Menu

Privacy policy for users of the website video.samedi.de (samedi video consultation)

Last updated: Dec 13, 2024

This document in German

1. Purpose and scope

This privacy policy applies to the use of video consultations via video.samedi.de.

Personal data (hereinafter referred to as “data”) will only be processed by us within the scope of necessity and for the purpose of providing a functional and user-friendly website, including its content and the services offered there.

According to Article 4(1) of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (hereinafter referred to as the “GDPR”), “processing” means any operation or set of operations carried out on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

With the following privacy policy, we inform you in particular about the type, scope, purpose, duration and legal basis of the processing of personal data, insofar as we decide on the purposes and means of the processing, either alone or jointly with others. In addition, we will inform you below about the third-party components used by us for optimisation purposes and to increase the quality of use, insofar as third parties process data on their own responsibility.

2. Information on data protection responsibility:

Responsible (Art. 4 No. 7 GDPR) for visiting the website video.samedi.de is samedi GmbH. For the implementation of the video consultation, samedi only provides the use of the platform; In terms of data protection law, samedi acts as a processor (Art. 28 GDPR) in the responsibility of the healthcare facility with which you booked the appointment for the video consultation when conducting a video consultation.

The provider of this website in the sense of data protection law is:

samedi GmbH
Represented by the managing directors Katrin Alscher, Prof. Dr. Alexander Alscher, Dr. Benedikt Simon

Rigaer Str. 44
10247 Berlin
Germany

Telefon: +49 (0)30 21230707-0
E-Mail: info@samedi.de

The data protection officer at the provider is:

Dr. Christian Herles
Internal Data Protection Officer
General Counsel / Lawyer

Rigaer Str. 44
10247 Berlin
Germany

E-Mail: datenschutz@samedi.de

3. Visiting the website

When you visit the website, we process data in the manner described below as a controller.

a) IP address

When you visit the website, your IP address is transmitted to our server. This transmission is necessary to enable the establishment of the connection and the display of the content of our website on your device. The IP address is stored for the duration of the session and can be used in log files to ensure technical security (e.g. to defend against attacks). The legal basis for this processing is Art. 6 (1) (f) GDPR, as we have a legitimate interest in ensuring the security and functionality of our website.

The legitimate interest in the storage of the IP address lies in ensuring the technical functionality and provision of the website, for which the temporary storage of the IP address is mandatory. The impact on the data subjects is minimal, as the IP addresses are only stored for the duration of the session and then deleted. Since the storage is exclusively for functional purposes and no use beyond this takes place, the legitimate interest of the company outweighs the interests of the data subjects.

The data will be deleted after 7 days at the latest, unless further storage is required for evidentiary purposes. Otherwise, the data will be exempted from deletion in whole or in part until an incident has been finally resolved.

b) Technically necessary cookies

We use so-called cookies on our website. Cookies are small text files or other storage technologies that are stored and stored on your device by the Internet browser you use. These cookies process certain information about you to the individual extent.

aa) First-party cookies

Provider: samedi
Name: _vc_backend_session
Benefit: Session ID
Period of validity: Session, will be deleted when the Internet browser is closed
Legal basis: § 25 para. 2 no. 2 TTDSG

bb) Third-party cookies

We do not use third-party cookies.

cc) Possibility of removal

You can prevent or restrict the installation of cookies by setting your Internet browser. You can also delete cookies that have already been stored at any time. However, the steps and measures required for this depend on the specific Internet browser you are using. If you have any questions, please use the help function or documentation of your Internet browser or contact its manufacturer or support. However, if you prevent or restrict the installation of cookies, this may mean that not all functions of our website can be used to their full extent.

4. Conducting the video consultation

In order to provide the functionality of the video consultation between the practitioner and the patient, we need to transfer data between the parties participating in the video consultation. In order to maintain patient confidentiality and medical confidentiality, we use technology that enables us to transmit the data in an end-to-end encrypted format as directly as possible between the participants. The data is therefore encrypted on the patient’s device and only decrypted again on the practitioner’s device (and vice versa). The technology used is called WebRTC, and uses AES as the encryption algorithm. This means that no one except the participants of the video consultation can see this data in plain text (not even samedi).

a) Booking and preparation of the video consultation

The booking of a video consultation appointment takes place in the organisational area of the healthcare facility. The processing of data in connection with your video consultation is carried out in accordance with Art. 28 GDPR on behalf of the healthcare facility with which you have booked the video consultation. When booking an appointment, in particular surname, first name, an e-mail address and, if necessary, information to be determined by the responsible health facility, will be requested. Before the start of the video consultation, we will send you an access code and the link to the video consultation on behalf of the healthcare facility. The legal basis on the part of the responsible healthcare facility is Art. 6 para. 1 lit. a, b GDPR and Art. 9 para. 2 lit. a, h GDPR.

On behalf of the responsible health institutions, we also enable messages to be sent by e-mail or SMS in order to provide advance information or to remind you of the appointment. The controller will only instruct us to do so if you have given your consent in accordance with Art. 6 (1) (a), 9 (2) (a) GDPR.

b) Technical implementation of the video consultation

The following data is sent and received via this special end-to-end encrypted connection:

In order to provide the functionality of the video consultation between the practitioner and the patient, we must collect and store further metadata, including:

The metadata collected in this way will be deleted by us after 3 months at the latest through an automated process. We do not process or store this data for any other purpose. The basis for processing for us is the order processing agreement with the healthcare facility. On the part of the healthcare facility, the processing is carried out on the basis of the treatment contract in accordance with Art. 6 (1) (b) and Art. 9 (2) (h) GDPR.

c) Group video consultation and health data processing process

As part of the group video consultation, there is the possibility for institutions with a maximum of 15 people to conduct a consultation hour via video. To join the group video consultation, the entry of a real name is a prerequisite. Within the group video consultation, a group chat is available to the participants, which can be viewed by everyone. Furthermore, the group video consultation offers participating doctors and patients the opportunity to share documents, which are then available to all participants and can be downloaded.

In order to provide the functionality of the video consultation between doctor and patient, we need to transfer data between the parties participating in the video consultation. In order to maintain patient confidentiality and medical confidentiality, we use technology that enables us to transmit the data in an end-to-end encrypted format as directly as possible between the participants. The data is therefore encrypted on the patient’s device and only decrypted again on the doctor’s device (and vice versa). The technology used is called WebRTC, and uses AES as the encryption algorithm. This means that no one except the participants of the video consultation can see this data in plain text (not even samedi as the operator of the platform).

The following data is sent and received via this special end-to-end encrypted connection:

We do not process or store this data for any other purpose.

5. Processors

We pass on your data to service providers who support us in the operation of our websites and the associated processes within the framework of order processing in accordance with Art. 28 GDPR. These are, for example, hosting service providers. Our service providers are strictly bound by our instructions and are contractually obligated accordingly.

In the following, we will list the processors with whom we work, if we have not already done so in the previous text of the Privacy Policy.

6. Customer information on product renewals

In the user account, users are given the opportunity to subscribe to our company’s newsletter on product renewals by means of e-mail messages. The e-mail will always be sent to the e-mail address already stored in the user account and confirmed during registration. The processing of the data provided for the newsletter is carried out exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR).

The subscription to our newsletter can be cancelled by the data subject at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is possible to unsubscribe from the newsletter at any time directly in the customer’s user account or to inform the controller of this in another way. The data you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted after you unsubscribe from the newsletter. Data that has been stored by us for other purposes remains unaffected by this.

7. Routine deletion and blocking of personal data

Personal data will only be stored for the period necessary for the purpose of storage, unless otherwise required by the legislator. Once the purpose of storage has ceased to apply, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

8. Rights of Users and Data Subjects

With regard to the data processing described above, users and data subjects have the right to

a) Right to information

You have the right to access the personal data you are processing, which means that you have the right to confirmation as to whether or not the personal data in question is being processed. Where this is the case, you have the right to access the personal data you are processing and certain additional information, as well as to receive a copy in a commonly used electronic format.

b) Right to rectification

You have the right to rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed.

c) Right to erasure

You have the right to erasure of your personal data, subject to the restrictions under applicable law. This is the case, for example, if the personal data is no longer necessary for the purposes for which it is processed, you withdraw your consent and there is no other legal ground for the processing, or the processing of your personal data is not necessary for compliance with a legal obligation, to establish, exercise or defend legal claims.

d) Right to restriction of processing

You have the right to restrict your personal data, for example if you contest its accuracy or if you have objected to the processing as described above. In both cases, this right applies during the processing and verification of your request by us.

If you have consented to a particular processing, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on the consent before its withdrawal.

f) Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.

g) Right to object

You have the right to object if the processing is based on the balancing of interests in accordance with Art. 6 (1) sentence 1 (e) or (f) GDPR in order to request a reassessment of the interests or to be able to object to direct marketing. We will then carry out a new assessment and, despite your objection, we will only continue to process your personal data if we can demonstrate compelling legitimate grounds which override your interests.

h) Right to lodge a complaint with the competent supervisory authority

You can lodge a complaint if you believe that we have violated applicable data protection legislation in the processing of your personal data. In addition, the Provider is obliged to inform all recipients to whom data has been disclosed by the Provider of any correction or deletion of data or the restriction of processing that takes place on the basis of Articles 16, 17 (1), 18 GDPR. However, this obligation does not apply if this notification is impossible or involves disproportionate effort. Without prejudice to this, the user has a right to information about these recipients.