Privacy Policy video.samedi.de

Privacy Policy for the users of video.samedi.de services (samedi video consultation)

Last updated 1 July 2022


1. Purpose and Scope

This Privacy Policy concerns the use of video consultation via video.samedi.de.

We process personal data (hereinafter generally referred to as "data") only as required and for the purpose of providing a functional and user-friendly website, including its content and the services offered therein.

In accordance with Article 4 No. 1. of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (hereinafter referred to as "GDPR"), "processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or combination, restriction, erasure or destruction.

With this Privacy Policy we inform you in particular about the type, scope, purpose, term and legal basis of the processing of personal data, insofar as we decide either independently or together with others on the purposes and means of processing. In addition, we inform you below about the third-party components we use for optimisation purposes and to increase the quality of use, insofar as third parties in turn process data on their own responsibility.

2. Differentiation from our other services

As soon as you log in or register as a user under app.samedi.de, the data protection conditions for the user account for professionals of samedi apply. As soon as you log in or register as a user at patient.samedi.de or termin.samedi.de, the data protection conditions for the samedi user account for patients apply.

3. We as the Controller

The responsible provider of this website within the meaning of data protection law is:

samedi GmbH

represented by Katrin Alscher, Prof. Dr. Alexander Alscher, Dr. Benedikt Simon

Rigaer Str. 44

10247 Berlin

Germany

Tel.: +49 (0)30 21230707-0

e-mail: info@samedi.de

The provider's data protection officer is:

Oliver Guderjahn

External data protection officer / business lawyer (LL. M.)

Kedua GmbH

Eichhorster Weg 80

13435 Berlin

Managing director: Ralf Schulze

HRB 4691 AG Neuruppin

e-mail: datenschutz@samedi.de

4. Log Files

For technical reasons, data is transmitted to us via your Internet browser, particularly in order to provide a secure and stable website. Among other things, the type and version of your Internet browser, the operating system, the website from which you accessed our website (referrer URL), the page(s) of our website that you visit, the date and time of the respective access, as well as the IP address of the Internet connection from which use of our website takes place are collected in these so-called server log files.

The data collected in this manner is temporarily stored, but not together with any other data from you. The legal basis for such storage is provided by Article 6 Paragraph 1 lit. f) of the EU General Data Protection Regulation [GDPR]. Our legitimate interest lies in the improvement, stability, functionality and security of our website.

The data is deleted after seven days at the latest, unless further storage for the purpose of providing evidence is required. Otherwise, data shall be partially or entirely exempt from deletion until an issue has been finally clarified.

5. Search for a doctor / book a video consultation

Via our websites patient.samedi.de and termin.samedi.de you can search for institutions and book appointments for a video consultation with them online. There are two ways of booking. The respective institution decides which booking option is open to you.

a) Booking with samedi patient account
To book an appointment, you must log in to your samedi patient account or create one beforehand. When booking the appointment, depending on the institution's query, the following personal data may be processed and transmitted to the corresponding institution: name, first name, date of birth, email address, telephone number, address data, appointment data, purpose of the appointment, type of health insurance, contact data and medical data. The legal basis for the transmission of the appointment request to the respective institution is Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR for health data.

If you would like to register for a samedi patient account, you will find all further information on how samedi handles your personal data in the privacy policy for patients at:

https://www.samedi.com/datenschutz/datenschutz-patienten

b) Booking as a guest

Furthermore, you have the possibility to book an appointment with an institution as a guest. In this case, the booking is also possible without a samedi patient account. Whether a guest booking is possible at an institution is solely up to the institution. When booking the appointment as a guest, the following personal data may be processed and transmitted to the respective institution, depending on the institution's request: name, first name, date of birth, e-mail, appointment data, purpose of the appointment, type of health insurance, contact data and health data. Mandatory data are: name, e-mail. The legal basis for the transmission of the appointment request to the respective institution is Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR for health data.

6. Video consultation process and processing of health data

In order to provide the functionality of the video consultation between doctor and patient, we need to transfer data between the parties participating in the video consultation. To maintain patient confidentiality and medical secrecy, we use technology that enables us to transfer the data in an end-to-end encrypted format as directly as possible between the participants. The data is therefore encrypted on the patient's terminal device and only decrypted again on the doctor's terminal device (and vice versa). The technology used is called WebRTC, and employs AES as the encryption algorithm. This means that no one except the participants in the video consultation can see this data in plain text (not even samedi as the operator of the platform).

The following data is sent and received via this special end-to-end encrypted connection:

- Name of the patient
- Video and audio data
- Chat communication
- Documents

We do not process or store this data.

The data is processed on the legal basis of Article 6 Paragraph 1 lit. a) of the EU General Data Protection Regulation [GDPR].

Insofar as health data is involved we process your data in accordance with Article 9 Paragraph 2 lit. a) EU GDPR.

7. Group video consultation process and processing of health data

Within the framework of the group video consultation, it is possible for institutions with a maximum of 15 persons to conduct a consultation by video. In order to join the group video consultation, it is necessary to enter a clear name. Within the group video consultation, participants have access to a group chat that can be viewed by all. Furthermore, the group video consultation offers the participating doctors and patients the possibility to share documents, which are then available to all participants and can be downloaded.

In order to provide the functionality of the video consultation between doctor and patient, we need to transfer data between the parties participating in the video consultation. In order to protect patient confidentiality and medical secrecy, we use a technology that allows us to transfer the data in an end-to-end encrypted format as directly as possible between the participants. The data is thus encrypted on the patient's terminal device and only decrypted again on the doctor's terminal device (and vice versa). The technology used is called WebRTC, and uses AES as the encryption algorithm. This means that no one except the participants in the video consultation can see this data in plain text (not even samedi as the operator of the platform).

The following data is sent and received via this special end-to-end encrypted connection:

- Patient name
- Video and audio data
- Chat communication
- Documents

We do not process or store this data for any other purpose.

The legal basis for this storage is provided by Article 6 Paragraph 1 lit. f) of the EU General Data Protection Regulation [GDPR]. If it concerns health data, we process your data in accordance with Art. 9 Paragraph 2 lit. a) of the EU General Data Protection Regulation [GDPR].

Our legitimate interest lies in the improvement, stability, functionality and security of our website.

We delete the metadata collected in this manner after three months at the latest by means of an automated process.

8. Metadata

In order to provide the functionality of the video consultation between doctor and patient, we need to collect and store additional metadata. This includes:

- Name of participating doctors / medical staff.

- Name of the practices / clinics / institutions

- Time and duration of communication

- Web browsers and versions used

- Type of connection

- Technical quality assessment of the video consultation

- To establish the video connection, the IP address of the device used is processed. This storage takes place on the legal basis of Art. 6 para. 1 lit. f) of the EU General Data Protection Regulation [GDPR].

Our legitimate interest lies in the improvement, stability, functionality and security of our website. We delete the metadata collected in this way after 3 months at the latest by means of an automated process.

9. Cookies

We use so-called cookies with our website. Cookies are small text files or other storage technologies that are placed and stored on your terminal device by your Internet browser. With these cookies certain information about you is processed to an individual extent.

a) First-party cookies

Provider: samedi

Name: _vc_backend_session

Use: Session ID

Validity period: Session is deleted when the Internet browser is closed

Legal basis: Section 25 para. 2 no. 2 TTDSG

b) Third-party cookies

We do not use third-party cookies.

c) Removal option

You may prevent or restrict the installation of cookies through the appropriate setting of your Internet browser. You may also delete cookies that have already been saved at any time. However, the steps and measures required to this end depend on your specific Internet browser. If you have any questions, please use the help function or documentation provided with your Internet browser or contact the manufacturer or support.

If you prevent or restrict the installation of cookies, however, not all of our website functions may be fully available.

10. Other Processors

We share your data with service providers who support us in the operation of our websites and related processes within the scope of processing in accordance with Article 28 of the EU General Data Protection Regulation [GDPR]. These are, for example, hosting service providers. Our service providers are strictly bound by our instructions and correspondingly obliged by way of agreement.

In the following, we name the processors with whom we work, if we have not already done so in the preceding text of the Privacy Policy. If data is transferred outside the EU or EEA in this context, then we provide information on the appropriate level of data protection.

Filoo GmbH, Rhedaer Straße 25, 33330 Gütersloh: hosting services

Data security is regulated by a processing agreement.

Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland: provision of services for SMS dispatch. Within the scope of sending text messages, personal data may be transferred to the USA. This transfer of data to third countries is secured by a data protection contract with standard contractual clauses as well as by exemption clauses in accordance with Art. 49 of the GDPR.

Data security is regulated by a processing agreement.

A samedi solution is used to offer video consultation (E2E).

retarus GmbH, Aschauer Straße 30, 81549 Munich: e-mail dispatch

Data security is regulated by a processing agreement.

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen: STUN/TURN

Data security is regulated by a processing agreement.

11. Customer Information and Newsletter

In the user account users are given the opportunity to subscribe to our company's newsletter as well as additional customer information via e-mail messages. The e-mail is always sent to the e-mail address already stored in the user account and confirmed during registration. Processing of the data provided for the newsletter takes place exclusively on the basis of your consent (Article 6 Paragraph 1 lit. a) EU GDPR).

The subscription to our newsletter may be cancelled by the data subject at any time. You will find a corresponding link in each newsletter for the purpose of revoking your consent. Furthermore, it is also possible to unsubscribe from the newsletter mailing directly in the customer's user account at any time or to inform the controller in another manner. The data you provide us with for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will then be deleted once you unsubscribe. Data that we have stored for other purposes shall remain unaffected.

12. Transfer of personal data to third countries

If we transfer personal data to countries outside the EU, we rely on an adequacy decision of the Commission (Art. 45 GDPR), on appropriate safeguards (Art. 46 GDPR) or, pursuant to Art. 49 GDPR, on the exemptions for a third country transfer.

13. Routine Erasure and Blocking of Personal Data

Unless otherwise required by law, personal data shall only be stored for the period of time required for the purpose of storage. After the purpose of storage has ceased to apply, personal data will be routinely blocked or erased in accordance with statutory provisions.

14. Rights of Users and Data Subjects

With regard to the data processing described above, users and data subjects shall have the following rights:

a) Right of access

You have the right of access to the personal data processed with regard to your person; that is, you have the right to obtain confirmation as to whether your personal data are processed or not. Insofar as this is the case, you have the right to access the personal data processed about you and certain additional information, as well as to receive a copy in a commonly used electronic format.

b) Right to rectification

You have the right to have inaccurate personal data concerning you corrected as well as the right to have incomplete personal data completed.

c) Right to erasure

You have the right to erasure of your personal data, subject to restrictions under applicable law. This is the case, for example, if the personal data are no longer necessary in relation to the purposes for which they are processed, you withdraw your consent and there is no other legal ground for the processing, or the processing of your personal data is not required for compliance with a legal obligation, or for the assertion, exercise or defence of legal claims.

d) Right to restriction of processing

You have the right to restrict the processing of your personal data, for example if you contest its accuracy or if you have objected to the processing as described above. In both cases, this right applies during the processing and verification of your request by us.

e) Right to withdraw your consent to data processing

If you have consented to a certain type of processing, then you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

f) Right to data portability

You have the right to have data that we automatically process on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request direct transfer of the data to another controller, then this will only be done to the extent technically feasible.

g) Right to object

You have the right to object if the processing is based on the weighing of interests in accordance with Article 6 Paragraph 1 Sentence 1 lit. e) or f) EU GDPR in order to request a reassessment of interests or to object to direct marketing. We will then carry out a new assessment and continue processing your personal data, despite your objection, only if we can demonstrate compelling legitimate grounds that override your interests.

h) Right to lodge a complaint with the competent supervisory authority

You may file a complaint if you believe that we have violated applicable data protection provisions in the processing of your personal data.

In addition, the provider shall be obliged to inform all recipients to whom data has been disclosed by the provider about any correction or erasure of data or restriction of processing that takes place on the basis of Articles 16, 17 Paragraph 1, 18 of the EU General Data Protection Regulation. However, this obligation shall not apply insofar as this notification is impossible or involves disproportionate effort. Notwithstanding the above, the user shall have a right to information about these recipients.