1. Content of this information
This privacy notice explains how we handle your personal data if you register at www.dad-consulting.eu and use our services. We also inform you about your rights under the General Data Protection Regulation (GDPR). This information applies for both browser-based use and our mobile app, which you can download from the Apple or Google app store.
2. About DAD Consulting Berlin
DAD Consulting Berlin is a web platform which includes an app that brings doctors together quickly and easily to facilitate digital healthcare on the ICU and in the operating theatre.
We record your basic data and concerns, put you in touch with an affiliated medical specialist, and enable digital communication between the doctors. Additionally, we provide a central digital patient file that our doctors use to exchange information and store relevant documents centrally.
In general, we do not provide medical or therapeutic services ourselves.
The contract is concluded exclusively between DAD Consulting Berlin and the treating clinic.
3. Person responsible and data protection officer
3.1 Responsibility relating to the use of the platform
Within the meaning of the GDPR, the entity responsible for processing your data as a DAD Consulting Berlin user is:
DE DAD Consulting Berlin
Johann-Landefeldt-Str. 23, 14089 Berlin
The contact details of our data protection officer are:
DE DAD Consulting Berlin
Data Protection Officer
3.2 Shared responsibility for processing patients’ personal data
4. Registration as a doctor/clinic
In order to use our platform, the doctor/clinic must register (create a user account) and provide the following personal data:
- e-mail address
- name of the clinic
- first and last name of the doctor
We will send an e-mail with an individual activation link (double opt-in) to the e-mail address. We do this in order to prevent misuse during registration. The contract for use with the clinic is only concluded after confirming the link sent by e-mail.
Besides confirming registration, we also use the doctor’s/clinic’s e-mail address for contract-related communication (e.g. queries, appointment reminders). Provided the treating clinic gives us separate consent, we will send information by e-mail about health matters as well as products and services from DAD Consulting Berlin in the consulting domain.
The legal basis for the processing of this data is the fulfilment of the usage contract in accordance with Art. 6 (1b) GDPR. Without this data, the use of our service is not possible. We delete this data as soon as the purpose has been fulfilled (e.g. when the clinic deletes its account) and no legal retention periods are there to prevent this.
5. Telemedicine consultation
If the clinic would like a consultation with a doctor, one of its employees, preferably a specialist, firstly describes their medical concerns via our platform. All information is stored in the central digital patient file at DAD Consulting Berlin.
The attending doctor contacts the doctor on duty at DAD Consulting Berlin (specialist in anaesthesiology) via our platform, the DAD app, or a video call. All documents related to the consultation are entered by the doctor in the digital patient file of DAD Consulting Berlin.
Processing of the data is necessary to fulfil the condition for concluding the contract of use. The legal basis for this is Art. 6 (1b) GDPR and Art. 9 (2a) GDPR.
6. Digital patient file
We maintain a central digital patient file in which all data relevant for medical treatment can be entered. In particular, the patient file contains:
- personal master data from registration
- the doctor’s treatment data (medical case documentation)
- other data entered by the doctor, e.g. epicrises, discharge reports, diagnoses, medication lists, photos, the patient’s video recordings, data from imaging procedures, lab and vital parameters
We store the patient’s data until the user deletes their profile once the purpose of storage ceases to apply, or if they revoke a separate consent or demand deletion.
7. Billing the doctor’s services
DAD Consulting Berlin allows the doctor to generate their invoice for the consultative service rendered after submitting details of the service and approval via the DAD Consulting Berlin platform. For this reason, DAD Consulting Berlin has access to the consulting doctor’s billing data.
The following data is processed in the billing process:
- name and address of the doctor
- date of rendering the service
- the service rendered
The legal basis for processing this data is fulfilment of the contract of use in accordance with Art. 6 (1b) GDPR and the patient’s consent in accordance with 6 (1a) GDPR.
8. System authorisations for mobile apps
If the clinic uses our mobile app, it requires certain system authorisations on the respective terminal device, which we use for the following purposes:
8.1 Android/Google operating systems:
- Phone: handling outgoing and incoming calls from/to the DAD Consulting Berlin hotline
- Photos/media/files: storing and uploading data to the patient record
- Camera: capturing images to share with the doctor; provision of video chat
- Microphone: providing audio/video chat
- Internet / network connections: communicating with our server, provision of chat functions
- Deactivating the display lock: preventing silent mode during audio/video chat
8.2 iOS/Apple operating systems:
- Microphone: providing audio/video chat The microphone is only accessed and authorisation requested if you use this function.
- Camera: capturing images to share with the doctor; provision of video chat
- Photos: storing and uploading data to the patient record
The authorisations are only requested and used if the respective function is used.
9. Server log files and error reports
We collect technical data when our websites are accessed and in case of errors in our mobile app in order to be able to operate our platform securely and error-free.
When the user accesses an individual page of our website, in a log file our web servers collect the address (URL) of the page called up, the date and time of access, any error messages and, if applicable, the operating system and browser software of the terminal device as well as the website and IP address from which the user visits us. We use this data for error detection and correction, to ensure system security and to defend against any attacks. We delete the log data after one month.
If a system error occurs with our mobile app, we collect data about the system status of the device (e.g. device type, operating version number, free memory space) and about the error that occurred. The IP address is only collectd in a shortened, anonymised form. Healthcare data is not included. We use the data exclusively for error analysis and correction. The data will be deleted after six months at the latest. We use a web host with server located in Germany for providing our website.
The legal basis for the processing operations are our aforementioned legitimate interests in accordance with Art. 6 (1f) GDPR.
9.1 Legal basis
The aforementioned processing is based on the legal basis of our legitimate interest in accordance with Art. 6 (1) (1f) GDPR. Our legitimate interest arises from the aforementioned purposes of processing.
9.2 Your right to object
In accordance with Art. 21 GDPR, you have the right to object to processing of your data as described above, if there are reasons from your particular situation or if your objection is against direct marketing.
You can exercise your right to object by sending an e-mail to firstname.lastname@example.org.
10. Processing when contacted by e-mail or phone
You can contact us via the e-mail addresses and phone numbers given on our website. In order to process your request, we use the e-mail address or phone number you have provided to us. We only collect additional information directly from you where it is necessary and relevant to responding to your enquiry and you provide it to us voluntarily. You can send us your patients’ health data by e-mail to a service address of DAD Consulting Berlin.
Processing for the purpose of contacting us is carried out in accordance with Art. 6 (1) (1b) GDPR. In accordance with Art. 6 (1) (1b) GDPR, the aforementioned processing is necessary for providing our services of which you are a contracting party, and for the performance of pre-contractual measures, which take place upon your request. If contact is made within the scope of the consultation contract, we retain the information in our electronic patient file for ten years in accordance with Articles 630a et seq. of the German Civil Code [Bürgerliches Gesetzbuch, BGB]. Otherwise, we delete the personal data collected for the use of the contact form on completion of your request. We use a German order processor with a server located in Germany for providing our e-mail server.
11. Technical service provider
The use of technically necessary cookies and their processing is carried out in accordance with Art. 6 (1f) GDPR based on our legitimate interest in a user-friendly design of our website.
The recipients of the data are technical service providers acting as order processors for operating and maintaining our website. We have concluded the appropriate processing contracts with the providers for this purpose.
The legal basis for this processing is your respective consent, Art. 6 (1a) GDPR.
11.2 Defence against attacks
DAD Consulting Berlin uses the web service of “united domains AG”, Gautinger Strasse 10, 82319 Starnberg, Germany, hereinafter referred to as UDAG, to protect the DAD Consulting Berlin platform from attacks.
All data traffic between the browser or app and our server is routed through UDAG servers. UDAG analyses the data traffic (but not the content, e.g. transmitted messages) with the aim of detecting and defending against attacks, such as DDoS attacks, on DAD Consulting Berlin.
UDAG collects data such as IP addresses, security certificates, DNS login data and website performance data from the browser for this purpose. There is no specific processing of healthcare data.
The legal basis for processing in conjunction with UDAG is our legitimate interests under Art. 6 (1f) GDPR in ensuring the provision of our service.
11.3 ClickMeeting conference tool for establishing communication between the doctor and patient
We have concluded a processing contract with the ClickMeeting provider and fully implement the strict requirements of the German data protection authorities for using Zoom.
The conference tool collects all data you provide/enter in order to use the tools (e-mail address and/or your phone number). Furthermore, the conference tool processes the duration, start and end (time) of participation in the conference, number of participants, and other “context information” related to the communication process (metadata).
The provider of the tool also processes all technical data required for handling online communication. This especially includes IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, as well as the connection type.
If content is exchanged, uploaded or otherwise provided within the tool, this is also stored on the servers of the tool providers. Such content particularly includes cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared while using the service.
Please note that we do not have full control over the data processing operations of the tools used. Our options largely depend on the corporate policy of the respective provider. For further information on data processing with the ClickMeeting conference tool, please refer to the privacy statements we have listed below this text.
The conference tool is used to communicate with prospective or existing contractual partners or to offer certain services to our clients (Art. 6 (1b) GDPR). Moreover, the use of this tool serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6 (1f) GDPR). If consent has been requested, the particular tool is used on the basis of this consent; consent can be revoked at any time with future effect.
The data collected directly by us through the video and conference tool will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it, or if the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence on the storage period of your data, which is stored by the conference tool operators for their own purposes. Please contact the operators of the conference tool directly for details.
We operate a LinkedIn page to present our company and our offering.
We have entered into a shared responsibility agreement with LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum. in accordance with shared responsibility, LinkedIn assures compliance with the transparency obligations. You can inform yourself about the processing of your personal data here: https://privacy.linkedin.com/de-de.
The LinkedIn provider is: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. We use LinkedIn to produce detailed campaign reports, track conversions, and for retargeting.
Your IP address is pseudonymised in the process.
You can object to the collection or analysis of your data with this tool by following these LinkedIn application instructions: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
12. Supplementary information
12.1 Mandatory details
All fields with mandatory details are marked with an asterisk (“*”) on our platform. Without these details, the use of the use of the corresponding function is not possible.
12.2 Personalised product recommendations by e-mail
As a DAD Consulting Berlin client, you will receive regular information about our services by e-mail. You will receive this information regardless of whether you have subscribed to a newsletter (legal basis: Art. 6 (1f) ) GDPR). We have received your e-mail address from you as part of your registration to use our service and we use it for our information. The legal basis for sending information by e-mail, even without express consent is Article 7 (3) of the German Fair Trade Practices Act [Gesetze gegen den unlauteren Wettbewerb, UWG].
In the mails you will find the latest information about our services that may interest you based on the last time you use our services. If you no longer wish to receive information from us, you may object to this at any time without incurring any costs from DAD Consulting Berlin.
12.3 Criteria for the storage period
If no specific storage period or criteria for determining the period are specified in this privacy notice, the following applies:
We calculate the storage period for the data based on the specific purposes for which we use the data. In addition, we or the doctors are subject to statutory storage and documentation obligations, which arise in particular from the German Commercial Code [Handelsgesetzbuch, HGB], the German Fiscal Code [Abgabenordnung, AO], the German Medical Association’s Professional Code of Conduct and the German Federal Master Treaty for Medical Practitioners [Bundesmantelvertrag-Ärzte] and is often six or ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, in accordance with Article 195 et seq. of the German Civil Code [BGB] is generally three years (from the end of the calendar year).
12.4 Data transmission
We generally do not pass on your personal data to third parties. This only happens only if
- you have given your express consent in accordance with Art. 6 (1) (1a) or Art. 9 (2a) GDPR
- passing on your data is necessary for asserting, exercising or defending legal claims in accordance with Art. 6 (1) (1f) GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data passed on
- there is a legal obligation for passing on data in accordance with Art. 6 (1) (1c) GDPR and/or
- passing on data is legally permissible and required in accordance with Art. 6 (1) (1b) GDPR for processing contractual relationships with you
We would like to point out at this point that we have concluded processing contracts with external service providers in accordance with Art. 28 GDPR, for example with our IT provider. A processor is a natural or legal entity, an authority, institution or other body that processes personal data on behalf of the responsible person. In selecting these processors, we have ensured that they provide sufficient guarantees that the appropriate technical and organisational measures are implemented such that the processing is in compliance with data protection requirements. We are authorised to issue instructions to the processors and we regularly check whether the processing by the processors complies with the requirements of data protection law. For their part, the processors do not pass on the data to third parties.
12.5 Data security
To ensure adequate security in processing your personal data, we take the appropriate technical and organisational measures. When visiting our website/app, the SSL procedure is used, combined with the highest encryption level supported by your browser. This is usually 256-bit encryption. Only in exceptional cases if your browser does not support this encryption technology is 128-bit v3 technology. You can check very easily whether an individual page of our website is transmitted in encrypted form. The display of the key or a padlock icon in the lower status bar of your browser indicates encrypted transmission. We regularly develop the technical and organizational measures with our processors and strive to constantly improve the security of your personal data.
12.6 Terms and explanations
We explain some legal and technical terms used in this privacy notice as follows.
Personal data: Personal data is any information relating to an identified or identifiable natural person, e.g. information linked to your e-mail address or insurance number (Art. 4 (1) GDPR).
Processing: Processing of personal data is any operation relating to personal data, such as data collection via an online form, storing on our servers, use for making contact, modifying, querying or reading out data (Art. 4 (2) GDPR).
Cookie: A cookie is a small text file stored on the computer. The content of this file is transferred to our servers each time a web page is accessed.
IP address: The IP address is a number assigned by the Internet provider to a terminal device, either temporarily or permanently. For example, the complete IP address allows the connection owner to be identified in individual cases on the basis of additional information from the Internet access operator.
Processors: These are technical service providers who process personal data for us for a specific purpose and according to our specifications. We have entered into contractual agreements with processors to ensure data protection in accordance with the requirements of the GDPR.
12.7 Legal basis
The GDPR allows processing of personal data only if this is permitted by a legal basis. We are required by law to communicate the legal basis for processing personal data.
Unless otherwise stated in this privacy notice, the legal basis for our processing is fulfilment of the user contract.
If we process personal data for purposes for which we do not have a legal basis (e.g. for the fulfilment of the user contract in accordance with Art. 6 (1b) GDPR or due to our legitimate interests in accordance with Art. 6 (1f) GDPR), we ask for the user’s consent in advance (e.g. for newsletter registration). For some processing purposes for which we require the consent of the user, we will inform you separately about this.
13. Shared responsibility for patient data
DAD Consulting Berlin and the doctors consulted also process the patients’ personal data presented to us jointly in individual processing steps. This concerns the following processing steps:
- Collecting patient data in the context of patient presentation
- Storing data in the CRM tool by the telemedical assistant at DAD Consulting Berlin
- Providing medical consultation
- Documenting the proposed treatment in the CRM tool
The jointly processed data is of the following types:
- Patient master data (e.g. first name, last name, date of birth)
- The patient’s vital signs
- Treatment data (concern with which the clinic contacts DAD Consulting Berlin)
- Content uploaded by the treating doctor to the DAD Consulting Berlin digital patient file (e.g. diagnoses, admission findings, epicrisis, laboratory, imaging procedures)
The doctor is solely responsible for data processing within the scope of telemedical consultation on the basis of the service contract.
DAD Consulting Berlin is responsible for the data concerning the video consultation module.
14. Your rights
By law, we are obliged to inform our users about their rights arising from the GDPR. We explain these rights, i.e. the right to be informed, to have data rectified, deleted, restricted, to data transfer, to complain to a supervisory authority, to revoke consent and object.
Our users are entitled to these rights under the conditions of the respective data protection provisions. No further rights are granted by the following.
14.1 Information, Art. 15 GDPR
The user has the right to demand confirmation from us as to whether we are processing personal data relating to them; if this is the case, they have a right to be informed about this personal data and the information listed in detail in Art. 15 GDPR.
14.2 Correction, Art. 16 GDPR
The user has the right to demand that we correct any inaccurate personal data relating to them without undue delay and, if necessary, to request completion of any incomplete personal data, Art. 16 GDPR.
14.3 Deletion (“right to be forgotten”), Art. 17 GDPR
The user has the right to demand that we delete personal data concerning them without delay, provided that one of the reasons listed in detail in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued. This right may be restricted if DAD Consulting Berlin is however unable to carry out deletion due to statutory retention periods. In this case, we block the personal data and inform the user of this.
14.4 Restriction of processing, Art. 18 GDPR
The user has the right to demand that we restrict processing if one of the conditions listed in Art. 18 GDPR applies, e.g. if the user has objected to processing, for the duration of our review.
14.5 Data portability, Art. 20 GDPR
Under certain conditions, the user has the right to receive, to transmit and – as far as technically feasible – to have data concerning them, which they have provided to us, transmitted in a structured, common and machine-readable format. The user is only entitled to this right if we process personal data on the basis of their consent in accordance with Art. 6 (1a) GDPR or use an automated procedure for processing.
14.6 Complaint, Art. 77 GDPR
Irrespective of any other administrative or judicial remedies, the user has the right to file a complaint with a supervisory authority if they believe that our processing of personal data concerning them violates the GDPR. The user may assert this right before a supervisory authority in the Member State of their residence, place of work or the place of the alleged violation. The contact details of the supervisory authorities in Germany can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
Address and contact details of the supervisory authority responsible for DAD Consulting Berlin:
Berlin Commissioner for Data Security and Freedom of Information
[Berliner Beauftragter für Datenschutz und Informationsfreiheit]
14.7 Revocation (of consent), Art. 7 (3) GDPR
If the user has given us data protection consent in accordance with Art. 6 (1a) GDPR, they have the right to revoke this at any time with future effect. Data processing up until the time of revocation remains lawful.
14.8 Objection, Art. 21 GDPR
The user also has the right to object at any time, for reasons relating to their particular situation, to the processing of personal data concerning them, provided that we base the processing on Art. 6(1e ) or (1f) GDPR. We will then no longer process this data, unless we can demonstrate compelling legitimate reasons for processing which override the interests, rights and freedoms of the user, or the processing serves the purpose of asserting, exercising or defending legal claims (Art. 21 GDPR).
If personal data is used by us for direct marketing (e.g. by e-mail), the data subject has the right to object to the use of their data for these purposes at any time. This also applies to profiling, if this is connected with direct advertising. Profiling means using personal data to analyse or predict certain personal aspects (e.g. interests).