Privacy policy for users of the services video.samedi.de (samedi video consultation)

1. Purpose and scope

This data protection declaration concerns the use of the video consultation service via video.samedi.de.

Personal data (hereinafter mostly referred to as “data”) is processed by us only as necessary and for the purpose of providing a functional and user-friendly website, including its content and the services offered there.

In accordance with Art. 4 no. 1. of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (hereinafter referred to only as “GDPR”), “processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

With the following privacy policy, we inform you in particular about the nature, scope, purpose, duration and legal basis of the processing of personal data, insofar as we decide either alone or jointly with others on the purposes and means of processing. In addition, we inform you below about the third-party components used by us for optimization purposes as well as to increase the quality of use, insofar as third parties process data through this, again under their own responsibility.

2. Information about us as the responsible party

The responsible provider of this website in the sense of data protection law is:

Data protection officer at the provider is:

3. Log files

For technical reasons, in particular to ensure a secure and stable Internet presence, data is transmitted to us by your Internet browser. These so-called server log files are used to collect, among other things, the type and version of your Internet browser, the operating system, the website from which you accessed our website (referrer URL), the website(s) of our website that you visit, the date and time of the respective access as well as the IP address of the Internet connection from which the use of our website takes place.

The data collected in this way is stored temporarily, but not together with other data about you. This storage takes place on the legal basis of Art. 6 para. 1 lit. f) DSGVO. Our legitimate interest lies in the improvement, stability, functionality and security of our website.

The data is deleted again after 7 days at the latest, insofar as no further storage is required for evidence purposes. Otherwise, the data is exempt from deletion in whole or in part until final clarification of an incident.

4. Video consultation process and processing of health data

In order to provide the functionality of the video consultation between physician and patient, we need to transfer data between the parties participating in the video consultation. In order to maintain patient confidentiality and doctor-patient confidentiality, we use technology here that allows us to transfer data in an end-to-end encrypted format as directly as possible between the participants. This means that the data is encrypted on the patient’s terminal device and only decrypted again on the physician’s terminal device (and vice versa). The technology used is called WebRTC, and uses AES as the encryption algorithm. This means that no one other than the participants in the video consultation can see this data in plain text (not even samedi as the operator of the platform).

The following data in detail is sent and received via this special end-to-end encryption protected connection:

• Name of the patient
• Video and audio data
• Chat communication
• Documents

We do not process or store this data for any other purpose.

The data is processed on the legal basis of Art. 6 para. 1 lit. a) DSGVO.

If it concerns health data, we process your data according to Art. 9 para. 2 lit. a)

5. group video consultation process and processing of health data

Within the framework of the group video consultation, there is the possibility for institutions with a maximum of 15 people to conduct a consultation by video. To join the group video consultation, it is necessary to enter a clear name. Within the group video consultation, a group chat is available to the participants, which can be viewed by all. Furthermore, the group video consultation offers the participating physicians and patients the possibility to share documents, which are then available to all participants and can be downloaded.

In order to provide the functionality of the video consultation between physician and patient, we must transfer data between the parties participating in the video consultation. In order to maintain patient confidentiality and doctor-patient confidentiality, we use technology here that allows us to transfer the data in an end-to-end encrypted format as directly as possible between the participants. This means that the data is encrypted on the patient’s terminal device and only decrypted again on the physician’s terminal device (and vice versa). The technology used is called WebRTC, and uses AES as the encryption algorithm. This means that no one other than the participants in the video consultation can see this data in plain text (not even samedi as the operator of the platform).

The following data in detail is sent and received via this special end-to-end encryption protected connection:

• Name of the patient
• Video and audio data
• Chat communication
• Documents

We do not process or store this data for any other purpose.

The data is processed on the legal basis of Art. 6 para. 1 lit. a) DSGVO. Insofar as health data is concerned, we process your data in accordance with Art. 9 (2) lit. a) DSGVO.

6. Metadata

In order to provide the functionality of the video consultation between physician and patient, we need to collect and store additional metadata this includes but is not limited to:

• Name of participating physicians / medical staff
• Name of the practices / clinics / institutions
• Time and duration of communication
• Web browsers and versions used
• Type of connection
• Technical quality assessment of the video consultation

This storage takes place on the legal basis of Art. 6 para. 1 lit. f) DSGVO. Our legitimate interest lies in the improvement, stability, functionality and security of our website.

The metadata collected in this way will be deleted by us by an automated process after 3 months at the latest.

7. Cookies

We use so-called cookies with our Internet presence. Cookies are small text files or other storage technologies that are placed and stored on your terminal device by the Internet browser you use. Through these cookies, certain information from you is processed to an individual extent.

a) First-party cookies

Provider: samedi Name: _vc_backend_session Use: Session ID Validity period: session, will be deleted when closing the internet browser Legal basis: § 25 para. 2 no. 2 TTDSG

b) Third-party cookies

We do not use third-party cookies.

c) Removal option

You can prevent or restrict the installation of cookies by setting your Internet browser. Likewise, you can delete already stored cookies at any time. However, the steps and measures required for this depend on your specific Internet browser used. If you have any questions, please use the help function or documentation of your Internet browser or contact its manufacturer or support. However, if you prevent or restrict the installation of cookies, this may mean that not all functions of our website can be fully used.

8. Subprocessors

We pass on your data to service providers within the scope of order processing pursuant to Art. 28 DSGVO, who support us in the operation of our websites and related processes. These are, for example, hosting service providers. Our service providers are strictly bound by instructions to us and are contractually obligated accordingly.

In the following, we will name the order processors with whom we work, if we have not already done so in the preceding text of the data protection declaration. If data is transferred outside the EU or EEA in this context, we provide information on the appropriate level of data protection.

Filoo GmbH, Rhedaer Straße 25, 33330 Gütersloh: Hosting services.

Data security is regulated by an AV contract.

T-Systems International, Hahnstraße 43d, 60528 Frankfurt am Main: Hosting services.

Data security is regulated by an AV contract.

retarus GmbH, Aschauer Strasse 30, 81549 Munich: E-mail dispatch.

Data security is governed by an AV contract.

9. Customer information and newsletter

In the user account, users are given the opportunity to subscribe to our company’s newsletter and further customer information by means of e-mail messages. The e-mail is always sent to the e-mail address already stored in the user account and confirmed during registration. The processing of the data provided for the newsletter is based exclusively on your consent (Art. 6 para. 1 lit. a DSGVO).

The subscription to our newsletter can be cancelled by the data subject at any time. For the purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is also possible to unsubscribe from the newsletter mailing directly in the customer’s user account at any time or to notify the controller of this in another way. The data you provide us with for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe from the newsletter. Data that has been stored by us for other purposes remains unaffected by this.

10. Routine deletion and blocking of personal data

Personal data will only be stored for the period of time required for the purpose of storage, unless otherwise required by law. After the purpose of storage has ceased to apply, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

11. Rights of the users and data subjects

With regard to the data processing described above, users and data subjects have the right to

a) Right of access

You have the right to information about the personal data processed about you, this means that you have the right to obtain confirmation as to whether or not personal data in question is being processed. To the extent that this is the case, you have the right to access the personal data processed about you and certain additional information, as well as to receive a copy in a commonly used electronic format.

b) Right to rectification

You have the right to have inaccurate personal data concerning you corrected and the right to have incomplete personal data completed.

c) Right to erasure

You have the right to have your personal data deleted, subject to restrictions under applicable law. This is the case, for example, if the personal data is no longer necessary for the purposes for which it is processed, you withdraw your consent and there is no other legal ground for the processing, or the processing of your personal data is not necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.

d) Right to restriction of processing

You have the right to restrict your personal data, for example, if you dispute its accuracy or if you have objected to the processing as described above. In both cases, this right applies while we are processing and reviewing your request.

e) Right to withdraw your consent to data processing

If you have consented to certain processing, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on the consent prior to its withdrawal.

f) Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

g) Right to object

You have the right to object if the processing is based on the balance of interests pursuant to Art. 6 (1) p. 1 lit. e) or f) DSGVO in order to request a reassessment of interests or to object to direct marketing. We will then make a new assessment and continue processing your personal data, despite your objection, only if we can demonstrate compelling legitimate grounds that override your interests.

h) Right to lodge a complaint with the competent supervisory authority

You can file a complaint if you believe that we have violated applicable data protection regulations when processing your personal data. In addition, the provider is obliged to inform all recipients to whom data has been disclosed by the provider about any correction or deletion of data or restriction of processing that takes place on the basis of Articles 16, 17 (1), 18 DSGVO. However, this obligation does not exist insofar as this notification is impossible or involves a disproportionate effort. Notwithstanding the above, the user has a right to information about these recipients.