Privacy policy

1) Introduction and Contact Information of the Data Controller

1.1 We are pleased that you are visiting our website and thank you for your
interest. In the following, we will inform you about how we handle your
personal data when using our website. Personal data refers to any data that
can personally identify you.

1.2 The data controller for data processing on this website in accordance with
the General Data Protection Regulation (GDPR) is Katharina Treder,
Manfred-von-Richthofen-Str. 9, 12101 Berlin, Deutschland, Tel.: +4915161496900,
E-Mail: katharinatreder@protonmail.com. The data controller is the natural or legal
person who alone or jointly with others decides on the purposes and means of
processing personal data.

2) Data Collection When Visiting Our Website

2.1 When you use our website for informational purposes only, i.e., when you
do not register or provide us with information, we collect only the data that
your browser sends to the server (so-called “server log files”). When you access
our website, we collect the following data that is technically necessary for us to
display the website to you:

  • The page of our website that was visited
  • Date and time of access
  • Amount of data sent in bytes
  • Source/reference from which you accessed the page
  • Browser used
  • Operating system used
  • IP address used (if applicable, in anonymized form)

Processing is carried out in accordance with Art. 6(1)(f) GDPR based on our
legitimate interest in improving the stability and functionality of our website.
There is no further use or disclosure of this data. However, we reserve the right
to retrospectively check the server log files should specific indications of
unlawful use become known.

2.2 For security reasons and to protect the transmission of personal data and
other confidential content (e.g., orders or inquiries to the data controller), this
website uses SSL or TLS encryption. You can recognize an encrypted connection
by the address line of your browser changing to “https://” and the lock symbol
in your browser line.

3) Contact

3.1 Doctolib

For the provision of an online appointment booking function, we use the
services of the following provider: Doctolib GmbH, Mehringdamm 51, 10961
Berlin, Germany.

For the purpose of scheduling appointments, first and last names, as well as
email addresses (and, if a phone appointment is desired, possibly the phone
number), are collected in accordance with Art. 6(1)(b) GDPR and transmitted to
the provider based on our legitimate interest in effective customer management
and efficient appointment scheduling. The data is stored by the provider for appointment organization.

After the appointment or after the agreed appointment period has expired,
your data will be deleted by the provider.

We have concluded a data processing agreement with the provider, which
ensures the protection of our website visitors’ data and prohibits unauthorized
disclosure to third parties.

3.2 In the context of contacting us (e.g., via contact form or email), personal
data is collected. The data that is collected when using a contact form can be
found in the respective contact form. This data is stored and used exclusively
for the purpose of responding to your inquiry or for contact and the associated
technical administration. The legal basis for processing this data is our
legitimate interest in responding to your request in accordance with Art. 6(1)(f)
GDPR. If your contact is aimed at concluding a contract, an additional legal
basis for the processing is Art. 6(1)(b) GDPR. Your data will be deleted after the
final processing of your request, provided there are no legal retention
obligations preventing its deletion.

4) Rights of the Data Subject

4.1 The applicable data protection law grants you comprehensive rights
regarding the processing of your personal data by the data controller (rights of
data subjects). For the specific conditions for exercising these rights, please
refer to the specified legal basis:

  • Right to information according to Art. 15 GDPR
  • Right to rectification according to Art. 16 GDPR
  • Right to erasure according to Art. 17 GDPR
  • Right to restriction of processing according to Art. 18 GDPR
  • Right to be informed according to Art. 19 GDPR
  • Right to data portability according to Art. 20 GDPR
  • Right to revoke granted consent according to Art. 7(3) GDPR
  • Right to lodge a complaint according to Art. 77 GDPR

4.2 Right of objection

If we process your personal data based on our legitimate interest or public
interest, you have the right to object to such processing, provided that there
are grounds arising from your particular situation that give rise to the
objection. If you exercise your right to object, we will stop processing the data
concerned. However, we may continue to process the data if we can
demonstrate compelling legitimate grounds for the processing that override
your interests, rights, and freedoms, or if the processing is necessary for the
establishment, exercise, or defense of legal claims.

If your personal data is processed by us for direct marketing purposes, you
have the right to object at any time to the processing of personal data
concerning you for such marketing. You may exercise this right as described
above.

If you exercise your right to object, we will cease processing your personal data
for direct marketing purposes.


5) Duration of Personal Data Storage

The duration of the storage of personal data is based on the respective legal
basis, the purpose of processing, and, if applicable, the applicable legal
retention periods (e.g., commercial and tax retention periods).

If personal data is processed on the basis of explicit consent in accordance with
Art. 6(1)(a) GDPR, it will be stored until you revoke your consent.

If there are legal retention periods for data that are processed within the
framework of legal or similar obligations based on Art. 6(1)(b) GDPR, the data
will be routinely deleted after the retention periods have expired, provided
they are no longer necessary for the performance of the contract or the
initiation of a contract, and/or if there is no longer a legitimate interest in
continued storage on our part.

If personal data is processed based on Art. 6(1)(f) GDPR, it will be stored until
you exercise your right to object according to Art. 21(1) GDPR, unless we can
demonstrate compelling legitimate grounds for the processing that override
your interests, rights, and freedoms, or if the processing serves the assertion,
exercise, or defense of legal claims.

If personal data is processed for the purpose of direct marketing based on Art.
6(1)(f) GDPR, it will be stored until you exercise your right to object according
to Art. 21(2) GDPR.

If no other information is provided in this statement regarding specific
processing situations, stored personal data will be deleted when it is no longer
necessary for the purposes for which it was collected or otherwise processed.

6) Multilingual design of the website

For the multilingual design of our website, we use the program Polylang, developed by WP SYNTEX, located at 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. The cookies from Polylang are used solely to recognize and store the language chosen or used by the user. These cookies are stored for one year and then automatically deleted. The legal basis for the use of these cookies is Article 6(1)(f) of the GDPR. For more information on data protection compliance, please refer to: https://polylang.pro/doc/is-polylang-compatible-with-the-eu-cookie-law/.

Extended Privacy Policy for the Online Appointment Service of DOCTOLIB

For DOCTOLIB, the security and confidentiality of its users’ personal data are of
the utmost priority. Therefore, DOCTOLIB commits to complying with all
German and European regulations for the protection of personal data.

DOCTOLIB adheres to the professional rules and regulations issued by the
respective chambers and associations for doctors and healthcare professionals.

DOCTOLIB employs an extremely strict privacy policy, as outlined below, to
ensure the security of its users’ personal health data:

  • Each user has sole ownership of their data. DOCTOLIB can only process this
    data for the purposes listed below.
  • Data processing is transparent, confidential, and adheres to high security
    standards.
  • DOCTOLIB commits to continuous monitoring and improvement of existing
    data protection measures in compliance with the Federal Data Protection Act
    (BDSG) as amended on June 30, 2017, and the General Data Protection
    Regulation (GDPR) of April 27, 2016.
  • DOCTOLIB maintains its own privacy team, specialized in not only
    maintaining but consistently enhancing the already high level of security. This
    team includes legal experts, a Data Protection Officer, a Chief Security Officer,
    and a team of developers with specialized training in data privacy and security.
  • Users’ personal health data is hosted in two separately certified data centers
    with physical security safeguards.

SUBJECT OF DATA PROTECTION PROVISIONS

DOCTOLIB aims to inform its users about how it protects the personal data
collected through the website https://www.doctolib.de or the “Doctolib”
mobile application, available on mobile devices.

These data protection provisions describe how DOCTOLIB and healthcare
professionals, as subscribers to DOCTOLIB’s online services, process and store
the personal data of visitors and users (hereinafter referred to as “users”) when
using and navigating on the website www.doctolib.de (hereinafter referred to
as the “website”) or using the mobile application (hereinafter referred to as the
“application”).

Certain personal data of users is considered as personal health data and is thus
referred to as “health-related personal data.”

These data protection provisions may be amended, supplemented, or updated,
especially to comply with developments in laws, regulations, jurisprudence,
editing, or technology. However, the personal data of the user will always be
processed in accordance with the data protection provisions in effect at the
time of their collection, unless a retroactive rule dictates otherwise. The data
protection provisions are part of the general terms of use of the website.

Legal Declaration: The responsible entity for processing personal data, as per
the law, is the person who determines the means and purposes of the
processing. The data processor is the person who processes personal data on
behalf and under the instructions of the responsible entity. The data processor
acts exclusively under the supervision and instructions of the responsible
entity.

For the processing of personal health data collected by the user (i) when
scheduling appointments online through the website or application or (ii) by
the healthcare professional in their Doctolib appointment calendar, each
individual doctor with whom you have scheduled an appointment is the
responsible entity. In this case, each doctor is considered the responsible
entity, and Doctolib is the data processor, acting according to the specific
instructions of the responsible entity.

For the data entered by the user during account setup or website navigation:
DOCTOLIB GMBH, Wilhelmstraße 118, Building C, 10963 Berlin, registered in
the commercial register of the Amtsgericht Charlottenburg under registration
number HRB 175963B, represented by the managing directors Simon Krüger
and Stanislas Niox-Chateau.

Depending on whether DOCTOLIB is the responsible entity or the data
processor, appropriate measures are taken by DOCTOLIB to ensure the security
and confidentiality of the personal information it possesses or processes in
compliance with the BDSG and GDPR. For further information regarding the
services provided by DOCTOLIB, we direct you to the terms of use of the
website (https://www.doctolib.de/terms).

COLLECTION AND ORIGIN OF DATA
All data concerning users is only collected directly from them. Where
necessary, we commit to obtaining their consent and/or allowing them to
object to the use of their data for specific purposes. In any case, users are
informed of the purposes for which their data is collected by DOCTOLIB
through various online data collection forms or through our cookie
management.

PURPOSE OF DATA PROCESSING
Necessity of collecting personal data
Most of DOCTOLIB’s services do not require registration, and users can visit the
website without prior login. When scheduling an online appointment with a
doctor, disclosing certain personal data of the user may be necessary. In these
cases, if the user chooses not to provide the requested information, they may,
under certain circumstances, be unable to access certain parts of the website
or application, and DOCTOLIB may not be able to process their request as a
result.

Purposes
The legal basis for collecting user data is as follows:

  • Our legitimate interest in ensuring the best quality of our services, the best
    possible tracking of user appointments and journeys, and the conduct of
    satisfaction improvement of our website and application.
  • Our legitimate interest in conducting voluntary opinion surveys to improve
    our services.
  • User consent, where required by applicable law, especially regarding
    advertising and cookies.

Personal data of users are collected for the following purposes:

  • To enable users to navigate the website and use the application.
  • To connect them with healthcare professionals and facilitate their
    communication.
  • To manage the appointments and treatment progress of users and their
    relatives with healthcare professionals (e.g., receiving appointment
    notifications, changing or canceling appointments).
  • To provide users with an optimal treatment schedule.

As a secondary purpose, personal data may be processed for the following
purposes:

  • To prevent and combat computer fraud (spam, hacking, etc.).
  • To improve website navigation and application usage.
  • To conduct voluntary opinion surveys about Doctolib’s services anonymously
    or in a pseudonymous manner.
  • To generate statistics about the use of the DOCTOLIB tool, internal reporting
    for research and development teams, and reporting directed at healthcare
    professionals (no personal health data is used).

More details about managing cookies can be found below.

The mandatory or optional nature of the requested personal data and the
possible consequences of not providing them are specified at the time of their
collection.

TYPES OF PROCESSED PERSONAL DATA
DOCTOLIB, as a data processor for appointment scheduling, appointment
management, and treatment, may process the following data, in whole or in
part:

  • Last name (and name at birth), first name, date of birth
  • Phone number, email address, postal address (possibly digicode)
  • Password
  • Reason for the appointment with the healthcare professional, the healthcare
    professional’s specialty, appointment frequency
  • Treating and referring physician
  • Schedule of appointments
  • The data that belongs to the patient’s record, which the healthcare
    professional shares with the user.
  • The same data for relatives for whom the user schedules appointments.

DOCTOLIB, as the data controller for appointment scheduling and appointment
management, may collect the following data, in whole or in part:

  • To enable you to navigate the website or use the application: Connection data
    and website or application usage.
  • To prevent and combat computer fraud (spam, hacking, etc.): Computer
    hardware for browsing, IP address, password (hashed).
  • To enhance user website navigation or application usage: login and usage data.
  • For conducting optional opinion surveys: Email address.
  • For conducting communication campaigns: SMS, email, phone, letter.

NO DISCLOSURE OF PERSONAL DATA

Personal data will not, under any circumstances, be disclosed to commercial or
advertising partners. Personal data may only be used by DOCTOLIB, its parent
and subsidiary companies, and subcontractors (service providers) for the
purposes of data protection in full respect of the principle mentioned above.

In the scope of their respective responsibilities and the purposes mentioned
above, the individuals who have access to the data (excluding health-related
personal data) of Doctolib users may be employees of the DOCTOLIB customer
service.

Additionally, DOCTOLIB utilizes hosting providers certified by the French
Ministry of Health. DOCTOLIB also utilizes the services of several specialized
companies (mailing, audience analysis), the list of which can be sent to the data
subjects upon request to datenschutz[at]doctolib.de. No personal health data
is disclosed to them. If these companies use servers outside of the European
Union, we have concluded special contracts and standard contractual clauses
of the European Commission with them to monitor and secure the
transmission of your data to these providers.

DURATION OF STORAGE
Data will be stored only for as long as necessary in accordance with applicable
law to fulfill the respective purpose.

USER RIGHTS
Whenever DOCTOLIB processes personal data, DOCTOLIB takes all necessary
measures to ensure their accuracy and relevance in accordance with the
purpose for which they are collected. According to the GDPR, you have the
following rights:

  • Right of access, information (Article 15 GDPR), correction (Article 16 GDPR),
    updating, completeness of user data.
  • Right to block or delete personal data (Article 17 GDPR) if they are
    inaccurate, incomplete, ambiguous, expired, or their collection, use, disclosure,
    or storage is prohibited.
  • Right to withdraw consent at any time (Article 13-2 GDPR).
  • Right to restriction of processing (Article 18 GDPR).
  • Right to object to processing (Article 21 GDPR).
  • Right to data portability of the data provided by the user, to the extent that
    they are processed automatically based on a contract or consent (Article 20
    GDPR).

If the user wants to know how DOCTOLIB uses their personal data, wishes to
object to the processing, or requests a correction, they can contact DOCTOLIB
in writing at the following address: DOCTOLIB GMBH — DPO — Wilhelmstraße
118, Aufgang C, 10963 Berlin, Germany, or by email at
datenschutz[at]doctolib.de.

In this case, the user must provide the personal data that DOCTOLIB should
correct, update, or delete; for this, they must identify themselves precisely with
a copy of their ID (identity card or passport). For requests for the deletion of
personal data, the legal obligations of DOCTOLIB to retain or archive the
relevant documents must be considered. You also have the right to lodge a
complaint with a data protection supervisory authority regarding the
processing of your personal data by us. The competent supervisory authority
for DOCTOLIB’s headquarters is the Berlin Commissioner for Data Protection
and Freedom of Information, Friedrichstr. 219, 10969 Berlin.

“COOKIES” AND TAGS ON THE INTERNET
“COOKIES”
A “cookie” is a small information file that is sent to the user’s browser and
stored on the user’s terminal (e.g., PC, smartphone) (hereinafter referred to as
“cookies”). The file contains information such as the user’s domain name, the
user’s internet service provider, the user’s operating system, and the date and
time of access. Cookies cannot in any way damage the user’s terminal.

DOCTOLIB may process user information about their visit to the website, the
pages visited, and searches (excluding health-related personal data). This
information allows DOCTOLIB to improve the content of the website and the
user’s navigation.

Since cookies facilitate browsing and/or the delivery of services offered by the
website, the user can configure their browser through the “Settings/Security”
menu to decide whether to accept cookies stored on the terminal from various
sources or not. The user can also configure their browser to prompt them for
consent or rejection of cookies before a cookie is stored on their terminal.
DOCTOLIB informs the user that in this case, they may not have access to all
the features of their navigation software.

If the user rejects the storage of cookies on their terminal or browser or deletes
already stored cookies, they will be informed that browsing and visiting the
website may be limited for them. This may also be the case if DOCTOLIB or one
of its service providers cannot recognize the technical compatibility or the type
of browser used, language and display parameters, or the country from which
the terminal is connected to the internet.

DOCTOLIB disclaims any liability for the consequences of the restricted
operation of the website and services offered by DOCTOLIB if (i) the user
rejects cookies, or (ii) DOCTOLIB cannot store or consult the cookies necessary
for operation.

The configuration for managing cookies and the user’s choice varies for each
browser. The help menu of each browser describes how the user can change
their preferences regarding cookies. The user can change and implement their
preferences and choices regarding cookies at any time.

DOCTOLIB may also access external service providers to assist in the collection
and processing of the information described in this section.

Finally, if you click on the social network icons for Twitter, Facebook, LinkedIn,
and Google Plus on our website or in our mobile application and have
accepted the placement of cookies by continuing to browse our website or
mobile application, Twitter, Facebook, LinkedIn, and Google Plus may also
place cookies on your devices (computer, tablet, mobile phone). These types of
cookies are only placed on your devices with your consent as you continue to
browse our website or mobile application. However, you can withdraw your
consent for the storage of these types of cookies at any time through our
cookie management policy.

“INTERNET TAGS”
DOCTOLIB may occasionally use internet tags (also known as action tags,
single-pixel GIFs, clear GIFs, invisible GIFs, and 1×1 GIFs) and may employ them
through an advertising partner or a specialized web analytics partner, which may be
located abroad (and thus may store relevant information, including the user’s
IP address). These tags are placed in online advertisements to enable users to
access the website as well as on various pages. This technology allows
DOCTOLIB to assess visitors’ responses on the website and the effectiveness of
their actions (e.g., the number of page views and sought-after information), as
well as the user’s utilization of the website. The external service provider
(advertising partner or web analyst) may potentially collect information about
website visitors and visitors to other internet websites using these tags,
generate reports on the website’s activity for DOCTOLIB, and provide other
services related to its use and the internet.

SECURITY
Doctolib is committed to implementing all necessary technical and
organizational measures to ensure the secure and protected processing of
personal data. In this context, DOCTOLIB takes all required precautions related
to the nature of the data and the associated processing risks to ensure data
security, particularly to prevent data from being tampered with, damaged, or
accessed by unauthorized third parties. These measures include physical facility
security, authentication processes with personal and secure access through
usernames and confidential passwords, logging of connection data, and
encryption of specific data, among others.

PERSONAL INFORMATION AND MINORS

In principle, the website and the services available on the website are intended
for adults who are legally competent to enter into contracts according to the
laws of the country in which the user is located. Minors under 16 years of age
must obtain the prior consent of their legal guardian before they are allowed to
enter their data on the website or application. Except in cases of legal
confidentiality requirements or medical confidentiality obligations, DOCTOLIB
can immediately inform this guardian (i) about the specific categories of
personal data collected from the minor, and (ii) about the option to object to
the collection, use, or retention of this data. Depending on the legal provisions
in force at the user’s habitual residence, the minimum age may be lowered to
13 years in accordance with Article 8 of the GDPR.

HOW TO CONTACT US
If the user has any questions or complaints regarding DOCTOLIB’s compliance
with these data protection policies, or if the user wishes to provide DOCTOLIB
with recommendations or comments to improve the quality of these data
protection policies, they can contact DOCTOLIB in writing at the following
address: DOCTOLIB GMBH — Wilhelmstraße 118, Aufgang C, 10963 Berlin,
Germany, or email at datenschutz[at]doctolib.de.