Data privacy statement for patients
With the internet software, samedi GmbH (referred to in short as “samedi”) provides web software for in-house data processing via the internet platforms patient.samedi.de and patient.samedi.cc (including all associated top level, country and sub-domains). This web software is accessed exclusively via a web browser or samedi® apps. The applications forming part of the patients’ user accounts can be used by natural persons (users) free of charge. The personal and medical data that is saved on samedi® is highly sensitive and is therefore protected by samedi with the highest levels of effectiveness and security. Germany’s data protection laws (such as the TMG (Telemediengesetz [Telemedia Act]), the BDSG (Bundesdatenschutzgesetz [Federal Data Protection Act]), the data protection law provisions of the TKG (Telekommunikationsgesetz [Telecommunications Act])) and the legislative provisions at EU level should therefore ensure that the right to self-determination is preserved, including where data of samedi®’s users and customers is concerned, and the privacy of every individual is preserved. samedi ensures compliance with these data protection laws and is subject to monitoring and supervision by the Berlin Commissioner for Data Protection and Freedom of Information.
The data recorded by users in their personal user accounts is highly sensitive and is therefore protected by samedi to very high security standards. samedi has therefore developed a comprehensive data protection and security concept regarding (1) data access, (2) data processing, (3) data transfer and (4) data storage, which is appropriate to the sensitivity of the data.
1 Access to data in samedi®
All data is entered and updated by the individual users of samedi themselves in a personal samedi user account. An email address is stored as a minimum requirement for identification purposes of a user. samedi requires this data in order to contact the users. The users can also save additional information. It is at the discretion of the user of samedi to decide which data to enter and save. The users/customers can delete individual parts or all of their data at any time. Access to their data is only possible via an email address freely chosen by the customers and an also freely chosen password. In accordance with the data protection recommendations, users are prompted to choose as secure a password as possible (i.e. one containing at least 6 characters, a combination of numbers, symbols and letters rather than a combination of words). samedi recommends that users keep the access data (username and password) as securely as a valuable item and that they regularly change their password. The user is, however, responsible for its own computer and software, and must ensure they are appropriately protected. The data is stored for as long as the registration is in place. If the user wishes to end its user relationship with samedi - which can be done at any time - the associated user profile, including all data saved there, is completely and irrevocably deleted from the platform. Information (such as dates or messages) that the user has sent to a customer (for example doctors) is kept as incoming messages with the customer, as this information has been passed into the customer’s possession.
If the user loses its access data, samedi offers users the opportunity to restore access using a two-stage TAN procedure with the email address and mobile phone number provided by the user. After successfully inputting both TANs the user can create a new password.
2 General data processing
Neither samedi GmbH’s employees nor third parties are given access to data stored on samedi’s servers without the user’s express approval. The data is held by samedi exclusively for the purpose of allowing electronic access by the individual user and by those authorised to access the data by the user in individual cases using the special approval mechanism. In order to show customers the date of last access when they access data and, if necessary, to be able to start reminder and deletion procedures after a longer period of inactivity, these dates are processed by samedi. However, no corresponding user or customer profiles will be created for this; instead the user is only shown a kind of general logbook of its past logins. This does not show and/or save what the user/customer did or changed specifically, but will only show in general whether it was active in the personal user account.
samedi also uses ‘session cookies’. Session cookies are small files stored in the user’s/customer’s computer in order to assist the session concept of the samedi® platform. This therefore only involves so-called temporary files which are automatically deleted when the user ends the current samedi® session. Under no circumstances do third parties have the opportunity to leave cookies with the users/customers via samedi’s websites. samedi will not pass on any personal data to third parties unless the user has given express consent to this, or samedi is obliged to disclose it, for example due to a legal or official order. samedi sends newsletters to the users for the purposes of communicating important contractual changes, technical developments or general user information. The user may unsubscribe from the newsletter in its user account; however, in doing this the user excludes itself from important information. Thereby any liability for consequential losses is excluded.
3 Encryption of data transfer and communication
The transfer of data from the user’s computer to samedi’s server, and vice versa, data downloaded from samedi’s server to the user’s computer, is encrypted. For this, samedi uses the current encryption standard SSL (Secure Socket Layer, Version 3.0). This proven cryptographic procedure is used worldwide as standard for highly sensitive transactions on the internet, for example in online banking and for sensitive internet applications in the health sector. It combines a 2048 bit long public key with a symmetrical key 256 bits in length. The padlock symbol in the browser window shows whether or not the information is protected when transmitted, and which key length is supported by the browser. The authenticity of samedi’s encryption code is confirmed by the StartSSL.com certificate. By double clicking on the key symbol at the bottom of the screen the user can find out more about the certificate.
4 Encryption of data storage
The user’s data is not only transferred encrypted, but is also stored on encrypted hard discs. This prevents direct access to the data by third parties. The data from the patient’s medical records is first encrypted locally on the patient’s computer and only then transmitted to the samedi servers. A multi-stage system of symmetrical and asymmetrical encryption algorithms is used for this, so that neither samedi’s administrators and employees, nor third parties can read this data in plain text. To decode the key needed for this, the user name and password for the user account must be known. All cryptographic algorithms used comply with Technical Guideline TR-02102 (“Cryptographic Procedures: Recommendations and Key Lengths”) of the German Federal Office for Information Security.
For secure, physical safekeeping of the user/customer data, samedi works with a large external internet provider (currently: filoo GmbH, Moltkestraße 25a, D-33330 Gütersloh). The servers provided by this provider are located in Germany. Only specially authorised persons (for example from service companies for maintenance work) have access to the secured rooms. Because of the encrypted data storage, these persons cannot access the customer data. The provider guarantees the use of modern firewall technology and physically secured equipment.
The provider’s area of responsibility only includes ensuring the availability of the infrastructure of the computer centre (electricity, internet, routing), as well as the hired hardware (e.g. replacing defective components). Only samedi’s administrators have access to the server itself.
5 Right to information and right of revocation
The customer may receive information about its data stored by samedi free of charge and at any time, without giving any reasons. It may at any time have the data collected by samedi blocked, corrected or deleted. It may also at any time revoke the permission given to samedi to collect and use data without providing any reasons for this.
Should you have any further questions, please contact us at: samedi GmbH, Hessische Str. 11, D-10115 Berlin, Tel. +49 (0)30 21230707-0, Email: firstname.lastname@example.org.
samedi regularly and consistently reviews compliance with these data protection provisions and allows an independent external company to review this (currently: TÜV Saarland). If samedi receives formal letters of complaint, it will contact the writers about their concerns in order to resolve any complaints about the use of personal data. For this, samedi undertakes to work in cooperation with the appropriate authorities, including local data protection authorities.
An offer of samedi GmbH
Hessische Str. 11
Telephone: +49 (0)30 21230707-0
Fax: +49 (0)30 21230707-9
Represented by: Prof. Dr. Alexander Alscher, Katrin Keller
Commercial register number: Amtsgericht Berlin Charlottenburg/HRB: 112862 USt-IdNr: DE260137799
VAT No.: Center for Regional Tax Office III - Sales Tax Number. DE260137799