Personal MedSystems GmbH
D-60329 Frankfurt am Main
As of: 19th May 2016
I. General Provisions on Data Protection at Personal MedSystems GmbH
We take the protection of your data very seriously and adhere strictly to the regulations of data protection acts (including the Federal Data Protection Act and the German Teleservices Act).
1. Party Responsible
The party responsible in terms of data protection acts is Personal MedSystems GmbH, Hansaallee 154, 60320 Frankfurt am Main, Germany (hereinafter referred to as “PMS”), represented by Mr. Felix Brand (Managing Director) und Dr. Markus Riemenschneider (Managing Director).
2. Right to Information
You shall have the right to information at all times about the type and scope of data stored by us concerning yourself, their origin, recipients and purpose of the storage.
3. Revocation of Consent
You may withdraw any consent you may have granted to the storage of your personal data and use thereof at any time for future effect. Please note that, if necessary, we shall be entitled to process your data for the purpose of executing the contract and for accounting purposes to the extent necessary if you are our client, despite the revocation of your consent. For the rest, an objection to the continued use of the data may lead to you no longer being able to receive the services purchased (e.g. user account, newsletter). In this context, your personal data and if provided by you your medical data, shall be deleted immediately and shall no longer be retained in our data inventory unless statutory retention periods exist. In the latter case, the data shall be blocked for further use.
4. Deletion of Data
We shall delete your personal and your medical data, if the business objective connected to that data ceases to exist and if the applicable provisions of data protection regulation require to do so. At your request we will block your personal and your medical data (for further information see “Revocation of Consent”).
We point out that electronic data transmission (e.g. when communicating by e-mail) may have security loopholes. It is not possible to fully protect data from being accessed by third parties.
II. Information on Data Protection when using PMS’s website
In general, mere use of our website is possible without having to provide personal data. Insofar as personal data is collected on our pages, this provision shall always take place on a voluntary basis. As a matter of principle, this personal data shall not be forwarded to third parties. Exceptions to this principle shall only apply when required by law or if you have expressly agreed to such forwarding. In this regard we refer to chapter 3 “Cookies” and 4 “Processing by Third Parties”.
1. Storage of Access Data
With any access to our website and with any retrieval of a file, access data about this process shall be stored in a log file on our provider’s server. Usage data, such as details about the beginning, end and scope of the use of certain telemedia services or traffic data in the event of e-mail services shall be collected, processed and used, insofar as this is necessary, to enable the utilisation of these services. The date and time, as well as the time zone of the beginning and end of use, the scope in bytes, the user’s IP address and the type of telemedia service or telecommunication service used are usually collected.
This data is collected anonymously and it is technically impossible to assign it to specific persons. The data shall be deleted after statistical evaluation.
2. Services requiring Registration
So-called cookies are used at several places on our websites. Cookies are small files of textual data sent to your computer and stored by your browser. The aim of the cookies we use is to perform service functions (e.g. for language settings) and to make them user-friendlier, more effective and safer.
You can set your browser to notify you when you receive a cookie, enabling you to decide on a case-by-case basis whether you wish to accept them or whether you wish to rule them out altogether. Non-acceptance of cookies may lead to limited functionality of our website or services.
4. Processing by Third Parties
Our website uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics utilizes so called “cookies”, text files that are stored onto your computer and allowing to analyse your usage of the website. The information generated by cookies and analysing your usage of this website are usually transferred to and stored on a server of Google in the USA. In case that IP-anonymisation is activated on this website your IP-address will be shortened by Google within member countries of the European Community and the European Economic Area. Only in exceptional cases will your full IP-address be transferred to the Google server in the USA and then shortened there. On behalf of the owner of this website Google will utilize this information in order to analyse your usage of this website, to put together reports on website activity and to perform services for the website proprietor that are related to website and Internet usage. Your IP-address that is transmitted by your browser to Google Analytics will not be linked to other Google data. You may prevent the storage of cookies by setting your browser accordingly. Please note that non-acceptance of cookies may lead to limited functionality of the website. In addition you may prevent the cookie from collecting data on your usage of the website (incl. your IP-address) and transferring it to Google and the dispersion by Google, by downloading and installing the browser plugin. (Further information about Google Analytics or the privacy protection of Google Analytics). Please note that on this website Google Analytics was extended by the code “gat._anonymizeIp();“, in order to ensure anonymised collection of IP-addresses (so called IP-masking).
Should you not wish any data storage via Facebook Custom Audience you may deactivate Custom Audience.
III. Information on Protection for App Usage
Our CardioSecur app when installed on your smartphone/tablet does not require any particular permissions (e.g. access to GPS, photos, general profile data, etc.). Only when using the app you may opt to select and set contacts that you want to contact directly through the app (in such instance the app will need access to your contacts).
If you resort to iTunes or iCloud to back-up your smartphone/tablet, local data stored in the CardioSecur app on your smartphone/tablet will be saved there. In such a case please see Apple’s latest provisions regarding data protection.
IV. Information on Data Protection of PMS’s Clients
We have taken technical and organisational measures in order to reliably protect the data we receive from you. Profound information and training of our staff and their compliance with data protection laws under § 5 BDSG as well as the general obligation for non-disclosure ensure that your data is treated confidential. Our security measures entail further that when contacting us by phone we will ask for proof of your identity.
In addition we ask you to take all possible measures yourself to secure protection of your data while using the Internet. Make a habit of changing your password frequently. For your password we recommend creating a combination of letters and digits. Please use a safe SSL-compatible browser when surfing on the Internet. Logout of computers that are not used by you exclusively. Do not make your password available to third parties.
For pages of our website, which require personal information, e.g. in section “My Account”, we resort to the standard SSL (Secure Socket Layer) in order to encrypt your data. With SSL your data is obscured to such an extent before transfer to our server that it is not reconcilable by third parties. With this method your data and transaction information is secured on the Internet.
Technical data regarding security
Encryption with SSL-certificates for sensitive data transfers. Protection of servers: our servers are being protected with firewall systems against attacks. An internal security system and an authorisation concept ensure that sensitive data is only accessible to specifically designated people (e.g. medical data to a doctor, accounting data to the accounting department etc.).
1. Handling of Client and Patient Data
Access to client or patient data is regulated in such a way that the smallest possible group of persons (including the Physician selected by the client) gains access to both the patient’s identity and, simultaneously, his medical data. Access is ensured by respective password protection.
The following data types are collected and processed within the execution of the contract:
• Contact data: name, address, telephone number, etc.
• Measurement date: date and time of measurements
• Medical data: raw data of ECG measurements and automatic evaluation
The PMS representative who handles client data has a special position of trust and deals with customer transactions relating to technical questions on measurements. All other customer advisors shall view only the date and time of a measurement, but not the result.
By consenting to this data privacy statement and by providing medical data by own free will the client (in regards to Personal MedSystems GmbH) or as the case may be the patient (in regard to the selected physician) stipulates expressly, that the selected circle of people as defined above, are allowed to access the personal and medical data.
By registering a physician account, doctors consent to treat personal and medical data that is made available to them under doctor-patient confidentiality and as the case may be the data privacy laws provided in the BDSG.
Clients shall only obtain access to their user account (hereinafter referred to as “UA”) in the following ways:
• via internet or the app using a password with at least 6 characters, consisting of letters and digits. If the client has forgotten his password, then he can have it reset by entering his user name. The client shall then receive a link via e-mail to the e-mail address stated in the UA, enabling the client to enter a new password within 24 hours and retain access to his UA. The password shall not be visible to PMS’s Customer Service (hereinafter referred to as “CS”) and may not serve as identification in the event of telephone enquiries.
• via telephone by means of proof of the client’s identity. In this case, CS can view the client’s personal data, inform the client about it and change data at the client’s request. Furthermore, CS can reset the password (see above for further details).
• via post by sending an informal letter in written form and a copy of the personal ID card. In this letter, the client may request a printout of his personal and medical data (if he expressly gives his consent to this in his letter) and communicate any personal data that may have changed. In addition, the client can ask for his password to be reset (see above for further details).
2. Invoicing, Collection of Claims
If we commission lawyers’ offices and/or collection agencies to collect our claims, the data required for balancing accounts with the client shall be submitted to them insofar as this is necessary for collecting the claims and for issuing a detailed invoice. The third party is obliged to observe data protection regulations. The same shall apply insofar as we commission any other service provider we use for meeting contractual services to e.g. issue invoices, handle payment transactions and collect claims.
We commission third parties for logistical handling of your order (e.g. DHL, Deutsche Post). We submit the necessary data from your order to the designated third party exclusively for such purpose. This third party is obliged to handle your data in compliance with applicable data protection laws.
4. No further Data Processing
The client’s data shall only be stored as long as necessary within the framework of the contractual agreement with the client and in accordance with applicable law.
Beyond that, we shall neither collect nor process any data. Above all, we shall not use the client’s data for marketing or advertising purposes or forward them to third parties for this purpose without the client’s effective consent.
V. Information on Data Protection of Participating Physicians
We may collect, store and process the data of participating physicians in accordance with data protection regulations insofar as this is necessary for the establishment, amendment and execution of the contract or billing for it. In concrete terms, physicians’ data are collected and processed as follows:
1. Data Processing for Contractual Purposes, Forwarding Data
Physicians’ inventory data and further information concerning the physician himself and his user behaviour (connection data) (e.g. time, number and duration of connections, access passwords, uploads and downloads), are collected and processed by us insofar as this is necessary to fulfil the contractual purpose.
We shall not forward the physician’s data to third parties without his consent unless we are legally obliged or entitled to do so.
2. Use of Inventory Data for other Purposes, Physician’s Declaration of Consent
Irrespective of our statutory authority to collect and process data, the physician agrees that we may also use his inventory data as well as his anonymized data on user intensity (e.g. number of readings, number of patients) exclusively for our own advisory, advertising and market research purposes and for the adequate provision of our services. The physician can revoke such a use of his data at any time for future effect.