Data privacy statement
The following policy provides you with an overview of what kind of personal data is collected and stored and for what purpose when you access our website or use our online services, including those of our subsidiaries and sub-subsidiaries.
Personal data
‘Personal data’ is not just obvious personal information, such as a person’s name or address, but also the IP address and information concerning the pages a person has visited online (user behaviour).
1. Name and address of the data controller pursuant to Article 4 (7) of the GDPR
RKH Regionale Kliniken Holding und Services GmbH
Posilipostraße 4
71640 Ludwigsburg
Represented by:
Managing Director
Prof. Dr. Jörg Martin
Telephone: 07141-99-90
Fax: 07141-99-60919
info.rkh(at)rkh-gesundheit.de
2. Contact details of the data protection officer for the holding company, subsidiaries and sub-subsidiaries
3. Notes on data processing/definition of terms
3.1. Depending on the reason for processing, the provision of personal data may be required by law or contractually or may be required to conclude a contract. If this is the case, this will be pointed out below, in addition to the possible consequences of not making the information available. Similarly, automated decision making or profiling in accordance with Article 22 (1) and (4) will only take place if we make explicit reference to it.
3.2. If you contact us or one of our subsidiaries or sub-subsidiaries via the contact form or by e-mail or use other online forms, you are providing personal data on a voluntary basis. You are not obliged to do so either by law or contractually.
3.3. When visiting our website, your surfing behaviour can be statistically evaluated. This is primarily done using cookies and ‘analysis programs’.
3.4. For the purposes of this privacy policy:
Cookies: small text files that are stored by your browser on your end device. Cookies serve to make our website more user-friendly and more secure.
Cookies are stored on a user’s end device and the cookie data is transmitted to us by the user. As a user you can control the use of cookies. You can disable or restrict the transmission of cookies by changing your browser settings. You can delete cookies that have already been saved at any time, and this can also be done automatically.
However, if you disable cookies, it may no longer be possible to fully use all of the features on the websites you visit or various tools on the Internet.
3.5. In some cases we use external service providers (processors within the meaning of Article 28 of the GDPR), to whom we may disclose personal data, to process your data. These are carefully selected and commissioned by us, are bound by our instructions and are regularly checked. Otherwise, your data will only be disclosed to other recipients if we make separate reference to this in the following.
4. Data processing via the website
4.1. Encryption
To ensure that your personal data is processed in such a way that it is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, we use encryption (SSL or TLS) on our website and all subpages.
4.2. Visiting our website
Each time our website is accessed, data and information is automatically collected by the accessing computer’s computer system. This data includes:
- Name of the file or page accessed
- Date and time of access
- Amount of data transmitted
- IP address (anonymised) [60 days]
- Browser type (User Agent)
- Referrer URL
- Access status/http status code
- Directory protection users [anonymised after 1 day, 60 days]
- Logs (error) [7 days]
- Protocols (mail dispatch website) [anonymised after 1 day, 60 days]
- Protocols (mail dispatch mail server) [4 weeks]
- Hostname accessed
The data is stored in the log files of our IT service provider/host.
Processing purpose: the processing of the above-mentioned data is necessary to enable us to display the website and to guarantee the security and stability of our information technology systems and the technology of our website. Processing is also carried out in order to provide law enforcement authorities with the information required for law enforcement purposes in the event of a cyber attack.
Legal basis: we have a legitimate interest in data processing within the meaning of Article 6 (1) (f) of the GDPR, where a legitimate interest results from the aforementioned purpose.
Storage period: data is erased as soon as data storage no longer fulfils the purpose. The point in time is to be determined on a case-by-case basis, where storage is to be terminated no later than when civil law claims become time-barred in accordance with Section 199 of the German Civil Code (Bundesgesetzbuch, BGB) or when criminal prosecution is no longer possible due to the statute of limitations (Sections 78, 79 of the Criminal Code [Strafgesetzbuch, StGB]).
4.3. Our own cookies
We use ‘session cookies’ in connection with login features on our websites, which are not for tracking purposes and may be collected without consent. Among other things, these store a ‘session ID’, with which various requests from your browser can be assigned to the shared session, as well as the data listed below.
Session cookies store the following data:
- Session ID - this is stored in the cookie
- The first two segments of the IP address
- The user ID in the Typo3 content management system RKH Kliniken uses
- Timestamp of the last login
- Typo3 control data
Processing purpose: the cookies are used by us for the purpose of ensuring website security.
Legal basis: cookies are saved to protect our legitimate interests within the meaning of Article 6 (1) (f) of the GDPR, where the legitimate interest then arises from the purpose of processing.
Storage period: session cookies are usually deleted when the browser is closed.
4.4. Contacting us - general
If you contact us (e.g. by e-mail, fax), we will store the data you provide, such as your name, your e-mail address and any other contact data you may have provided.
Processing purpose: processing of the above-mentioned data is required in order for us to be able to process or respond to the request you made when contacting us.
Legal basis: data may be processed on different legal bases, depending on the request. In any case, however, processing is required to protect our legitimate interests within the meaning of Article 6 (1) (f) of the GDPR. The legitimate interest results from the fact that we want to follow up on your request and fulfil the purpose of processing.
Storage period: we will erase your personal data no later than when storage is no longer necessary. The point in time is to be determined on a case-by-case basis, where storage is to be terminated no later than when civil law claims become time-barred in accordance with Section 199 of the German Civil Code (Bundesgesetzbuch, BGB) or when criminal prosecution is no longer possible due to the statute of limitations (Sections 78, 79 of the Criminal Code [Strafgesetzbuch, StGB]).
4.5. Contacting us, course registrations, booking requests and appointments made via online forms
We provide you with different online forms on our website for various purposes. Specifically, these are:
- contact forms, for the purpose of contacting us with questions or other concerns;
- contact forms for the purpose of arranging appointments for certain consultation hours, e.g. paediatric surgery section;
- registration forms for certain course offerings, e.g. preparing for birth; and
- event booking forms for booking requests for rooms in our buildings for conferences.
If you use one or more online forms on our website, the data you enter on the input screen will be sent to us and stored by us. Depending on the requirements, different data is requested for individual online forms.
In addition, if you send us a message or a completed online form, the following data will also be stored:
- IP address of the user
- Date and time
- User Agent (browser type)
Processing purpose: the processing of personal data provided on the input screen is used to process your request or your registration, booking request or the submission of a proposed date for surgery. Health data that is requested in connection with course registrations is required for the purpose of billing with respect to service providers. Information and personal data that you provide us with via the online form in order to arrange a consultation appointment, such as clinical pictures, information about previous stays with us, service providers, etc., contribute towards us preparing for an appointment in the best way possible. We can tell you specifically which documents to bring to the appointment and create a patient file when you make an appointment. We store other data that is sent from your browser to our server when you send a completed contact form in order to prevent the contact form from being misused and to ensure that our information technology systems are secure.
Legal basis: your consent will be obtained for the processing of this data before the submission process and reference will be made to this privacy policy. On the basis of your consent, the legal basis for processing is Article 6 (1) (a) of the GDPR.
Storage period: the data will be erased if consent has been withdrawn, which will be no later than when data storage can no longer fulfil the purpose. The point in time is to be determined on a case-by-case basis, where storage is to be terminated no later than when civil law claims become time-barred in accordance with Section 199 of the German Civil Code (Bundesgesetzbuch, BGB) or when criminal prosecution is no longer possible due to the statute of limitations (Sections 78, 79 of the Criminal Code [Strafgesetzbuch, StGB]).
4.6. User login - access to protected content
You can access protected content after successfully logging in via a login screen where you have to enter the login data provided by us (user name and password). Protected content may, for example, include training videos, information and documents for (new) employees and student nurses.
The following data is saved when logging in:
- Session ID—this is stored in the cookie
- The first two segments of the IP address
- The user ID in the Typo3 CMS RKH Kliniken uses
- Timestamp of the last login
- Typo3 control data
Processing purpose: we store the technical data collected on login in order to prevent the misuse of access to the protected contents and to ensure the security of our information technology systems.
Legal basis: processing is required to protect our legitimate interests within the meaning of Article 6 (1) (f) of the GDPR. The legitimate interest results from the purpose of processing.
Storage period: we will erase this data no later than when storage is no longer necessary. The point in time is to be determined on a case-by-case basis, where storage is to be terminated no later than when civil law claims become time-barred in accordance with Section 199 of the German Civil Code (Bundesgesetzbuch, BGB) or when criminal prosecution is no longer possible due to the statute of limitations (Sections 78, 79 of the Criminal Code [Strafgesetzbuch, StGB]).
4.7. Online application
We offer applicants who are interested in an advertised position in our company or who take the initiative in applying for a job the option of applying via an online form.
If you make use of this option, the data that you have entered on the input screen will be transmitted to us and stored by us. For more information on the processing of personal data in the context of the application procedure, in particular the purpose of processing, the legal basis and the storage period, please refer to the privacy policy for applicants.
In addition, if you send us a message or a completed online form, the following data will also be stored:
- IP address of the user
- Date and time
- User Agent (browser type)
4.8. Google Analytics
We use the web analysis service Google Analytics on our website. The provider is Google Inc (hereinafter ‘Google’), 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA.
Google Analytics is a web analytics service that collects, compiles and evaluates data on the behaviour of visitors to a website. Google Analytics uses cookies that transmit data to Google for analysis purposes when you visit our website.
Within the framework of this procedure, provided that the website user has consented to the use of cookies, the following data is usually transmitted to and stored on Google’s servers:
- Referrer URL
- Which subpage of the website is accessed
- How often and for how long a subpage is viewed
- IP address
- Time of access
- Location of access
- Frequency of visits to our website
We have enabled the addition ‘ga('set', 'anonymizeIp', true);’ for this service. This means that the IP address for your Internet connection is shortened by Google and is anonymised if our website is accessed from a member state of the European Union or from other states that are party to the Agreement on the European Economic Area. In exceptional cases, the full IP address is transferred to a Google server in the USA and shortened there.
Processing purpose: the purpose of the Google Analytics tool is to analyse visitor flows on our website. From the data obtained, Google evaluates the use of the website and provides us with online reports that show the activities on our website. The use of Google Analytics allows us to optimise our website and to carry out a cost-benefit analysis of our website as well as our offering.
Legal basis: we only use cookies if you agree to their use. To allow you to give us your consent, we use a cookie layer on our website. By clicking on the button located there, you agree to cookies being saved. The use of Google Analytics is therefore based on the legal basis of Article 6 (1) (a) of the GDPR.
Storage period: Google stores the data obtained by Google Analytics for a maximum of 14 months.
Third country transfer: data is usually transferred to Google’s servers in the USA and stored there.
Transfer to third parties: it is possible that Google may pass on the data obtained in the process to third parties.
Furthermore, even after you have given your consent, you have the option of generally objecting to the collection of data generated by Google Analytics and relating to the use of this website and the processing of this data by Google, and you also have the option of preventing such collection. To do this, you must download and install a browser add-on via the link tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information about visits to websites may be transmitted to Google Analytics. The installation of the browser add-on is considered by Google to be an objection. If the IT system is deleted, formatted or reinstalled by you at a later date, you will need to reinstall the browser add-on to disable Google Analytics. If the browser add-on is uninstalled or disabled by you or another person within your sphere of control, you have the option of reinstalling or reenabling the browser add-on.
We also offer you the option of opting out of the collection of website usage data for this website by clicking on the following link:
Deactivate Google Analytics
5. Other data processing via the website
5.1. Google Fonts
We use Google Fonts for the uniform presentation of fonts on our website.
The provider of Google Fonts is Google Inc (hereinafter ‘Google’), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
When you visit our website, your browser loads the embedded fonts into the cache of your browser. For this purpose, a direct connection is established between your browser and a Google server. We do not know what personal data Google processes in this way.
Google is solely responsible for processing your data. We are therefore not the controller for data processing in connection with this service. Nevertheless, on the basis of Article 13 of the GDPR, we would like to inform you as far as possible about data collection in connection with this service.
Processing purpose: the above-mentioned data is used so that we can design our website in a uniform manner, and therefore in an appealing way as well.
Legal basis: the legal basis for using this service is Article 6 (1) (f) of the GDPR. We have a legitimate interest in increasing how appealing our website is.
Storage period: since we have no influence over the further processing and use of the data by Google, we cannot make any statements about how long Google stores the data for.
Data transmission: your data is sent to Google’s servers in the USA. It is not excluded that Google may transfer the data to third parties.
Further information: the following link will direct you to Google’s privacy policy:
https://policies.google.com/privacy?hl=de#infochoices
5.2. Google Maps
We use the Google Maps map service on our website to display interactive maps and provide directions.
The provider of Google Maps is Google Inc (hereinafter ‘Google’), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
When you visit our website, your browser establishes a direct connection with a Google server. Google then transmits the map content built into our website to your browser. Through this and through the use of the route planning function, Google processes the following data as a minimum:
- IP address
- Referrer URL
- Date and time of access
- Location data
- The addresses you enter when planning the route
We would also like to point out with regard to Google Maps that Google is solely responsible for processing your data. We are therefore not the controller for data processing in connection with this service. Nevertheless, on the basis of Article 13 of the GDPR, we would like to inform you as far as possible about data collection in connection with this service.
Processing purpose: the above data is used to visually present geographical information on our website.
Legal basis: the legal basis for using Google Maps is Article 6 (1) (f) of the GDPR. We have a legitimate interest in making it easier for our customers to find us.
Storage period: since we have no influence over the further processing and use of the data by Google, we cannot make any statements about how long Google stores the data for.
Data transmission: your data is sent to Google’s servers in the USA. It is not excluded that Google may transfer the data to third parties.
Further information: the following link will direct you to Google’s privacy policy:
https://policies.google.com/privacy?hl=de#infochoices
5.3. YouTube
We have integrated the plugin for the video portal YouTube into our website. The provider is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066 USA (hereinafter ‘YouTube’).
When you visit our website, your browser establishes a direct connection to a YouTube server in the USA. YouTube then transmits the video content integrated into our website to your browser.
Through this, YouTube processes the following data as a minimum:
- Your IP address
- Referrer URL
YouTube is solely responsible for processing your data. We are therefore not the controller for data processing in connection with this service. Nevertheless, on the basis of Article 13 of the GDPR, we would like to inform you as far as possible about data collection in connection with this service.
Processing purpose: the above data is used to display videos from the YouTube platform on our website.
Legal basis: the legal basis for the use of the YouTube plugin is Article 6 (1) (f) of the GDPR. We have a legitimate interest in increasing how appealing our website is.
Storage period: since we have no influence over the further processing and use of the data by YouTube, we cannot make any statements about how long YouTube stores the data for.
Data transmission: your data is sent to YouTube’s servers in the USA. It is not excluded that YouTube may transfer the data to third parties.
Further information: The following link will take you to YouTube’s privacy policy:
https://policies.google.com/privacy?hl=de&gl=de
5.4. Google reCAPTCHA
We have integrated the service Google reCAPTCHA into our website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (hereinafter ‘Google’).
As soon as our website is accessed, reCAPTCHA analysis starts automatically. Among other things, Google processes the following data:
- IP address
- The page visitor’s mouse movements
- Internet site visitor’s length of stay
Google is solely responsible for processing your data. We are therefore not the controller for data processing in connection with this service. Nevertheless, on the basis of Article 13 of the GDPR, we would like to inform you as far as possible about data collection in connection with this service.
Processing purpose: the service checks the behaviour of the site visitor to determine whether data input on our website is automated or whether it is done by a natural person.
Legal basis: the legal basis for the use of this service is Article 6 (1) (f) of the GDPR, as we have a legitimate interest in protecting ourselves from spam and abusive automated spying.
Storage period: since we have no influence over the further processing and use of the data by Google, we cannot make any statements about how long Google stores the data for.
Data transmission: your data is sent to Google’s servers in the USA. It is not excluded that Google may transfer the data to third parties.
Further information: the following link will direct you to Google’s privacy policy:
https://policies.google.com/privacy?hl=de#infochoices
6. Social media - Facebook fan page
We have refrained from embedding ‘social media plugins’ on our website, and instead link to our fan page, which we operate via Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
We and Facebook are jointly responsible with respect to the fan page, under Article 26 of the GDPR. In the case of joint responsibility, both parties are liable as joint and several debtors. Detailed regulations regarding Facebook’s responsibilities and our responsibilities can be found under the ‘Page Insights Controller Addendum’, which can be accessed via the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
Depending on the type and scope of your use of the Facebook fan page, we can access the following data from Facebook:
- Statistical data for different categories such as the total number of page views
- ‘Like’ information
- Page actions
- Post interactions
- Comments
- Shared content
Processing purpose: we link to our Facebook fan page to promote the communicative character of the Internet—and thus freedom of opinion—and to facilitate optimisation measures with respect to our quality and range of services.
Legal basis: the legal basis for linking is Article 6 (1) (f) of the GDPR. We have a legitimate interest in making our services more appealing.
Storage period: the privacy policy, which can be accessed at www.facebook.com/legal/terms/page_controller_addendum, provides information about the storage period.
Data transmission: when you visit the Facebook fan page, your data is sent to servers in third countries such as the USA. It is not excluded that Facebook may transfer the data to third parties.
Further information: you can find more information about data protection regulations on the website https://www.facebook.com/legal/terms/, in particular how to exercise your rights as a data subject in connection with the use of the Facebook fan page.
7. Yumpu
If we have inserted virtual catalogues on our web pages, this is done through Yumpu, a free publisher service of i-magazine AG, Gewerbestrasse 3, 9444 Diepoldsau, Switzerland.
Switzerland is recognised by the European Commission as being a country with an appropriate level of data protection. The adequacy decision by the European Commission permits the communication of personal data from the EU without further protective measures. For further information, please visit ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Use of the Yumpu service allows the contents of PDF files to be displayed as a flip page catalogue, which is freely accessible to everyone and easily readable directly in the web browser, without having to load any PDF files.
To run the service, i.e. when you browse the catalogue, your web browser connects directly to Yumpu and retrieves the content directly from Yumpu. i-magazine AG is solely responsible for processing the following data in server log files. Nevertheless, on the basis of Article 13 of the GDPR, we would like to inform you as far as possible about data collection in connection with this service.
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
Processing purpose: the purpose of processing is to improve the stability and functionality of the website.
Legal basis: processing is carried out on the basis of Article 6 (1) (f) of the GDPR.
Storage period: i-magazine AG stores data for up to one month.
Third country transfer: data is usually transferred to the servers of i-magazine AG, which are located in Ireland (EU), and is stored there. However, it can also be processed outside the European Economic Area (EEA) in accordance with i-magazine AG’s privacy policy. If this happens, they will take appropriate measures to protect your personal information and your rights.
Further information can be found in i-magazine AG’s privacy policy at https://www.yumpu.com/de/info/privacy_policy.
8. Information on data subject rights
You are entitled to ‘data subject rights’, i.e. rights that you can exercise as a person affected in individual cases. You can assert these rights against the operator of the website, i.e. the hospital operator. They result from the EU General Data Protection Regulation (GDPR), which also applies in Germany:
- Right of access, Article 15 of the GDPR
You have the right to request information from the controller as to whether they are processing personal data concerning you. If the answer is in the affirmative, you have a right of access to the information listed in Article 15 of the GDPR.
- Right of rectification of personal data, Article 16 of the GDPR
In accordance with Article 16 of the GDPR, you have the right to ask the controller to rectify or complete personal data concerning you if the personal data concerning you is incorrect or incomplete.
- Right to erasure (‘right to be forgotten’), Article 17 of the GDPR
In accordance with Article 17 of the GDPR, you have the right to request that the controller erases personal data concerning you.
- Right to restrict processing, Article 18 of the GDPR
As a data subject, you have the right to request that the controller restricts processing under the conditions of Article 18 of the GDPR.
- Right of information, Article 19 of the GDPR
You have the right to be informed of the recipients to whom personal data concerning you has been disclosed and to whom the controller has communicated your rights to rectify, delete or limit the data, in accordance with Article 19 of the GDPR.
- Right to data portability, Article 20 of the GDPR
Under the conditions of Article 20 of the GDPR, you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format. Subject to the conditions of Article 20 of the GDPR, you have the right to transfer this data to another controller without hindrance from the person to whom personal data has been made available. You have the right to request that personal data is transferred directly from one controller to another, as far as this is technically feasible.
- Right to object to processing, Article 21 of the GDPR
Pursuant to Article 21 of the GDPR, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f). This also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing, you have the right to object to the processing of the personal data concerning you for such marketing at any time; this also applies to profiling if it relates to such direct marketing.
- Right not to be subject to automated decision making including profiling, Article 22 of the GDPR
As a data subject, you have the right under Article 22 of the GDPR not to be subject to a decision based solely on automated processing—including profiling—which has legal effect vis-à-vis you or which affects you in a similarly significant way.
- Right to withdraw consent given under data protection law, Article 7 of the GDPR
According to Article 7 of the GDPR, you have the right to withdraw your consent to the processing of your personal data at any time.
- Right to lodge a complaint with a data protection supervisory authority, Article 77 of the GDPR
Without prejudice to other legal remedies, you have the right to appeal to a supervisory authority under Article 77 of the GDPR if you believe that the processing of your personal data by us is in breach of the GDPR. The complaint to the supervisory authority may be made informally.