Data Protection

Data Protection

1. Privacy policy for medneo.com

This privacy policy explains the type, scope and purpose of personal data processing within our website and within the web pages, functions, content and external websites connected with it, e.g., our social media profile (hereinafter collectively referred to as the ‘website’).

1. Controller and data protection officer

The controller pursuant to Article 4[7] of the GDPR is

medneo GmbH
Hausvogteiplatz 12
D-10117 Berlin
E-mail: datenschutz(at)medneo.com
Phone: +49 (30) 814501-700

You can contact medneo Deutschland GmbH’s data protection officer at

medneo Deutschland GmbH
Datenschutz (Data Protection)
Hausvogteiplatz 12
D-10117 Berlin
E-mail: datenschutz(at)medneo.com

2. Informational use

If you use our website purely for informational purposes, the data outlined below relating to the website or access to a file is collected, stored, and processed in a log file:

the IP address and accessing machine.
the date and time of access.
the name and URL of the file retrieved.
the browser type used.
the name of the internet access provider.
the number of bytes transmitted; and
the status of the page visit.

This data is collected and processed for the purposes of enabling the use of our website (establishing a connection), permanently ensuring system security and stability, and to facilitate the technical administration of the network infrastructure and the optimisation of our website (the legal basis is point [f] of Article 6[1] of the GDPR). Beyond that, this data is only used for internal statistical purposes and to improve the website (the legal basis is point [f] of Article 6[1] of the GDPR). For security reasons (e.g., to clarify any misuse or fraud proceedings), this data is temporarily stored and then erased provided that legal retention periods do not require it to be stored for longer. In these cases, data is suppressed for other uses. It is not otherwise used or shared with third parties.

3. Further use

In addition to the purely informational use of this website, there is the option of getting in touch with us via the contact form. When doing so, we collect, store, and process the following data:

name and title.
e-mail address.
and other personal data that is sent to us in your message.

This data is collected and processed exclusively for the purposes of correspondence with you and to process your inquiry.The legal basis for data processing is your consent in accordance with Art. 6 Para. 1 lit. a, 9 Para. 2 lit. a GDPR. Since health data may also be collected as part of your request, your consent is required for the use of the contact form. You can revoke your consent at any time.

Your request may be forwarded to those doctors and healthcare facilities with whom an appointment is to be made or changed and/or who will perform your examination or treatment. This depends on the content of your request.

We will delete your request after processing is complete.

4. Sharing personal data

We do not share your personal data with third parties without your explicit consent. We only deviate from this if there is a legal obligation or if this is required for us to enforce our rights (point [f] of Article 6[1] of the GDPR).

We may use third party service providers and disclose to such service providers personal data as required for the provision of the services. We use in particular technical service providers for the hosting and operation of the website. These service providers are obliged to use personal data solely on our behalf and not for their own purposes. They are obliged to keep the data confidential.

Subject to legal or contractual permissions, we only process data in a third country, or allow data to be processed in a third country, if the particular conditions of Article 44 et seq. of the GDPR have been met. This means that processing takes place based on certain guarantees, for example, the officially recognised level of data protection in accordance with the EU or in compliance with officially recognised special contractual obligations (‘standard contractual clauses’).

5. Deletion of personal data

Unless otherwise explicitly specified as part of this privacy policy, data stored by us is erased if it is no longer required for its specific purpose, and erasure is not subject to any legal retention periods. If data is not erased because it is required for other legally permissible purposes or because it is subject to legal retention obligations, the processing of such data is restricted accordingly. This means that data is locked and not processed for other purposes.

6. Your rights

In addition to the right to revoke your consent given to us, if applicable, you have right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDRP) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).

You have the right to object against all types of processing described in this privacy information that are based on Art. 6(1)(f) GDPR, based on grounds relating to your particular situation (Art. 21(1) GDPR). To the extent we process your personal data pursuant to Art. 6(1)(f) GDPR for direct marketing purposes, you can object against such processing at any time without giving a particular reason.

Please address corresponding requests, if possible, to:

medneo GmbH
Datenschutz (Data Protection)
Hausvogteiplatz 12
D-10117 Berlin
E-mail: datenschutz(at)medneo.com

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstraße 219, 10969 Berlin

7. Cookies

In addition to the above-mentioned data processing processes, ‘cookies’, small text files, are also saved on your machine. Cookies are not harmful to your computer and don’t contain viruses. Cookies are used to make our website more user-friendly, effective, and secure.

Temporary cookies, and/or ‘session cookies’ or ‘transient cookies’ are primarily used. These are cookies that are deleted after a user leaves a website and closes their browser. The shopping basket contents in an online shop, or a login status, can be saved in such a cookie, for example.

‘Permanent’ or ‘persistent’ cookies are also used; these remain stored even after the browser is closed and are only deleted after a set period of time. As an example, user interests, which are used for reach measurement or marketing purposes, can be saved in such a cookie. ‘Third-party cookies’ are cookies that are used by providers other than the controller who operates the website.

You can change your browser settings so that you are notified about cookies being placed on your machine, and so that you accept or reject cookies only in certain cases or reject cookies in general, and in order to enable cookies to be automatically deleted when you close your browser. Disabling cookies can restrict the functionality of this website.

8. Usercentrics Consent Management Platform

We use the Usercentrics Consent Management Platform (Usercentrics) from Usercentrics GmbH, Rosental 4, 80331 Munich to obtain your consent for the setting of cookies and for tracking and analysis measures ("Consent Management Tool" or "CMT").

When you open our website, you can submit declarations of consent for individual data processing via the CMT, which are stored by the CMT. For this purpose, the CMT assigns a so-called "controller ID" and also stores information in session storage and local storage of your browser:

Session-Storage:

uc_user_country: Stores country and region of you to display the output language of the Usercentrics interface in the appropriate language; Deleted after the session expires; There is no access by third parties to the processed data.

Local-Storage:

uc_tcf: Helps query and submit user consent; Deleted the next time your browser cache is cleared; There is no third-party access to the processed data.
uc_settings: Contains your settings in Usercentrics for consenting to different data processing operations as well as the time of your consent/refusal; Deleted when your browser cache is next cleared; There is no third-party access to the processed data.
uc_user_interaction: Stores whether you have already selected a setting for your data processing preferences (i.e., whether you have already interacted with the CMT); Will be cleared the next time your browser cache is cleared; There is no third-party access to the processed data.

This information, which is assigned to the controller ID, can be used to track which data processing by which services you have or have not consented to when you reopen the website. This means that you do not have to make your settings for consenting to individual data processing operations again each time you visit the site. Of course, you can also change your selection subsequently via the settings. You can open the CMT at any time via the "fingerprint icon".

We use the CMT to allow you to consent to different data processing operations and to revoke consent once given. The legal basis is our legitimate interest in requesting or obtaining, managing, and documenting consents pursuant to Art. 6 (1f) GDPR

You can find more information about Usercentrics' data protection practices at: https://usercentrics.com/privacy-policy/

9. Google Tag Manager

Our website uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
The Tag Manager is used to manage tracking tools and other services, so-called website tags. A tag is an element that is stored in the source code of our website, for example, to record specified usage data. The Google Tag Manager ensures that the usage data required by our partners is forwarded to them.
This is done on the basis of your consent pursuant to Art. 6 (1a) DSGVO, which you have given via the CMT.

You can withdraw your consent to the use of the Google Tag Manager at any time via the CMT. You can open the CMT by clicking on the “fingerprint symbol” in the down left corner of the web page.

We have concluded a data processing agreement with Google. In part, data is processed on a Google server in the USA. We have also concluded an agreement with Google in accordance with the standard contractual clauses of the European Commission.

For more information, please refer to Google's information on the Tag Manager: https://support.google.com/tagmanager/answer/6102821?hl=de&topic=2574304&ctx=topic&rd=2&visit_id=637541728216895198-1249570484

You can also find further information in the CMT.

9. Google Analytics

We use Google Analytics, a web analysis service from Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’). This is based on your consent pursuant to Art. 6(1)(a) GDPR given via the CMT.

You can withdraw your consent to the use of Google Analytics at any time via the CMT. You can open the CMT by clicking on the “fingerprint symbol” in the down left corner of the web page.

This service uses cookies, which are stored on your end device. The information collected by the cookie about your use of this website is generally sent to a Google server in the USA and saved and processed there.

We only use Google Analytics if IP anonymisation is enabled (‘_ananymizeIp()’). This means that your IP address is truncated by Google within the Member States of the European Union or in other signatory states to the Agreement on the European Economic Area such that it no longer contains any personal references. A full IP address is only sent to a Google server in the USA and truncated there in exceptional cases. According to information provided by Google, the IP address sent from the user’s browser will not be merged with other Google data.
The data processing is based on a data processing agreement with Google. We also entered into the Standard Contractual Clauses of the European Commission with Google.

Google uses this information on our behalf to evaluate the use of our website, to compile reports about the activities within our website and to provide other services associated with the use of this website and internet use. In doing so, pseudonym user profiles may be created based on the processed data.

You can find more information about data processing by Google as a controller, as well as settings and objection options on Google’s web pages:

www.google.com/intl/de/policies/privacy/partners (‘How Google uses information from sites or apps that use our services’);
www.google.com/policies/technologies/ads (‘Advertising’); and
www.google.de/settings/ads (‘Control the information Google uses to show you ads’).

You can find additional information in the CMT.
The data collected by Google associated to cookies, user IDs or advertising IDs will be deleted automatically after 14 months.

10. Google Ads

We use the ‘Google Ads’ service Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland („Google“), on our website to promote our offerings on external sites. The analytics service facilitates the statistical evaluation of the total number of users that have clicked on one of our ads who were redirected to certain sites into which Google Ads has been integrated. We do not receive any information that can personally identify users.

This is based on your consent pursuant to Art. 6(1)(a) GDPR given via the CMT.

You can withdraw your consent to the use of Google Ads at any time via the CMT. You can open the CMT by clicking on the “fingerprint symbol” in the down left corner of the web page.

For advertising purposes in Google search results as well as on third-party websites, the so-called Google Remarketing Cookie is set when you visit our website, which automatically enables interest-based advertising by collecting and processing data (IP address, time of visit, device and browser information as well as information about your use of our website) and by means of a pseudonymous CookieID and on the basis of the pages you visit. Data processing beyond this only takes place if you have activated the "personalized advertising" setting in your Google account. In this case, if you are logged in to Google while visiting our website, Google uses your data together with Google Analytics data to create and define target group lists for cross-device remarketing.

For website analysis and event tracking, we measure your subsequent usage behavior via Google Ads Conversion Tracking if you have reached our website via an advertisement from Google Ads. For this purpose, cookies may be used and data (IP address, time of visit, device and browser information, and information about your use of our website based on events specified by us, such as visiting a website or subscribing to a newsletter) may be collected from which usage profiles are created using pseudonyms.

You can find more information in the CMT.

11. Google Maps

This site uses the Google Maps service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
This is based on your consent pursuant to Art. 6(1)(a) GDPR given via the CMT.

You can withdraw your consent to the use of Google Maps at any time via the CMT. You can open the CMT by clicking on the “fingerprint symbol” in the down left corner of the web page.

When using Google Maps, your internet browser automatically establishes a connection to Google servers, during which the data mentioned in section 2 is transferred from your browser to Google. If you have a user account with Google and are logged in to Google, your data may be assigned to your account by Google. We have no influence on this data transmission and further data processing by Google.

Further information on the purpose and scope of data collection and processing by Google, your rights, and settings options to protect your privacy can be found here: https://www.google.de/intl/de/policies/privacy

12. Matelso

Our website uses a service provided by matelso GmbH, Stuttgart. If you call a telephone number switched for us by matelso, information on the telephone call will be transferred to a web analysis service used by us (e.g. Google Analytics). In addition, matelso reads cookies set by our analysis service or other parameters for the website visited by you, such as referrer, document path and remote user agent. The corresponding information is processed by matelso in accordance with our instructions and stored on servers in the EU.

For more information, see: https://matelso.com/en/privacy-statement. You can prevent the storage of cookies by changing the relevant setting in your browser software; however, please note that you may not be able to use all of the functions of this website in their full scope in this case.

13. Online profiles on social media

We have online profiles on social networks and platforms which allow us to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply.

Platform

Profile Facebook: https://www.facebook.com/rad.medneo/
LinkedIn: https://www.linkedin.com/company/medneo-group/
Xing: https://www.xing.com/company/medneo

Data processing in connection with our social media appearances is carried out pursuant to Art. 6 (1f) DSGVO based on our legitimate interest in public relations and communication.

a) Data processing by us

If you publish data related to our social media profiles on the respective platform (e.g. comments, public messages / postings, videos, pictures, likes), this data is published by the respective platform provider. We do not use this data for any other purpose. We share your content published on the respective platform via our profile, if applicable, insofar as this function is offered by the respective social media platform.

We reserve the right to delete content on our own profile, insofar as this is possible for us and appears necessary. The deletion of the content published by you will be carried out in accordance with the usual procedures and policies of the respective social media platform.

We may communicate with you via the social media platform in order to respond to your inquiries. We delete the data accruing in this context after storage is no longer necessary or restrict processing if there are legal retention obligations, insofar as deletion or restriction of processing is possible with the respective social media platform. Communication via social media platforms is potentially insecure. You can always contact us via other means as described in this privacy information.

We do not use any enhanced advertising options in connection with our profiles (e.g. interest, behavior or location-based advertising) of the social media platforms. We only use aggregated, anonymized usage statistics provided by the social media platforms by default.

b) Data processing by the social media platforms

We have no influence on the data and data processing operations collected from you by the social media platforms, nor are we aware of the full extent of the data collection, the purposes of the processing or the storage periods. In particular, from experience, the platform providers stored your data as usage profiles and use them for purposes of advertising, market research and demand-oriented design of their platforms.

Insofar as this is possible for us, e.g. by making settings and configurations, we work towards a data protection-compliant and data-saving handling of your personal data by the respective social media platform. However, we have only extremely limited influence on the data processing by the platform providers.

You can find more detailed information on data processing by the social media platforms in the privacy statements of the respective providers. To exercise your data subject rights in connection with data processing by the social media platforms, you must contact the respective provider.

2. Privacy policy for medneo's scheduling service

This privacy policy explains the type, scope and purpose of personal data processing when using our service to schedule appointments (hereinafter referred to as "appointment service") at medneo diagnostic centres.

The appointment service can be used by telephone, online or on site at the diagnostic centres.

1. Controller and data protection officer

The person responsible in accordance with Art. 4[7] of the EU General Data Protection Regulation (GDPR) is medneo Deutschland GmbH, Hausvogteiplatz 12, D-10117 Berlin (hereinafter referred to as "medneo"), e-mail: datenschutz(at)medneo.com, phone: +49 (30) 814501-700.

You can contact the data protection officer of medneo Deutschland GmbH at

medneo Deutschland GmbH
Data Privacy
Hausvogteiplatz 12
D-10117 Berlin
E-mail: datenschutz(at)medneo.com
phone: +49 (30) 814501-700

2. Data processing by medneo

When using medneo's scheduling service, we record your name, your contact details (address, e-mail address, telephone number), your date of birth, referral data (questions about the examination, suspected diagnosis, referring doctor, type of health insurance or billing) and information about your state of health (contraindications, preliminary examinations).

This information is necessary for the selection of the correct examination date and for the preparation and planning of the examination procedure.

The legal basis for data processing is your consent in accordance with point [a] of Art. 6[1], point [a] of Art. 9[2] of the GDPR. Data processing will therefore only take place if you give your express consent. Since health data is also collected as part of the termination service, your consent is required for the provision of the service. Depending on the type of contact, consent is given by telephone, online or in writing.

If you contact us by telephone, we may also ask you to consent to the recording of the telephone conversation. If you expressly consent to this, we will record the telephone call for training purposes. The legal basis in this respect is point [a] of Art. 6[1], point [a] of Art. 9[2] of the GDPR.

The giving of consent is voluntary. You can revoke your consent at any time with effect for the future.

Your personal data will be forwarded within the framework of the appointment service to those doctors and health care institutions with whom an examination appointment is made and who carry out your examinations or treatments. Further data processing will then be carried out by the respective physicians or healthcare facilities under their own responsibility. For more details, please refer to the data protection information of the respective physician or healthcare facility.

In addition, we use IT and technology service companies to operate and maintain the technical infrastructure. In particular, we use the services of Doctena Germany GmbH, Platz vor dem Neuen Tor, 10115 Berlin to provide online scheduling functions. All of the service companies involved are working exclusively on our behalf and have committed themselves to strict confidentiality.

In addition, the data will only be passed on to third parties if you have consented to the transfer or if there is a legal obligation to do so.

The data will be stored for a period of up to three months unless you agree to longer storage on the basis of a separate declaration of consent. Telephone calls recorded for training purposes will be deleted after three months.

You can request deletion of the data at any time. We will also delete the data if we should no longer offer our termination service.

3. Your data protection rights

In addition to the right to revoke the consent you have given us, you have the right to information in accordance with Art. 15 of the GDPR, to correction in accordance with Art. 16 of the GDPR, to deletion in accordance with Art. 17 of the GDPR, to restriction of processing in accordance with Art. 18 of the GDPR, the right of objection in accordance with Art. 21 of the GDPR and the right to data transferability in accordance with Art. 20 of the GDPR, provided the respective legal requirements are met.

In addition, there is a right of appeal to the data protection supervisory authorities. The data protection supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.

3. Privacy policy – Applying to medneo

We would like to inform you below about data processing in connection with your application.

The data controller within the meaning of the General DataProtection Regulation ("GDPR")for the processing of applicant data is the medneo Group company to which you are applying. This can be one of the following companies:

medneo GmbH (Hausvogteiplatz 12, 10117 Berlin) – Data Protection Officer - email: datenschutz(at)medneo.com
medneo Deutschland GmbH (Hausvogteiplatz 12, 10117 Berlin) – – Data Protection Officer - email: datenschutz(at)medneo.com
medneo Schweiz AG (Poststrasse 9, 6300 Zug / CH) - Data – Data Protection Officer - email: datenschutz(at)medneo.com

1. We use your personal data that you provide to us throughout the application process (for example, in cover letters, resumes, references, applicant questionnaires, applicant interviews, information that you post on applicant portals). In addition, we may process personal data that we have lawfully obtained from publicly available sources (e.g., professional social networks), from recruiters or contact with references. The data processing is carried out in accordance with Art. 88 GDPR, § 26 para. 1 p. 1 BDSG for recruiting purposes. This also applies to special categories of personal data (such as health data, religious affiliation, severe disability) if you have voluntarily provided such data to us.

We do not carry out any automated decision-making or profiling pursuant to Art. 22 DSGVO.

medneo UK Ltd (155-157 Great Portland Street, London, United Kingdom, W1W 6QP – email: dpo-uk(at)medneo.com

2. Upon your express consent, we will retain your data beyond the end of a specific application process for a period of 12 months so that we can contact you later if you are considered for another position (inclusion in our "applicant pool"). If you apply for another position, the period starts again. Before the period expires, we will contact you by email to ask whether you agree to further storage. The legal basis for this data retention is Art. 6 para. 1a DSGVO.

You can withdraw your consent to be included in the applicant pool at any time, e.g. by sending an e-mail to people@medneo.com.

3. We delete your data as follows

Your data will be deleted after completion of the application process. You can request deletion of your data at any time, e.g., by sending an E-Mail to people@medneo.com.

An application process is completed when the period has expired in which lawsuits for violation of the AGG (Allgemeines Gleichbehandlungsgesetz, German General Equal Treatment Act) can still be expected (usually six months after the rejection has been sent, if no lawsuit or assertion according to § 15 para. 4 AGG has been received by then). Longer storage periods may apply if data is required to assert, exercise, or defend legal claims

If your application is successful, your data will be transferred to the personnel file, insofar as this is necessary and permissible.

4. We may engage external service providers who act exclusively on our behalf and are not permitted to process data for their own purposes, in particular:

assessment centers, recruiters and personnel consultants
external consultants in the case of an aptitude diagnostic procedure
lawyers in the event of a dispute, if applicable
IT service providers to support our IT processes

5. In addition to the right to revoke your consent given to us, you have right to request access to (Art. 15 GDPR) and rectification (Art. 16 GDPR) or erasure (Art. 17 GDRP) of personal data or restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR), if the respective legal requirements are met. In addition, you have a right of appeal to the data protection supervisory authorities pursuant to Art. 77 GDPR. The data protection supervisory authority responsible for us, to which (in addition to other supervisory authorities) a complaint about a violation of data protection law can be submitted is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin
Tel.: 030 13889 – 0
Fax: 030 2155050
E-Mail: mailbox(at)datenschutz-berlin.de

4. Information regarding data processing in the course of an examination or a treatment carried out at a medneo diagnostic centre

As a patient of a facility providing treatment, your personal data is processed by the facility providing the treatment and by medneo Deutschland GmbH. We would like to inform you about this data processing and the responsible bodies.

1. Data processing by the facility providing the treatment

With this information, we would like to inform you about data processing by the facility providing the treatment during an examination or treatment carried out at a medneo diagnostic centre. Please also note the data protection information of the facility providing the treatment. The contact details of each treatment facility can be found on the patient forms that you receive before the examination. Data processing is carried out for the performance of the diagnostic and therapeutic services by the physicians in the facility providing the treatment. The legal basis is Article 6 paragraph 1 sentence 1 point b), Article 9 paragraph 2. h) of the General Data Protection Regulation (GDPR), in conjunction with Section 22 paragraph 1 No. 1 point b) of the Federal Data Protection Regulation (BDSG). medneo Deutschland GmbH (medneo) will process your personal data by order of the respective facility providing the treatment (Article 28 GDPR). Every time an appointment is arranged and every time an examination or a treatment is carried out, the following data will be collected: Information about you (name, date of birth, address, contact details, insurance data, details of those bearing the costs) and about your state of health (referral details, consultation details, contraindications, preliminary findings, diagnoses, image data) as well as information from the examination or treatment carried out (medical history data, examination protocols, image data, diagnoses, findings, billing information). This information will be stored verifiably with reference to the patient in the information systems of medneo and, when applicable, of the facility providing the treatment.

Your personal data can be forwarded to the following recipients:

Physicians working in the facility providing the treatment or who are affiliated with the facility in a service provider association or professional association
Physicians who will create a second report at your request and your consent for data transmission
Physicians, with whom the medical facility cooperates to obtain a second opinion for quality assurance, if you have consented to this data transfer; the list of corresponding physicians can be viewed at the reception of the medneo diagnostic centre,
The outpatient/inpatient healthcare facilities that continue to provide treatment.
our health insurance scheme, competent National Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung) or the Social Accident Insurance Institution (Berufsgenossenschaft) for the billing of the services; billing data will only be forwarded to external billing service providers if you have consented to this separately.
Laboratory physicians and/or histologists, provided that the treatment requires such diagnostics.
medneo Deutschland GmbH as a service provider for the planning and carrying out of the examination and treatment, the follow-up regarding your examination results and the documentation of the service.
IT and Technology Service providers for the operation and maintenance of the infrastructure with which the treating facility cooperates, among other things all integrated service companies have undertaken to maintain strict confidentiality.

Moreover, data will only be passed on to third parties if you have consented to the transfer or if there is a legal obligation to do so (e.g. public health department, health insurance medical service [medizinischer Dienst der Krankenkassen, MDK]). The data will be retained in accordance with the statutory storage period and is subsequently erased. In accordance with Section 630f (3) of the German Civil Code (BGB), the patient file must generally be retained for ten years after completion of treatment, unless other retention periods exist under other regulations.

2. Data processing by medneo

Data processing for radiation protection and quality assurance medneo (medneo Deutschland GmbH, Hausvogteiplatz 12 10117 Berlin, Germany) as a diagnostic equipment carrier as well as radiation protection responsible is obliged to ensure documentation and quality assurance. When applying ionising radiation, medneo is obliged to store all treatment data (in regard to article 85 radiation protection law ‘Strahlenschutzgesetz) and to transmit this data to medical or dentistry services for quality assurance (in regard to paragraph 128 radiation protection act ‘Strahlenschutzverordnung’). This data contains information of the exculpatory indication, the point in time and way of appliance, information of the exposition, the result, image data and all other examination data. As a result, everything has to be stored for a duration of 10 year for adults as well as up to the age of 28 years if the patient is not at full age at the point of the examination (regarding paragraph 85 section 2 radiation protection law ‘Strahlenschutzgesetz). When applying non-ionising radiation, medneo is obliged to document and store examination data (kind of examination, used diagnostic devices and their technical settings, potential occurred secondary effects, education documentation and consents) as well as image data in regards to paragraph 2 sentence 3 in conjunction with attachment 2 of the enactment of the prevention of harmful effects of applying non-ionising radiation in humans ‘Verordnung zum Schutz vor schädlichen Wirkungen nichtionisierender Strahlung bei der Anwendung am Menschen (NiSV)’.

The legal basis for data processing to document and quality assurance is article 6 paragraph 1 point c), paragraph 2 point i) GDPR of the radiation protection law and radiation protection act ‘Strahlenschutzgesetz’ and ‘Strahlenschutzverordnungen’. Data processing for the provision of medical services by medneo as a treating facility and by cooperating physicians. medneo may provide certain medical services as a treating facility. In this case, medneo Deutschland GmbH is listed as the treating facility in the header of the patient form. The medical services are provided by cooperation physicians on behalf of medneo. The respective cooperating physician is named in the patient form. You can contact the cooperating doctor via medneo’s contact details below. Insofar as it is necessary for your examination / treatment, medneo will transfer your personal data, including your health data, to the cooperation physician in accordance with Art. 9 Para. 2 lit. h GDPR in conjunction with. § 22 para. 1 no. 1 lit. b BDSG.

For data processing by medneo as the treating facility and the cooperating physician, the data protection information listed above under No. 1 shall apply accordingly in each case. medneo and the cooperating physician process your data under joint responsibility pursuant to Art. 26 GDPR. The cooperating physician is responsible for data processing in connection with his medical services, medneo for the other processing operations, in particular in connection with the implementation of the treatment contract and the operation of the technical infrastructure. Your data subject rights and requests under the GDPR will be handled by medneo.

You can, however, assert your rights under the GDPR with and against medneo and the cooperating physician respectively. Data processing for the service provision In addition to carrying out data processing as part of examination and treatment, medneo (medneo Deutschland GmbH, Hausvogteiplatz 12 10117 Berlin) may provide you with further services on the base of your consent to the data processing. In this case, the data processing is carried out by your consent regarding article 6 paragraph 1 sentence 1 point a), article 9 paragraph 2. a) GDPR for the purpose of the service provision. Particularly your contact and insurance data (name, date of birth, address, contact details, insurance details, cost barer) will be stored as well as information regarding the examination or treatment (medical history data, examination protocols, image data, reports, billing information) due to be accessible for you at a later point in time, to be forwarded to other healthcare providers on your request as well as to schedule future appointments in a medneo diagnostic center. Data will be stored for a duration of five years unless you request a longer storage duration. You are free to request data erasing at any point in time. medneo is also erasing your data, if medneo would be unable to provide additional services. The consent is not mandatory. You can cancel the consent at any point in time for future purposes. We use your postal address to contact you regarding future services medneo provides. Therefore, the data processing is carried out in legitimate interest regarding article 6 paragraph 1 point f) GDPR. You are allowed to file an objection without giving any reasons against the data processing in relation to the described purposes above (Art. 21(2) GDPR).

Data processing in an anonymised way

In case you have given permission for the data processing, we will process your data regarding your health condition (referral data, educational questions, contraindications, previous results, diagnoses, image data) as well as information in relation to the examination itself or the treatment (medical history data, examination protocols, image data, diagnosis, reports, billing information) in an anonymised way for the purpose of product development and improvement, for teaching purposes as well as to proceed with scientific studies. For the aforementioned purposes, we may also transfer the anonymized data to third parties. For that, we erase all person-identifiable information from the data sets and process them strictly separate to the original data. This is secured through technical as well as organisational measures. In that way it is guaranteed that your identity stays confidential. We erase the anonymised data once it is not needed for the described purposes. The legal base is article 6, paragraph 1 sentence 1 point a), article 9 paragraph 2.a) GDPR. There is no obligation for consent. Withdrawing is possible with immediate effect at any point in time in the future. Your personal data may be forwarded to the following recipients:

Physicians and dentistry services for quality assurance in regard to paragraph 128 radiation protection act respectively the protection act of harmful radiation effects of non-ionising radiation in humans (NiSV);
Other healthcare facilities on your behalf.
IT and technology service providers with which medneo is cooperating for the operation and maintenance of the infrastructure, etc.; all service providers involved are subject to a strict obligation of Confidentiality.

Moreover, the data will only be passed on to third parties if you have consented to the transfer or if there is a legal obligation to do so.

3. Your data protection rights

You have the following data protection rights vis-à-vis the facility providing the treatment and medneo, depending on the specific circumstances of the case in question:

to obtain information about the personal data concerning you that are processed by us as well as to request access to your personal data or copies of such data. This includes access to the purpose of use, the category of the data used, the recipients of such data and those entitled to access it, as well as, if possible, the planned duration of the data storage or, if this is not possible, the criteria for determining this duration.
To request rectification, erasure or restriction of processing of your personal data, for instance when (i) the data is incomplete or inaccurate, (ii) the data is no longer necessary for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn; where the data is processed by third parties, we will forward your requests to rectify, erase or restrict the processing to those third parties, unless this proves impossible or involves a disproportionate effort;
To refuse consent, or – without any effect on the lawfulness of the data processing that has occurred prior to the revocation–
To revoke your consent to the processing of your personal data at any time.
To request personal data concerning you, and which you have provided to us in a structured, commonly used, and machine-readable format and to transmit such data to another person without any hindrance from us; you also have the right, if applicable, to request that we directly transmit the personal data to another person, if this is technically feasible.
To request not to be subject to a decision based solely on automated processing, if this decision produces legal effects concerning you or similarly significantly affects you; if such an automated decision is taken by way of derogation, you have the right to obtain information on the logic involved as well as on the significance of the envisaged consequences.
To communicate with the data protection supervisory authorities and to lodge a complaint with the authorities. The contact address of the supervisory authority responsible for medneo is Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin.

4. Contact

If you have any questions about data processing by medneo or by cooperating physicians of medneo, medneo’s data protection officer will be happy to assist you:

medneo Deutschland GmbH
Datenschutz (Data Protection)
Hausvogteiplatz 12 D-10117 Berlin
datenschutz(at)medneo.com

If you have any questions about data processing by the facility providing the treatment, please contact the data protection officer of that facility, provided that the facility has designated a data protection officer. You can find the contact details of the facility providing the treatment in the patient form that you receive before the examination.

5. Information about legal retention periods

Retention periods based on an overview provided by Berlin Doctors’ Council (Ärztekammer Berlin, https://www.aerztekammer-berlin.de/10arzt/30_Berufsrecht/08_Berufsrechtliches/04_Praxisorga/20_Merkblatt_Aufbewahrungsfristen.pdf)

Balance sheets, accounting documents (Section 147 of the German Tax Code [Abgabenordnung, AO]): 10 years
Blood donations (documentation): 15, 20, 30 years
Blood product application (documentation): 15, 30 years

Certificate of incapacity: 1 year
Cytological findings and preparations: 10 years

Doctor’s records: 10 years
Doctor’s letters (internal and external): 10 years
Drug prescriptions part III, parts I to III of incorrectly issued drugs prescriptions: 3 years
Drugs register/EDP printouts, index card: 3 years

Early detection of cancer for children/women/men: 10 years
ECG strips; also, long-term ECG: 10 years
EEG strips: 10 years

Index cards and other medical records, including separate examination results: 10 years.

Laboratory journal, laboratory findings: 10 years

Occupational health record based on the Radiation Protection Ordinance (Strahlenschutzverordnung) and the X-Ray Regulation (Röntgenverordnung): up to 75 years old; minimum 30 years old.

Patient assessments: 10 years

Radiation examination: 10 years
Radiation treatment (records, calculations): 30 years
Referral letter (Section 4 No. 12 of the KV Berlin accounting regulations): 1 year (4 years)
Results of genetic examinations and analyses under the Genetic Diagnostics Act (Gendiagnostikgesetz, GenDG): 10 years

Sexually transmitted diseases: 10 years
Sonographic examinations: 10 years

X-ray examinations: 10 years
X-ray treatment (records, calculations): 30 years