Privacy Policy

of
Personal MedSystems GmbH
Wilhelm-Leuschner-Straße 41
60329 Frankfurt am Main
Germany
As of: 18 May 2018

I. General Provisions on Data Protection at Personal MedSystems GmbH

We take the protection of your data very seriously and adhere strictly to the regulations of the data protection acts (including the EU General Data Protection Regulation).

1. Party Responsible

The party responsible in terms of data protection acts is Personal MedSystems GmbH, Wilhelm-Leuschner-Str. 41, 60329 Frankfurt am Main, Germany (hereinafter referred to as “PMS”), represented by Mr. Felix Brand (Managing Director) and Dr. Markus Riemenschneider (Managing Director).

Independent data protection officer: Mr. Dr. Sebastian Kraska, Institut für IT-Recht GmbH (IITR), Marienplatz 2, 80331 Munich, Germany; phone: +49 (0)89 18917360; e-mail: dpo-contact@iitr.de.

2. Right to Information

You shall have the right to information at all times about the type and scope of data stored by us concerning yourself, their origin, recipients and purpose of the storage. E-Mail: info@cardiosecur.com

3. Revocation of Consent

You may withdraw any consent you may have granted to the storage of your personal data and use thereof at any time for future effect. Your objection to the continued use of the data may lead to you no longer being able to receive the services purchased (e.g. app usage, user account, newsletter). Please note that if you are our client or user of our services, we shall be entitled to process your data for the purpose of executing the contract and for accounting purposes to the extent necessary, despite the revocation of your consent. Furthermore, we are obliged to comply with statutory record retention periods.

4. Anonymisation and Deletion of Data

We shall irreversibly anonymise your medical data 10 years after the business objective connected to that data ceases to exist (e.g. due to cancellation or revocation of your contract). Up until that point in time, your data will allow you to support any civil law claims you may raise against doctors. Furthermore, your data needs to be stored in case of any legal proceedings that may be brought against Personal MedSystems GmbH during this period.

In compliance with the legal storage periods, we are obliged to keep your personal data related to the execution of the contract for 10 years and to irretrievably delete these thereafter.

5. Miscellaneous

We point out that electronic data transmission (e.g. when communicating by e-mail) may have security loopholes. It is not possible to fully protect data from being accessed by third parties.

6. Right of Complaint

If you feel that we have not handled your data appropriately, you may exercise your statutory right to complain directly to the relevant regulating authority. In our case, this is the Data Security Official of Hesse, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany, e-mail: poststelle@datenschutz.hessen.de

II. Information on Data Protection when using PMS’s website

In general, the mere use of our website is possible without having to provide personal data. Insofar as personal data is collected on our pages, this provision shall always take place on a voluntary basis. As a matter of principle, this personal data shall not be forwarded to third parties. Exceptions to this principle shall only apply when required by law or if you have expressly agreed to such forwarding. In this regard, we refer to the chapters on “Cookies” and “Processing by Third Parties”.

1. Storage of Access Data

With any access to our website and with any retrieval of a file, access data about this process shall be stored in a log file on our provider’s server. Usage data, such as details about the beginning, end and scope of the use of certain telemedia services or traffic data in the event of e-mail services shall be collected, processed and used, insofar as this is necessary, to enable the utilisation of these services. The date and time, as well as the time zone of the beginning and end of use, the scope in bytes, the user’s IP address and the type of telemedia service or telecommunication service used, are usually collected.
This data is collected anonymously and it is technically impossible to assign it to specific persons. The data shall be deleted after statistical evaluation.

2. Optional Newsletter Registration

If you register for our newsletter, you provide us with your e-mail address and optional further information. We use this information exclusively to send you our newsletter. Your data is stored by us until you unsubscribe from our newsletter. You may unsubscribe at any point in time by clicking on the given link in any of our newsletters or by simply informing us (for the e-mail address, see impressum). By unsubscribing you revoke the usage of your e-mail address.

3. Services requiring Registration

If you wish to use our services provided by electronic means, then we shall require further information from you to render these services and for settlement purposes. These include, in particular, your name, e-mail address, address, telephone number, and so on. You shall disclose this data expressly on a voluntary basis. By sending your data, you agree that we may contact you by e-mail, post or telephone and collect, store and utilize your data in accordance with the respective purpose. The data shall only be forwarded to third parties, such as service providers (e.g. commissioned IT-service providers for our computing centre, companies assigned by us to handle invoicing the services you purchased with us, the financial institution that issues your credit card, logistics service companies commissioned by us to deliver your product) or cooperation partners, insofar as we have commissioned them to perform tasks according to the respective purpose. These third parties may not use the data for other purposes. Furthermore, they shall be obliged to treat the data in accordance with this Privacy Policy and the German data protection provisions, e.g. on order data processing § 28 EU General Data Protection Regulation (GDPR). No further forwarding of data to third parties shall occur.

4. Cookies

So-called cookies are used at several places on our websites. Cookies are small files of textual data sent to your computer and stored by your browser. The aim of the cookies we use is to perform service functions (e.g. for language settings) and to make them user-friendlier, more effective and safer.

You can set your browser to notify you when you receive a cookie and how long it remains in effect (e.g. session cookies may last only for the duration of your visit to our website, while long-term cookies retain your entries or actions on our website for a period of up to ninety days so that you need not repeat these entries when you revisit our website), enabling you to decide on a case-by-case basis whether you wish to accept them or whether you wish to rule them out altogether. Non-acceptance of cookies may lead to the limited functionality of our website or services.

5. Processing by Third Parties

Google Analytics:
Our website uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics utilizes so-called “cookies”, text files that are stored on your computer and allow your usage of the website to be analysed. The information generated by the cookies about your usage of this website is usually transferred to and stored on a server of Google in the USA. If IP-anonymisation is activated on this website, your IP-address will be shortened by Google within member countries of the European Community and the European Economic Area. Only in exceptional cases will your full IP-address be transferred to the Google server in the USA and then shortened there. On behalf of the owner of this website, Google will utilize this information in order to analyse your usage of this website, to put together reports on website activity and to perform services for the website proprietor that are related to website and Internet usage. Your IP-address that is transmitted by your browser to Google Analytics will not be linked to other Google data. You may prevent the storage of cookies by setting your browser accordingly. Please note that non-acceptance of cookies may lead to the limited functionality of the website. In addition, you may prevent the cookie from collecting data on your usage of the website (incl. your IP-address) and transferring it to Google and the dispersion by Google, by downloading and installing the browser plugin from the following link (tools.google.com/dlpage/gaoptout?hl=en). Further information on this can be found under tools.google.com/dlpage/gaoptout?hl=en or support.google.com/analytics/answer/6004245?hl=en (general information on Google Analytics and privacy protection). Please note that on this website Google Analytics was extended by the code “gat._anonymizeIp();”, in order to ensure anonymised collection of IP-addresses (so-called IP-masking) and eliminate direct reference to a person.
Especially for browsers on mobile devices, please click the following link (tools.google.com/dlpage/gaoptout?hl=en) to prevent the anonymous collection by Google Analytics on this website for your browser by means of a so-called “opt-out cookie” in the future.

Google AdWords Conversion Tracking:
This website uses Google AdWords Conversion Tracking, a web analytics service provided by Google Inc. (“Google”). Google AdWords Conversion Tracking also uses “cookies” stored on your computer that allow the use of the website to be analyzed. The information generated by the cookie about your use of this website is transmitted to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services related to website activity and internet usage. Google may also transfer this information to third parties if required by law or as far as third parties process this data on behalf of Google. Google will in no case connect the data with other data from Google. You can generally prevent the use of cookies by prohibiting the storage of cookies in your browser.

Facebook:
Our site contains remarketing tags of the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA. If you visit our website the remarketing tag will create a direct link between your browser and the Facebook server. Thereby Facebook will become aware of your visit to our website. This enables Facebook to allocate visits to our website to your user account. We may use the information gained thereby for advertisements with Facebook Ads. We would like to inform you that by offering the use of our website to you, we do not gain knowledge of the content of transferred data or on usage of that data by Facebook. You may find further information in the privacy policy of Facebook under: www.facebook.com/about/privacy/
Should you not wish any data storage via Facebook Custom Audience, you may deactivate Custom Audience at the following link: www.facebook.com/ads/website_custom_audiences/

Twitter:
Our websites use social plugins (“plugins”) from the social network Twitter, operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (“Twitter”). Twitter plugins can be identified with the bird symbol or with the letter “t”. When accessing one of our websites that contains such a plugin, your browser connects directly to Twitter’s servers. The plugin’s content is transmitted directly to your browser from Twitter from which it is integrated in the website. Through the integration of plugins, Twitter receives the information that you accessed our website. If you are logged in to Twitter at the same time during which you are using a plugin, Twitter can associate your visit with your Twitter account. When interacting with the plugins, for example when clicking on a “tweet” button, the corresponding information is transmitted directly to Twitter where it is saved. If you are not a member of Twitter or if you logged out of Twitter before visiting our website, the possibility still remains that Twitter learns and saves your IP address. For information about the purpose and scope of data collection, the further processing and use of data by Twitter and your rights and the settings you can configure to protect your privacy, please refer to Twitter’s Data Protection Notice: twitter.com/en/privacy.

If you are a member of Twitter and do not want Twitter to collect data about your visit to our website, which can be connected to your saved data by Twitter, you need to log out of Twitter before visiting our website and delete cookies. More information about cookies can be found under section “Cookies” of this document.

YouTube:
Our websites use plugins from the Google-run site YouTube. The operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA, 94066, USA. When you visit one of our sites with a YouTube plugin, a connection to YouTube’s servers is created. The YouTube server thereby learns which of our sites you have visited.

If you are logged in to your YouTube user account while accessing our site, you allow YouTube to allocate your surfing behaviour to your personal YouTube profile. You can prevent this by first logging out of your YouTube user account.

More information can be found under YouTube’s privacy policy:
www.google.com/intl/en/policies/privacy/.

III. Information on Protection for App Usage

Our CardioSecur app, when installed on your smartphone/tablet, does not require any particular permissions (e.g. access to GPS, photos, general profile data, etc.). Only when using the app may you, for example, opt to select and set contacts that you want to contact directly through the app (in such an instance the app will need access to your contacts).

If you resort to iTunes or iCloud to back-up your smartphone/tablet, local data stored in the CardioSecur app on your smartphone/tablet will be saved there. In such a case please see Apple’s latest provisions regarding data protection at www.apple.com/uk/privacy/privacy-policy/.

IV. Information on Data Protection of PMS’s Clients

We have taken technical and organisational measures in order to reliably protect the data we receive from you. Profound information and training of our staff and their compliance with data protection laws under § 5 GDPR as well as the general obligation for non-disclosure ensure that your data is treated confidentially. Our security measures further entail that when you contact us by phone, we will ask for proof of your identity.

In addition, we ask you to take all possible measures yourself to secure protection of your data while using the Internet. Make a habit of changing your password frequently. For your password, we recommend creating a combination of letters and digits. Please use a safe SSL-compatible browser when surfing on the Internet. Log out of computers that are not used by you exclusively. Do not make your password available to third parties.

For pages of our website, which require personal information, e.g. in section “My Account”, we resort to the standard SSL (Secure Socket Layer) in order to encrypt your data. With SSL your data is obscured to such an extent before transfer to our server that it is not reconcilable by third parties. With this method, your payment data for transactions via the Internet is secured.

Technical data regarding security

Encryption with SSL-certificates for sensitive data transfers. Protection of servers: our servers are protected by firewall systems against attacks. An internal security system and an elaborate authorisation concept ensure that sensitive data is only accessible for the purpose of contract execution and to specifically designated people (e.g. medical data to a doctor, accounting data to the accounting department etc.).

1. Handling of Client and Patient Data

Access to the client or patient data is regulated in such a way that the smallest possible group of persons (including the Physician selected by the client) gains access to both the patient’s identity and, simultaneously, his medical data. Access is ensured by respective password protection.

The following data types are collected and processed within the execution of the contract:

• Contact data: name, address, telephone number, e-mail, gender, etc.
• Measurement date: date and time of ECG measurements.
• Medical data: raw data of ECG measurements and automatic evaluation, as well as other health data optionally provided by you.

The PMS representative who handles client data has a special position of trust and deals with customer transactions relating to technical questions on ECG measurements. All other customer advisors shall not view any medical data or results, but view only the date and time of an ECG measurement.

Important advice:

By consenting to this data privacy statement and by providing medical data of his own free will, the client (in regard to Personal MedSystems GmbH) or, as the case may be, the patient (in regard to the selected physician) stipulates expressly that the selected circle of people, as defined above, is allowed to access the personal and medical data.

By registering a physician account, doctors consent to treat personal and medical data that is made available to them under doctor-patient confidentiality and as the case may be the data privacy laws provided in the GDPR.

Clients or patients shall only obtain access to their user account (hereinafter referred to as “UA”) in the following ways:

• via internet or the app using a password with at least 6 characters, consisting of letters and digits. If the client forgets the password, it may be reset by entering the user name. The client shall then receive a link via e-mail to the e-mail address stated in the UA, enabling the client to enter a new password within 24 hours and retain access to the UA. The password shall not be visible to PMS’s Customer Service (hereinafter referred to as “CS”) and may not serve as identification in the event of telephone enquiries.

• via telephone by means of proof of the client’s identity. In this case, CS can view the client’s personal data, inform the client about it and change data at the client’s request. Furthermore, CS can reset the password (see above for further details).

• via post by sending an informal letter in written form and a copy of the personal ID card. In this letter, the client may request a printout of his personal and medical data (if he expressly gives his consent to this in his letter) and communicate any personal data that may have changed. In addition, the client can ask for his password to be reset (see above for further details).

2. Invoicing, Collection of Claims

If we commission lawyers’ offices and/or collection agencies to collect our claims, the data required for balancing accounts with the client shall be submitted to them insofar as this is necessary for collecting the claims and for issuing a detailed invoice. The third party is obliged to observe data protection regulations. The same shall apply insofar as we commission any other service provider we use for meeting contractual services to e.g. issue invoices, handle payment transactions and collect claims.

3. Logistics

We commission third parties for logistical handling of your order (e.g. DHL, Deutsche Post). We submit the necessary data from your order to the designated third party exclusively for such purpose. This third party is obliged to handle your data in compliance with applicable data protection laws.

4. Newsletter Addressing of Existing Customers

In addition, we use your e-mail address, which we receive in connection with the sale of a good or service, exclusively for direct mail via our newsletter for similar goods or services, as the ones ordered by you, unless you have objected to this use. You may object to the use of your e-mail address at any time without incurring any costs other than the base rate transmission costs. Your objection (and thus the cancellation of our newsletter) can be exercised by sending an appropriate message to our e-mail address (see impressum).

5. No further Data Processing

The client’s data shall only be stored as long as necessary within the framework of the contractual agreement with the client and in accordance with applicable law.
Beyond that, we shall neither collect nor process any data. Above all, we shall not use the client’s data for marketing or advertising purposes or forward them to third parties for this purpose without the client’s effective consent.

V. Information on Data Protection of Participating Physicians

We may collect, store and process the data of participating physicians in accordance with data protection regulations insofar as this is necessary for the establishment, amendment and execution of the contract or billing for it. In concrete terms, physicians’ data are collected, stored and processed as follows:

1. Data Processing for Contractual Purposes, Forwarding Data

Physicians’ inventory data and further information concerning the physician himself and his user behaviour (connection data) (e.g. time, number and duration of connections, access passwords, uploads and downloads), are collected, stored and processed by us insofar as this is necessary to fulfil the contractual purpose.

We shall not forward the physician’s data to third parties without his consent unless we are legally obliged or entitled to do so.

2. Use of Inventory Data for other Purposes, Physician’s Declaration of Consent

Irrespective of our statutory authority to collect, store and process data, the physician agrees that we may also use his inventory data as well as his anonymized data on user intensity (e.g. number of readings, number of patients) exclusively for our own advisory, advertising and market research purposes and for the adequate provision of our services. The physician can revoke such a use of his data at any time for future effect.