The protection of your personal data and your privacy is very important to us. We drd GmbH (hereinafter "drd" or "we"), therefore process your personal data exclusively on the basis of the statutory provisions - in particular the GDPR, the Data Protection Act 2018, the Health Telematics Act 2012 and the Telecommunications Act 2003 - and take all technical and organizational measures to ensure that to ensure an appropriate level of security.
This data protection declaration describes how drd, as the responsible party in accordance with the EU General Data Protection Regulation (hereinafter: "GDPR"), processes your personal data within the framework of the drd app and thereby guarantees the security of your data.
Responsible acc. Art. 4 para. 7 GDPR:
If you have any questions regarding the protection and security of your customer and user data or if you want to register and assert claims or rights under data protection law, you can contact us at drd GmbH, Sillerstrasse 60, A-1190 Vienna, via email firstname.lastname@example.org (with the subject Subject: data protection).
Personal data are "all information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); A natural person is regarded as identifiable who, directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified“ (Art 4 1 GDPR).
1. CATEGORIES OF PROCESSED DATA AND LEGAL BASIS
1.1. DATA ON IDENTITY
When using the drd app, the following personal data is collected, processed and stored: Name, date of birth, social security number (or, for foreign customers, ID number from passport or identity card), statutory health insurance, gender, home address, telephone number (including country code), E-mail address, password (for drd account). This data is collected on the basis of a contract concluded in the course of registration, therefore forms Art 6 para 1 lit b GDPR a valid legal basis.
We only use your data to provide you with the service you require. We do not pass this data on without consent, but we cannot rule out that this data can be viewed in the event of illegality.
If you send us personal data by email - outside of our app - we cannot guarantee the secure transmission of your data (and thus the security of your data). We therefore recommend that you never send confidential data unencrypted by e-mail.
1.2. BILLING INFORMATION
The billing data (name, date of birth, type of drd service (one-time or subscription) and one of the three categories of telephone number / insurance data / credit card data are collected during registration and their processing is also necessary for the fulfilment of the contract. The legal basis is therefore Art 6 para 1 lit b GDPR. You can find more information on this under the items "Mobile phone company", "Insurance company" and "Credit card company".
1.3. TRAFFIC DATA
In the course of use, user data is collected and processed by us for the purpose of smooth operation of the drd app and the content and offers on it, for analytical purposes with the aim of optimizing offers and quality assurance, and preventing and eliminating operational errors. The customers' IP addresses are not stored (not even in anonymized form). Files accessed and the date and time of access, the amount of data and URL references, any error messages and information on the causes of errors (e.g. battery status of the device in the event of an unintentional service interruption, currently available amount of RAM, etc.) are stored within the scope of use saved and evaluated by the drd app.
The collection and processing of this data is necessary in order to provide and optimize the drd service for you. This justifies a legitimate interest of drd GmbH as the person responsible and therefore fulfils the legal basis of Art 6 Paragraph 1 lit f GDPR.
1.4. HEALTH DATA
The health data (data on your state of health) form a special category of personal data according to Art 9 Paragraph 1 GDPR (“sensitive data”). The health data is only processed in encrypted form, except for direct billing with an insurance company (see point 2.4). drd it can not access the data. In particular, drd has no access to the customer's patient file. In the course of registration, customers expressly consent to the (encrypted) processing of this data in the drd app. The processing of this data is a necessary prerequisite for the provision of telemedical treatment. Thereby forms Art 9 Paragraph 2 lit a GDPR forms a valid legal basis. You can find more detailed information on this under the item "drd doctors".
2. DISCLOSURE OF DATA TO THIRD PARTIES
We do not pass on the data you provide to third parties. Exceptions to this are the service providers and contractual partners whom we use for billing and to whom we make data available. Your data will only be forwarded on the basis of the GDPR.
We use the following service providers or categories of service providers as well as the following contractual partners or categories of contractual partners to provide the drd app and for billing: IT service providers and our contractual partners in the areas of mobile communications, insurance and payment service providers.
2.1. IT SERVICE PROVIDER
An IT service provider operates the servers for us. All processed data is stored on the servers of this third-party provider. This third party enables us to provide you with the drd app. It is the recipient of your data and acts on our behalf. drd has concluded an order processing contract with the IT service provider in accordance with Art. 28 GDPR. It is based in Germany.
2.2. DRD DOCTORS
The drd doctors receive the data from the drd customers necessary for the video call, the identification of the customer and the telemedical service. The drd doctors verify patient identitiy by comparing the transmitted data with a passport or driver's license, which the customer holds up to the camera.
The following personal data are specifically affected: telephone number, name, date of birth and gender.
In addition, the following health data - necessary for the telemedical service - which are "sensitive data" according to Art 9 Paragraph 1 GDPR, are processed by the drd doctors:
- All health data uploaded by customers themselves or entered in the chat bar (e.g. descriptions of health status).
The drd doctors also process the following data within the framework of telemedical services:
- All health data uploaded or entered by the doctor consultes (e.g. prescriptions, referrals, referrals, prescriptions and sick leave) and
- also the identification of the diagnosis on the billing letter using the ICD 10 code.
The data received can be viewed by the doctors for up to 24 hours after the customer has given their consent; drd does not plan to store the unencrypted data.
The personal data documented in the files (such as prescriptions, referrals, referrals, prescriptions and sick leave) are stored by the doctors for at least 10 years due to a legal documentation requirement.
This data is stored on the servers used by drd GmbH for a maximum of 1 year. It is stored longer if a customer has a subscription with drd for more than a year. In this case, the data will be stored for the duration of the subscription for the customer.
2.3. CELLULAR COMPANIES
If you are a customer of a mobile phone company, billing can be done via the mobile phone bill. Please clarify with your mobile operator whether billing via the drd app is possible. If billing is possible, the customer status is verified during registration via an interface with the mobile communications company; under certain circumstances, the customer password must be entered at the mobile phone company. The telephone number is also processed. The customer can choose between a one-time service and a subscription, both of which are billed as part of the mobile phone bill. To this end, the mobile communications company receives the identity of the customer and the type of service (one-time or subscription), but in no case the content of the telemedical service (health data).
2.4. INSURANCE COMPANY
If you are a customer of an insurance company that is our cooperation partner, our services can be billed via your insurance company under certain conditions. When registering, the number of the insurance policy must be entered, the data is compared via an interface. The insurance company is sent the identity of the customer and the use of the service. If you wish to be billed directly to the insurance company, the insurance company may also receive a diagnosis (possibly as an ICD 10 code); this is a common label done by doctors. The legal basis for this is your consent in accordance with Article 9 Paragraph 2 lit a GDPR. The insurance company reserves the right to also send (certain) customers vouchers that contain a certain code, with the help of which the insured person concerned can also use drd services. We ask you to clarify with your insurance company in advance whether you can bill your insurance company for the services you have provided.
2.5. CREDIT CARD COMPANY
If either item 2.3 or 2.4. applies to you, you can bill via an in-app purchase via the Apple App Store or Google Play or, under certain circumstances, via a credit card company. In the latter case, the credit card details (cardholder, credit card number, expiry date and the security code must be entered when registering via an interface. For this purpose, the credit card company receives the identity of the customer and the type and use of the service (one-off or subscription), but in no case the content of the telemedical service (health data). In addition, the credit card details are processed. In the first case, the same applies to in-app purchases with regard to the Apple App Store or Google Play.
3. DATA SECURITY
The protection of your personal data takes place through appropriate organizational and technical precautions. These precautions relate in particular to the protection against unauthorized, illegal or accidental access, processing, loss, use and manipulation.
The protection is given in particular by the asymmetrical algorithm of TweetNaCL .
- Log-in requirement: Customers only have access to their personal data by entering their six-digit password on their device. When registering for the first time on an end device, a private key is generated after the password has been recorded, which customers can download as a PDF and keep in a safe place. Customers need this key if they forget their log-in data or want to log in on a different device.
- Two-factor authentication: Patient data is encrypted with a private key that is only accessible on the customer's recorded device and there only with the customer's password. When using a different terminal device, access to the personal data is only possible after linking the respective terminal device with the private key.
- End-to-end encryption: Communication between doctor and patient is encrypted end-to-end with DTLS 1.3 via WebRTC and thus corresponds to a tried and tested security standard.
Please note that we assume no liability whatsoever for the disclosure of information due to errors in data transmission not caused by us and / or unauthorized access by third parties (e.g. hacker attack).
4. EVENTS CALENDAR
The drd app contains an appointment calendar in which you can save the appointments you have made yourself for telemedical treatments. There is an optional SMS reminder function for your saved appointments, which you must agree to. If you do not consent to the SMS reminder function or if you revoke your consent, this will not affect the use of the drd app, you will just not be reminded by SMS about upcoming drd appointments.
5. CHAT FUNCTION
On the app's start screen there is a chat bar with the text “How are you today?”. By entering in the chat bar you can start communication with a drd family doctor - even without prior registration. In this chat you can provide information about your state of health, but this information is provided on an anonymous basis. This means that this data cannot be assigned to a specific person either by us or by our IT service providers.
6. PROCESSING OF DOCTORS 'DATA
In the context of the drd app, a distinction must be made between two groups of doctors: The general practitioners who can be reached in the app ("drd doctors") are contractual partners of drd GmbH. As part of telemedicine treatment, they can also make recommendations for referring the patient to a specialist. The drd app contains a function that can display specialists in your area; however, the specialists are not contractual partners of drd GmbH.
With regard to the specialists established in Austria, we process the following data:
- Full name
- Address (of the practice)
- Telephone number
- Opening hours
- Health insurance companies
This is public data that is freely accessible to everyone in public registers / lists, such as the list of doctors of the Austrian Medical Association in accordance with Section 27 of the Doctors Act. The legal basis for the processing of this data is the legitimate interest of drd GmbH according to Art 6 Paragraph 1 lit f GDPR.
These personal data are processed by specialists for the duration of the listing in drd's list of doctors and are no longer displayed in the drd app when they are deleted from the list of doctors.
If, as a specialist, you want to assert your rights as a data subject (in particular objection to processing) against drd GmbH, please address your request or your objection email@example.com.
7. RETENTION OF DATA
We will not store your data longer than is necessary to fulfill our contractual or legal obligations and to defend against any liability claims.
8. DATA SECURITY
Please always secure your end devices against unauthorized access by third parties; use passwords that meet a high security standard; Do not leave your devices to third parties and do not share passwords. Use an up-to-date firewall and virus protection program and only visit websites that are from authentic and reputable providers. Pay attention to the authenticity and seriousness of (phishing) e-mails addressed to you and never give passwords or access data to third parties.
9. DELETION OF CUSTOMER DATA
We delete customer data that is stored on the servers we use within the statutory period. If there is a statutory retention requirement, the data will only be deleted after this period has expired. These data, which shall be kept forlonger, are internally blocked for further use.
10. APP PERMISSIONS
In order to guarantee the full functionality of the drd app, it is necessary that you grant the drd app access to certain functions of your end device.
The following authorizations are required for iOS operating systems:
- Microphone: This is required for audio or video chat.
- Camera: This is necessary for video chat and, if necessary, for taking photos of documents.
- Photos: This is required to save or upload files (photo files of documents) to your patient record.
The following authorizations are required for Android operating systems:
- Microphone: This is required for audio or video chat.
- Camera: This is necessary for video chat and, if necessary, for taking photos of documents.
- Photos / Media / Files: This is required to save or upload files (photo files of documents) to your patient record.
- Network connections: This is required for communication with the drd servers.
These functions of your device are used exclusively to provide the drd service.
11. SHARED RESPONSIBILITY FOR DATA
If you make use of telemedical treatment, drd GmbH and drd doctors also process your personal data and your health data together.
The following data are processed together:
Personal data according to Art 4 Z 1 GDPR:
- Full name
- Date of birth
- Phone number
Health data according to Art 9 Paragraph 1 GDPR:
- All health data uploaded by customers themselves or entered in the chat bar (e.g. descriptions of a state of health)
- All health data uploaded or entered by consulted doctors (e.g. prescriptions, referrals, referrals, prescriptions and sick leave)
Purpose of joint processing: The joint processing of your data is necessary so that you can use the telemedical treatment within the framework of the drd app. drd itself has no access to the health data due to the encryption.
The jointly responsible parties (drd GmbH and the respective drd doctors) have concluded an agreement in accordance with Art. 26 GDPR for this purpose. If you would like to assert your data subject rights under the GDPR (see point 13), please contact us, drd GmbH, using the contact details above.
Cookies are small text modules that a website stores on the user's device. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters through which websites and servers can be assigned to the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognized and identified via the unique cookie ID.
By using cookies, we can provide you with more user-friendly services that would not be possible without the cookie setting.
Using a cookie, the information and offers on the website can be optimized for the benefit of the user.
A distinction is made between the following categories of cookies:
- Absolutely necessary cookies to ensure basic functions of the website.
- Functionality cookies: These cookies allow the website to be tailored to the needs of the user in order to improve the user experience.
- Session cookies: These are temporary cookies that remain on the user's computer until the browser is closed and are then automatically deleted.
- Persistent cookies: For better user-friendliness, cookies are stored on your device and allow us to recognize your browser the next time you visit.
Sie können Ihren Browser so einstellen, dass Sie über das Setzen von Cookies informiert werden und Cookies nur im Einzelfall erlauben, die Annahme von Cookies für bestimmte Fälle oder generell ausschließen und das automatische Löschen der Cookies beim Schließen des Browsers aktivieren.
If cookies are deactivated, the functionality of this website may be restricted.
13. YOUR RIGHTS UNDER THE GDPR
13.1. RIGHT TO INFORMATION
On request, we will provide you with extensive information on all of the data we have stored about you within the legally standardized period. This information includes, among other things, the processing purpose, the categories of personal data and the recipients or categories of recipients.
13.2. RIGHT TO CORRECTION
If you discover that we are using customer and / or user data without your consent, or should we violate legal provisions or in the event that customer or user data is incorrect, you can always contact the above contact addresses and correct them of the data. We will comply with this request in a timely manner, provided that there are no legitimate interests on our part or legal obligations, and correct, supplement or change your personal data.
13.3. RIGHT TO DELETION
If you do not want your customer data available to us to be stored any longer, you can request that your customer data be deleted at any time by sending a written entry to the (email) address given above. We will then delete all customer data stored by us, unless we are obliged to continue to store customer data due to legal regulations. In such a case, we will inform you that your customer data will continue to be stored with us. We cannot vouch for the deletion of your customer data by third parties to whom we have passed on data in order to fulfill the contract.
13.4. RIGHT TO DATA TRANSFER
You have the right, as far as this is technically possible, to have all data stored by us about you transferred to another company.
13.5. RIGHT TO OBJECT
You have the right to object to the processing of your data if the processing serves the purposes of direct marketing or is processed for another purpose based on our legitimate interest in accordance with Article 6 (1) (f) GDPR. Insofar as we process your data for legitimate purposes, you have the right to object to this processing if your particular situation gives rise to reasons for doing so.
13.6. RIGHT TO WITHDRAW CONSENT
When you start using our app, users of our app consent to their personal data being processed within the scope of this data protection provision for the purposes stated when using the drd app unfortunately it is not possible to use the drd service.
You have the option of revoking your consent at any time in writing by email to firstname.lastname@example.org to revoke. Withdrawing your consent does not affect the legality of the data processing carried out on the basis of your consent up to the point of withdrawal.
13.7. OPPORTUNITY TO COMPLAIN
If you want to register and assert claims and rights and do not want to contact us directly, you can also bring your concerns or your complaint to the data protection authority. A corresponding form is available on the website of the data protection authority under the following link: https://www.dsb.gv.at.