I. Name and address of the data controller
The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the:
Deutsche Krankenhaus TrustCenter und Informationsverarbeitung GmbH (DKTIG) (German Hospital TrustCenter and Data Processing Ltd)
Managing Director: Rene Schubert MBA (Univ. of Applied Sci.)
Dr Stephan Helm (Chairman), Managing Director Krankenhausgesellschaft Sachsen e. V. (Saxony Hospital Association)
Georg Baum (Deputy Chairman), Chief Managing Director Deutsche Krankenhausgesellschaft e. V. (The German Hospital Federation)
Ingo Morell, Managing Director Gemeinnützige Gesellschaft der Franziskanerinnen zu Olpe mbH (GFO) (The Charitable Society of the Franciscan Sisters of Olpe, Germany)
Siegfried Hasenbein, Managing Director Bayerische Krankenhausgesellschaft e. V. (Bavarian Hospital Association)
Dr Jens-Uwe Schreck, Managing Director Landeskrankenhausgesellschaft Brandenburg e. V. (Brandenburg Regional Hospital Association)
Phone: +49 341 308951-0
Fax: +49 341 308951-25
II. Name and address of the data protection officer
Lawyer Jan Marschner; LL.M.
Phone: +49 341 26 18 93 73
Fax: +49 341 26 18 93 74
III. General information about data processing
1. Scope of personal data processing
We collect and use personal data of our users only to the extent necessary for the provision of a functional website and our contents and services. The collection and use of the personal data of our users takes place on a regular basis, but only with the consent of the user.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
For the processing of personal data necessary for the fulfilment of a contract, to which the data subject is a party, Art. 6 para. 1(b) GDPR serves as the legal basis. This also applies to processing operations that are required, in order to carry out pre-contractual measures.
Insofar as a processing of personal data is required to fulfil a legal obligation, to which our company is subject, Art. 6 para. 1(c), GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1(d) GDPR serves as the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first-mentioned interest, Art. 6 para. 1(f) GDPR serves as the legal basis for processing.
3. Data retention period and data erasure
Personal data of the data subject will be erased or blocked as soon as the purpose for its storage is no longer applicable. Data may be retained beyond that, if laid down by the European or national legislator in EU regulations, laws or other provisions, to which the data controller is subject. A blockage or erasure of data also takes place when the retention period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for conclusion or fulfilment of the contract.
4. Transfer of personal data
We will transfer your data to service providers that we use to efficiently fulfil our contract with you or to fulfil our contractual obligations. Unless explicitly stated otherwise below, the service providers involve e-mail and web hosting providers for communication via e-mail and the website.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the visiting computer. The following data are collected here:
- Information about the browser type and version used
- The operating system of the user
- The internet service provider of the user
- The IP address of the user
- Date and time of access
- Websites, from which the system of the user has reached our website
- Websites that are accessed by the user's system through our website
The data are also stored in the log files of our system. Not affected by this are the IP addresses of the user or other data that allow the allocation of the data to a user. Storage of this data together with other personal data of the user does not take place.
2. Legal basis for data processing
The legal basis for the temporary storage of data is Art. 6 para. 1(f) GDPR.
Purpose of data processing
Temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. For this purpose, the user's IP address must be stored for the duration of the session.
This purpose also constitutes our legitimate interest in the processing of data according to Art. 6 para. 1(f) GDPR.
3. Data retention period
Data will be erased as soon as they are no longer necessary for the purpose for which they were collected. In the case of data collection for the provision of the website, this is the case when the respective session has been terminated
4. Appeal and removal procedures
Collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Accordingly, there is no possibility to appeal against it on the part of the user.
(1) Description and scope of data processing
(2) Legal basis for data processing
The legal basis for processing personal data using cookies is provided by Art. 6 para. 1(f) GDPR.
(3) Purpose of data processing
This purpose also constitutes our legitimate interest in the processing of personal data according to Art. 6 para. 1(f) GDPR.
(4) Duration of storage, appeal and removal options
VI. Rights of the subject concerned
If your personal data is processed, you are regarded as the subject concerned within the meaning of the GDPR and have the following rights vis-à-vis the data controller:
Right to information
You may ask the data controller to confirm whether personal data concerning you are processed by us.
If such processing exists, you may request the following information from the data controller:
- the purposes, for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or categories of recipients, to whom your personal data have been disclosed or are still being disclosed;
- the planned duration of storage of your personal data or, if specific information regarding this cannot be given, criteria for determining the duration of storage;
- the existence of a right to rectify or erase your personal data, a right to restrict the processing by the data controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information on the source of the data, if the personal data are not collected from the data subject;
- the existence of automated decision-making, including profiling, pursuant to Article 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
You have the right to request information about whether your personal information is transmitted to a third country or to an international organization. In this context, you may request to be informed about the appropriate guarantees with regard to the transmission in accordance with. Art. 46 GDPR.
Right to rectification
You have a right against the data controller regarding the rectification and/or completion of your personal data, if its processing is incorrect or incomplete. The data controller must carry out the correction without delay.
Right to restriction of processing
You may request that the processing of your personal data is restricted under the following conditions:
- if you contest the accuracy of your personal data for a period of time that enables the data controller to verify the accuracy of your personal data;
- if the processing is unlawful and you decline the erasure of the personal data and instead request the restriction of the use of the personal data;
- if the data controller no longer requires the personal data for the purposes of processing, but requires them to assert, exercise or defend legal claims, or
- if you objected to the processing in accordance with Art. 21 para. 1 GDPR and it is not yet certain whether the justifiable grounds of the data controller prevail over your grounds.
If the processing of your personal data has been restricted, this data may only be processed – with the exception of storage – with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the EU or a Member State.
If processing has been restricted in accordance with the above conditions, the data controller will inform you before the restriction is lifted.
Right to erasure
a. Obligation to erase data
You may demand that the data controller erases your personal data without delay. The data controller must then erase that data immediately, provided that one of the following reasons is applicable:
- Your personal data are no longer necessary for the purposes, for which they were collected or otherwise processed.
- You revoke your consent to the processing in accordance with Art. 6 para. 1(a) or Art. 9 para. 2(a) GDPR, and no other legal basis for processing exists.
- You file an objection to the processing of your data in accordance with Art. 21 para. 1 GDPR and no overriding justifiable grounds for processing exist or you file an objection to the processing in accordance with Art. 21 para. 2 GDPR.
- Your personal data has been processed unlawfully.
- The erasure of your personal data is required to fulfil a legal obligation under EU law or the law of the Member States, to which the data controller is subject.
- Your personal data were collected in relation to the provision of the information society services in accordance with Art. 8 para. 1 GDPR.
b. Information to third parties
If the data controller has made your personal data public and is obligated to erase them in accordance with Art. 17 para. 1 GDPR, the data controller must, under consideration of the available technology and implementation costs, take appropriate measures, including those of a technical nature, to inform the processors of personal data that you, as the affected person, have requested that they erase all links to such personal data or copies or replications of such personal data.
The right to erasure is not applicable, if processing is necessary:
- to exercise the right to freedom of expression and information;
- to fulfil a legal obligation requiring that processing in accordance with the law of the EU or the Member States to which the data controller is subject, or to carry out a task of public interest or for the execution of official authority, which was conferred to the data controller;
- for reasons of public interest in the field of public health pursuant to Art. 9 para. 2(h and i) and Art. 9 para. 3 GDPR;
- for archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, to the extent that the law referred to in subparagraph a) is likely to be rendered impossible or seriously affects the realisation of the objectives of that processing, or
- to assert, exercise or defend legal claims.
Right to information
If you have asserted the right of rectification, erasure or restriction of processing of your data vis-à-vis the data controller, he/she is obliged to notify all recipients, to whom your personal data have been disclosed, of this rectification or erasure of the data or of the restriction to its processing, unless this proves to be impossible or involves a disproportionate effort.
You have a right vis-à-vis the data controller to be informed about these recipients.
Right to data portability
You have the right to receive the personal data you provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another data controller without hindrance by the data controller, to whom the personal data were provided, provided that
- the processing is based on a consent in accordance with Art. 6 para. 1(a) GDPR or Art. 9 para. 2(a) GDPR or on a contract in accordance with Art. 6 para. 1(b) GDPR and
- the processing is done using automated procedures.
In exercising this right, you also have the right to effect that your personal data are transmitted directly from one data controller to another data controller, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected by this.
The right to data portability does not apply to the processing of personal data that are necessary for the performance of a task in the public interest or in the execution of official authority, which was conferred to the data controller.
Right of objection
You have the right to object at any time, for reasons that arise from your particular situation, against the processing of your personal data in accordance to Art. 6 para. 1(e or f) GDPR; this also applies to profiling based on these provisions.
The data controller will no longer process your personal data unless he/she can demonstrate compelling, legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If your personal data are processed for direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, your personal data will no longer be processed for these purposes.
Notwithstanding Directive 2002/58/EC, you have the option, in the context of the use of the information society services, of exercising your right to object through automated procedures that use technical specifications.
Right to revoke the data protection consent declaration
You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent up to the revocation.
Automated decision on an individual basis including profiling
You have the right to not be subjected to a decision based solely on automated processing – including profiling – that has a legal effect on you or that compromises you to a similarly considerable degree. This does not apply if the decision
- is required for the conclusion or fulfilment of a contract between you and the data controller,
- is permissible based on EU or Member State legislation, to which the data controller is subject, and that legislation contains adequate measures to safeguard your rights and freedoms and your legitimate interests, or
- takes place with your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 (a or g) GDPR applies, and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.
With regard to the cases referred to in (1) and (3), the data controller shall take appropriate measures to uphold the rights and freedoms and your legitimate interests, including at least the right to effect the intervention of a person on the part of the data controller, to express one’s own viewpoint and to appeal the decision.
Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority, in particular in the Member State of your residence, your place of employment or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority, to which the complaint has been submitted, shall inform the complainant of the status and outcomes of the complaint, including the possibility of a legal remedy pursuant to Article 78 GDPR.