Data security

I. Purpose of this Privacy Policy

We are pleased about your visit to our website. Below, we would like to inform you about the handling of your data in accordance with Art. 19 Swiss Data Protection Act (DSG) and Art. 13 GDPR. This includes both data processing when accessing the website and the offered services, as well as data processing in the context of our telemedical service (medical consultation).

The protection of your privacy is very important to Medgate. Therefore, we comply with the requirements of applicable data protection regulations when processing your personal data.

If your place of residence is in Switzerland, the processing of your personal data is governed by the provisions of the Swiss Data Protection Act (DSG).

If your place of residence is in a Member State of the European Union, the processing of your personal data is governed by the REGULATION (EU) 2016/679 OF THE EUROPEAN (GDPR). Below, you will be informed about data processing and the underlying basis.

From the perspective of Swiss data protection, the adequacy of the level of data protection within the EU is also ensured (available here: https://www.edoeb.admin.ch/edoeb/en/home/data-protection/commerce-and-economy/transfer-abroad.html).

From the perspective of the GDPR, the uniform level of data protection in Switzerland is ensured through the adequacy decision under Art. 45 GDPR (available here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518).

In the following, we will use the uniform terms data processing and personal data. This equally includes the terms data processing and personal data as defined in the GDPR.

II. Data Controller

III. Location of Data Processing

Your personal data are generally processed in Switzerland. However, telemedical services can also be provided from abroad. If your personal data are transferred to other countries, this will only be done to countries that have a recognized equivalent data protection standard or where specific guaranteed assurances are in place. If you have any questions about this, please contact the address below.

IV. Further recipients of your personal data

The SP may use auxiliary persons for the processing of your personal data (especially within the Medgate Group), who carry out the processing on behalf of the SP. This is particularly for the handling of commercial administrative services and in connection with IT services. The doctor-patient confidentiality and data protection are always maintained in this process.

The SP forwards the personal data to the insurance companies responsible for you, which are necessary for billing with the insurance. Insurers do not have access to your medical data. In addition, the transfer to public authorities provided for by law remains reserved.

Please note that the transfer of anonymized data remains possible regardless of the above.

V. Erasure / duration of storage of personal data

As a rule, we erase your data from the point in time when a contract has been fulfilled or the purpose of the processing has ceased to exist. In the case of an objection to processing based on legitimate interests or consent, we erase your data from this point in time unless another basis for processing continues to exist, such as statutory retention obligations, a legitimate interest in enforcing our own legal positions, etc.

However, the storage of your personal data by the SP takes place at least for as long as necessary to fulfill the respective treatment contract. Statutory retention periods, particularly from public health and health insurance legislation, as well as storage for internal documentation purposes, also remain reserved.

I. Data Processing When Accessing the Webpage

a) Usage Data

To When you access our website, information is automatically sent to the server of our website by the browser used on your end device. This information is temporarily stored in a so-called logfile. The data is evaluated by us for statistical purposes as a protocol to ensure a smooth connection setup and to improve the quality of our website. This dataset consists of:

• Name of the retrieved file
• Date and time of retrieval
• Transferred data volume
• Notification whether the retrieval was successful
• Description of the type of web browser used
• Operating system used
• The previously visited page
• Provider
• Your IP address, which is shortened in such a way that it can no longer be traced back to a person

The aforementioned log data is only evaluated in an anonymized form.

b) Storage of the IP Address for Security Purposes

Furthermore, we store the full IP address transmitted by your web browser for a strictly limited purpose for the duration of one month, in the interest of detecting, limiting, and eliminating attacks on our websites. After this period, we erase or anonymize the IP address. The processing of data is based on our legitimate interests in defending against cyber-attacks (Art. 6 para. 1 sentence 1 lit. f GDPR).

c) Use of Cookies

We typically use «cookies» and similar technologies on our website to identify your browser or device. A cookie is a small file that is sent to your computer or automatically stored by the web browser you use on your computer or mobile device when you visit our website. When you revisit this website, we can recognize you even if we do not know who you are. In addition to cookies that are only used during a session and are deleted after your website visit («session cookies»), cookies can also be used to store user settings and other information over a specific period (e.g., two years) («permanent cookies»). However, you can set your browser to reject cookies, store them only for a session, or otherwise delete them prematurely. Most browsers are preset to accept cookies.

Unless we provide specific information about the storage duration, we erase personal data when it is no longer required for the purposes of processing and no legitimate interests, or other (legal) retention reasons oppose the erasure.

d) Necessary Cookies

We use so-called technically necessary cookies in some areas of our website. We do not use these required cookies for analysis, tracking, or advertising purposes. Some of these cookies only contain information about certain settings and are not personally identifiable. They may also be necessary to enable user navigation, security, and implementation of the site.

The basis for setting the cookies and subsequent processing of the data is our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

You can also delete cookies at any time via the corresponding browser setting and prevent the setting of new cookies. Please note that our websites may then not be displayed, and some functions may no longer be technically available.

Below, we list the necessary cookies used, along with the respective providers and the personal data processed. Data processing agreements have been concluded with the providers.

• Cookie Consent with Usercentrics

This website uses the cookie consent technology of Usercentrics to obtain your consent for the storage of certain cookies on your end device and to document this in a data protection-compliant manner. The provider of this technology is Usercentrics GmbH, Rosental 4, 80331 Munich, website: https://usercentrics.com/ (hereinafter «Usercentrics»). When you visit our website, the following personal data is transmitted to Usercentrics:

• Granting or withdrawal of your consent(s)
• Your IP address
• Information about your browser
• Information about your end device
• Time of your visit to the website

The processing is necessary to comply with the legal obligation to document consent (Art. 6 para. 1 sentence 1 lit. c GDPR).

e) Optional Cookies

We also use the following cookies to understand how you use our services and to present you with further advertising offers that may be of interest to you. The processing is based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR), provided you have given your corresponding consent to the setting of cookies in the cookie banner.

You can withdraw your consent at any time with effect for the future via the settings options of the consent banner.

• Use of Google Tag Managers

We use Google Tag Manager. This is a management system that allows us to integrate other services presented below on our website. Google Tag Manager itself does not process any personal data. This is only done by the Google services presented below in the manner described there.

• Use of Google Analytics

To design our websites according to demand, we use the web analysis tool «Google Analytics», with which we analyze your usage behavior. In doing so, we process your IP address, data on user interaction, browser information, cookie ID, information on viewed pages, viewed advertisements, visited websites, search terms, device operating system, screen resolution, geographic location, click path, and the date and time of the visit.

Permanent cookies are stored on your end device and read by us for this purpose. In this way, we can recognize and count returning visitors.

In the context of Google Analytics, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland («Google»)) supports us as a processor. A corresponding data processing agreement has been concluded.

The basis for collecting and processing your personal data is your consent (Art. 6 para. 1 lit. a GDPR), provided you have given this via our consent banner. Your consent is freely given and can be withdrawn at any time. Please make the appropriate settings via our banner.

It cannot be ruled out that the data will be processed on servers in the USA within the Google Group.
From the perspective of the EU and Switzerland, an adequate level of data protection is ensured for transfers to the USA due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework).

For the security of your data, the IP anonymization settings have been activated. Therefore, no IP addresses are logged and stored, but are only used to derive geolocation data. This allows us to determine whether the collected data originates from devices in Switzerland or the EU. The IP address transmitted by your browser within the framework of Google Analytics will not be merged with other data from Google.

• Use of Google Ads Conversion and Remarketing

For advertising purposes in Google search results and on third-party websites, the so-called Google Remarketing cookie is set when you visit our website, which automatically enables interest-based advertising through the collection and processing of data (IP address, time of visit, device and browser information, and information about your use of our website) and by means of a pseudonymous cookie ID and based on the pages you visit. By analyzing your interaction on our website, we can determine which offers interest you and thus have the ability to show you targeted advertisements on other websites even after you leave our website.

Further data processing only takes place if you have activated the «personalized advertising» setting in your Google account. In this case, if you are logged into your Google account during your visit to our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing.

To analyze website usage and event tracking, we measure your subsequent usage behavior via Google Ads Conversion Tracking when you have reached our website via a Google Ads advertisement. Cookies may be used for this purpose, and data (IP address, time of visit, device and browser information, and information about your use of our website based on events specified by us, such as visiting a website or signing up for a newsletter) may be collected from which pseudonymous usage profiles are created. We receive only statistical evaluations from Google. Based on these evaluations, we can see which advertising measures are particularly effective. We do not receive any further data from the use of the advertising tools, and we cannot identify users based on this information.

In the context of Google Ads, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland («Google»)) supports us as a processor. A corresponding data processing agreement has been concluded.

The basis for collecting and processing your personal data is your consent (Art. 6 para. 1 lit. a GDPR), provided you have given this via our consent banner. Your consent is freely given and can be withdrawn at any time. Please make the appropriate settings via our banner. It cannot be ruled out that the data will be processed on servers in the USA within the Google Group.
From the perspective of the EU and Switzerland, an adequate level of data protection is ensured for transfers to the USA due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework).

• Use of DoubleClick

This website uses the online marketing tool DoubleClick from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. DoubleClick uses cookies to serve relevant ads to users, improve campaign performance reports, or prevent a user from seeing the same ads multiple times. Google collects information about which ads are placed in which browser via a cookie ID and can thus prevent them from being displayed multiple times. In addition, DoubleClick can use cookie IDs to track conversions related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase there. According to Google, DoubleClick cookies do not contain any personal information.

Due to the marketing tools used, your browser automatically establishes a direct connection to Google's server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our knowledge: By integrating DoubleClick, Google receives the information that you have accessed the corresponding part of our website or clicked on an ad from us. In the context of Google DoubleClick, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland («Google»)) supports us as a processor. A corresponding data processing agreement has been concluded.

The basis for collecting and processing your personal data is your consent (Art. 6 para. 1 lit. a GDPR), provided you have given this via our consent banner. Your consent is freely given and can be withdrawn at any time. Please make the appropriate settings via our banner.

It cannot be ruled out that the data will be processed on servers in the USA within the Google Group.
From the perspective of the EU and Switzerland, an adequate level of data protection is ensured for transfers to the USA due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework).

• Use of Meta Pixel

Furthermore, the website uses the remarketing function «Custom Audiences» of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland («Facebook»). This allows users of the website to be shown interest-based advertisements («Facebook Ads») when visiting the social network Facebook or other websites that also use the procedure. We pursue the interest of showing you advertisements that are of interest to you in order to make our website more interesting for you. Due to the marketing tools used, your browser automatically establishes a direct connection to Facebook's server. We have no influence on the scope and further use of the data collected by Facebook through the use of this tool and therefore inform you according to our knowledge: By integrating Facebook Custom Audiences, Facebook receives the information that you have accessed the corresponding website of our internet presence or clicked on an ad from us. If you are registered with a Facebook service, Facebook can assign the visit to your account. Even if you are not registered with Facebook or are not logged in, it is possible that the provider will obtain and store your IP address and other identification features. The deactivation of the «Facebook Custom Audiences» function is possible here and for logged-in users at https://www.facebook.com/settings/?tab=ads#_. The basis for this processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR, if applicable. Further information on data processing by Facebook can be found at https://www.facebook.com/about/privacy.

• Userlike Unified Messaging

For the purpose of providing the chat option and thus for the purpose of customer communication, we use cookies from the service provider Userlike UG (Probsteigasse 44-46, 50670 Cologne, Germany).

If you have given your consent to the setting of the cookie, the following data will be processed by Userlike: date of the visit, time of the visit, your browser type and its version, the operating system you use, the address of the previously visited website, the processed data volume, and an individual user ID. Depending on the course of the conversation, further personal data may be processed, the scope of which is determined by you. The basis for collecting and processing your personal data is your consent (Art. 6 para. 1 lit. a GDPR), provided you have given this via our consent banner. Your consent is freely given and can be withdrawn at any time. Please make the appropriate settings via our banner. The data processing by Userlike takes place within Germany. The data is processed exclusively bound by instructions, and a corresponding data processing agreement has been concluded. We also ask you to refrain from using the chat for medical inquiries.

• Embedding of YouTube Videos

We have embedded YouTube videos on our website. These videos are stored on https://www.youtube.com. To ensure that accessing our web pages with embedded videos does not automatically result in third-party content being loaded, we initially display only locally stored preview images of the videos. This way, the third party does not receive any information. Only by clicking on the preview image are third-party contents loaded. As soon as you play a video, data is transmitted to YouTube, a company of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We have no influence on this data transmission. The data transmitted includes information that you have visited the corresponding page of our portal. In addition, your IP address, date and time of the request, time zone, content of the request, access status, the transferred data volume, the browser you use, as well as the type and version of your operating system are transmitted. This transmission occurs regardless of whether you have a user account with YouTube or not. If you are logged into a Google user account, your data will be directly assigned to this account. If you do not want this, you must log out of your user account before playing the video. As described, the embedding is based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR), provided you have given your consent by clicking on the preview image.

Please note that embedding many videos may result in your data being processed outside of Switzerland or the EU. In particular, data processing within the USA is very likely.
From the perspective of the EU and Switzerland, an adequate level of data protection is ensured for transfers to the USA due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework).

 

a) When Using Our Contact Form

For any questions, we offer you the opportunity to contact us via a contact form provided on the website. It is necessary to provide your name, contact details (name, first name, email address, telephone number, and address), and a message in order to respond to your inquiry. Without providing this data, we cannot respond to your request.
The processing of data is based on our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) to respond to your inquiry as easily, promptly, and customer-friendly as possible. Additionally, you can decide whether to provide us with further information (e.g., gender and reason for the message, information about your concern). This information is provided freely given and is not required for contacting us. We process your freely given information based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR). If you use the free text field to describe your concern, we kindly ask you to refrain from providing information about your health condition.

Your data will only be processed to respond to your inquiry. We erase your data when it is no longer necessary and no legal retention obligations oppose the erasure.

If your data transmitted via the contact form is processed based on our legitimate interests, you can object to the processing at any time. You can also withdraw your consent to the processing of the freely given information at any time. Please contact the email address provided in the imprint for this purpose.

b) Subscription to the Newsletter

You can also subscribe to our newsletter on our website. With this newsletter, we inform you about our interesting new offers.

Subscription to our newsletter is done using the so-called double opt-in procedure. This means that after your registration, we send an email to the email address you provided, asking you to confirm that it is your correct email address. The processing of data in the context of the newsletter dispatch is based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR). You can withdraw your consent at any time. An easy way to withdraw is provided, for example, via the unsubscribe link in every newsletter.

In addition to the email address you provided, we store your IP address and the time of your registration and confirmation for the purpose of proving your registration and to prevent possible misuse of your personal data. The corresponding data processing is based on our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) to be able to account for the legality of the newsletter dispatch.

In the context of newsletter registration and subsequent newsletter dispatch, we are supported by the service provider Sendinblue GmbH (Köpenicker Str. 126, 10179 Berlin), who processes the data exclusively bound by instructions. A corresponding data processing agreement has been concluded. Data processing takes place within the EU. From the perspective of Switzerland, an adequate level of data protection has been recognized for EU Member States.

c) Online Applications

You have the opportunity to apply for a position advertised by us. You can upload your application documents for this purpose via the application form. In addition to the mandatory information on first and last name, postal code, city, mobile phone number, email, earliest start date, gross salary expectation, resume, cover letter, work certificates, diplomas, and certificates, you also have the option to provide information on your title, street, house number, date of birth, and to upload a facial photo on a voluntary basis. These fields marked as voluntary or optional do not need to be filled out.

In addition, you decide yourself within the cover letter to what extent you want to share data with us.

The processing of your data is carried out to conduct an initial suitability assessment and to provide you with appropriate feedback. The processing of the mandatory information is carried out in the context of pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR). The processing of all other personal data that you provide freely given is based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Your information will be treated confidentially within our company and will only be viewed by those persons involved in the applicant selection process).

d) Links to other Websites

When we provide links to websites of other organizations, the data protection notices and declarations there apply.

I. Patient Admission

a) Profile Creation

To use our medical service, we will first create a patient profile in our patient management system during your initial appointment booking. We will initially request the following data from you:

• First and last name
• Date of birth

If you are insured with one of our partner insurance companies, we will receive the following data from your insurance company based on this information and store it in your patient profile:

• Gender
• Address
• Insurance model
• Type of insurance (basic insurance / supplementary insurance)
• VEKA number
• Member number (insurance number)
• Validity of insurance coverage

If you are not insured with one of our partner insurance companies, you will be asked for your VEKA number. Using the VEKA number, the following data will be requested from the service provider SASIS AG:

• Gender
• Address
• Insurance
• Type of insurance (basic insurance)

If you do not have a VEKA number, we will request the information directly from you.

If it turns out during the query that you do not have the necessary insurance to receive medical services, you will be informed.

The purpose of the collection of data is to verify your insurance status and your information. The processing of data is based on the service contract concluded with you (Art. 6 para. 1 sentence 1 lit. b) GDPR).

If your data changes (e.g., address change), please inform Medgate at the latest during your next contact so that we can keep your data up to date.

Already during patient admission, you have the option to voluntarily provide medically relevant information about your physical condition (e.g., allergies, medications, chronic diseases). This information will be added to your patient profile and will be available during each medical treatment. You can adjust and supplement this information at any time. This data is provided by you exclusively on a voluntary basis. The basis for the processing of data is your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR). You can withdraw your consent at any time with effect for the future.

This data will only be used for medical care and serves to inform your treating physician in advance.

The information provided here, if necessary for the medical consultation, will be processed based on the treatment contract concluded with you (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h) in conjunction with para. 3 GDPR). They will then become part of the patient record and are subject to the legal requirements for data storage in the context of patient care.

b) Data Storage in the Patient Management System (PMS)

All personal data you provide, including your health data, will be stored in our Patient Management System (PMS). This is a digital patient record; no paper-based version exists. The stored data includes both the information you provided during patient registration and the information recorded by the doctor during the telemedical treatment. Only data relevant to patient care will be recorded.
The purpose of the processing is both the execution of patient treatment and the resulting proof and documentation obligations. The processing of data is thus based on the treatment contract concluded with you (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h) in conjunction with para. 3 GDPR). The data will become part of the patient record and are subject to the legal requirements for data storage in the context of patient care.

For hosting our PMS, we use the service provider Microsoft Deutschland GmbH (Walter-Gropius-Str. 5, 80807 Munich), which stores the data on servers within Switzerland. A corresponding data processing agreement has been concluded, which obliges the service provider to process the data exclusively bound by instructions.

Since Microsoft is a US corporation, it cannot be ruled out that access from the USA may also occur. By decision of the Swiss Federal Council, it has been determined that from the entry into force of the Swiss-U.S. Data Privacy Framework, adequate protection for the transfers of personal data to certified companies applies. Microsoft is listed as a certified company (https://www.dataprivacyframework.gov/list). To further limit the possibility of access from the USA, we have taken measures to ensure that your personal data is stored exclusively in encrypted form in the cloud.

II. Appointment Booking

a) Appointment booking, symptoms, emergency recognition, referral to service provider

When you schedule a medical consultation with Medgate by phone, our patient admission staff will assist you. During this process, you will have the opportunity to describe your symptoms in advance and provide initial medical information about your health condition to enable prioritization of your request (known as triage). Furthermore, this ensures that medical emergencies are recognized as quickly as possible and immediate measures can be taken. Additionally, this pre-information facilitates and shortens the consultation appointment with the doctor, as they may not need to request further or only a few additional pieces of information from you. You provide this special personal data in the form of health data voluntarily. The basis for providing this information is your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR).

We kindly ask you to ensure that you only provide us with information that is necessary for medical treatment.

After the consultation has taken place, medically relevant data will become part of the patient record and will be stored in the Patient Management System (PMS) (details see section 1. lit d. «Data Storage in the Patient Management System (PMS) »).

b) Upload of Documents

Through our upload portal, you have the option to provide treatment-relevant documents (e.g., documents, photos, videos) during or after your medical consultation. We kindly ask you to ensure that you only provide us with information that is necessary for medical treatment.

For the purpose of providing these documents, the doctor will send an SMS and an email to the mobile number and email address linked to your patient profile. These will each contain a link for uploading your documents. Before you can perform the upload, you will need to enter your date of birth for verification purposes. This is solely a security measure.

If you have not yet provided an email address at this point, the treating doctor will request it and initiate the verification process (details on email address verification can be found in section 1 lit. a).

The link will expire upon the completion of the medical treatment and can no longer be used. Once you have uploaded the documents, please remember to log out of the portal.

The provision of these data is freely given.

The provided documents, if necessary for the medical consultation, will be processed for the purpose of medical treatment and thus based on the treatment contract (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h) in conjunction with para. 3 GDPR) and will become part of your patient record (details see section 1 lit. d. «Data Storage in the Patient Management System (PMS) »). The data are subject to the legal requirements for data storage within the framework of patient care.

The processing of your mobile number and email address for the purpose of providing the link is based on your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR), which you give by requesting the doctor to allow you to upload documents.

The processing of your date of birth is based on our legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) to verify your identity before providing the data.

c) Booking Confirmation, Appointment Reminder, and Rescheduling

If you give the corresponding consent during your call, we will send you a booking confirmation via SMS.
Additionally, you will receive an appointment reminder 1 hour before the scheduled start of your consultation. You will receive a final notification via SMS once the doctor has taken over your consultation and is familiarizing themselves with the information you provided in advance.
If there is a need to reschedule the appointment for various reasons by Medgate, we will inform you of this via SMS as well.
The processing of data is based on your given consent (Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR). You can withdraw your consent at any time with effect for the future. 

d) Time Slot Booking

If the insurance model you have chosen requires your medical treatment to be coordinated by Medgate as the central entity (Managed Care), we will store the following data in our Patient Management System (PMS) after your call (details see section 1 lit. d. «Data Storage in the Patient Management System (PMS)»):

• Approved time slot
• Approved service provider

The processing of your data by Medgate is based on the existing treatment contract between you and Medgate AG (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h) in conjunction with para. 3 GDPR). The data are part of your patient record and are subject to the legal requirements for data storage within the framework of patient care (details see section 1 lit. d. «Data Storage in the Patient Management System (PMS)»).

In accordance with your contractual agreements with your insurer, we will transfer the information about your time slot booking to the insurance company so that they can verify compliance with the contractual requirements within the Managed Care model.

e) Recording of Inbound Calls

Incoming calls (e.g., appointment bookings, time slot notifications) are always recorded by us to prove that you have scheduled an appointment for a medical consultation or that an appropriate time slot has been approved for you to see a general practitioner or specialist. We consider the exception of Art. 179quinquies para. 1 letter b of the Swiss Criminal Code (StGB) applicable. According to the stated purpose, we will only evaluate the calls on a case-by-case basis.

You will be informed during each call that your call is being recorded.

Additionally, you will be asked for your consent to evaluate the recorded calls for the purpose of improving our services and training our employees. The evaluation for the mentioned purposes is exclusively voluntary and thus based on your given consent (Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR). The consent can be freely withdrawn at any time.

III. Medical Consultation

a) Medical Consultation via Telephone

During the medical consultation, the treating doctor will ask for further information about your health condition.

The additionally collected data, if necessary for the medical consultation, will be processed for the purpose of medical treatment and thus based on the treatment contract (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h) in conjunction with para. 3 GDPR) and will become part of your patient record (details see section 1 lit. d. «Data Storage in the Patient Management System (PMS)»). The data are subject to the legal requirements for data storage within the framework of patient care.

b) Call Recording

If you have given your consent during the appointment booking, we will record your call for quality and documentation purposes. The storage and processing for the mentioned purposes are exclusively voluntary and thus based on your given consent (Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR). The consent can be freely withdrawn at any time.

Please note, however, that the recordings will become part of your patient record (details see section 1 lit. d. «Data Storage in the Patient Management System (PMS)»). The data are subject to the legal requirements for data storage within the framework of patient care.

c) Download of Documents (Treatment Plan, Sick Note)

Various documents (e.g., treatment plan, sick notes) can be downloaded to your device via the download portal.

For this purpose, we will send you a corresponding link to the email address on file. If you have not yet provided an email address at this point, the treating doctor will request it and initiate the verification process (details on email address verification can be found in section 1 lit. a).

The link provided in the email will direct you to the download portal. To ensure that sensitive documents are not provided to unauthorized persons, we will also send you an SMS with an individual code. You must enter this code as a second factor to access the documents.

The provided link is valid for 7 days.

The processing of data in the context of providing the documents is based on the existing treatment contract (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h) in conjunction with para. 3 GDPR).

d) Prescription Transmission to Pharmacy

If the treating doctor issues a prescription during a medical consultation, it will be transmitted to the pharmacy of your choice.

The transmission of the document to the pharmacy is generally done by sending an encrypted email (HIN Secure Mail GLOBAL). Alternative transmission methods also ensure secure data transfers of personal data.

The processing of data is based on your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR).

Medgate's responsibility ends after the prescription has been transmitted to the chosen pharmacy. The processing of data in the context of medication dispensing lies within the responsibility of the pharmacy.

e) Billing of Medical Services

If you are insured with one of our partner insurance companies and Medgate’s medical services are included in your insurance model, billing will be done directly with your insurance company.

For invoicing purposes, the following personal data will be processed:

• First and last name
• Address
• Date of birth
• Gender
• VEKA number
• Insurance number
• Diagnosis code

The processing of data in the context of billing is based on and for the purpose of fulfilling a treatment contract between you and Medgate AG (Art. 6 para. 1 sentence 1 lit. b) GDPR in conjunction with Art. 9 para. 2 lit. h), para. 3 GDPR).

We are supported by the service provider Swisscom Health AG, which processes the data bound by instructions within Switzerland.

Medgate will retain the billing information according to legal requirements. The data will be erased once the purpose is fulfilled, and no legal retention periods oppose it.

f) Referral to External Service Providers

If a referral to an external service provider results from the medical consultation, we will transmit the referral form directly to the respective service provider in consultation with you.

The processing of data is based on your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR).

Medgate's responsibility ends after the referral form has been transmitted to the chosen service provider. The processing of data in the context of further treatment lies within the responsibility of the service provider.

g) BetterDoc – Specialist Search

In some cases, we will recommend that you see a specialist for further clarification of your symptoms as a result of the treatment. We would like to suggest a suitable service provider for this purpose. For this, we use the service provider BetterDoc, which conducts such a specialist search on its own responsibility.

To find the right specialist for you, BetterDoc requires the following (mandatory) information:

• Patient information (first and last name, date of birth, gender, address, contact details, language, patient ID, and progress note)
• Insurance information (insurance, insurance tariff)
• Reason for consultation and sought specialist

To better tailor the search to your needs, you can also voluntarily share additional (optional) information about yourself:

• Preference for a specific doctor's gender
• Requirement for wheelchair accessibility
• More detailed information about your medical history (additional problems, medications, BMI, desired medication)

ZYou can also voluntarily provide information about a contact person.

The information is provided voluntarily and is used exclusively for the purpose of specialist search.

The offer to use the specialist search provided by BetterDoc is voluntary. If you do not wish to use it, the treating doctor will also recommend a suitable specialist for further treatment to the best of their knowledge.

The provision of data to BetterDoc will only occur if you give the corresponding consent to our doctors to transfer your data to BetterDoc and process this data for the purpose of specialist search. The processing of data is based on your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR in conjunction with Art. 9 para. 2 lit. a) GDPR).

Grundlage der genannten vertraglichen Vereinbarungen (Art. 6 Abs. 1 S.1 lit. b) DSGVO i.V.m. Art. 9 Abs. 2 lit. h), Abs. 3 DSGVO).

Since the service provider is interested in continuously improving the offered service, we will also ask for your consent to provide your email address to BetterDoc on behalf of BetterDoc. BetterDoc would like to use this to send you PREM (Patient Reported Experience) and PROM (Patient Reported Outcome Measures). These are questionnaires that help BetterDoc improve the quality of the service based on your responses. The provision of your email address is voluntary and will only occur if you give the corresponding consent to the doctor (Art. 6 para. 1 sentence 1 lit. a) GDPR). Further data processing takes place exclusively under the responsibility of BetterDoc. Medgate has no influence on this.

IV. Miscellaneous

a) Customer Service

If you have any questions about medical treatment or our services, you can always contact a member of our Customer Service team. You can reach them via email or phone. Depending on the communication method you choose, we will process your phone number or email address and store it in a Customer Relation Management System (CRM system). These data and the contents of your inquiry will be erased once the purpose is fulfilled, and no legal retention periods oppose it. The processing of data is based on our legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). This lies in providing you with the opportunity to directly contact us regarding inquiries about treatment or our services and to offer you a prompt response or solution.

You generally have the option to object to this data processing according to legal requirements (Art. 21 GDPR).

We will not associate these data with your medical consultation information. Please ensure that you do not provide or transmit health data in such inquiries.

We will erase these data once the purpose is fulfilled and no legal retention periods oppose it.

 

When processing your personal data, data protection laws grant you certain rights as a data subject. Please note that the existence and scope of these rights may vary depending on the applicable data protection legislation:

• Right of Access
  You have the right to request confirmation as to whether personal data concerning you are being processed; if so, you have the right to access these personal data. Please submit an access request for this purpose.
• Right to Rectification
  You have the right to request the immediate rectification of inaccurate personal data concerning you and, if applicable, the completion of incomplete data.
• Right to Erasure
  You have the right to request the immediate erasure of personal data concerning you, provided there is no basis for further data storage at Medgate.
• Right to Restriction of Processing
  Under certain conditions (see also Art. 18 GDPR), you have the right to restrict processing. This may be the case, for example, if you doubt the accuracy of your data and have communicated this to us. Please note that restricting processing may result in you being unable to use our service or only being able to use it to a limited extent.
• Right to Data Portability
  In certain cases, as specified in data protection laws (see also Art. 20 GDPR), you have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format or to request the transfer of these data to a third party.
• Right to Withdraw Consent
  If the processing of data is based on your consent, you have the right to withdraw your consent to the use of your personal data at any time. Please contact us via email at servicecenter@medgate.ch servicecenter@medgate.ch for this purpose. Please note that the withdrawal will only take effect for the future. Processing that occurred before the withdrawal is not affected.
• Right to Object
  If data are collected and processed based on legitimate interests, you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.
• Right to Lodge a Complaint with a Supervisory Authority
  You have the right to lodge a complaint with a supervisory authority if you believe that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised, in particular, with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.
• Geltendmachung Ihrer Rechte
  Sofern vorstehend nichts anderes beschrieben wurde, wenden Sie sich zur Geltendmachung Ihrer Betroffenenrechte bitte an dataprotection@medgate.ch .
• • As part of the examination of the request, we may ask for proof of identity if necessary for identity verification. If you do not verify your identity on-site, we may request a copy of your identity card, which must include the following information:
  -              Name,
  -              Address,
  -              Validity period.

We ask you to black out all other data on the identity card that are not strictly necessary for identity verification (e.g., identity card number, nationality, personal characteristics, and your photo).

We will make a note of the result of the identity verification. The copies of the (blacked-out) identity cards will be destroyed after successful identity verification.
The identity verification is based on our legal obligation to provide information only to authorized persons and to be able to prove this accordingly (Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with Art. 12 para. 6 and Art. 5 para. 2 GDPR).

 

For questions related to the processing of your personal data and inquiries related to your rights, please contact us directly at:

Medgate AG
Data Protection Officer
P.O. Box
4020 Basel
Switzerland

Our external data protection officer and representative within the EU are also available for information on data protection at the following contact details:

datenschutz süd GmbH
Wörthstraße 15
97082 Würzburg
Germany

E-Mail: office@datenschutz-sued.de

When contacting our external data protection officer, please also specify the controller.

 

Basel, September 2024