.de; https://www.datenschutz-berlin.de/index.html).

 

11. Contact details for the company that is the controller under data protection law

     medneo GmbH

     Datenschutz (Data Protection)

     Hausvogteiplatz 12

     D-10117 Berlin

     E-Mail: datenschutz(at)medneo.com

4. Information regarding data processing in the course of an examination or a treatment carried out at a medneo diagnostic centre

As a patient of a facility providing treatment, your personal data is processed by the facility providing the treatment and by medneo Deutschland GmbH. We would like to inform you about this data processing and the responsible bodies.

1. Data processing by the facility providing the treatment

In this information sheet, we would like to inform you about data processing by the respective facility providing the treatment in the course of an examination or treatment carried out at a medneo diagnostic centre.

Data processing is carried out for the performance of the diagnostic and therapeutic services by the physicians in the facility providing the treatment. The legal basis is the first sentence of point [b] of Article 6[1], and point [h] of Article 9[2] of the GDPR, in connection with point [b] of Section 22[1] No. 1 of the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). medneo processes your personal data by order of the respective facility providing the treatment (Article 28 of the GDPR).

Every time an appointment is arranged and every time an examination or a treatment is carried out, the following data is collected: Information about you (name, date of birth, address, contact details, insurance data, details about those bearing the costs) and about your state of health (referral details, consultation details, contraindications, preliminary findings, diagnoses, image data) as well as information from the examination or treatment carried out (medical history data, examination protocols, image data, diagnoses, findings, billing information). This information is stored verifiably with reference to the patient in the information systems of medneo and, where applicable, of the facility providing the treatment. Your personal data may be forwarded to the following recipients:

  • physicians working in the facility providing the treatment or who are merged with the facility in a service provider association or group practice, and physicians who you request to give a second opinion;
  • the outpatient/inpatient healthcare facility responsible for your further treatment;
  • your health insurance scheme, competent Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung [KBV]) or the Social Accident Insurance Institution (Berufsgenossenschaft) for the billing of the services; billing data is only forwarded to external billing service providers if you have consented to this separately;
  • laboratory physicians and/or histologists, provided that the treatment requires such diagnostics;
  • medneo Deutschland GmbH as a service provider for the planning and carrying out of the examination and the treatment, the follow-up regarding your examination results and the documentation of the service; and
  • IT and technology service providers with which the facility providing the treatment is cooperating in the operation and maintenance of the infrastructure, etc.; all service providers involved are subject to an obligation of secrecy.

The legal basis for the forwarding to third parties is Article 28 of the GDPR.

Moreover, data is only passed to third parties if you have consented to the transfer or if there is a legal obligation to do so (e.g. public health department, health insurance medical service [medizinischer Dienst der Krankenkassen, MDK]). Data is stored in accordance with the legal retention period and is subsequently erased.

 

2. Data processing by medneo

In addition to carrying out examinations and treatments, medneo (medneo Deutschland GmbH, Hausvogteiplatz 12 in 10117 Berlin) may provide you with further services, provided that you have consented to data processing by medneo. Hereafter, we would like to inform you about data processing in the context of making contact, the provision of the examination results to you and to other healthcare facilities on your behalf as well as in the context of quality assurance and the scheduling of further examinations following an examination or treatment carried out at a medneo diagnostic centre.

Data processing includes your name, your contact details (address, e-mail address, telephone number), the health data collected (information about your state of health, referral details, consultation details, contraindications, preliminary findings, diagnoses, image data) as well as information about the examination or treatment carried out (medical history data, examination protocols, image data, diagnoses, findings, billing information).

Data processing is only carried out if you have explicitly consented to it. The legal basis is the first sentence of point [a] of Article 6[1] and point [a] of Article 9[2] of the GDPR. There is no obligation to give consent.

Your personal data may be forwarded to the following recipients:

  • physicians who work for medneo for quality assurance; and
  • IT and technology service providers with which medneo is cooperating for the operation and maintenance of the infrastructure, etc.; all service providers involved are subject to a strict obligation of secrecy.

Moreover, the data is only passed on to third parties if you have consented to the transfer or if there is a legal obligation to do so. Data is stored in accordance with the legal retention period and is subsequently erased, in particular if you withdraw your consent.

 

3. Your data protection rights

You have the following data protection rights vis-à-vis the facility providing the treatment and medneo, depending on the specific circumstances of the case in question:

  • to obtain information about the personal data concerning you that is processed by us as well as to request access to your personal data or copies of such data. This includes access to the purpose of use, the category of the data used, the recipients of such data and those entitled to access it, as well as, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • to request the rectification, erasure or restriction of processing of your personal data, for instance if (i) the data is incomplete or inaccurate, (ii) the data is no longer necessary for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn; in cases where the data is processed by third parties, we will forward your requests to rectify, erase or restrict the processing to those third parties, unless this proves impossible or involves a disproportionate effort;
  • to refuse consent, or – without any effect on the lawfulness of the data processing that has occurred prior to the withdrawal – to withdraw your consent to processing of your personal data at any time;
  • to request that personal data concerning you, which you have provided to us, be provided in a structured, commonly used and machine-readable format, and to transmit such data to another controller without any hindrance from us; you also have the right, where applicable, to request that we directly transmit the personal data to another controller, if this is technically feasible;
  • to request not to be generally subject to a decision based solely on automated processing, if this decision produces legal effects concerning you or similarly significantly affects you; if such an automated decision is taken by way of derogation, you have the right to obtain information on the logic involved as well as on the significance of the envisaged consequences; and
  • to communicate with the data protection supervisory authority and lodge a complaint with that authority, where necessary.

 

4. Contact

If you have any questions about data processing by medneo, medneo’s data protection officer will be happy to assist you: medneo Deutschland GmbH, Datenschutz (Data Protection), Hausvogteiplatz 12, 10117 Berlin, datenschutz(at)medneo.com

5. Information about legal retention periods

Retention periods based on an overview provided by Berlin Doctors’ Council (Ärztekammer Berlin, https://www.aerztekammer-berlin.de/10arzt/30_Berufsrecht/08_Berufsrechtliches/04_Praxisorga/20_Merkblatt_Aufbewahrungsfristen.pdf)

B

  • Balance sheets, accounting documents (Section 147 of the German Tax Code [Abgabenordnung, AO]): 10 years
  • Blood donations (documentation): 15, 20, 30 years
  • Blood product application (documentation): 15, 30 years

 

C

  • Certificate of incapacity: 1 year
  • Cytological findings and preparations: 10 years

 

D

  • Doctor’s records: 10 years
  • Doctor’s letters (internal and external): 10 years
  • Drug prescriptions part III, parts I to III of incorrectly issued drug prescriptions: 3 years
  • Drugs register/EDP print-outs, index card: 3 years

 

E

  • Early detection of cancer for children/women/men: 10 years
  • ECG strips; also long-term ECG: 10 years
  • EEG strips: 10 years

 

I

  • Index cards and other medical records, including separate examination results: 10 years

 

L

  • Laboratory journal, laboratory findings: 10 years

 

O

  • Occupational health record based on the Radiation Protection Ordinance (Strahlenschutzverordnung) and the X-Ray Regulation (Röntgenverordnung): up to 75 years old; minimum 30 years old

 

P

  • Patient assessments: 10 years

 

R

  • Radiation examination: 10 years
  • Radiation treatment (records, calculations): 30 years
  • Referral letter (Section 4 No. 12 of the KV Berlin accounting regulations): 1 year (4 years)
  • Results of genetic examinations and analyses under the Genetic Diagnostics Act (Gendiagnostikgesetz, GenDG): 10 years

 

S

  • Sexually transmitted diseases: 10 years
  • Sonographic examinations: 10 years

 

X

  • X-ray examinations: 10 years
  • X-ray treatment (records, calculations): 30 years