Data protection - Spitzenverband Digitale Gesundheitsversorgung e.V.

I. Scope and responsibilities

With this privacy policy, we would like to inform you about how we process personal data. The protection of your privacy is of the highest importance to us, which is why compliance with the legal provisions on data protection is a matter of course for us.

The scope of this data protection declaration covers both the internet presence at digitalversorgt.de and digitalversorgt.info, as well as data processing within the framework of association membership.

Responsible entity:

German Digital Healthcare Association

Karl-Liebknecht-Straße 1
10178 Berlin

For all questions regarding data protection, please contact the following email address datenschutz@digitalversorgt.de

II. Data processing

1. General information

1.1 Person-related data:

Personal data is any information relating to an identified or identifiable individual. This includes the following categories of personal data that we process:

Your contact details (such as first and last name, address, email address, telephone number),
Your correspondence with us,
Log files containing information about your visit to our website,
Online identifiers (such as cookie IDs, IP addresses,)
Member data (such as billing data, address, membership, payment data),
Application documents (such as references and certificates)
Photos from events
Videos from events

1.2 Purposes of use:

We process your data for the following purposes:

for correspondence with you,
to process membership and contracts with you,
to send you our newsletter,
for quality assurance and statistics,
for the provision of our service,
for your participation in our events,
for your participation in our surveys,
to consider your application,
to improve our service.

1.3 Legal basis:

We rely on the following legal bases when processing your data:

Your consent, if you have given us such consent – Art. 6 para. 1 lit. a DSGVO,
the initiation or execution of a contract with you – Art. 6 para. 1 lit. b DSGVO,
the fulfilment of legal obligations – Art. 6 para. 1 lit. c DSGVO,
the implementation of our legitimate interests – Art. 6 para. 1 lit. f DSGVO.

1.4 Legitimate interests:

The purpose of processing your data is to protect the following legitimate interests:

the improvement of our offer,
the protection of our systems against misuse,
the compilation of statistics,
the storage of our correspondence with you.

1.5 Requirement or obligation to provide data:

Unless expressly stated, the provision of your data is not required or obligatory.

1.6 Storage period:

We store your data,

if you have consented to the processing, at most until you revoke your consent;
if we need the data to perform a contract, at most for as long as the contractual relationship with you exists;
if we use the data on the basis of a legitimate interest, at most for as long as your interest in deletion or anonymisation does not outweigh this;
if there are statutory retention obligations, until the end of the retention periods.

1.7 Third-party providers and transfer to third countries

Our website uses a number of third-party providers. Below you will find a detailed list of our various processing activities and any third party providers involved, including any associated transfers to countries outside the scope of the GDPR.

2. Provision of the website and creation of log files

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected:

Information about the browser type and the version used
The IP address of the user
Date and time of access

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user. The legal basis for the temporary storage of the data and the log files is our legitimate interest according to Art. 6 (1) lit. f DSGVO.

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. Accordingly, neither analysis tools nor other procedures are used to create user profiles.

The IP address can be a personal data, because under certain conditions it is possible to find out the identity of the owner of the used internet access by information of the respective internet provider. We do not intend to evaluate the IP address. This could at most become relevant if there is an attack on our Internet presence. In this case, we have a legitimate interest in the processing of the IP address within the meaning of Art. 6 Para. 1 lit. f DSGVO. It results from the need to ward off the attack on our internet system, to determine the origin of the attack in order to be able to take criminal and civil action against the person responsible and to effectively prevent further attacks.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

Third-party provider Google

In order to display our content correctly and in a graphically appealing manner across browsers, we use “Google Web Fonts” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to display fonts on this website. The legal basis for this is our legitimate interest within the scope of Art. 6 Para. 1 lit. f DSGVO.

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/.

3. Contact via e-mail

We provide an e-mail address for direct contact. The following data is always collected:

Email address
Your correspondence with us

Depending on the purpose of the contact, the correspondence may also contain the following data, which is provided voluntarily by you:

First and last name
Address
telephone number
Billing data
Payment data
Membership status
Application documents

Depending on the content of the e-mail, the data is voluntary (legal basis is Art. 6 para. 1 lit. a DSGVO) or data in the context of association membership or other contractual relationships (legal basis is Art. 6 para. 1 lit. b DSGVO).

In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the and to ensure the security of our information technology systems. The data are deleted as soon as they are no longer required to achieve the purpose for which they were collected.

4. Subscription to the newsletter

A form is available on the website for subscribing to the association’s newsletter. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. For the processing of the data, your consent is obtained during the sending process and reference is made to this data protection declaration. Here, the e-mail address is compulsorily collected: The legal basis for the processing of the data is Art. 6 para. 1 lit. a DSGVO if the user has given his consent.

4.1 Third-party provider Mailjet

We use Mailjet to send newsletters. The provider is Mailjet SAS, 13-13 bis, Rue de l’Aubrac – 75012 Paris, France. Mailjet is a service with which the newsletter dispatch can be organised and analysed. The data you enter for the purpose of receiving newsletters (e.g. e-mail address) is stored on Mailjet’s servers in the EU.

Our newsletters sent with Mailjet enable us to analyse the behaviour of the newsletter recipients. Among other things, we can analyse how many recipients have opened the newsletter message and how often which link in the newsletter was clicked on. With the help of so-called conversion tracking, it can also be analysed whether a predefined action (e.g. purchase of a product on our website) has taken place after clicking on the link in the newsletter. For more information on data analysis through Mailjet newsletters, please visit: mailjet.com/function/tracking-tools.

Mailjet also allows us to subdivide newsletter recipients based on various categories (“segmentation”). In doing so, the newsletter recipients can be subdivided according to the data provided during registration. In this way, the newsletters can be better adapted to the respective target groups.

Detailed information on the Mailjet functions can be found at the following link: mailjet.com/function.

The data processing is based on your consent (Art. 6 para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

If you do not want any analysis by Mailjet, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. Furthermore, you can also unsubscribe directly on the website.

The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of Mailjet after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the members’ area) remain unaffected by this. We have concluded a contract with Mailjet for the processing of commissioned data and fully implement the strict requirements of the German data protection authorities when using Mailjet.

For more information, please refer to Mailjet’s “Security and Data Protection” information at mailjet.com/security-data-protection and Mailjet’s data protection policy at mailjet.com/privacy-policy.

5. Cookies

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

Depending on the setting selected by the user for the Internet browser, the browser automatically accepts cookies. However, this setting can be changed and the storage of cookies can be deactivated or set in such a way that the user is notified as soon as a cookie is set. If the use of cookies is deactivated, some functions of the website may not be available or may only be available to a limited extent. You can prevent the setting of cookies by our website at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Cookies that are already active can be deleted at any time using an internet browser or other software programmes.

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. The user data collected through technically necessary cookies are not used to create user profiles.The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f DSGVO.

6. Integration of social networks

Our website is linked to the social networks LinkedIn and Twitter. By using this share function or the follow function on Twitter, the web pages you visit are linked to your account on these social networks and made known to other users. In the process, data is also transmitted to the social networks. The processing of users’ personal data is based on our legitimate interests in effectively informing users and communicating with users pursuant to Art. 6 para. 1 lit. f. DS-GVO. If the users are asked by the respective providers to agree to GTCs for which the data processing is required, the legal basis for the processing is Art. 6 (1) lit. b.

We would like to point out that we, as the provider of the pages, do not receive any knowledge of the content of the transmitted data as well as its use by the providers of the social networks. If you are a member of the social networks and do not want them to collect data about you via our website and link it to your data stored there, you must log out of the social networks and delete any cookies set before visiting our website.

6.1 Third-party provider LinkedIn

We use the technical platform and services of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland for our company page on LinkedIn.

When you visit this site, LinkedIn collects, among other things, your IP address and other information that is present on your PC in the form of cookies. This information is used to provide us, as the operator of this site, with statistical information about the use of this site. The data collected about you in this context is processed by LinkedIn and may be transferred to countries outside the European Union. What information LinkedIn receives and how it is used is described in general terms by LinkedIn in its data usage guidelines and privacy policy. There you will also find information on how to contact LinkedIn. The data use policy and full data policy are available at the following link:

https://www.linkedin.com/legal/privacy-policy?_l=de_DE

We do not know how LinkedIn uses the data from visits to LinkedIn pages for its own purposes, to what extent activities on the LinkedIn page are assigned to individual users, how long LinkedIn stores this data and whether data from a visit to the LinkedIn page is passed on to third parties.

When you access a LinkedIn page, the IP address assigned to your end device is transmitted to LinkedIn. LinkedIn also stores information about the end devices of its users (e.g. as part of the “registration notification” function); LinkedIn may thus be able to assign IP addresses to individual users.

If you are currently logged in to LinkedIn as a user, a cookie with your LinkedIn identification is located on your end device. This enables LinkedIn to track that you have visited this page and how you have used it. This also applies to all other LinkedIn pages. LinkedIn buttons embedded in websites enable LinkedIn to record your visits to these website pages and assign them to your LinkedIn profile. Based on this data, content or advertising can be offered tailored to you.

If you wish to avoid this, you should log out of LinkedIn or deactivate the “stay logged in” function, delete the cookies present on your device and close and restart your browser. This will delete LinkedIn information that can directly identify you. This allows you to use our LinkedIn page without revealing your LinkedIn identifier. When you access interactive features of the site (Like, Comment, Share, News, etc.), a LinkedIn login screen will appear. After any login, you will again be recognisable to LinkedIn as a specific user.

The data transfer to the USA takes place on the basis of standard contractual clauses, which can be accessed here: https://www.linkedin.com/help/linkedin/answer/62533

Information on how to manage or delete information about you can be found on the following LinkedIn support pages: https://www.linkedin.com/legal/privacy-policy?_l=de_DE

6.2 Third party provider Twitter

Our website also uses functions of the Twitter service. The functions are offered by Twitter Inc, 795 Folsom St, Suite 600, San Francisco, CA 94107, USA. By using Twitter and the “Re-Tweet” function, the website you visit is linked to your Twitter account and made known to other users. This data forwarding also involves the transfer of data to Twitter. We, as the service provider, would like to point out that we, as the website provider, have no knowledge of the content of the transmitted data or its use by Twitter. Therefore, we refer to the following link to obtain further information regarding Twitter’s privacy policy: http://twitter.com/privacy

If you wish to change your data protection settings on Twitter, you can do so under this link: http://twitter.com/account/settings

Data transfer to the USA is based on standard contractual clauses. These can be accessed here: https://help.twitter.com/de/rules-and-policies/global-operations-and-data-transfer Opt-Out: https://twitter.com/personalization.

7. Processing in the context of webinars

We regularly offer webinars and comparable events for association members, but also for external parties. These are usually recorded and can then be accessed in the members’ area.

7.1. Third-party provider Zoom

We use the Zoom service of the provider Zoom Video Communications, Inc.,55 Almaden Blvd, Suite 600,San Jose, CA 95113, USA. We use Zoom for internal communication as Video Conference Too as well as for recording webinars .Zoom processes data on our behalf in accordance with the provisions of the DSGVO and the BDSG The responsible party for data processing directly related to the implementation of online meetings is the Spitzenverband Digitale Gesundheitsversorgung e.V..

In order to participate in an online meeting, you must at least provide information about your name. In addition, participant IP addresses, device/hardware information and – in the case of telephone dial-in – telephone number, country name and metadata of the connection will be stored.

For internal use, online meetings are not recorded by default. In the case of a webinar, all participants will be informed transparently in advance about the recording and – if necessary – asked for their consent.

If you are registered as a user at Zoom, then reports on online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) can be stored at Zoom for up to one month.

Insofar as personal data of employees of Spitzenverband Digitale Gesundheitsversorgung e.V. are processed, § 26 BDSG is the legal basis for data processing. If, in connection with the use of Zoom, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of Zoom, Art. 6 (1) lit. f DSGVO is the legal basis for data processing. In these cases, our interest lies in the effective implementation of online meetings.

Otherwise, the legal basis for data processing when conducting online meetings is Art. 6 (1) lit. b DSGVO, insofar as the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f DSGVO. Here too, our interest is in the effective conduct of online meetings.

We have concluded a contract processing agreement with the provider of “Zoom” that complies with the requirements of Art. 28 DSGVO.The transfer of data outside the scope of the DSGVO is based on EU standard contractual clauses: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087

Further information can be found in Zoom’s privacy policy: https://zoom.us/de-de/privacy.html

7.2 Sli.do

On our website, we use the Slido tool from sli.do s. r. o., Vajnorská 100/A, 831 04 Bratislava, Slovakia for online meetings and events. Slido offers its service via AWS servers in Germany and Ireland. The purpose of the integration is to enable you to make comments and ask questions about the lectures / workshops during the virtually held events in order to make the events interactive. When you post comments/questions about individual lectures, you can voluntarily enter your name or otherwise simply leave the name field blank. We have entered into a commissioning agreement with Slido so that Slido contractually guarantees to process your data exclusively according to our specifications.

When using Slido, cookies are used for analysis and advertising purposes. You can give or revoke your consent at any time in the settings there in the “Privacy Manager”. You can find detailed information on the cookies set by Slido at: https://www.sli.do/cookie-policy.

The legal basis is our legitimate interest within the framework of Art. 6 para. 1 lit. f in a user-friendly and effective design of our webinars. Any data transfer outside the scope of the GDPR is based on EU standard contractual clauses: Further information on data transfer, in particular on measures supplementing the standard contractual clauses, can be found here: https://www.sli.do/terms#service-providers For more information, please read the provider’s privacy policy at: https://www.sli.do/terms

7.3 Vimeo

Social media plugins of Vimeo LLC, 555 West 18th, Street, NY 10011, USA, are integrated on our website. This enables us to provide our members with webinars in the past. When you visit our website, a connection is established with the Vimeo servers. Vimeo also receives the information that you have visited our site with your IP address. If you are logged in to Vimeo, Vimeo can assign your visit to our website to your user account. If you interact with the plugin (e.g. by clicking on an embedded video), this will be assigned to your profile and stored by Vimeo. To prevent the assignment of the collected data to your profile, you must log out of your account.

We have no influence on the scope and content of the data collected by Vimeo. The basis for data transfer outside the scope of the GDPR are the EU standard contractual clauses, see Vimeo’s privacy policy: https://vimeo.com/privacy

8. Internal communication for members

A number of third-party providers are used for internal communication between members. The legal basis is the consent in the course of membership (Art.6 para.1 lit. a DSGVO).

8.1 Third-party provider Slack

We use the Slack service of the provider Slack Technologies, Inc, 500 Howard Street, San Francisco, CA 94105, USA. We use Slack for project planning and internal communication. Slack processes data on our behalf in accordance with the provisions of the DSGVO. The legal basis is our legitimate interest within the scope of Art. 6 Para. 1 lit. f in a user-friendly and effective internal exchange. Data transfer outside the scope of the GDPR is based on EU standard contractual clauses: https://slack.com/intl/de-de/terms-of-service/data-processing, Further information can be found in Slack’s privacy policy: https://slack.com/intl/de-de/legal

9. Photographs at events

In the context of events, photographs are taken of the attendees. This may result in the collection of personal data. The legal basis is basically our legitimate interest within the scope of Art. 6 (1) lit. f DSGVO in an appealing and representative design of our online presence. The photographs are stored and used for the purpose of documenting events and reporting on them.

Depending on the type and scope of the event, consent is obtained in accordance with Art. 6 Para. 1 lit a for the taking of photographs and subsequent publication on our online presence.

III. Data subject rights

As a user you have the following rights:

To request information about the processing of your data and to receive a copy of your personal data. Among other things, you can request information about the purposes of the processing, the categories of personal data that are processed, the recipients of the data (if they are passed on), the duration of the storage or the criteria for determining the duration;
To receive the personal data concerning you in a structured, commonly used and machine-readable format or to transfer it to another controller;
rectify your data. If your personal data is incomplete, you have the right to complete the data, taking into account the purposes of the processing;
have your data erased or blocked;
restrict the processing of your data;
to object to the processing of your data;
to withdraw your consent to the processing of your data in the future;

and

complain to the competent supervisory authority about unlawful data processing.

Supervisory authority:

If you believe that the processing of your personal data by us is not lawful, you may lodge a complaint with any data protection supervisory authority. The supervisory authority responsible for us can be reached at the following contact details: Berlin Commissioner for Data Protection and Freedom of Information Friedrichstr. 219 10969 Berlin Telephone 030 13889-0 Fax 030 2155050 E-mail: mailbox@datenschutz-berlin.de Website: datenschutz-berlin.de

Status of the data protection declaration

This data protection declaration will be adapted according to changing processes and offers on our website. You will find the current version at this point. In general, we recommend that you regularly check our data protection information for changes.

Date of the data protection declaration: 12.5.2021