We herewith wish to inform you about the processing of personal data by Berlin Heart, in particular when you are using our website. We process personal data (e.g. name, address, e-mail address and telephone number of a data subject) in accordance with the applicable law, in particular the General Data Protection Regulation (GDPR) and the German Data Protection Law (BDSG).
The controller in the sense of Art. 4 para. 7 GDPR is:
Berlin Heart GmbH
Represented by the directors Sven-René Friedel, Dr. Ares K. Menon
12247 Berlin, Germany
Tel: +49 30 8187 2600
Fax: +49 30 8187 2601
You may contact our Data Protection Officer as follows:
Berlin Heart GmbH
- attn. the Data Protection Officer -
12247 Berlin, Germany
Tel: +49 30 8187 2106
Purely informational use of our website only leads to the processing of personal data that is transmitted by your internet browser to our server. While you are visiting our website, we process the following data. This is technically necessary for us in order to display the website and to safeguard its stability and security (legal basis: Art. 6 para. 1 phr. 1 lit. f GDPR):
When you contact us by e-mail, letter, contact form or in another way, we will process the transmitted data (e.g. your e-mail address, your name and/or your telephone number) in order to process and/or answer your request (legal basis: Art. 6 para. 1 phr. 1 lit. a, f GDPR). The data processed in this context will be deleted as soon as their storage is no longer necessary, or we will restrict the processing if we have to fulfill a legal obligation to retain such data.
5.1 Our website offers a secured user section, exclusively for certain user groups (inter alia clinics, distributors, patients), which provides such users access to additional, in particular product-specific information. If you belong to one of these user groups and wish to register a user account, you must fill in the information required in the registration form and register with a freely chosen password.
5.2 For registration we use the so-called double-opt-in process. This means that your registration is only completed once you have confirmed it by clicking on the link in the confirmation e-mail we will send to you for this purpose. If you do not confirm within 24 hours, your application will be automatically deleted from our database.
5.3 If you are using our portal, we will process your data necessary for the fulfilment of the contract until you permanently delete your account. Furthermore, we will process the data you have transferred to us on a voluntary basis for the time you are using the portal, unless you have deleted them before. You may manage and change all data in the secured user section. The data necessary for registration will be highlighted, other information is voluntary. Legal basis is Art. 6 para. 1 phr. 1 lit. b GDPR; for the voluntarily provided data: Art. 9 para. 2 lit. a GDPR for data concerning health, for other data Art. 6 para. 1 phr. 1 lit. a GDPR.
5.4 The connection is secured with TLS technology, in order to prevent third parties from unauthorized access to your personal data.
If you are using the website function “Share your Story” and provide us with your story concerning a heart disease, treatment or similar for the purpose of publication on our website, we will process the personal data provided for a preliminary review if we also wish to publish your story, and as the case may be, for the publication on our website. Your personal data will only be published if it is contained in the document you have uploaded. The data necessary for submitting your story will be highlighted, further data is voluntary. Legal basis is Art. 9 para. 2 lit. a, e GDPR (for data concerning health), for other data Art. 6 para. 1 phr. 1 lit. a, f GDPR.
7.1 If you transmit personal data to us in the context of recruitment procedures, such data will be processed only for the implementation of this procedure, to determine the possible success of your application (legal basis: Art. 6 para. 1 phr. 1 lit. a, f GDPR).
7.2 If a contract is concluded between you and us, we will process the data for the purposes of conclusion and execution of the employment subject to the statutory provisions (legal basis: Art. 6 para. 1 phr. 1 lit. b GDPR). In any other case, we will automatically delete the application documents after six months, unless the deletion is contrary to our legitimate interests (e.g. procedures according to the German General Equal Treatment Act).
When you enter into a contractual relationship with us (e.g. as a client or supplier) and during the initiation phase, we will process the data you have provided to us, including those of any contact partners. These data will be processed for the conclusion and execution of the contractual relationship. Legal basis is Art. 6 para. 1 phr. 1 lit. b GDPR; or Art. 6 para. 1 phr. 1 lit. a GDPR for data that is not required for this purpose but is provided by you.
9.1 If data of a patient is transmitted to Berlin Heart, e.g. by contract partners (in particular by clinics where the patient receives the medical treatment), Berlin Heart will immediately pseudonymize or anonymize the patient’s data.
9.2 The patient’s data (including data concerning health) will only be processed by Berlin Heart, if this is permitted according to statutory provisions.
9.3 This is particularly the case if the patient has given his/her explicit consent to the processing of personal data for the purposes mentioned in the declaration of consent. Legal basis is Art. 9 para. 2 lit. a GDPR (for data concerning health), for other data Art. 6 para. 1 phr. 1 lit. a GDPR.
9.4 In addition, we will process personal data for necessary measures of quality assurance (Legal basis for data concerning health: Art. 9 para. 2 lit. h, i GDPR as well as § 22 para. 1 No. 1 lit. b, c BDSG – German Federal Data Protection Act; for other data: Art. 6 para. 1 phr. 1 lit. f GDPR) and for any medical support of the patient that may be necessary, especially in case of emergency (Legal basis for data concerning health: Art. 9 para. 2 lit. c, h; for other data: Art. 6 para. 1 phr. 1 lit. a, f GDPR).
9.5 As a producer of medical devices, Berlin Heart also has to fulfill legal reporting obligations towards public regulatory authorities. As an example, this applies to (adverse) events that may have led to a serious deterioration in the state of a patient’s health. These reporting obligations are also applicable towards public authorities in third countries (countries outside the European Union). We will only transfer patient data in a pseudonymized or, if possible and legally permitted, anonymized form (Legal basis for data concerning health: Art. 9 para. 2 lit. f, h, i GDPR as well as § 22 para. 1 No. 1 lit. b, c BDSG – German Federal Data Protection Act; for other data: Art. 6 para. 1 phr. 1 lit. a, f GDPR).
If you participate in one of our forums (e.g. trainings, Berlin Heart Academy etc.) the conclusion of the contract concerning the participation requires information about such personal data that we need for your registration and the execution of the forum. The necessary data will be highlighted, further data is voluntary. Legal basis is Art. 6 para. 1 phr. 1 lit. b GDPR, for voluntarily provided data Art. 6 para. 1 phr. 1 lit. a GDPR.
We will only transfer personal data to third parties in those cases mentioned in this policy or if we explicitly inform you accordingly on other occasions. In addition, we partly use external processors in the sense of Art. 28 GDPR (e.g. host provider, e-mail provider). However, these service providers process personal data only within the European Union.
We do use any automated decision-making processes, including profiling, in the sense of the GDPR. A transfer of personal data to third countries will only be made in those cases explicitly mentioned in this policy or if you have given your consent.
13.1 With respect to your personal data you have the following rights:
13.2 You may withdraw your consent at any time for the future without providing reasons.
13.3 If you think that we have not duly observed your rights, you are entitled to lodge a complaint with the supervisory authority concerning our processing of your personal data. However, before lodging a complaint, we would be happy if you could inform us about your criticism so that we are able to remedy the grounds of your complaint.
14.1 We process your data only for the period of time that is necessary to achieve the respective storage purpose or to comply with our legal obligations. All server log files (including your IP address) will be automatically erased within 14 days.
14.2 We will erase your personal data if the processing purpose or the legal storage obligation ceases to exist. Therefore, you don’t have to take any actions to this end.
15.2 You may configure your browser preferences according to your demands and, for example, prevent the acceptance of third-party or all cookies. However, please note that by refusing cookies, some functions of this website may not be accessible.
16.1 This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer that allow an analysis of how you use the website. The information generated by the cookie about your use of the website will in general be transmitted to and stored by Google on servers in the USA. If IP anonymization is activated on this website (see below), your IP address will be shortened beforehand by Google within a member state of the European Union or in a contracting state to the Agreement on the European Economic Area. Only as an exception will your IP address be fully transmitted to a server located in the USA and shortened there. Google will use this information on behalf of the controller for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services for the controller relating to website activity and internet usage.
16.2 Google will not associate your IP address with any other data held by Google.
16.4 This website uses Google Analytics with the extension “_anonymizeIp()”. Therefore, only shortened IP addresses will be processed. A direct link to a data subject should be excluded.
16.5 We use Google Analytics to analyze and to constantly improve the use of our website. For cases of an exceptional transmission of personal data to the USA, Google has joined the EU-US Privacy Shield regulation, see https://www.privacyshield.gov/EU-US-Framework. Legal basis for the use of Google Analytics is Art. 6 para. 1 phr. 1 lit. f GDPR.
17.1 Our website uses YouTube videos that are stored on www.YouTube.com and may be directly activated on our website. All these videos are embedded in the extended data protection mode, which means that your user data will not be transferred to YouTube if you do not activate the video play button. If you activate it, the data mentioned in the following section will be transferred. We do not have any influence on this data transfer.
17.2 If you are visiting our website, YouTube receives this information, and the data set forth above that is processed when you visit our website will be transferred as well. This data is transferred whether or not you have a user account at YouTube and/or if you are logged in. If, at the same time, you are logged in to your Google account, your data will be directly attributed thereto. If you do not wish such attribution to your YouTube profile, you have to log out before activating the button. YouTube collects your data in user profiles and uses them for the purpose of advertisement, market research and/or for a demand-oriented design of its website. This analysis is in particular done to provide demand-oriented advertisement and to inform other users about your activity on our website (even if you are not logged in). You have the right to object to the creation of such user profiles. However, such an objection has to be directed to YouTube.
17.3 You may receive further information about the purpose and extent of the processing of data by YouTube in the data policy. This policy also provides you with further information on your rights and the different options for the protection of your privacy: https://www.google.de/intl/en/policies/privacy. Google also processes your personal data in the USA but has joined the EU-US Privacy Shield regulation, see https://www.privacyshield.gov/EU-US-Framework.
'personal data' means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;