When you visit our website, your internet browser will (for technical reasons) necessarily transmit certain data to our web server. For the duration of the session, the following data are collected by our web server:
- Date and time of visit
- name of requested file
- last site accessed before visiting the Website (referrer URL)
- file access status (file transferred, not found, etc.)
- type, version and configuration of internet browser
- device configuration
- operating system used
- complete IP address
- data volume transferred
For security reasons, including the prevention and mitigation of malicious attacks on our web server, we store such data for a limited period of time. However, such stored data is anonymized and will not allow identification of individual users. We will also process anonymized data for statistical purposes.
In the following, you will find information on how we collect and process your data when you visit our website.
A. Information about the data controller and the data protection officer
Responsible for the Website of Health Care Systems GmbH www.hcsg.de (the „Website“) is:
Health Care Systems GmbH
represented by its Managing Directors
Wolfratshauser Straße 42
82049 Pullach i. Isartal
Germany
info@hcsg.de
Tel.: +49 (0)89 444 889 100
(hereinafter „HCSG“ or „we“)
All interested parties and visitors to our Website can contact our Data Protection Officer Gregor Klar as follows: dsb@hcsg.de
Health Care Systems GmbH is registered in the commercial register of the Local Court of Justice in Munich under the number HRB 159415.
B. Information on the processing of personal data
Various personal data are processed for various purposes when you access and use this Website and the content offered on this Website. We for example process protocol data which accrue for technical reasons when you access the Website to provide the Website content requested by you.
If we as data controller alone or jointly with others determine the purposes and means of the processing of personal data, you will in particular receive information about
- the personal data or categories of personal data that are processed,
- the purposes for which the personal data are processed,
- the legal basis for the processing and – if the processing is based on point f of Article 6 (1) GDPR – the legitimate interests pursued by us or any third party,
- if applicable, the recipients or categories of recipients of the personal data,
- if applicable, our intention to transfer the personal data to a third country or an international organisation, as well as the existence or absence of an adequacy decision of the Commission or in the case of transfers in accordance with Article 46 or Article 47 GDPR or subparagraph 2 of Article 49 paragraph 1 GDPR reference to the suitable and appropriate safeguards and the means to obtain a copy of them or where they have been made available,
- the duration for which the personal data are stored or if this is not possible, the criteria for determining this duration.
To the extent that we collect your personal data from you as a data subject, you will also receive information below about whether the provision of the personal data is required by law or contract or to enter into a contract, whether you are obliged to provide the personal data and what possible consequences not providing such would have. If we do not collect your personal data as a data subject, you will receive information about from what source the personal data originate and if applicable whether they originate from publicly accessible sources.
I. Informational use of the Website
When the use of the Website is purely informational, certain information, for example your IP address, is for technical reasons sent to our Website’s server by the browser used on your end device. We process this information in order to provide the Website content requested by you. To ensure the security of the IT infrastructure used to provide the Website, this information is also stored temporarily in what is referred to as a “web server log file”.
In order to facilitate an informational use of the Website by you, we use Cookies on the Website, by means of which personal data are processed.
Details on the personal data that are processed
Data categories | Personal-data | Source-of-data | Obligation to provide the data | Duration of storage |
---|---|---|---|---|
Certain protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) (“HTTP Data”) for technical reasons when the website is visited. | Date and time of visit, name of requested file, last site accessed before visiting the Website (referrer URL), file access status (file transferred, not found, etc.), type, version and configuration of internet browser, device configuration, operating system used, complete IP address, data volume transferred. | User of the Website. | There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content. | 7 days, unless any security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and clarified in full. |
Data stored on the user’s end device in cookies (see Section C.) strictly necessary to manage the cookie consents for this (“Opt-In Cookie Data”) | Consent and, where applicable, your individual selection for the use of cookies on your end device. | User of the Website. | There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content. | We do not store these data on our systems. See Section C.III.III on the validity period of the cookie. |
Data stored on the user’s end device in cookies (see Section C.) strictly necessary to keep track of the user’s state on all Website pages requested by the user | User preferences | User of the Website. | There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content. | We do not store these data on our systems. See Section C.III.III on the validity period of the cookie. |
Data stored on the user’s end device in cookies (see Section C.) strictly necessary to store the user’s preferred language (“Language Data”) | User’s preferred language | User of the Website. | There is no obligation to provide the data, but if the data are not provided, we cannot provide the requested Website content. | We do not store these data on our systems. See Section C.III.III on the validity period of the cookie. |
Details on the processing of the personal data
Purpose of the processing | Categories of data | Legal basis | Recipient |
---|---|---|---|
HTTP data are temporarily processed on our web server for provision of the Website content requested by the user. | HTTP Data | Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the Website content requested by the user. | Hosting provider. |
HTTP data are processed temporarily in web server log files to ensure the security of the IT infrastructure used to provide the Website, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks). | HTTP Data | Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is ensuring the security of the IT infrastructure used to provide the Website, in particular identifying, eliminating and preserving evidence of disruptions (e.g. DDoS attacks). | Hosting provider. |
Data from cookies which are strictly necessary to provide the management of cookie consents are processed temporarily on our web server in order to identify, when the site is visited again, whether you have already given consent. | Opt-In Cookie Data. | Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the management of the cookie consents granted by the user for this Website. | Hosting provider. |
Data from strictly necessary cookies are processed temporarily on our web server in order to store the user’s preferred language. | Language Data | Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the provision of the informational function of the Website requested by the user. | Hosting provider. |
HCSG is the Hosting Provider (no third party data processor).
II. Measurement of web audience and use of web analysis and web tracking technologies
To measure the web audience, visits to our website are recorded and analysed in anonymised form.
If you have given your consent to this, we also use web analysis technologies, by means of cookies (Section C.), to record and analyse the usage behaviour on our website to improve the website and better achieve the objectives of the website (e.g. frequency of visits, increase in number of page visits).
Details on the personal data that are processed
Data categories | Personal-data | Source-of-data | Obligation to provide the data | Duration of storage |
---|---|---|---|---|
Protocol data accrued via the Hypertext Transfer Protocol (Secure) (HTTP(S)) when the Website is accessed. | Date and time of visit, name of requested file, last site accessed before visiting the Website (referrer URL), file access status (file transferred, not found, etc.), type, version and configuration of internet browser, device configuration, operating system used, complete IP address, data volume transferred. | User of the Website. | There is no obligation to provide the data. If the data are not provided, we cannot carry out any measurement of web audience. | The IP address transmitted is anonymised before storage by being shortened. The other protocol data are not stored in a form allowing the data subject to be identified either. |
Details on the processing of the personal data
Purpose of the processing | Data categories | Legal basis | Recipient |
---|---|---|---|
To measure the web audience, the visits to our Website are recorded and analysed in anonymised form. | HTTP-Data. | Balancing of interests (point (f) of Article 6 paragraph 1 GDPR). Our legitimate interest is the measurement of the web audience. | Hosting Provider. |
HCSG is the Hosting Provider (no third party data processor).
C. Information on the use of Cookies
Cookies are small text files with information that can be placed on a user’s end device through its browser when a website is visited. When the website is visited again with the same end device, the cookie and the information it contains can be retrieved.
Our Website uses different types of Cookies. We use Session Cookies and Persistent Cookies. Session Cookies become obsolete upon leaving the Website while Persistent Cookies stay valid for an extended period of time.
Cookie types
Required Cookies
Required Cookies provide basic functionalities such as navigation or security. A website will not work properly without Required Cookies.
Cookie | Domain | Purpose | Duration |
---|---|---|---|
_csrf | hcsg.de | Session Cookie which validates request and protects against cross site scripting attacks | Until end of session |
Preference Cookies
Preference Cookies make it possible for a website to remember a user when the user returns to the website thus allowing for a personalized experience (e.g., preferred language).
Cookie | Domain | Purpose | Duration |
---|---|---|---|
_language | hcsg.de | Storage of preferred language | 1 year |
cookieconsent_status | hcsg.de | Storage of user’s opt-in-decision with respect of Statistics Cookies | 1 year |
Statistics Cookies
Statistics Cookies allow us to better understand how you use our Website. This data is anonymized before storage.
Cookie | Domain | Purpose | Duration |
---|---|---|---|
_pk_ses | analytics.hcsg.de | Session Cookie to identify devices | 30 minutes |
_pk_ref | analytics.hcsg.de | Referrer Cookie to identify last site accessed before visiting the Website | 6 months |
_pk_id | analytics.hcsg.de | Cookie with information on device to recognize repeat visit. | 1 year |
How and when Cookies are deployed
1. Your consent is needed for the deployment of Statistical Cookies
The use of Statistical Cookies requires your consent. To this end, our Website displays a Cookie Banner which asks you if you consent to the use of Statistical Cookies. If your answer is yes, your web browser stores your consent as an Opt-In-Cookie. This way, your device knows that you had previously consented and our Website will not ask you again at your next visit. The Opt-In-Cookie is valid for 1 year.
If you want to deactivate Required Cookies you will have to do this through your browser settings.
2. Changing Cookie Settings in your browser
You can tell your browser how cookies are handled. Each type of browser does it differently. Please refer to the documentation of your browser or search the internet to find more information on this topic.
You can use our Website without using cookies but in this case functionality and user experience will be compromised.
D. Information about your rights
As a data subject you have the following rights regarding the processing of your personal data:
Right to access (Article 15 GDPR)
As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.
This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Article 15 paragraph 1 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (points (a), (b) and (c) of Article 15 paragraph 1 of the General Data Protection Regulation).
You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation, which can be accessed using the following: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to rectification (Article 16 GDPR)
As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.
This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.
You can find the full extent of your right to rectification in Article 16 of the GDPR, which can be accessed using the following: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to erasure (“right to be forgotten”) (Article 17 GDPR)
As a data subject, you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 of the General Data Protection Regulation.
This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (point (a) of Article 17 paragraph 1 of the General Data Protection Regulation).
If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17 paragraph 2 of the General Data Protection Regulation).
The right to erasure (“right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Article 17 paragraph 3 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (points (a) and (4) of Article 17 paragraph 3 of the General Data Protection Regulation).
You can find the full extent of your right to erasure (“right to be forgotten”) in Article 17 of the GDPR, which can be accessed using the following: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to restriction of processing (Article 18 GDPR)
As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.
This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (point (a) of Article 18 paragraph 1 of the General Data Protection Regulation).
Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4 paragraph 3 of the General Data Protection Regulation).
You can find the full extent of your right to restriction of processing in Article 18 of the GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to data portability (Article 20 GDPR)
As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.
This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation or on a contract pursuant to point (b) of Article 6 paragraph 1 of the General Data Protection Regulation and the processing is carried out by automated means (Article 20 paragraph 1 of the General Data Protection Regulation).
You can find information as to whether an instance of processing is based on consent pursuant to point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation or on a contract pursuant to point (b) of Article 6 paragraph 1 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Privacy Policy.
In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Article 20 paragraph 2 of the General Data Protection Regulation).
You can find the full extent of your right to data portability in Article 20 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to object (Article 21 GDPR)
As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation. At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object. More detailed information on this is given below:
Right to object on grounds relating to the particular situation of the data subject
As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6 paragraph 1, including profiling based on those provisions.
You can find information as to whether an instance of processing is based on point (e) or (f) of Article 6 paragraph 1 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Privacy Policy.
In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to object to direct marketing
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section B of this Privacy Policy.
If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.
You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679
Right to withdraw consent (Article 7 paragraph 3 GDPR)
Where an instance of processing is based on consent pursuant to point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation or on a contract pursuant to point (b) of Article 6 paragraph 1 of the General Data Protection Regulation, as a data subject, you have the right, pursuant to Article 7 paragraph 3 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.
You can find information as to whether an instance of processing is based on point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Privacy Policy.
Right to lodge a complaint with the supervisory authority (point (f) of Article 57 paragraph 1 GDPR)
As a data subject, you have a right to lodge a complaint with the competent supervisory authority under the conditions provided in point (f) of Article 57 paragraph 1 of the General Data Protection Regulation. The competent supervisory authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 27 (Schloss)
91522 Ansbach
Germany
Telephone: +49 (0) 981/53-1300
Fax: +49 (0) 981/53-5300
E-mail: poststelle@lda.bayern.de
You can also contact our data protection officer to exercise your rights (Section A.).
E. Effective date and changes to this Privacy Policy
The effective date of this Privacy Policy is 8 June, 2018.
It may be necessary to modify this Privacy Policy due to technical developments and/or amendment of statutory or official requirements.