Data protection

 

Data Protection Information

The processing of personal data by Charité Healthcare Services GmbH (CHS) is always carried out in accordance with the General Data Protection Regulation (GDPR) and all country-specific data protection regulations applicable to CHS.

This data protection statement has the aim of informing the public with regard to the type, scope and purpose of the personal data collected, applied and processed by us. Additionally, this statement aims to inform the public of their rights as a data subject.

The specific type of data that will be processed, and the manner in which it is used, is dependent on the services requested and/or the agreed provision of services. Please take note of the information most relevant to you.

Who is responsible for data processing and who can I contact?
Responsible for all issues relating to the General Data Protection Regulation, data protection regulations in other European Union member states, and other regulations relating to data protection is:

Charité Healthcare Services GmbH
Bundesallee 39-40a
10717 Berlin Germany
E-Mail: chs(at)charite.de
Tel: +49(30)450-578217

You may contact our Internal Data Protection officer at:

HiSolutions AG
Bouchestr. 12
12435 Berlin
Germany

Herr René Mario Meßinger
messinger(at)hisolutions.com

Herr Sebastian Lammel
lammel(at)hisolutions.com

Responsible Governmental Data Protection Authority:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
Puttkamerstr. 16 -18 (5.Etage)
10969 Berlin
Telephone: 030/ 13889 0
Telefax: 030/ 215 5050

All data subjects are invited to contact our Internal Data Protection Officer at any time with questions or queries relating to data protection.

General: Definition of Terms

Our data protection statement invokes the terms applied by the European regulatory bodies during the implementation of the General Data Protection Regulation (GDPR). To ensure that this document is as easy as possible to understand, we would like to define the following terms below:

a) Personal Data
Personal data is any type of data related to a natural person (hereafter referred to as “the data subject”) that can be used directly or indirectly to identify the person. A data subject would be deemed, directly or indirectly, identifiable through such details as name, identification number, location information, online identification data or one or more specific characteristics that relate to the physical, physiological, genetic, psychological, economic, cultural or social identity of the data subject.

b) Data Subject
The data subject is any natural person who has been identified or deemed identifiable, whose personal data can be processed by a controller or processor.

c) Processing
Processing is any operation performed on personal data, regardless whether it is by manual or automated means, such as collection, recording, organization, sorting, storage, adjustment or altering, selection, retrieval, usage, disclosure by transfer, dissemination or other form of deployment, comparing or linking, as well as the restriction of processing, and deletion or destruction.

d) Right to restriction of processing
restriction of processing or the labeling of personal data with the aim of restricting future usage.

e) Profiling
Profiling is defined as every type of automated processing of personal data by which personal data is used to analyze or predict certain aspects of a data subject’s behavior, such as work performance, economic situation, health, personal preferences, interests, dependability, behavior, location or change of location.

f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a way that it is deemed no longer attributable to any single data subject without the use of additional data – but only when said data is stored separately and is subject to technical and organizational measures that ensure the non-attribution of the personal data to a identified or identifiable data subject.

g) Controller
A controller is the natural or legal person, public authority agency or other body who has power of decision, whether alone or in cooperation with others, over the purpose and method of processing personal data. If the purpose and method of the processing is enshrined in European Union Law or the statutes of the member states, the controller or specific criteria for nomination can be provided for by the European Union or member states.

h) Processor
The processor is the natural or legal person, public authority, agency or other body who is designated to process data on behalf of the controller.

i) Recipient
The recipient is a natural or legal person, public authority, agency or other body to whom the personal data is disclosed, regardless whether a third party or not. Public authorities who may receive access to personal data, in accordance with European Union law or the statutes of the member states, as part of a particular inquiry, shall not be deemed recipients.

j) Third Party
Third party means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor or other person, under the direct authority of the controller, that has been granted authorization to process personal data.

k) Consent
Consent refers to any freely issued, specific and unambiguous indication that states the data subject’s wishes in a clear and unequivocal way by signifying agreement to the processing of personal data relating to the individual data subject.

Which sources and data do we use?
We process personal data that we have collected from our clients during the business relationship.
Relevant personal data in the prospect process, in the master data set-up as well as in the context of authorization or person/parties entitled to dispose, could be:

  • Basic personal data (name, address, date of birth, nationality, gender or marital status).
  • Data for legitimation (e.g. identification information) and authentication data (e.g. a sample signature).

In the event of the use of services, further personal data, different to that mentioned above, may be collected, processed and stored. This encompasses primarily:

  • Any kind of health-related data, including findings and medical reports.
  • Data required for the fulfillment of contractual stipulations (e.g. payment data)
  • Documentation data (e.g. statement of suitability, minutes of conversation)
  • During the start-up phase and during the business relationship, in particular through personal, telephone or written contacts initiated by you or CHS, further personal data, information relating to the channel of contact, reason and result and (digital) copies of all correspondence will be collected.

Why do we process your information (purpose of processing) and what is the legal basis?
We process all personal information in accordance with the stipulations stated in the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG in German).

a) Fulfillment of contractual obligations (Article 6 (1b) GDPR)
The processing of data is necessary for the provision of services in accordance with the contract agreements with our patients and prospective clients and other contracting entities or contractual partners (uniformly referred to as “Patients”) or the execution of requested pre-contractual measures. The purpose of data processing is aimed at specific services provided and may include analysis and consulting, among other things. All other information regarding the purposes of data processing can be found in the respective contract or terms and conditions.
Nr. 1 b. BDSG. As part of our provision of services, we can additionally request and process other specific categories of data in accordance with Art. 9(1) GDPR, in particular information relating to the health of the patient, including information regarding their sex life and sexual orientation, if deemed necessary. If necessary, we shall obtain an unambiguous letter of explicit consent from the patient, in accordance with Art. 7, Art. 9(2) lit. a. GDPR and process the specific category data for the purpose of preventive healthcare in accordance with Art. 9(2) lit h. GDPR, § 22 (1).

b) For the purpose of legitimate interests (Art. 6(1f) GDPR)
If deemed necessary, we will process your data beyond the contractual purpose to safeguard our justified interests or those of a third party. This may include:

  • The safeguarding of IT safety and IT operations at CHS
  • Detection and investigation of criminal offences
  • Measures to exercise domiciliary rights (e.g. CCTV monitoring)

Measures for business management and the further development of services and products

  • Marketing purposes (e.g. advertisement or market and opinion reach) or
  • The assertion of legal claim and of the establishment of a legal defence.

c) Based on your consent (Art. 6(1a) GDPR)
After receiving your consent to the processing of data for specific purposes (e.g. transfer of data, photography during events, newsletter delivery) the processing is deemed lawful on the basis of your consent. Given consent can be withdrawn at any time. This also applies to consent given to us before the enactment of the GDPR, meaning before the 25th of May 2018. The withdrawal of consent only applies to future processing and the legality of data processed before the withdrawal of consent remains unaffected.

Who will receive my data?
Within CHS all staff deemed necessary for the fulfillment of our contractual obligations and legal compliance have access to your data. In addition, service providers and agents contracted by us may be given access to data for this purpose and only when they comply with applicable data protection laws. For example, this can be companies in the fields of IT services, logistics, print services, telecommunications, debt collection and consulting.

With regard to the transfer of data to recipients outside of CHS, it should be noted that CHS is bound to confidentiality when dealing with client-related issues and assessments of which we have gained knowledge. Client information can also be passed on when the legal framework allows for this, the client has given previous consent or we are authorized to pass on such information.
In these circumstances, the recipients of personal data could be the following:

  • The Charité - Universitätsmedizin Berlin and other companies in the Charité group of companies to whom we will transfer your personal data in the scope of fulfilling our business relationship (depending on the type of contract)
  • Public bodies and institutions (e.g. public authorities or the courts) if a legal or official obligation exists.
  • Creditor or insolvency administrator who requests information as part of enforcement proceedings.
  • A service provider whom we contract to enable compliance with contractual obligations.

Other possible recipients are bodies where you have previously consented to the transfer of information or you have contractually or via written consent exempted us of our confidentiality agreement. We may also transfer personal data for the purpose of legitimate interests.

Will data be transferred to third countries or international organizations?
Data transfer to states outside of the European Union (third countries) will only take place in the following circumstances:

  • It is necessary to properly provide your contracted services
  • It is a legal requirement
  • You have given us your consent

We do not contract service providers in third countries. In the event that third country service providers are contracted then the contract with the providers will include standard European Union clauses for compliance with European standard data protection regulations.

With the consent of the data subject or due to legal rules governing money laundering, terrorism financing or other illegal acts as well as for the purpose of legitimate interests, in individual cases personal data (e.g. legitimation data) will be transferred to the European Union in accordance with all applicable data protection legislation.

How long will my data be stored?
Your personal data will be processed for as long as this is deemed necessary for the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation which will operate over a period of years.

If the data is deemed no longer necessary for the contractual purposes or to fulfil legal regulations, then the affected data will be deleted regularly.

What data protection rights do I have?
a) Right to Confirmation
Every data subject, in line with European Union directive and regulatory law, has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data. The data subject can contact the controller at a time of their choosing to make use of this right.

b) Right to Information
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing of the data;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data has been or will be transferred, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data is due to be stored, or, if not possible, the criteria used to determine what the period will be;
  • the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data, relating to the data subject, or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • If personal data is not collected from the data subject, any available information as to the source of the data.
  • the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) and, at least in those cases, suitable information regarding the logic involved, as well as the significance and the possible consequences of this type of processing for the data subject.
  • If personal data is transferred to a third country or to an international organization, the data subject retains the right to be informed of the appropriate safeguards in accordance with Art. 46 relating to the transfer.
  • The data subject can contact the controller at a time of their choosing to make use of this right.

c) Right to Rectification
The data subject retains the right to obtain from the controller without unjustified delay the rectification of inaccurate personal data relating to the above-mentioned data subject. Taking into account the purposes of the processing, the data subject shall retain the right to have incomplete personal data completed, including by means of having the opportunity to provide a supplementary statement.
The data subject can contact the controller at a time of their choosing to make use of this right.

d) Right to Erasure (Right to be Forgotten)
The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without unjustified delay and the controller is obligated to erase personal data without unjustified delay in the vent that one of the following grounds applies:

  • The personal data is deemed no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject withdraws consent on which the processing is based in accordance with (a) of Art. 6(1), or (a) of Art. 9(2), and where there is further legally justifiable reason for the processing to continue.
  • The data subject issues an objection to the processing in accordance with Art. 21(1) and there are no superseding legitimate grounds to continue with processing, or the data subject objects to the continuation of processing in accordance with Art. 21(2).
  • Unlawful processing of the personal data.

The personal data must be erased to comply with a legal obligation under European Union or Member State law that is applicable to the controller.

  • The personal data was collected in relation to the offer of information society services referred to in Art. 8(1).

In the event that the above-mentioned grounds apply and the data subject wishes to erase personal data that has been stored with us, the data subject can contact the controller at a time of their choosing to make use of this right. Our employees shall then initiate the erasure process without delay.
In the event that personal data has been made public and is obligated in accordance with Art. 17 (1) to erase all personal data, the controller, taking into account the technology available and the cost of implementation, shall take all necessary steps, including technical measures, to inform the respective controllers responsible for processing the personal data that the data subject has requested the erasure by the responsible controllers as well as any links to, or copy or replication of, that personal data. In each case our employees shall initiate all necessary steps to carry out erasure of the data.

e) Right to Restriction of Processing
The data subject has the right to obtain restriction of processing from the controller in the event that one of the following grounds is applicable:

  • The data subject is contesting the accuracy of the personal data, and the controller is granted a suitable period of time to verify the accuracy of the personal data.
  • The processing has been deemed unlawful and the data subject objects to the erasure of the personal data and requests a restriction of use in its place.
  • The controller has deemed the personal data no longer necessary for the purpose for which it was originally collected, but the data subject requires the data for the establishment, exercise or defense of a legal claim.
  • The data subject has objected to further processing in accordance with Art. 21(1) pending the final confirmation as to whether or not the legitimate grounds named by the controller supersede those of the data subject.

In the event that the above-mentioned grounds apply and the data subject wishes to make use of their right of restriction of processing the data stored by us, the data subject can contact the controller at a time of their choosing to make use of this right. Our employees shall then initiate the restriction of processing without delay.

f) Right to Data Portability
The data subject retains the right to receive the personal data relating to him or her, which he or she has provided to a controller, in a structured and commonly machine-readable format and retains the right to transmit that data to another controller without the original controller to whom the data had previously been transmitted raising objection and where the processing is legally based on the data subject’s consent in accordance with Art. 6(1) or (a) of Art. 9(2) or on a legal contractual agreement in accordance with (b) of Art. 6(1); and the processing is carried out by automated means.

In making use of his or her right to data portability in accordance with Art. 20(1), the data subject retains the right to have the personal data transmitted directly from one controller to another, wherever considered within the realm of technically feasibility.

The data subject can contact the controller at a time of their choosing to make use of his or her right of data portability.

g) Right to Object
The data subject retains the right to object, on grounds relating to their particular situation, to the processing of personal data at any time in accordance with Art. 6(1) (e) and (f) . This section can also be applied in the event of objection to profiling. In the event of objection, we shall no longer process the personal data unless it is demonstrated that there are compelling legitimate grounds to continue with the processing that supersede the interests, rights and freedoms of the data subject of if they are deemed necessary for the establishment, exercise or defense of a legal claims. In the event that personal data is processed for the purpose of direct marketing, the data subject retains the right to voice an objection, at any time, to the continued processing of personal data directly relating to the data subject for such marketing, this also includes profiling to the extent where the profiling is also related to such direct marketing. In the event that the data subject objects to continued processing of her or her personal data for direct marketing purposes, we shall no longer use the personal data for such purposes.

The data subject can contact the controller at a time of their choosing to make use of this right. Notwithstanding Directive 2002/58/EC and in relation to the use of services provided by the information society, the data subject can make use of his or her right of objection by automated means using technical specifications.

h) Automated Decision Making, Including Profiling
Each data subject affected by data processing has, in line with European Union directive and regulatory law, the right not to be subjected to a decision based on the automated processing of data, including profiling, which leads to legal effect relating to him or her or has a similarly significant effect on him or her, provided the decision:

  • Is deemed necessary to enable the entering into a contract between the data subject and a data controller
  • Has been authorized by Union or Member State law, which is applicable to the controller, and which contains suitable legal safeguards to ensure the data subject's rights and freedoms and legitimate interests remain unaffected
  • Is based on the data subject’s explicit and unambiguous consent

If the decision is:

  • Deemed necessary for the fulfillment of a contractual agreement between the data subject and the controller

If the data subject issues his or her explicit consent, then we shall implement all necessary measures to safeguard the data subject's rights and freedoms and legitimate interests, while retaining the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision if necessary.

The data subject can contact the controller at a time of their choosing to make use of this right relating to automated decision making including, including profiling.

i) The Right to Withdrawal of Consent
Each data subject affected by data processing has, in line with European Union directive and regulatory law, the right to withdraw previously given consent to allow data processing at any time.
The data subject can contact the controller at a time of their choosing to make use of this right to withdrawal of consent.
Any previous issued consent regarding the processing of personal data can be withdrawn at any time. This also applies to consent issued before the implementation of GDPR, so before May 25, 2018. Please note that withdraw of consent only pertains to future processing of data. All processing which has taken place before that receipt of the withdrawal of consent is unaffected.

j) Right to Lodge a Complaint with a Supervisory Authority
The data subject retains the right to lodge a complaint with a supervisory authority, especially in the member state of their place of residence, place of work or the place of the suspected violation, when the data subject suspects that the processing of their data has been unlawful.

Am I legally obligated to provide data?
As part of our business relationship you are obliged to provide data that is deemed necessary for the admission, completion and ending of our business relationship and the fulfillment of all related contractual obligations or for the collection of data to which we are legally bound. Without access to this data, we will be unable to enter into, fulfill and end a contractual agreement with you.

We are legally obligated, before entering into a business agreement, in accordance with laws to prevent money laundering, to verify your identification using your official identification document as well as record your name, place of birth, date of birth, nationality, address and identification details. To allow us to comply with all applicable money laundering laws, you are obligated to immediately inform us of any changes to the relevant data. If you do not provide us with said information, then we are unable to enter into or proceed with a business relationship.

To what extent is automated decision-making technology used?
In principle, we do not initiate and/or fulfill business relationships using automated decision-making technology in accordance with Art. 22. If we decide to make use of this technology in your particular case, then we will inform you in advance and also inform you of your rights in this case – if required to do so by law.

Is profiling used?
We do not carry out automated analysis of your data with the aim of obtain information pertaining to certain personal traits.
Information on your right to withdraw consent in accordance with Art. 21 GDPR

a) Right to Object on a Case-by-Case Basis
The data subject retains the right to object, on grounds stemming from his or her particular situation, at any time to the processing of personal data relating to said data subject in accordance with (e) or (f) of Art. 6(1), and including profiling based on those provisions. The controller will halt processing of the personal data unless they can demonstrate a compelling legitimate ground for the continued processing that supersedes the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

b) Right to Object to the Processing of Data for Purposes of Direct Marketing
In individual cases we may process your personal data for direct marketing purposes. The data subject retains the right to object at any time to the processing of personal data for the purpose of direct marketing. If you object to the processing for direct marketing, then we will no longer process your personal data for this purpose. An informally drafted objection can be submitted to the above-mentioned address with the subject line: “Objection”.

Data Processing on the Website
CHS also processes personal data on its website. The following information provides an overview of this type of personal data collected by us and the respective data protection laws.

Link to Internet Data Protection Statement

Further Information
If you require further information that is not contained in the above, or if you would like more information on a certain aspect, please contact our data protection officer.

Contact

Charité Healthcare Services GmbH
Bundesallee 39 – 40a | 10717 Berlin

Charité International Healthcare
Visiting hours:
9 am - 3 pm (Mo - Fr)

Phone: +49 30 450 578 244
8 am -  5 pm (Mo - Fr)

Telefax: +49 30 450 757 8244

E-Mail
Contact form