Privacy policy for the use of the (samedi video consultation)

Last update 02.02.2021.

1. Purpose and scope of action

This privacy policy applies to the visit and use of:

Personal data (hereinafter referred to as "data") will only be processed by us within the scope of necessity and for the purpose of providing a functional and user-friendly Internet presence, including its contents and the services offered there.

In accordance with Art. 4 item 1. of Regulation (EU) 2016/679, i.e. the Basic Data Protection Regulation (hereinafter referred to only as "GDPR"), "processing" shall mean any operation or set of operations carried out with or without the aid of automated procedures in connection with personal data, such as collection, recording, organization, organization, storage, adaptation or alteration, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, alignment or combination, restriction, deletion or destruction.

With the following data protection declaration, we inform you in particular about the type, scope, purpose, duration and legal basis of the processing of personal data, insofar as we decide either alone or together with others about the purposes and means of processing. In addition, we inform you in the following about the third-party components we use for optimization purposes and to increase the quality of use, insofar as third parties process data on their own responsibility.

2. Information about us as responsible persons

Responsible provider of this website in the sense of data protection law is:

samedi GmbH
represented by the managing directors Prof. Dr. Alexander Alscher, Katrin Keller
Rigaer Str. 44
10247 Berlin
Phone: +49 (0)30 21230707-0

Data protection officer at the provider is:

Oliver Guderjahn
Externer Datenschutzbeauftragter / Wirtschaftsjurist (LL. M.)
Kedua GmbH
Eichhorster Weg 80
13435 Berlin

Geschäftsführer: Ralf Schulze
HRB 4691 AG Neuruppin

3. Log files

For technical reasons, especially to ensure a secure and stable Internet presence, data is transmitted to us by your Internet browser. These so-called server log files are used to record, among other things, the type and version of your Internet browser, the operating system, the website from which you have switched to our Internet presence (referrer URL), the website(s) of our Internet presence that you visit, the date and time of the respective access and the IP address of the Internet connection from which our Internet presence is used.

This data is temporarily stored, but not together with other data about you. This storage takes place on the legal basis of Art. 6 para. 1 (f) GDPR. Our legitimate interest lies in the improvement, stability, functionality and security of our Internet presence.

The data will be deleted after 7 days at the latest, unless further storage is required for evidentiary purposes. Otherwise, the data is completely or partially excluded from deletion until the final clarification of an incident.

4. Health data

In order to provide the functionality of the video consultation between doctor and patient, we need to transfer data between the parties participating in the video consultation. In order to maintain patient and doctor confidentiality, we use technology that allows us to transfer data in an end-to-end encrypted format as directly as possible between the participants. This means that the data is encrypted on the patient's end device and only decrypted again on the doctor's end device (and vice versa). The technology used is called WebRTC, and generally uses AES as the encryption algorithm. This means that nobody except the participants of the video consultation can see this data in plain text (not even samedi the operator of the platform). The following data is sent and received over this special end-to-end encryption protected connection:

  • Name of the patient
  • Video and audio data
  • Chat Communication

These data are not processed or stored by us.

The processing of the data is based on the legal basis of art. 6 par. 1 (a) GDPR.

5. Metadata

In order to provide the functionality of the video consultation between doctor and patient, we need to collect and store additional metadata, including

  • Name of the participating doctors / medical staff
  • Name of the surgeries / clinics / institutions
  • Time and duration of communication
  • Used web browsers and versions
  • Type of connection
  • Technical quality evaluation of the video consultation

This data collection takes place on the legal basis of Art. 6 para. 1 (f) GDPR. Our legitimate interest lies in the improvement, stability, functionality and security of our Internet presence.

The meta data collected in this way will be deleted by us after 3 months at the latest by an automated process.

6. Cookies

We use so-called cookies with our Internet presence. Cookies are small text files or other storage technologies that are stored on your terminal device by the Internet browser you use. Through these cookies, certain information about you is processed to an individual extent.

a) First-party cookies

Provider: samedi
Name: _vc_backend_session
Benefit: Session-ID
Validity period: session, will be deleted when closing the internet browser
Legal basis: Article 6(1)(f) GDPR

b) Third party cookies

We do not use third party cookies.

c) Disposal option

You can prevent or restrict the installation of cookies by adjusting your Internet browser settings. You can also delete already stored cookies at any time. However, the steps and measures required for this depend on the Internet browser you are actually using. If you have any questions, please use the help function or documentation of your Internet browser or contact its manufacturer or support.

If you prevent or restrict the installation of cookies, however, this may mean that not all functions of our website can be used to their full extent.

7. Further data processors

We will pass on your data to service providers who support us in the operation of our websites and the related processes within the scope of data processing agreement in accordance with Art. 28 GDPR. These are e.g. hosting service providers. Our service providers are strictly bound by instructions and are contractually bound to us accordingly.

In the following, we will name the contract processors with whom we work, provided we have not already done so in the above text of the data protection declaration. Should data be transferred outside the EU or the EEA in this context, we will provide information on the appropriate level of data protection.

  • Filoo GmbH, Rhedaer Straße 25, 33330 Gütersloh: Hosting services
    Data security is regulated by an data processing agreement.
  • retarus GmbH, Aschauer Straße 30, 81549 Munich: E-Mail-Versand.
    Data security is regulated by an data processing agreement.
  • Twilio Germany GmbH: Frauenlobstraße 2, 80337 Munich: Provision of services for connection establishment (STUN) and media switching (TURN); SMS dispatch
    Data security is regulated by an data processing agreement.

8. Routine deletion and blocking of personal data

Personal data will only be stored for the period of time required for the purpose of storage, unless otherwise required by law. After the purpose of storage has ceased to apply, the personal data is routinely blocked or deleted in accordance with legal requirements.

9. Rights of users and data subjects

With regard to the data processing described above, the users and data subjects have the right

  • to obtain confirmation as to whether or not data concerning them are being processed, information on the data processed, further information on data processing and copies of the data (see also Art. 15 GDPR);
  • the correction or completion of incorrect or incomplete data (see also art. 16 GDPR);
  • to the immediate deletion of data relating to them (see also Art. 17 of the GDPR), or, alternatively, if further processing is necessary in accordance with Art. 17 para. 3 of the GDPR, to the restriction of processing in accordance with Art. 18 of the GDPR;
  • to the receipt of data concerning them and provided by them and to the transfer of such data to other providers/responsible parties (cf. also Art. 20 GDPR);
  • to lodge a complaint with the supervisory authority if they are of the opinion that the data concerning them is being processed by the provider in breach of data protection provisions (cf. also Art. 77 of the GDPR)

In addition, the provider is obliged to inform all recipients to whom data has been disclosed by the provider of any correction or deletion of data or the restriction of processing that is carried out on the basis of Articles 16, 17 (1) and 18 of the GDPR. However, this obligation does not apply if such notification is impossible or involves disproportionate effort. Notwithstanding this, the user has a right to information about these recipients.

Likewise, in accordance with Art. 21 GDPR, users and data subjects have the right to object to the future processing of data relating to them, provided that the data is processed by the provider in accordance with Art. 6 para. 1 (f) GDPR. In particular, an objection to data processing for the purpose of direct advertising is permitted.

Do you want to be one of the pioneers in digital healthcare? Get to know samedi now

Contact us