Privacy Policy

The protection of your privacy as well as the security of all patient and business data during the processing of personal data is an important concern for us, which we take into account in our processes. Here we inform you in detail about how we handle your data.

Controller according to Art. 4 para. 7 EU-General Data Protection Regulation (GDPR)

Universitätsklinikum Frankfurt
Theodor-Stern-Kai 7
60590 Frankfurt
Germany
Telephone: +49 69 63 01 - 0

Data protection officer of the controller
The data protection officer can be reached at:
Telephone: +49 69 / 6301-7235
E-Mail: Datenschutz@kgu.de
For more information about our data protection officer, please visit: https://www.kgu.de/ueber-uns/datenschutzbeauftragter

1. Rights of the data subject (Art. 15 GDPR)
In the following, we will inform you about your data subject rights. You can exercise these rights at any time and contact us directly for this purpose. If you request these rights from us, we will examine them in detail, considering the associated legal requirements and conditions. If necessary, we will request further information from you. We will explain the results of our examination and our procedure for fulfilling your request to you in detail. It is possible that we will not be able to fully comply with your requests in the way you would like. This should not prevent you from claiming your rights from us or from inquiring with us in this regard. We will be happy to answer any questions you may have.

a) Right of access (Art. 15 GDPR)
In accordance with the law, you have the right to request information from us at any time as to whether and which of your personal data is being processed by us. This also includes information on the purposes of processing, if applicable, recipients to whom we have disclosed your data, the planned storage period and, if applicable, information on the origin of this data if we have not collected it directly from you. In addition, you have the right to a one-time free copy of your personal data stored by us. We reserve the right to charge a reasonable administrative fee for making any further copies.

b) Right of rectification (Art. 16 GDPR)
You have the right to request us to correct any inaccurate data we have stored about you. This also includes the right to have incomplete personal data completed.

c) Right to erasure (Art. 17 GDPR)
You have the right to request us to delete data that we have stored about you. If we have published data about you, this also includes our obligation, within the framework of the "right to be forgotten" pursuant to Article 17 (2) of the GDPR, to forward your request to delete all links to this data and copies or replications of this data to other controllers of this published personal data, considering available technology and implementation costs.

d) Right to restriction of processing (Art. 18 GDPR)
You have the right to demand that we restrict the processing of data that we have stored about you. After that, processing of this data is only possible with your consent or for a few legally defined purposes.

e) Right to object to processing (Art. 21 GDPR)
Insofar as we base the processing of your personal data on the balance of interests, you can object to the processing. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which is shown by us in each case in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the situation and either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing. Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your advertising objection via the contact channels listed above.

f) Right to revoke consent under data protection law (Art. 7 GDPR)
If you have given your consent to the processing of your data, you may revoke it at any time in accordance with Article 7 (3) of the GDPR. Such revocation affects the permissibility of processing your personal data after you have expressed it to us.

g) Right to data portability (Art. 20 GDPR)
You have the right to receive from us personal data that you have provided to us in a structured, common and machine-readable format for the purpose of transferring it to another controller. At your request and taking into account the available technical possibilities, this also includes direct transfer from us to the other responsible party.

h) Right of appeal to a supervisory authority (Art. 13 GDPR)
You have the right to lodge a complaint about our processing of data relating to you with a data protection supervisory authority at any time. You can reach the responsible data protection authority at: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Postfach 3163, 65021 Wiesbaden

i) Automated decision-making including profiling (Art. 22 GDPR)
You have the right to obtain information about the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

2. Legal basis for the processing of personal data (Art. 6 GDPR)

(1) Insofar as we obtain the consent of the data subject for processing operations involving personal data, this shall be based on the legal basis of Art. 6 (1) a of the EU General Data Protection Regulation (GDPR).

(2) When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

(3) Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) c GDPR serves as the legal basis.

(4) In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) (d) GDPR shall serve as the legal basis.

(5) If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6 (1) (f) GDPR shall serve as the legal basis for the processing.

3. Information about the collection of personal data

(1) In the following, we inform you about the collection of personal data when using our website. Personal data is all data that can be related to you personally, e.g., name, address, e-mail addresses, user behaviour.

(2) When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations.

(3) If we use contracted service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail about the respective processes below. In doing so, we will also state the defined criteria for the storage period.

Collection of personal data when visiting our website
In the case of mere informational use of the website, i.e., if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis for this is Art. 6 para. 1 p. 1 lit. f GDPR):

  • IP address
  • Hostname
  • Date & Time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes (referrer)
  • The specific pages of our website that you called up
  • Browser: Type, version and set language
  • Operating system: type and version
  • With JavaScript enabled, additionally:
    • Screen resolution
    • Color depth
    • Browser window size
    • Installed browser plugins

4. Data deletion and storage duration

(1) The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage expires.

(2) Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject.

(3) Data shall also be blocked or deleted if a storage period prescribed by the standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

5. Cookie usage
Cookies are small files that are stored on your hard drive associated with the browser you are using and through which certain information flows to the entity that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer. They serve to make the Internet offer more user-friendly and effective. A detailed list of the cookies used can be found below this privacy statement.

6. Further functions & offers of our company website

(1) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. For this purpose, you must usually provide additional personal data that we use to provide the respective service and for which the data processing principles apply. Mandatory data is marked with an asterisk. Information in fields not marked in this way is purely voluntary.

(2) When you contact the service provider by e-mail, your e-mail address and, if you so indicate, your name, telephone number and [...] will be stored by us to answer your questions.

(3) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions, and are regularly monitored.

(4) Furthermore, we may pass on your personal data to third parties if we offer promotions, competitions, contracts or similar services together with partners. You will receive more information about this when you provide your personal data or below in the description of the offer.

(5) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you about the consequences of this circumstance in the description of the offer.

6.1 Teleradiology Upload Portal (JiveX Connect Upload)

(1) Via the upload portal (JiveX Connect), personal data, findings and image files can be transmitted to the KGU in the file formats .dicom or .pdf.

(2) When the upload portal website is called up, each access to the upload portal and each retrieval of a file stored on this website is logged. The storage serves internal system-related and statistical purposes. The following are logged: Name of the retrieved file, date and time of retrieval, amount of data transferred, notification of successful retrieval, web browser and requesting domain. In addition, the IP addresses of the requesting computers are logged.

(3) The above-mentioned data are collected by VISUS in order to enable a smooth connection setup as well as a comfortable use of the portal. In addition, VISUS uses the above-mentioned data to evaluate system security and stability.

(4) Furthermore, additional personal data is collected via the upload of data containing personal information (e.g., metadata in DICOM objects, PDF files with personal content, file names) or if the user of the website voluntarily enters data via the forms of the website (or does so via the settings of his browser).

(5) In accordance with the various purposes, the persons involved within the hospital have access to your images and data, which also includes, for example, all medical staff in other departments who participate in an interdisciplinary exchange or the administration, which carries out the accounting.

(6) Legal basis: The upload and processing of special categories of personal data, in particular health data, is based on Art. 9 (2) lit. a GDPR in conjunction with Art. 6 para. 1 lit. a GDPR.

(7) Archiving and deletion: Insofar as your transmitted images and findings serve your care or the care of your patient in the university hospital, selected images and findings will be transferred to the archive. This does not result in an archiving obligation for uploaded images and findings. The data accruing in this context will be deleted after storage is no longer necessary, or processing will be restricted if there are legal retention obligations. Legal regulations such as the X-ray Ordinance, the Radiation Protection Ordinance, the Pharmacy Operating Regulations or the Transfusion Act prescribe different retention periods. For liability reasons, your patient file is kept for up to 30 years. This follows from the fact that claims for damages asserted by patients against the hospital become statute-barred in 30 years at the latest pursuant to Section 199 (2) of the German Civil Code. On the part of the appointed processor and its appointed subcontractor, all personal data collected are automatically deleted after successful forwarding to the recipient (teleradiology of the University Hospital Frankfurt). If the data cannot be successfully forwarded to the recipient, the data will be automatically deleted from the systems after a maximum of 2 weeks. Non-personal data (statistics on transmission duration or size of upload, etc.) are deleted manually.

(8) Service provider: The upload portal is operated and provided by MedEcon Telemedizin GmbH, Gesundheitscampus-Süd 29, 44801 Bochum, Germany and its subcontractor VISUS Health IT GmbH, Gesundheitscampus-Süd 15-17, 44801 Bochum, Germany.

7. Third-party services
The legal basis for the use of locally deployed web analysis tools is Art. 6 para. 1 p. 1 lit. f GDPR, i.e., the protection of our legitimate interests in consideration of the interests of our website visitors. Our interest is the analysis of the use of our website by our website visitors, to improve our offer and to make it more interesting for you as a user. If the analysis tool used also serves other purposes or we use it for other interests, we will inform you about this directly in the explanations for the respective analysis tool. The legal basis for the use of third-party providers to perform web analytics is Art. 6 para. 1 p. 1 lit. a.

a) Google Maps

(1) On this website, we use the Google Maps service by displaying interactive maps directly on our website and enabling you to use the map function conveniently. The legal basis for the use of the plug-in is Art. 6 para. 1 p. 1 lit. a GDPR. Consent is given through your selection in the cookie banner.

(2) By visiting the website, Google receives the information that you have called up the corresponding sub-page of our website. This occurs regardless of whether Google provides a user account through which you are logged in or whether there is no user account. If you are logged in to Google, your data will be directly assigned to your account. If you do not want the assignment with your profile at Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

(3) For more information on the purpose and scope of data collection and its processing by the plug-in provider, please refer to the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland; http://www.google.de/intl/de/policies/privacy.

b) Google Web Fonts

(1) This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must connect to Google's servers. This enables Google to know that our website has been accessed via your IP address. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

(2) If your browser does not support web fonts, a standard font from your computer will be used. For more information on Google Web Fonts, please visit https://developers.google.com/fonts/faq/ and Google's privacy policy at: https://www.google.com/policies/privacy/.

8. Definitions

a) Personal Data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

c) Restriction of Processing
The marking of stored personal data with the aim of limiting their processing in the future.

d) Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

e) Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

f) Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

g) Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

h) Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes, in the form of a statement or other unambiguous affirmative act, by which the data subject signifies his or her agreement to personal data relating to him or her being processed.

As of: 28.04.2021