Privacy Policy

The following information is about the processing of personal data by Berlin Heart GmbH, in particular when using our website. The processing of personal data (e.g., name, address, e-mail address or telephone number of a data subject) is carried out pursuant to the statutory provisions, in particular the requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

This privacy policy uses terms that are based on the wording of the GDPR. The definitions for some of these terms can be found at the end of this document.

1. Name and Address of the Controller

Controller in the sense of Art. 4 para. 7 GDPR is:

Berlin Heart GmbH
Represented by the directors Sven-René Friedel, Dr. Ares K. Menon
Wiesenweg 10
12247 Berlin, Germany
Tel: +49 30 8187 2600
Fax: +49 30 8187 2601
e-mail: info@berlinheart.de

2. Data Protection Officer

You may contact our Data Protection Officer as follows:

LOROP GmbH
Landgrafenstraße 16
10787 Berlin
E-Mail: datenschutz@lorop.de

3. Processing of Personal data when visiting our website

When using the website for strictly informational purposes, we only process the personal data that your browser transmits to the server we use. If you wish to view our website, we process the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis: Art. 6, para. 1, subpara. f, GDPR):

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• amount of data transferred in each case
• Website from which the request originates
• Browser
• Operating system and its interface
• Language and version of the browser software.

4. Processing of Personal Data in the event of personal contact

When you contact us by e-mail, post, via a contact form or in any other way, the data you provide (e.g., your e-mail address, your name and/or your telephone number) will be processed by us in order to process or respond to your request (legal basis: Art. 6, para. 1,, subpara. a, f, GDPR). We delete the data collected in this context as soon as storage is no longer required, or we restrict processing if there are any statutory retention obligations.

5. processing of personal data in video surveillance

We use video surveillance on the property we use. This is done to exercise domiciliary rights by controlling access, to prevent criminal offenses and to preserve evidence in the event of criminal offenses.

The legal basis for video surveillance is Art. 6, para. 1, subpara. f, GDPR, whereby our interests arise from the aforementioned purposes. Insofar as special categories of personal data are processed, this is done on the basis of Art. 9, para. 2, subpara. f, GDPR.

In the event of any suspected criminal acts, we may also pass the data on to law enforcement authorities.

Otherwise, the data will only be passed on if there is a legal basis for the transfer. This may be the case in particular if the police or other security authorities take action in the context of protecting property or persons and demand access to the video surveillance data.

Personal data is not processed in the context of video surveillance.

6. Processing of personal data when using Microsoft Teams

The video conferencing function of Microsoft Teams enables us to offer you participation in our online events via audio/video. Microsoft Teams collects and processes various personal data, such as communication data (e-mail address, name), log files, metadata (IP address, time of participation) and profile data (user name). Data processing is carried out to provide the Teams functions, to improve the application, to enable troubleshooting and to fulfill contractual or legal obligations. The legal basis for the use results from Art. 6, para. 1, subpara. a, GDPR.

Login data and IP addresses are generally deleted after four weeks. Chat histories and recordings of online meetings are also stored, although recordings may be deleted after four weeks. 

Data is only passed on to third parties if this is necessary for the provision of the service or if there is a legal basis for doing so. Microsoft itself, as the provider of Teams, has access to the data as part of the order processing contract. 

Consent to use by Microsoft Teams is usually implied by participation in a meeting or use of the application. If consent is not given, an alternative means of communication must be used. 

Microsoft Teams is part of Microsoft Office 365. Microsoft Teams is a productivity, collaboration and exchange platform for individual users, teams, communities and networks that is used across company organizations. Among other things, this includes a video conferencing function.

Microsoft Office 365 is a software product of the company:

Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521
Ireland

Microsoft Teams is part of the Office 365 cloud application, a user account must be created in order to use it.

Data processing with Office 365 takes place on servers in data centers in the European Union, Ireland and the Netherlands.

7. Processing of Personal Data when registering a user account

7.1  Protected user areas

Our website offers a protected user area exclusively for certain user groups (clinics, distributors, patients, etc.) in order to provide users with access to further, in particular product-specific information. If you belong to one of these user groups and would like to set up a user account, you must complete the information requested in the registration form and register using a password of your choice.

7.2  Registration

We use a double opt-in procedure for registration, i.e., your registration is not complete until you have confirmed your log-in registration by clicking on the link contained in a confirmation e-mail sent to you for this purpose. If you do not confirm this within 24 hours, your log-in registration will be automatically deleted from our database.

7.3  Processing of data when using the portal

When you use our portal, we process the data required for the fulfillment of the contract until you ultimately delete your account access. Furthermore, we process the data you voluntarily provide for the duration of your use of the portal, unless you delete it beforehand. You can administrate and change all details in the protected customer area. The mandatory information required for registration is marked separately, any additional information is voluntary. The legal basis for this is Art. 6, para. 1, subpara. b, GDPR, for the voluntarily provided data Art. 9, para. 2, subpara. a, GDPR (for health data), otherwise Art. 6, para. 1, subpara. a, GDPR.

7.4  Encryption

To prevent unauthorized access to your personal data by third parties, the connection is encrypted using TLS technology.

7.5  Account deletion

The account can be deleted independently in the "Account" tab.

8. Processing of Personal Data in the context of "Share your Story"

If you use the "Share your Story" function we provide and send us your story about a heart disease, heart treatment or similar experience for publication on our website, we will process the personal data you provide for the purpose of an internal preliminary check as to whether we would like to publish your story and, if applicable, for publication on our website. Your personal data will only be published if it is contained in the document you have uploaded. The mandatory information required for transmission is marked separately, further information is voluntary. The legal basis for this is Art. 9, para. 2, subpara. a, e, GDPR (for health data), otherwise Art. 6, para. 1, subpara. a, f GDPR.

9. Processing of personal data in the application process and during employment

9.1  Application procedure

The legal basis for the processing of your personal data in this application procedure is primarily § 26 BDSG. Accordingly, the processing of data required in connection with the decision on the establishment of an employment relationship is permitted.

Should the data be required for legal prosecution after completion of the application process, data processing may be carried out on the basis of the requirements of Art. 6 GDPR, in particular to safeguard legitimate interests in accordance with Art. 6, para. 1, subpara. f) GDPR. Our interest then lies in the assertion of or defense against claims.

We use a specialized software provider for the application process. The latter acts as a service provider for us and may also obtain knowledge of your personal data in connection with the maintenance and care of the systems. We have concluded a so-called order processing contract with this provider, which ensures that the data processing is carried out in a permissible manner.

Your application data will be reviewed by the HR department upon receipt of your application. Suitable applications are then forwarded internally to the department managers for the respective open position. The next steps in the procedure are then agreed. Within the company, only those persons have access to your data who need it for the proper course of our application procedure.

Applicants' data will be deleted after 5 months in the event of rejection.

In the event that you have consented to further storage of your personal data, we will transfer your data to our applicant pool. The data will be deleted there after 11 months.

9.2  Employment relationship

If a contractual relationship is established between you and us, the data transmitted will be processed for the purpose of entering into and implementing the employment relationship in compliance with the statutory provisions (legal basis: Art. 6, para. 1, subpara. b, GDPR). Otherwise, the application documents will be automatically deleted six months after completion of the application process, provided that no other legitimate interests on our part stand in the way of

10. Processing of personal data of other contractual partners

If you enter into a contractual relationship with us, e.g., as a customer or supplier, or if we are in the initiation phase of such a relationship, we process the data you provide to us, including the data of any contact persons at your company. This data is processed for the establishment and execution of the contractual relationship. The legal basis for this is Art. 6, para. 1, subpara. b, GDPR; for the data not required for this purpose but provided by you, Art. 6, para. 1, subpara. a, GDPR.

11. Recipients patient's information

11.1  Anonymizing or pseudonymizing patient’s information

If Berlin Heart receives patient information, e.g., from contractual partners (in particular from clinics treating patients), Berlin Heart will immediately pseudonymize or anonymize the patient's data.

11.2  Legality of processing patient’s information

Patient information, including health data, will only be processed by Berlin Heart if this is permitted by law.

11.3  Explicit consent of the patient

This is the case in particular if the patient has expressly consented to the processing of personal data or information for the purposes stated in the declaration of consent (legal basis for health data: Art. 9 para. 2 subpara. a GDPR; otherwise: Art. 6, para. 1, subpara. a, GDPR).

11.4   Processing purpose

Furthermore, processing is carried out for necessary quality assurance measures (legal basis for health data: Art. 9, para. 2, subpara. h, i GDPR and Section 22, para. 1, no. 1, subpara. b,, c BDSG; otherwise: Art. 6, para. 1, subpara. a, f, GDPR) as well as for any necessary medical support of the patient, in particular in an emergency (legal basis for health data: Art. 9, para. 2, subpara. c, h, GDPR; otherwise: Art. 6, para. 1, subpara. a, f GDPR).

11.5  Reporting obligations

As a manufacturer of medical devices, Berlin Heart is also subject to statutory reporting obligations to state supervisory authorities. This applies, for example, to incidents that may have led to a serious deterioration in a patient's state of health. These obligations also apply in part to the competent supervisory authorities in third countries, i.e., those outside the European Union, in accordance with national law. Patient information is always transmitted pseudonymously or, if possible and legally permissible, anonymously. (Legal basis for health data: Art. 9, para. 2, subpara. f, h, i, GDPR and Section 22, para. 1, no. 1 subpara. b, c, BDSG; otherwise: Art. 6, para. 1, subpara. a, f, GDPR).