Privacy Policy

of
Personal MedSystems GmbH
Wilhelm-Leuschner-Straße 41
60329 Frankfurt am Main
Germany
As of: 5th May 2021

“Data Protection Logo – CardioSecur fulfils the strict standards of the Federal Data Protection Act of Germany”  /General Data Protection Regulation

I. Privacy Policy of Personal MedSystems GmbH

We take the protection of your data very seriously and adhere strictly to the regulations of the applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act.

1. Responsible entity

The responsible entity within the meaning of the data protection laws is Personal MedSystems GmbH, Wilhelm-Leuschner-Strasse 41, 60329 Frankfurt am Main (hereinafter "PMS"), represented by Mr Felix Brand (Managing Director) and Dr Markus Riemenschneider (Managing Director).

Independent data protection officer: Mr. Dr. Sebastian Kraska, Institute for IT-Security GmbH (IITR), Marienplatz 2, 80331 Munich, Germany; phone: +49 (0)89 18917360; e-mail: dpo-contact@iitr.de.

2. Right of information

In accordance with Art. 15 of the GDPR, you have the right at any time to obtain information about the type and scope of the data stored about you, its origin and recipients, and the purpose for which it is stored. E-mail: info@cardiosecur.com

3. Revocation of consent and right to rectification

You may revoke your consent to the storage of your personal data and its use in accordance with Art. 21 GDPR at any time with effect for the future. If you revoke your consent to further use of your data, you will no longer be able to use the services you have in place (e. g. use of the app, user account, newsletter). Please note that even after revocation of your consent and in the event that you are our customer or user of our services, we may process your data to the extent necessary for the purposes of executing the contract and for billing purposes. Furthermore, we are obliged to comply with the statutory retention periods.

If the information concerning you is not (or no longer) correct, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it is completed.

4. Anonymisation and deletion of data

After the cessation of the business purpose associated with your data (e. g. after termination or revocation of the contract), your medical data will be irreversibly anonymised after 10 years so that you may support any civil claims against doctors with your data at least during this time. Furthermore, the data will be retained for this period in accordance with Art. 17 (3) (e) GDPR for any claims against Personal MedSystems GmbH.

If, after the cessation of the business purpose, you do not wish your medical data to be kept securely for 10 years, please let us know as part of your termination or revocation so that your medical data can be anonymised immediately and irreversibly. Our anonymisation concept provides that your personal data directly related to your medical data (e.g. on the ECG reports) are irreversibly deleted and replaced by data from a random generator. There is no data reservoir that allows an indirect or direct link between your deleted personal data and the anonymisation data.

We hereby inform you that your medical data can no longer be assigned to your person after this step. Even in the event that the business purpose with us is resumed at your request, we will no longer be able to display your anonymised ECG data. This also applies in the event that your personal data (as opposed to your medical data) should still be available to us within the scope of contract processing and the associated statutory retention period.

Im Rahmen der gesetzlichen Aufbewahrungsfristen sind wir verpflichtet, Ihre persönlichen Daten in Bezug auf die Vertragsabwicklung 10 Jahre – oder soweit gesetzlich verlangt länger – aufzubewahren und danach unwiederbringlich zu löschen.

5. IT security and cyber security

We maintain an Information Security Management System (ISMS) and are certified according to ISO 27001.

For security reasons, we recommend that you only transmit e-mails and SMS in encrypted form and that you do not process your data via unprotected WiFi networks.

Important note: In the case of unencrypted electronic data transmission, there may be considerable risks despite all the security precautions we take. Complete protection of data against unauthorised access by third parties is not possible. Furthermore, we refer to sections III. and IV. below.

If you identify a cyber security issue, please report it to us. E-mail: info@cardiosecur.com

6. Right of complaint

If you are of the opinion that we are not handling your data appropriately, you have the statutory right to complain at any time, in particular in accordance with Art. 77 GDPR, directly to the competent supervisory authority, the Hessian Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany, e-mail: poststelle@datenschutz.hessen.de

II. Information on Data Protection when using PMS’s website and Services requiring Registration

The content of our website was created with the utmost care. However, we do not assume any liability for the correctness, completeness and up-to-dateness of the contents provided. The use of content of our website is at the user's own risk. Contributions identified by name reflect the opinion of the respective author and not necessarily our opinion. The mere use of our website does not constitute any contractual relationship between the user and us.

This website contains links to third-party websites (hereinafter "external links"). These websites are subject to the liability of the respective operators. We have no influence whatsoever on the current and future design and content of the linked sites. The inclusion of external links does not imply that we adopt the content behind the reference or external link as our own. We cannot reasonably be expected to check external links without concrete evidence of legal violations. However, we will delete such external links immediately if we become aware of any legal violations.

The content published on this website is subject to German copyright and ancillary copyright law. Any use not permitted by German copyright and ancillary copyright law requires the prior written consent of us or the copyright holder. This applies in particular to the copying, editing, translation, storage, processing or reproduction of content in databases or other electronic media and systems. The unauthorised reproduction or transmission of individual contents or complete pages is not permitted and is punishable by law. Only the production of copies and downloads for personal, private and non-commercial use is permitted. The display of this website in external frames is only permitted with our prior written consent. Insofar as the content on this website was not created by us, the copyrights of third parties are respected. In particular, third-party content and rights are indicated as such. Should the user nevertheless become aware of a copyright infringement, we request that a corresponding notification be made. If we become aware of any infringements, we will remove such content immediately.

The use of our website and the services requiring registration (user account, newsletter) is subject exclusively to this data protection declaration.

It is largely possible to use our website without providing personal data. The data collected will not be passed on to third parties, except in the case of a legal obligation or if you have expressly consented to such a transfer. Taking these exceptions into account, also no data will be passed on to third parties in connection with cookies and website analysis. To protect your data, we do not use Google Analytics or Google AdWords but the internal, GDPR-compliant analysis tool Matomo.

The web server for the operation of our website is technically hosted by the IT service company (hereinafter "IT service provider"):

ilexius GmbH

Unter den Eichen 5

Haus i

65195 Wiesbaden, Germany

 

The IT service provider has been obligated by us to comply with the requirements of the GDPR via a valid data processing agreement.

1. Collection of data when using the website

When you visit our website, you transmit data (out of technical necessity) via your internet browser to our web server at our IT service provider. To enable you to use our website, the following data is recorded during an ongoing connection between your internet browser and our web server:

  • Date and time,
  • Time zone of beginning and end of use
  • Size in bytes
  • Anonymised user IP address (shortened by 2 bytes) and
  • Type of telemedia or telecommunications service used, as well as
  • Device specific and other similar information.

 

For reasons of technical security, in particular to defend against attempted attacks on our web server, we store this data. It is not possible for us to draw conclusions about individual persons on the basis of this data, as the data is anonymised by shortening the IP address.  The data is processed in anonymised form for statistical purposes; it is not compared with other data or passed on to third parties, even in extracts.

2. Cookies

Our website uses so-called cookies in certain places. Cookies are small text files that the web browser stores on your computer. The cookies we use are not tracking cookies (e. g. not for re-targeting or targeted advertising) but are used to fulfil essential service functions (e. g. for language settings) and to make the website more user-friendly, effective and secure.

You can set your browser so that you are informed about the setting of cookies and their duration of effect in order to decide on a case-by-case basis whether to accept them or to generally exclude the acceptance of cookies. With regard to the duration of the effect, there are, for example, session cookies that are limited in time to the specific use of the website or cookies that remember the actions and/or entries you have made on our website for a longer period of up to ninety days, so that you may not have to make repeated entries, such as your name, the next time you visit our website.

If cookies are excluded, the functionality of our website or our services may be limited.

We are happy to help you find out more about cookie settings for the most popular browsers. Click on the link for your browser:

• Cookie settings in Google-Chrome
• Cookie settings in Firefox
• Cookie settings in Internet Explorer
• Cookie settings in Safari for Mac
• Cookie settings in Safari for iPhone, iPad and iPod Touch

 

If you have any questions about cookie settings, please feel free to contact our customer support.

3. Website analysis

In order to protect your data as much as possible, we do not use Google Analytics for website analysis. For the needs-based design of our website we use the GDPR-compliant tool Matomo. This is a PMS internal web analysis service of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769. No data is transferred to New Zealand.

In order to record and analyse the use of our website with Matomo, usage information is only transmitted to our server at the IT service provider commissioned by us and named in this data protection declaration and temporarily stored for analysis purposes. During this process, your IP address is only processed in a shortened form and thus anonymised. It does not allow any conclusion about your personal identity.

The legal basis for the use of Matomo is Art. 6 para. 1 lit. f DSGVO. Further information on Matomo's terms of use and data protection regulations can be found at: https://matomo.org/privacy/.

 If you would like to stop the pseudonymous data collection by Matomo, please click on the corresponding option at the bottom of this page.

4. Optional newsletter registration

Registration for our newsletter (e.g. via our website) is effected by the double opt-in procedure, i.e. you provide your confirmation of the newsletter registration on the website and via a confirmation link in an e-mail that is then automatically sent to you. You are not registered for the newsletter until you have submitted both confirmations. If you register for our newsletter, you provide us with your e-mail address. We use this information exclusively to send you the newsletter. For sending the newsletter to you we utilise:

Rapidmail GmbH, with corporate seat in Augustinerplatz 2 in 79098 Freiburg, Germany.

Each time we send out our newsletter, Rapidmail measures for us whether the email sent was opened by you (success measurement). This information is used by us to send you product-related and medically more relevant content. The email address you entered when registering for the newsletter remains stored by us and Rapidmail until you unsubscribe from our newsletter. You can unsubscribe at any time by using the link provided in the newsletter or by sending us a message to this effect (see imprint for e-mail address). By unsubscribing, you object to the use of your email address for the newsletter. Furthermore, we refer to section IV. 4 below for existing customers.

5. Processing in connection with services requiring registration

If you wish to use our electronically provided services (e. g. app use, user account, etc.), we require further information from you in order to provide these services and for billing purposes. This includes, in particular, your name, e-mail address, address, telephone number, etc. You disclose this data on an expressly voluntary basis in order to enable us to provide our services. With your confirmation when sending your data, you agree that we may contact you by e-mail, post or telephone in accordance with the respective purpose (e. g. provision of services, improvement of our scope of services) and that we may collect, store and use your data. A transfer of your data to third parties, such as:

  • the IT service provider commissioned by us,
  • our data center:

Hetzner Online GmbH

Industriestraße 25

91710 Gunzenhausen, Germany

with computer sites in:

Nürnberg, Falkenstein Vogtland, both Germany and Helsinki, Finnland

  • companies commissioned by us to bill you for the services you have used,
  • the card-issuing financial service provider such as the bank or credit card company,
  • logistics service providers commissioned by us for the delivery of our products or
  • cooperation partners commissioned by us for the purpose,

only takes place insofar as they are commissioned by us to fulfil the tasks corresponding to the respective purpose. These third parties may not use the data for purposes other than those specified in accordance with our instructions. Furthermore, third parties are obliged to handle the data in accordance with this data protection declaration and the currently applicable data protection regulations, e. g. within the scope of commissioned processing pursuant to Art. 28 GDPR. Furthermore, we may be required to disclose your personal data in order to comply with legal provisions and regulatory requirements. We do not pass on any data beyond this to third parties.

III. Information on protection when using our app

For data protection reasons, our CardioSecur app is configured in such a way that it does not require any special authorisations. Within the scope of app use, you can optionally specify whether you want to contact people directly from the app and set them up as trusted contacts in the app. For this purpose, the app requires special authorisation to access your address book, which you must initiate yourself. The CardioSecur app does not automatically access your address book.

When installing the CardioSecur app, you will be asked in the process if you want to

  • share your GPS data to possibly detect an influence of altitude or weather conditions during an ECG measurement on the ECG measurement result in the future,
  • allowed the app to send you messages, e. g. for reminding you to record an ECG measurement.

Declining these options does not affect the other functions of your CardioSecur app.

We urge you to perform active device protection for your smartphone/tablet, otherwise sensitive data may be accessed by third parties. Protect your smartphone/tablet from access by third parties with an access code, your fingerprint or security through facial recognition. If you protect it with a passcode, make a habit of changing it regularly and not making it accessible to third parties.
 

If you use a cloud solution (e. g. iTunes, iCloud or Android-based solutions) as a backup solution for your smartphone/tablet, the CardioSecur app data stored locally on your smartphone/tablet will also be backed up there. In this case, please refer to the currently valid version of the cloud solution applicable to you (e. g. Apple privacy policy at www.apple.com/uk/privacy/privacy-policy/).

IV. Information on the protection of PMS customers' data

We have developed organisational and technical measures to reliably protect the data we receive from you. Comprehensive training of our employees with regard to data protection and IT security and their contractual obligation to data secrecy (in particular pursuant to Art. 5 GDPR and in accordance with the Swiss Data Protection Act) as well as general confidentiality obligations ensure that your data is treated confidentially by us. Our security measures also include that we ask you for proof of your identity, especially when contacting us by telephone.

On the sections of our website where personal details can be entered, e.g. in the "My Account" area, we use the industry standard SSL (Secure Sockets Layer) to encrypt your data. With SSL encryption, your data is altered before it is transferred to our server in such a way that it cannot be reconstructed by third parties. In this way, the confidentiality of your details and your payment data is guaranteed during transactions over the Internet.

 

We urge you to take all possible precautions to protect your data while you are working browser-based in the "My Account" section. Make it a habit to change your password regularly. We recommend that you use a combination of letters and numbers for your password and ensure that you use a secure SSL-enabled browser to browse the Internet. If possible, log off completely after you have finished using a computer that you do not use exclusively alone and do not make your password available to third parties. Please note that a password change for your user account always becomes effective in both, the website section "My Account" and in the CardioSecur app.

 

Technical data regarding safety

Encryption of sensitive data transfers with SSL certificates. Securing the servers: Our servers are protected against attacks by firewall systems. An internal security system and a comprehensive authorisation concept ensure that your sensitive data is only accessible for the purpose of executing the contract, by the designated persons (e. g. medical data by the doctor, billing data by the billing department, etc.).

 

1. Handling of client and patient data

Access to client or patient data is regulated in such a way that the smallest possible group of persons (including the Physician selected by the client) gains access to both the patient’s identity and, simultaneously, his medical data. Access is ensured by respective password protection.

The following data types are collected and processed within the execution of the contract:

  • Contact data: name, address, telephone number, e-mail, gender, etc.
  • Measurement date: date and time of ECG measurements.
  • Medical data: raw data of ECG measurements and automatic evaluation, as well as other health data optionally provided by you.

The data is stored exclusively on proprietary servers in Germany and Finland at the data centre named in this privacy policy.

PMS's trusted client data officers have a special position of trust and handle client cases that deal with technical issues related to ECG measurements. All other customer support staff does not have access to medical data or results, but only to the date and time of an ECG measurement. Furthermore, PMS commissions selected internal and external technical staff to maintain and develop the portal. This restricted group of persons, who can be identified at any time, is contractually bound by PMS to special protection in handling personal and medical data in accordance with the requirements of Article 5 of the GDPR. The obligation to data secrecy continues for this group of persons beyond their employment relationship.

Important note:By agreeing to our General Terms and Conditions (creation of the business purpose) and by making their own medical data available, the customer (in relation to Personal MedSystems GmbH) or the patient (in relation to the physician selected by the patient) expressly agrees that the group of persons described above may access the medical data for a specific purpose.

By registering on the portal and the associated confirmation of the terms and conditions for services to doctors, doctors agree to subject the personal and medical data made available to them via the portal to medical confidentiality and the data protection requirements of the GDPR or, as the case may be, the Swiss Data Protection Act.

Customers respectively patients themselves can only access their user account (hereinafter "UA") in the following ways:

• via internet or the app using a password with at least 6 characters, consisting of letters and digits. If the client forgets the password, it may be reset by entering the username. The client shall then receive a link via e-mail to the e-mail address stated in the UA, enabling the client to enter a new password within 24 hours and retain access to the UA. The password shall not be visible to PMS’s Customer Service (hereinafter referred to as “CS”) and may not serve as identification in the event of telephone enquiries.

• via telephone by means of proof of the client’s identity. In this case, CS can view the client’s personal data, inform the client about it and change data at the client’s request. Furthermore, CS can reset the password (see above for further details). 

• via post by sending an informal letter in written form and a copy of the personal ID card. In this letter, the client may request a printout of his personal and medical data (if he expressly gives his consent to this in his letter) and communicate any personal data that may have changed. In addition, the client can ask for his password to be reset (see above for further details).

2. Invoicing, collection of claims

If we commission lawyers’ offices and/or collection agencies to collect our claims, the data required for balancing accounts with the client shall be submitted to them insofar as this is necessary for collecting the claims and for issuing a detailed invoice. The third party is obliged to observe data protection regulations. The same shall apply insofar as we commission any other service provider we use for meeting contractual services to e. g. issue invoices, handle payment transactions and collect claims.

3. Logistics

We commission third parties for logistical handling of your order (e. g. DHL, Deutsche Post). We submit the necessary data from your order to the designated third party exclusively for such purpose. This third party is obliged to handle your data in compliance with applicable data protection laws.

4. Newsletter addressing of existing customers

In addition, and insofar as it is legally admissible, we use your e-mail address, which we received in connection with the purchase of a product or service, exclusively for advertising via our newsletter for our products or services, similar to those ordered by you, provided that you have not objected to this use. You can object to the use of your e-mail address at any time without incurring transmission costs other than those under the basic rates. Your objection (and thus the cancellation of our newsletter) can be effected by sending a message to our e-mail address: info@cardiosecur.com. Furthermore, we refer to Section II. 4 above with regard to the use and storage of your e-mail address, also in connection with our newsletter dispatcher.

5. Storage period and no further data processing

The customer's data will only be stored for as long as is necessary within the scope of the contractual agreement with the customer and in compliance with the applicable laws. For the anonymisation and deletion of data, we refer to section I. 4 above. We do not collect or process any additional data. In particular, we will not use the customer data for marketing or advertising purposes or transfer it to third parties for these purposes without the effective consent of the customer.

We are furthermore entitled to irreversibly anonymise the customer's data in accordance with the statutory provisions and to use this anonymised data for our own purposes to improve the range of services offered by PMS and to pass it on to third parties exclusively for anonymised research purposes to combat cardiac diseases or anonymised statistical evaluations.

V. Information on data protection of participating physicians

In accordance with the data protection regulations, we may collect, store and process the data of the participating doctors insofar as this is necessary for the establishment, amendment and implementation of the contract or its billing. In detail, data of the doctors are collected, stored and processed as follows:

1. Data processing for contractual purposes, forwarding data

The physicians' inventory data and other information concerning him/herself and usage behaviour (connection data) (e.g. time, number and duration of connections, access passwords, uploads and downloads) are collected, stored and processed by us to the extent necessary to fulfil the purpose of the contract. The data is stored on proprietary servers of the data centre named in this privacy policy in Germany and Finland.

We will not pass on the doctor's data to third parties without the doctor's consent unless we are legally obliged or entitled to do so. In particular, we refer to point II. 5 above regarding processing in connection with services subject to registration.

2. Use of inventory data of physicians for other purposes

Irrespective of our statutory powers to collect, store and process data, the physician, by confirming our Terms and Conditions for Services to Doctors during registration on our portal, agrees that, insofar as it is legally admissible, we may also use his inventory data as well as his anonymized data on user intensity (e. g. number of readings, number of patients) exclusively for our own advisory, market research and for the adequate provision of our services. The physician can revoke such a use of his data at any time for future effect.