Privacy policy
Information relating to our health is extremely sensitive data. As such, it must be protected with the utmost care. Respect for privacy is a fundamental right and one of our core values. 300plus GmbH is committed to complying with national and European regulations on the protection of personal data and in particular the General Data Protection Regulation (“GDPR”). From the outset, we have been committed to protecting all data of patients, healthcare professionals and facilities that use our services. We have a dedicated team of technical and legal experts in security and data protection based in Berlin. Personal data (including health data) of patients is hosted by a physical infrastructure and managed services provider certified to European data protection standards. The data is stored in Germany (Frankfurt and Nuremberg) with an approved hosting provider. Our hosting providers are also certified according to the most important international standards, including ISO/IEC 27001, and are audited annually by an independent body. Their data centers have 24/7 (around the clock) security standards that are among the most advanced in the world.
Due to the requirements of the European General Data Protection Regulation (hereinafter “GDPR”), we are obliged to inform you comprehensively about the processing of your personal data in the context of the implementation of the documentation software. We would like to provide you with the necessary information below.
If you have any further questions about the processing of your personal data, please do not hesitate to contact our data protection officer at any time (see A. IV of the following data protection information).
Table of contents:
- General information
- Important terms
- Scope of application
- Controller
- Data protection officer
- The data processing in detail
- General information on data processing
- Accessing our services
- Documentation software: Practitioners
- Documentation software: Patients
- Contact and feedback
- Rights of data subjects
- Right of objection
- Right to information
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint
- General information
In this section of the privacy policy, you will find information on the scope of application, the data controller, its data protection officer and data security. We also explain in advance the meaning of important terms used in the privacy policy.
- Important terms
- Browser: Computer program for displaying websites (e.g. Chrome, Firefox, Safari)
- Cookies: Text files that are placed on the user’s computer by the web server accessed via the browser used. The stored cookie information may contain both an identifier (cookie ID), which is used to recognize the user, and content information such as login status or information about websites visited. The browser sends the cookie information back to the web server on subsequent, new visits to this page with each request. Most browsers accept cookies automatically. You can manage cookies using the browser functions (usually under “Options” or “Settings”). This allows the storage of cookies to be deactivated, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.
- Third countries: Third countries are countries outside the European Union (“EU”) or the European Economic Area (“EEA”).
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Services: Our offers to which this privacy policy applies (see scope of application).
- Tracking: The collection of data and its evaluation regarding the behavior of visitors to our services.
- Tracking technologies: Tracking can take place both via the activity logs stored on our web servers (log files) and by means of data collection from your end device via pixels, cookies and similar tracking technologies.
- Pixel: Pixels are also known as tracking pixels, web beacons or web bugs. These are small, invisible graphics in HTML emails or on websites. When a document is opened, this small image is downloaded from a server on the Internet and the download is registered there. This allows the server operator to see if and when an email has been opened or a website visited. This function is usually implemented by calling up a small program (JavaScript). In this way, certain types of information can be recognized and passed on to your computer system, such as the content of cookies, the time and date of the page view and a description of the page on which the tracking pixel is located.
- Scope of application
This privacy policy applies to the following services:
- Our online service “Dr. Notes”, available at drnotes.app
- Our online offer, app in the App Store (Android and Apple)
- Dr. Notes Chatbot
- Data controller
Responsible for the processing of your personal data in the context of service provision is
Christian Kloewer
300plus GmbH
Glogauerstr. 5
10999 Berlin
E-mail info@drnotes.app
- Data protection officer
You can contact our data protection officer at any time via our contact e-mail:
datenschutz@drnotes.app
You can also contact our data protection officer directly using the following contact options:
Postal:
300plus GmbH
for the attention of the data protection department
Glogauerstr. 5
10999 Berlin
E-mail: datenschutz@drnotes.app
- The data processing in detail
In this section of the privacy policy, we inform you in detail about the processing of personal data in the context of our services. For the sake of clarity, we organize this information according to certain functionalities of our services. During normal use of the services, different functionalities and therefore also different processing operations may be carried out consecutively or simultaneously.
- General information on data processing
Unless otherwise stated, the following applies to all processing described below:
- No obligation to provide and consequences of non-provision
The provision of personal data is not required by law or contract. You are not obliged to provide your personal data. We will inform you during the input process if the provision of personal data is required for the respective service (e.g. by marking it as a “mandatory field”). In these cases, the requested service cannot be provided without processing your personal data. In all other cases, the non-provision of your personal data may have an impact on the form and quality of the respective services.
- Consent
In various cases, you have the option of giving us your consent in connection with the processing described below. In this case, we will inform you separately in connection with the submission of the respective declaration of consent about all modalities, about the scope of the consent and about the purposes that we pursue with this processing.
- Transfer of personal data to third countries
In the event that we transfer your personal data to third countries, this transfer will only take place in compliance with the legal requirements. In particular, this means that we only transfer your personal data to a third country in accordance with the requirements of Art. 44 et seq. GDPR.
In principle, we only transfer your personal data to trusted service providers in third countries with an adequate level of data protection (“adequacy decision”, Art. 45 GDPR). If there is no adequacy decision for the respective third country, your personal data will generally be transferred on the basis of suitable guarantees within the meaning of Art. 46 GDPR. For this purpose, we rely in particular on standard data protection clauses pursuant to Art. 46 para. 2 lit. c GDPR, whereby a copy of the agreements concluded in each case can be viewed on site.
The transfer of your personal data to a third country may also be necessary for the purpose of contract fulfillment. In addition, the transfer of your personal data may also be necessary for the assertion, exercise or defense of legal claims or on the basis of your express consent (Art. 49 GDPR).
- Hosting with external service providers
When processing your personal data, we also use “hosting service providers” who provide us with storage space and processing capacities in their data centers. The “hosting service providers” used process your personal data exclusively on the basis of individually agreed order processing contracts in accordance with Art. 28 GDPR, whereby it is ensured in particular that data processing is carried out exclusively on the basis of our instructions.
- Transmission to state authorities
We transfer your personal data to state authorities (including law enforcement authorities) if this is necessary to fulfill a legal obligation to which we are subject (Art. 6 para. 1 sentence 1 lit. c GDPR). In addition, we also process your personal data if the processing is necessary for the establishment, exercise or defense of legal claims. In this case, your personal data will be processed on the basis of our overriding legitimate interests in the enforcement of rights within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR.
- Storage period
The “Storage period” section indicates how long we process your personal data for the respective purpose or the respective functionality. If the processing of your personal data is no longer required for the respective purpose, we will delete your personal data, unless we are obliged to retain it for a longer period due to legal obligations.
- Designation of data categories
As part of the use of our services, we regularly process the data categories described in more detail below:
- Account data
- Personal master data
- Address data
- Contact data
- Login data
- Access data
- Profile data
- Processing operations during the execution of the documentation
The documentation recording takes place via an encrypted connection between the end devices of the conversation partners and the hosting provider. This technically ensures that we have no access to the content data such as the conversations. In this context, we only process your personal data to the extent necessary to provide the documentation software.
- Accessing our services
Below we describe how your personal data is processed when you access our services (e.g. loading and viewing the website, opening and navigating within the mobile device app).
- Purpose of the processing, legal basis, including identification of legitimate interests, storage period
Data category
Access data
Intended purpose
Establishing a connection, displaying the content of our service, detecting attacks on our services based on unusual activities, error diagnosis.
Legal basis
Art. 6 para. 1 sentence 1 lit. f GDPR
Legitimate interest, if applicable
Ensuring the proper functionality of the services, security of data
Storage duration
Seven days
- Recipients of the personal data
Recipient category
IT security service provider
Data categories
Access data
Legal basis
Art. 6 para. 1 sentence 1 lit. f GDPR. By using external IT service providers, we can ensure the integrity and confidentiality of our services, in particular by identifying security gaps, closing vulnerabilities and defending against attacks. This also constitutes our overriding legitimate interest.
- Documentation software: practitioners
Below we describe how your personal data is processed when practitioners use an account to carry out documentation with us:
- Purpose of the processing, legal bases including designation of legitimate interests, storage period
Data category
E-mail address
Intended purpose
Verification of registration (double opt-in procedure)
Legal basis
Art. 6 para.1 sentence 1 lit.b Alt.1 GDPR
(in the event that the medical service provider itself is the customer)
Art. 6 para. 1 sentence 1 lit.f Alt.1 GDPR
(in the event that the medical service provider is an employee of the customer, e.g. hospital)
Legitimate interest, if applicable
Duration of storage
Duration of the contractual relationship
——————————————-
Data category
Personal master data, contact data, address data
Intended purpose
Identification, checking authorization to access the offer, making contact, traceability of successful registration, processing payments for the service
Legal basis
Art. 6 para.1 sentence 1 lit.b Alt.1 GDPR
(in the event that the medical service provider itself is the customer)
Art. 6 para. 1 sentence 1 lit.f Alt.1 GDPR
(in the event that the medical service provider is an employee of the customer, e.g. hospital)
Legitimate interest, if applicable
Duration of storage
Duration of the contractual relationship, unless further processing of personal data is required due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
——————————————-
Data category
Contract data
Intended purpose
Documentation within the framework of the contractual relationship; contract processing
Legal basis
Art. 6 para.1 sentence 1 lit.b Alt.1 GDPR
(in the event that the medical service provider itself is the customer)
Art. 6 para. 1 sentence 1 lit.f Alt.1 GDPR
(in the event that the medical service provider is an employee of the customer, e.g. hospital)
Legitimate interest, if applicable
Duration of storage
Duration of the contractual relationship, unless further processing of personal data is required due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
——————————————-
Data category
Profile data
Intended purpose
Provision of our services
Legal basis
Art. 6 para.1 sentence 1 lit.b Alt.1 GDPR
(in the event that the medical service provider itself is the customer)
Art. 6 para. 1 sentence 1 lit.f Alt.1 GDPR
(in the event that the medical service provider is an employee of the customer, e.g. hospital)
Legitimate interest, if applicable
Duration of storage
Duration of the contractual relationship, unless further processing of personal data is required due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
——————————————-
Data category
Registration data, access data, usage data
Intended purpose
Connection establishment, presentation of the contents of the service, detection of attacks on our site based on unusual activities, error diagnosis, provision of our services
Legal basis
Art. 6 para.1 sentence 1 lit.b Alt.1 GDPR
(in the event that the medical service provider itself is the customer)
Art. 6 para. 1 sentence 1 lit.f Alt.1 GDPR
(in the event that the medical service provider is an employee of the customer, e.g. hospital)
Legitimate interest, if applicable
Ensuring the proper functioning of the services, security of personal data and business processes, prevention of misuse, prevention of damage caused by interference with information systems, improvement of our services.
Storage period
Duration of the contractual relationship, unless further processing of personal data is required due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
Recipients of the personal data
Recipient category
IT service provider for customer relationship management system (CRM)
Data concerned
Personal master data; address data; contact data; contract data
- Documentation software: patients
Below we describe how your personal data is processed if you, as a patient, have documentation created by your practitioner via our platform. The scope of the processed data depends on the specifications of your practitioner; the list of the processing of personal data presented here is based on the general guidelines of your practitioner.
- Purpose of data processing and legal basis and, where applicable, legitimate interests, storage period
Data category
Surname, first name, date of birth
Intended purpose
Provision of our services for patients, identification, checking authorization to access the offer, prescribed documentation by practitioners
Legal basis
Art. 9 para. 2 lit. a GDPR
Legitimate interest, if applicable
Storage period
In principle, we delete your personal data seven days after the appointment has been carried out, unless you revoke your consent. Your personal data will only be stored beyond this period if this is necessary due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
——————————————-
Data category
Access data
Intended purpose
Provision of our services, prescribed documentation by practitioners, contract fulfillment, presentation of the contents of the service, detection of attacks on our site based on unusual activities, error diagnosis.
Legal basis
Art. 9 para. 2 lit. a GDPR, Art. 6 para. 1 sentence 1 lit. f Alt. 2 GDPR
Legitimate interest, if applicable
The processing of the aforementioned data categories ensures the proper functionality and, in particular, the security of our services. In addition, the processing of your personal data in this context serves to prevent misuse, prevent damage and optimize our services in your interest. This also constitutes our overriding interest in the processing of your personal data.
Storage period
Seven days
——————————————-
Data category
various medical histories:
e.g.:
- current/main complaints
- Family history
- Social history
- Medication history
- Gynecological anamnesis (for women)
- Addiction history
- Psychosocial anamnesis
Intended purpose
Provision of our services, documentation within the framework of the contractual relationship, prescribed documentation by practitioners, contract fulfillment
Legal basis
Art. 9 para. 2 lit. a GDPR
Legitimate interest, if applicable
Storage duration
In principle, we delete your personal data seven days after the appointment has been carried out, unless you revoke your consent. Your personal data will only be stored beyond this period if this is necessary due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
——————————————-
Data category
various medical data:
e.g.:
- Allergies and intolerances
- Environment and living situation
- Examination findings
- Diagnosis
- Treatment recommendations
- Follow-up
- Recommendations for lifestyle changes
- Prognosis and outlook
- Concluding remarks
Intended purpose
Provision of our services, documentation as part of the contractual relationship, prescribed documentation by practitioners, contract fulfillment
Legal basis
Art. 9 para. 2 lit. a GDPR
Legitimate interest, if applicable
Storage duration
In principle, we delete your personal data seven days after the appointment has been carried out, unless you revoke your consent. Your personal data will only be stored beyond this period if this is necessary due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
- Recipients of the personal data
Recipient category
Practitioner with whom you carry out / maintain the documentation and, if necessary, other service providers in connection with the execution of the documentation
Data concerned
Surname, first name, date of birth
Legal basis
Art. 9 para. 2 lit. a GDPR
- Making contact and feedback
Below we describe how your personal data is processed when you contact our customer service (e.g. via an online contact form or by telephone) and/or participate in customer or user satisfaction surveys:
- Purpose of data processing and legal basis and, where applicable, legitimate interests, storage period
Data category
Personal master data, contact data, content of enquiries/complaints, access data
Intended purpose
It is absolutely necessary to process your personal data in order to process your customer inquiry. By processing your personal data, we want to process your request and contribute to improving our services. If an additional contract is concluded in connection with the processing of your request, the processing of your request also serves to initiate or fulfill the contract.
Legal basis
Art. 6 para. 1 sentence 1 lit. a GDPR
Art. 6 para. 1 sentence 1 lit. b GDPR
Art. 6 para. 1 sentence 1 lit. f GDPR
Legitimate interest, if applicable
Through our customer service and by processing your customer inquiry, we would like to make a significant contribution to maintaining or strengthening the customer relationship with you. This also constitutes our overriding legitimate interest.
Storage period
1 year after the inquiry has been processed, unless further processing of personal data is required due to legal obligations, in particular the German Commercial Code (HGB) and the German Tax Code (AO).
- Recipients of personal data
Recipient category
IT service provider for customer relationship management system (CRM)
Data concerned
Personal master data; contact details; content of enquiries/complaints; content of feedback
II Rights of data subjects
- Right to object
You have the right to object, on grounds relating to your particular situation, at any time with future effect to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
You can exercise your right to object free of charge. In order to process your request more quickly, please use the contact details provided under I. 3.
- Right to information
You have the right to request confirmation from us as to whether personal data concerning you is being processed and, if so, to request information about this personal data and the other information listed in Art. 15 GDPR.
- Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you (Art. 16 GDPR). Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (“right to be forgotten”)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds specified in Art. 17 (1) GDPR applies and the processing is not necessary for one of the purposes specified in Art. 17 (3) GDPR.
- Right to restriction of processing
You are entitled to request the restriction of the processing of your personal data if one of the conditions set out in Art. 18 (1) (a) to (d) GDPR applies.
- Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, subject to the conditions set out in Art. 20 (1) GDPR. When exercising the right to data portability, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
- Right to withdraw consent
If the processing is based on your consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
- Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority responsible for our company. The supervisory authority responsible for our company is
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61; 10555 Berlin
Phone: 49 30 13889-0
Fax: 49 30 2155050
E-mail: mailbox@datenschutz-berlin.de