Privacy policy
Privacy Notice (website) of Oncare
Welcome to our website and thank you for your interest in our company. We take the protection of your personal data very seriously. We process your data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (EU GDPR) and the country-specific laws applicable to us. With the help of this privacy notice, we inform you comprehensively about the processing of your personal data by ONCARE GmbH (hereinafter referred to as “Oncare”) when using our website and the rights to which you are entitled.
Personal data is any information that makes it possible to identify a natural person. This includes, in particular, your name, date of birth, address, telephone number, email address and IP address. Data is considered anonymous if no personal reference to the individual/ user can be made.
Responsible body and data protection officer
Postal address
Balanstraße 71a
81541 Munich
T | +49 (0) 89 4445 1156
F | +49 (0) 89 4445 1157
E | info@myoncare.com
Contact info of the data protection officer
privacy@myoncare.com
Last updated on 02 November 2022.
Your rights as a data subject
We would first like to inform you of your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR, and include:
- The right of access (Art. 15 GDPR),
- The right to rectification (Art. GDPR),
- The right to erasure / right to be forgotten (Art. 17 GDPR),
- The right to restriction of data processing (Art. 18 GDPR),
- The right to data portability (Art. 20 GDPR),
- The right to object to data processing (Art. 21 GDPR).
To exercise these rights, please contact: privacy@myoncare.com. The same applies if you have any questions regarding data processing at our company or when you withdraw your consent. You also have the right of appeal to the relevant data protection supervisory authority.
Right to object
Please note the following with respect to your right to object:
When we process your personal data for the purpose of direct marketing, you have the right to object to this data processing at any time without providing the reasons for such objection. This also applies to profiling insofar as it is associated with direct marketing.
If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection is free of charge and can be made in any form, if possible to: privacy@myoncare.com
Should we process your data to protect legitimate interests, you may object to such processing at any time for reasons that arise from your specific situation; this also applies to profiling based on these provisions.
We will then cease to process your personal information unless we can demonstrate compelling legitimate grounds for processing such information that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.
Purposes and legal bases of data processing
The processing of your personal data complies with the provisions of the EU GDPR and all other applicable data protection regulations. Legal bases for data processing arise in particular from art. 6 GDPR.
We use your data to initiate business, to fulfil contractual and legal obligations, to conduct the contractual relationship, to offer products and services and to consolidate customer relationships, which may include marketing and direct marketing.
Your consent also constitutes permission to data processing under data privacy law. In this respect, we will inform you of the purposes of data processing and your right of objection. If the consent also relates to the processing of special categories of personal data, we will explicitly notify you in the consent process.
Processing of special categories of personal data within the meaning of art. 9 (1) GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such data or you have given your consent to the processing of these data according to art. 9 (2) GDPR.
Google services may transfer data to countries outside the EU/EEA (third country data transfer), e.g. to the USA, as part of the processing for the aforementioned purposes. Countries outside the European Economic Area may not offer a level of data protection comparable to that in Europe. Such countries for which the Commission has not explicitly determined that they provide an adequate level of protection with respect to data privacy are referred to as “unsafe third countries.” There is an increased risk that government authorities may access this data. We have no influence on these processing activities.
Data transfers / Disclosure to third parties
We will only transmit your data to third parties within the scope of given statutory provisions or based on consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).
Data recipients / categories of recipients
In our organisation, we ensure that only individuals who are required to process the relevant data to fulfil their contractual and legal obligations are authorised to handle personal data.
In many cases, service providers assist our specialist departments to fulfil their tasks. The necessary data protection contracts have been concluded with all service providers.
Transfers of personal data to third countries
A transfer of data to third countries (outside the European Union or the European Economic Area) shall only take place if required by law or if you have provided your consent for such a transfer.
We transfer your personal data to service providers or group companies outside the European Economic Area as follows: United States of America.
In such cases, compliance with the required level of data protection is ensured by EU standard contractual clauses, the binding corporate data protection regulations of the service provider according to the established data protection contracts.
Period of data storage
We store your data for as long as such is required for the relevant processing purposes. Please note that numerous retention statutory periods require that data must be stored for a specific period of time. This relates in particular to retention obligations for commercial or fiscal purposes (e.g. commercial code, tax code, etc.). The data will be routinely deleted after use unless a further period of retention is required.
We may also retain data if you have given us your permission to do so, or in the event of any legal disputes and we use the evidence within the statutory limitation period, which may be up to 30 years; the standard limitation period is 3 years.
Secure transfer of data
We implement the appropriate technical and organisational security measures to ensure the optimal protection of the data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.
The data exchange to and from our website is encrypted. We provide https as the transmission protocol for our website and always use the latest encryption protocols. When you use the contact form on our website to get in touch with us, the content is sent via https to a secure server of Site Ground, where the data of the form is stored in an encrypted database. Site Ground employees do not have direct access to this data. It is also possible to use alternative communication channels.
Obligation to provide data
A range of personal data is required to establish, implement and terminate the obligation and the fulfilment of the relevant contractual and legal obligations. The same applies to the use of our website and the various functions we provide.
We have summarised the relevant details in the above point. In some cases, legal regulations require data to be collected or made available. Please note that it will not be possible to process your request or execute the underlying contractual obligation without this information.
Data categories, sources and origin of data
The data we process is defined by the relevant context: it depends on whether, for example, you enter a request on our contact form or if you want to send us an application or submit a complaint.
Please note that we may also provide information at specific points for specific processing situations separately where appropriate, e.g. when downloading our flyer or when making a contact request.
We collect and process the following data when you visit our website:
- Your IP address which is immediately hashed by removing the last two digits
- The URL and the title of the page you are viewing
- The browser (name) you are using
- Viewport or viewing pane (the size of the browser window)
- Your screen resolution
- Whether or not you have Java enabled
- The language enabled in your browser
For reasons of technical security (in particular to safeguard against attempts to attack our web server), this data is stored in accordance with Article 6 (1) lit f GDPR. Anonymisation takes place immediately by abbreviating the IP address so that no reference is made to the user.
WordPress
Oncare uses the web design platform WordPress (WordPress, Org) to manage our website and the provider Site Ground (SiteGround Spain S.L.) to host the website. For more details on the data processed by WordPress and Site Ground see sections ‘Data categories, sources and origin of data’ and ‘Secure transfer of data’ below and the privacy policy of WordPress and Site Ground.
Google Fonts
We use Google Fonts provided by Google Inc on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for the European area. We have embedded the Google fonts locally, on our web server – not on Google’s servers. This means that there is no connection to Google servers and therefore no data transfer or storage. This is an interactive directory of over 800 fonts that Google provides free of charge. To prevent any information transfer to Google servers, we have downloaded the fonts to our server. In this way, we act in a privacy compliant manner and do not send any data to Google Fonts.
Cookie Pro
This website uses the cookie consent tool “CookiePro” provided by OneTrust LLC, 1200 Abernathy Rd NE, Sandy Springs, GA 30328, USA (“OneTrust”) to obtain effective user consent for cookies and cookie-based applications. By integrating a corresponding JavaScript code, users are shown a banner when they access the page, in which consent can be given for certain cookies and/or cookie-based applications. The tool blocks the setting of all cookies requiring consent until the respective user gives corresponding consent. This ensures that such cookies are only set on the respective end device of the user if consent has been granted. In order to be able to clearly assign page views to individual users and to individually record, log and store the consent settings made by the user for a session duration, certain user information (including the IP address) is collected by the cookie consent tool when our website is accessed, transmitted to OneTrust servers and stored there.
This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website. Further legal basis for the described data processing is furthermore Art. 6 (1) p. 1 lit. c GDPR. We, as the controller, are
subject to the obligation to make the use of technically unnecessary cookies dependent on the respective user consent.
SEOPress
We use SEOPress plugins on our website, a service provided by SEOPress SAS, 26 allée de Cantau, 64600 Anglet, France. The plugin handles the technical optimization of our websites for search engines and also assists with content development. You can prevent the storage of cookies by selecting the appropriate settings on your browser; we would like to point out that in this case you may not be able to use all functions of this website to their full extent. For more information please visit https://www.seopress.org/privacy-policy/. This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest.
Polylang Pro
We use Polylang for the multilingualism of our website. Polylang is a product provided by WP SYNTEX, 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. Polylang cookies are set solely to recognize and record the language used or selected by the user. These cookies are stored for one year and after that period deleted. For more information on data privacy compliance, please visit: https://polylang.pro/privacy-policy/.
This data processing is carried out pursuant to Art. 6 (1) p.1 lit. f GDPR on the basis of our legitimate interest.
We collect and process the following data as part of a contact request:
- Name and salutation
- E-mail address
- Type of your request
- Information on your interests and inquiries (your message)
- Company / organization
We process the following data as part of a job application you send us:
- Name and salutation
- Contact details you provide to us
- Information on your professional career (CV), qualifications and certificates
- Information you provide during application interviews and our notes thereof
- The position you applied for, your salary expectations, you expected entry date and in exceptional cases your piece of identification
- Any other information you provide to us during the application
We collect and process the following data in the context of job applications:
- Last name, first name (maybe also title)
- Address
- Contact details (telephone number, e-mail address)
- If applicable, contact data in electronic communication solutions (e.g. Skye, MS Teams) that you submit to us
- Qualification data (CV, professional qualifications, work experience)
- In addition, we use data that we have permissibly obtained from publicly accessible directories (e.g. professional networks).
Thank you for your interest in working for Oncare GmbH. We are aware of the importance of your data and process the personal data you provide us only for the purpose of effective and correct processing and for contacting you as part of the job application process. The data will not be transferred to third parties without your consent.
You will be asked to provide personal information. We observe the principle of data economy and data avoidance by only requiring you to provide us with tdata that we need to review your job application documents, such as your CV, or that we are legally obligated to collect. To protect the security and confidentiality of your data, we implement appropriate security measures. In addition, we recommend that you send us your application documents in “zipped” form (e.g. 7z or .zip) with password protection by e-mail. Afterwards, please give us the password by telephone. Alternatively, you can also send us your application documents by post mail. We store your data for the above-mentioned purposes until the application process has been completed and related deadlines have expired – at the latest six months after receipt of a decision.
If your job application is unfortunately unsuccessful, your data will be deleted by us within six months of rejection. If your application is successful, your application documents will be included on the HR files and will only be deleted after you have left the company and statutory retention periods have expired.
We are supported by our service provider JOIN Solutions GmbH (hereinafter “Join”) in carrying out the application process. For this purpose, we use a widget of the provider JOIN, Schönhauser Allee 36, 10435 Berlin, Germany. If you apply to a job, your application data will be processed by Join on our behalf as instructed. We have concluded the required data protection agreement with Join for data processing on our behalf, in which Join is obligated to process the data in accordance with the principles of GDPR and in accordance with our instructions.
Join widget: We use a Join widget to display current job offers. Cookies are set by the Join widget. The legal basis for the processing is Art. 6 (1) p. 1 lit. a GDPR.
Contact form / Contact via email (Article 6 (1) p.1. lit a, b GDPR)
A contact form is available on our website which can be used to contact us electronically. If you write to us using the contact form, we will process the data you submitted in the contact form to respond to your queries and requests.
In so doing, we respect the principle of data minimisation and data avoidance, such that you only have to provide the information we require to contact you, which is your name, salutation, email address and the type of your request. Your IP address will also be processed (and hashed immediately) for technical reasons and for legal protection. All other data is voluntary, and additional fields are optional (e.g. to provide a more detailed response to your questions).
If you contact us by email, we will process the personal information provided in the email solely for the purpose of processing your request.
Automated decisions in individual cases
We do not use purely automated processing to make decisions.
Cookies
Our website uses “cookies” at various locations, which serve to make our offer more user- friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser (locally on your hard disk). Cookies enable us to analyse how users use our websites so we can design the website content in accordance with the visitor’s needs. Cookies also allow us to measure the effectiveness of a particular advertisement and, for example, to place it based on the user’s interests.
When you first visit our website, a pop-up (CookiePro) opens from which you can give your consent to the use of categories of cookies which are described below as well as in the CookiePro pop-up itself.
The following categories of cookies are used on our website:
- Necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies include for example the ones used by CookiePro (OneTrust) to maintain cookies based on your consent. You can set your browser to block or alert you about these cookies, but some parts of the site will then not work. These cookies do not store any personally identifiable information.
- Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
- Targeting cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Most of the cookies we use are “session cookies”, which will be automatically deleted after your visit. Persistent cookies are automatically deleted from your computer when their validity period (maximum 14 months) has expired or you delete them yourself prior to expiry.
In order to revoke your consent to the use of cookies (except for strictly necessary cookies which are always enabled), you can navigate to the footer of the website and deactivate categories of cookies in the CookiePro pop-up via the link ‘Cookies Settings’.
Furthermore, cookies are stored on the user’s computer which then transmits them to us. As a user, you therefore exercise full control over the use of cookies. You can change the settings in your Internet browser to disable or restrict the sending of cookies. In addition, cookies that have already been saved on your computer can be deleted at any time via an Internet browser or other software programs. All this is possible in all the current Internet browsers.
Please note: If you deactivate the placing of cookies on your device, you may not be able to access all our website functions in certain circumstances.
Web tracking (Article 6 (1) p. 1 lit a EU GDPR)
Google Analytics
Based on your consent (art. 6 (1) lit a EU GDPR) we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the website by the user is usually transferred to a Google server in the USA and stored there.
Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. The processed data can be used to create pseudonymous user profiles of the users.
We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google within member states of the European Union or in other states
that are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offer to Google and the processing of this data by Google as described in section ‘Cookies’ above.
Further information on the use of data by Google, setting and objection options, can be found in the privacy policy of Google and in the settings for the display of advertising by Google.
The personal data of users will be deleted or made anonymous after 12 months.
Google Marketing Platform (Doubleclick before)
On this website we use Google Marketing Platform (hereinafter Doubleclick), a Google service. Doubleclick is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). We use Doubleclick to make your stay on our website as pleasant as possible by integrating Google Maps. Doubleclick uses cookies, in particular to provide tailored ads to you.
You can be addressed again by Google with suitable advertising offers on pages of Google Network, as you have visited or used corresponding websites and offers before. The information generated by the cookie may be transferred to a Google server in the USA and stored there. Google may also use the IP address of your browser for the display of ads. No data transmission takes place without your previously declared consent (Art. 6 para. 1 p. 1 lit. a GDPR) on our cookie banner. You can revoke this at any time by the “Cookie Settings” in the footer of our website. You can also deactivate the use of cookies by Google. Please note that you will not be able to access Google services embedded on our website (Google Maps) without your consent or if you deactivate them.
Doubleclick is a service of a third company (Google) that is independent of us and we cannot influence whose data processing procedures. Further information how Google handles the data it collects from you, as well as other Google privacy policies, are available at http://www.google.com/intl/de/policies/privacy/.
Google Maps-Plugin
Our website uses Google Maps (Google LLC) plugins. The plugins are deactivated until you specifically activate it by clicking on the plugin or have given your consent via our
cookie banner (consent according to Art. 6 para. 1 p. 1 lit. a) GDPR). Google will store your IP address after activation. It is usually transferred to a Google server in the USA and stored there.
You can find more information on the handling of user data in Google’s privacy policy at https://www.google.de/intl/de/policies/privacy. However, you use this platform and its functions on your own responsibility. We would also like to point out that your data may be processed outside the European Union.
YouTube-Plugin
Our website uses YouTube plugins, YouTube is operated by Google. The operator is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. This informs the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surf behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on the handling of user data, please see YouTube’s privacy policy at: https://www.google.de/intl/de/policies/privacy.
LinkedIn Insight Tag
Our website uses the conversion tool “LinkedIn Insight Tag” provided by LinkedIn Ireland Unlimited Company. The tool creates a cookie in your web browser that allows the collection of, among other things, the following data: IP address, device and browser properties, and page events (e.g. page views). LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser properties and time of access). IP addresses are shortened or (if used to reach LinkedIn members across devices) pseudonymized. The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data are deleted within 180 days. The data collected by LinkedIn cannot be assigned to specific individuals by us. LinkedIn stores the personal data of the website visitors on its servers in the USA and uses it for its own advertising measures. You can find more detailed information on data protection at LinkedIn in the LinkedIn privacy notices.
The use of LinkedIn Insight is based on Art. 6 para. 1 p. 1 lit. f GDPR.
Privacy policy / Notes on data protection in social media
Oncare GmbH maintains presences in the social medias, especially on Xing and LinkedIn. In case that we have control over the processing of your data, we will ensure that applicable data protection regulations. Below you find the most important information on data protection laws regarding our social media presences.
Name and address of the controller
The following companies are responsible (as controller) for our social media presences, beside Oncare GmbH, according to the EU General Data Protection Regulation (GDPR) and other data protection provisions:
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
- Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Deutschland)
However, you use these platforms and their functions on your own responsibility, especially the use of interactive functions (e.g. commenting, sharing, rating). We would also like to point out that your data may be processed outside the European Union.
Purposes and legal basis
We maintain the social media presences in order to communicate with users and to inform them about our products and services. Furthermore, we collect data for statistical purposes in order to develop and optimize our content and to design our products/services more attractive. The data required for this purpose (e.g. total number of page views, page activity and data provided by visitors, interactions) is processed by the social networks and made available to us. We have no influence on the generation and presentation.
In addition, your personal data will be processed by the social media providers for market research and advertising purposes. It is possible that, for example, based on your usage behavior and your interests, usage profiles are created. With the consequence that ads are placed inside and outside platforms that match your interests. Cookies are usually stored on your computer for this purpose. Data that are not collected directly on your end devices may also be stored in your usage profiles. Storage and analysis also takes place across devices; this applies in particular, but not exclusively, if you are registered as a member and logged in your account.
We do not collect or process any further personal data.
The processing of your personal data by Oncare GmbH is based on our legitimate interests to get appropriate information and reach sufficient communication pursuant to Art. 6 (1) p. 1 lit. f.
GDPR. If you are asked for consent to data processing, i.e. if you declare your consent by confirming a button or similar (opt-in), the legal basis of the processing is Art. 6 (1) p. 1 lit. a., Art. 7 GDPR.
Your rights / objection option
If you are a member of a social network and do not want the network to collect data about you by our presence and link it to your social media membership data with the respective network, you must
- log out of the social network before visiting our social media site,
- delete the cookies present on the device and
- close and restart your
After logging in again, however, you will once more be recognizable to the network as a specific user. For a detailed description of the processing and the possibilities to object (opt-out), we refer to the following information:
Privacy Statement: https://www.linkedin.com/legal/privacy-policy;
Opt-Out: https://www.linkedin.com/legal/cookie-policy and http://www.youronlinechoices.com;
Privacy Statement: https://privacy.xing.com/de/datenschutzerklaerung;
Opt-Out: http://www.youronlinechoices.com.
You have the following rights regarding the processing of your personal data:
The right of access, right to rectification, right to erasure / right to be forgotten, right to restriction of data processing, right to data portability, right to object to data processing and the right to file a complaint about unlawful processing of your personal data with the competent data protection authority. As Oncare does not have full access to your personal data, you should contact the social media provider directly if you wish to assert your claim, because your provider has access to the personal data of the users and can take appropriate measures and provide information. If you still need help, we support you. Please contact privacy@myoncare.com.
Online offers for children
Persons under the age of 16 may not submit personal data to us or give a declaration of consent without the authorisation of their legal guardian. We encourage parents and guardians to actively participate in the online activities and interests of their children.
Links to other providers
Our website also contains clearly identifiable links to the Internet sites of other companies. Although we provide links to websites of other providers, we have no influence on their content, and no guarantee or liability can therefore be assumed for such. The content of these pages is always the responsibility of the respective provider or operator of the pages.
The linked pages were checked at the time of linking for potential legal violations and identifiable infringements. No illegal content was identified at the time of linking. However, a permanent content control of the linked pages is not reasonable without concrete evidence of an infringement and, upon notification of a violation of rights, such links will be promptly removed.
PRIVACY POLICY EUROPE
Welcome to myoncare, the digital health portal and mobile app (“App”) for efficient and needs-oriented patient care and support for corporate health management programs.
For us at Oncare GmbH (hereinafter referred to as “Oncare” or “we”, “us”, “our”), the protection of your privacy and any personal data relating to you while using the myoncare App is of major relevance and importance. We are aware of the responsibilities arising from your trust to provide and save your personal (health) data in the myoncare App. Therefore, our technology systems used for myoncare Services are set up according to the highest standards and the lawful processing of personal data is core to our business ethics.
We process your personal data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (“EU GDPR”) and the country-specific laws applicable to us. This Privacy Notice tells you why and how Oncare processes your personal (health) data which we collect from you or which you provide to us, when you decide to use myoncare App. In particular, you will find a description of the personal data, which we collect and process as well as the purpose and on which basis we are processing the personal data and the rights to which you are entitled.
Please read this Privacy Notice carefully to ensure that you understand each provision. After reading the Privacy Notice, you will have the option to consent to the Privacy Notice and the processing of your personal (health) data as described in this Privacy Note. If you give consent, the Privacy Notice will be part of the contract between you and Oncare.
DEFINITIONS
“App User” means any user of the myoncare App (Patient and/or employee).
“Company” means your employer, if you and your employer are using myoncare Tools for the employer’s corporate health management program.
“Data Service Provider” means any agent engaged and instructed by Company for collection, screening and interpretation of pseudonymized or anonymized employee data in corporate health management programs based on a separate service agreement with the Company (e.g. data analyst, general health prevention services, data evaluation services etc.) and as identified by a separate information sheet to the employees.
“Health Care Provider” means your doctor, clinic, health care institutions or other health care professional acting on its own or on behalf of your doctor, clinic or health care institutions.
“myoncare App” means the myoncare mobile app intended for the use by patients or employees who want to use the services provided by Oncare.
“myoncare Portal” means the myoncare web-portal intended for professional use by Portal Users and functioning as interface between such Portal Users and App Users.
“myoncare Services” means the services, functionalities and other offerings which are or may be offered to Portal Users via the myoncare Portal and/or to App users via the myoncare App, as applicable.
“myoncare Tools” means both, myoncare App and myoncare Portal, together.
„Oncare“ means ONCARE GmbH, Germany.
“Portal User” means any Health Care Provider, Company or Data Service Provider using the web-based myoncare Portal.
“Privacy Notice” means this statement made to you as patient or employee and user of the myoncare App that describes how we collect, use and retain your personal information, and provides you with information on your comprehensive rights.
“Standard Terms” means the Standard Terms and Conditions for using the myoncare App.
RESPONSIBLE ENTITY
Oncare GmbH, a company registered with the Munich Local Court with the Register number 219909 with its offices located at Herrenwiesstr. 12, 82031 Gruenwald, Germany, offers and operates the mobile application myoncare App giving access to myoncare Services. This Privacy Notice applies to all personal data processing by Oncare related to the use of myoncare App.
WHAT IS PERSONAL DATA
“Personal data” is all information that makes it possible to identify a natural person. In particular, this includes your name, date of birth, address, telephone number, e-mail address and IP address. “Health data” is personal data that relates to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data is considered “anonymous” if no personal reference to the person/user can be made. In contrast, “pseudonymized” data is data from which personal reference or personal identifiable information is replaced by one or more artificial identifiers, or pseudonyms, but which can, in general, be re-identified by the identifier key.
WHICH PERSONAL DATA WILL BE PROCESSED WHILE USING MYONCARE APP
We may process the following data categories about you while using the myoncare App:
- Operational Data: Personal data provided to us when you register to our myoncare App, contact us regarding any problems with the App or otherwise interact with us with the purpose of using the App (“Operational Data”);
- Treatment Data: You or your Health Care Provider will enter personal data, such as name, age, height, weight, indication, disease symptoms and further information in connection with your treatment (e.g. in a care plan) with the support of myoncare App (“Treatment Data”). Treatment Data are, therefore, personal data which are collected or processed, when you interact with your Health Care Provider via myoncare App;
- Activity Data: Personal data which will be processed by us when you connect myoncare App to a Health App (e.g. AppleHealth, GoogleFit). Your Activity Data is transferred to your connected Health Care Provider as Portal User.
- Product Safety Data: Personal data which will be processed to fulfill our legal obligations as manufacturer of the myoncare App as medical device. In addition, your personal data may be processed to fulfill legal safety or vigilance purposes of medical device or pharmaceutical companies. (“Product Safety Data”).
- Reimbursement Data: Personal data which are required for the reimbursement process between your Healh Care Provider and your heath insurer (“Reimbursement Data”).
- Corporate Health Management Data: Personal or aggregated data which will be collected in concrete projects and questionnaires as asked by your employer (either directly or by Data Service Provider engaged by your Company). The data may relate to certain health information, your opinion regarding your personal well-being, your opinion as employee to a specific internal or external situation or data regarding the care or health situation in general (“Corporate Health Management Data”).
PROCESSING OF OPERATIONAL DATA
– Applicable to all App Users –
You might provide us with certain personal data in case you are contacting us to understand or discuss the functions and usage of the App or in case of a service request.
In the event of a service request, the following personal data may also be viewed by authorized Oncare employees:
• The personal data that you have provided to your Health Care Provider through our App (e.g. name, date of birth, profile picture, contact details)
• The health data you have provided to your Health Care Provider, the Data Service Provider or Company through our myoncare App (e.g., information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks)
Authorized Oncare employees who have access to your Health Care Provider’s, Data Service Provider’s or Company’s database for the purpose of processing a service request are contractually required to keep all personal information strictly confidential.
When myoncare App is downloaded, the necessary information is transferred to the app store provider. We have no influence on this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare Apps and Services.
For the processing of Operational Data, Oncare acts as data controller responsible for the legitimate processing of your personal data.
Types of Data: Your name, e-mail-address, date of birth, registration date, pseudo keys generated by the app; device token to identify your device, your pseudo identification number, your IP address, type and version of the operating system used by your device.
The app uses Google Maps API to use geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. For more information about the scope, legal basis and purpose of data processing by Google as well as the storage period, please refer to Google’s privacy policy.
Purposes of processing of Operational Data: We use the Operational Data to maintain the functionalities of myoncare App and to get in direct contact with you if required or initiated by you (e.g. in case of change of Standard Terms, necessary support, technical problems etc.).
Justification of Processing: The processing of Operational Data is justified based on Article 6 Paragraph 1 lit. b EU GDPR to fulfill the contract you conclude with Oncare for the purpose of the use of myoncare App.
PROCESSING OF TREATMENT DATA
– Applicable to App Users using the App with their Health Care Provider –
During the use of myoncare App, your doctor, a clinic or other health care provider treating you (“Health Care Provider”) will enter your personal data to myoncare Portal to start myoncare Services (e.g. provision of individual Careplan, reminder for intake of medicines etc.). In addition, you and your Health Care Provider will be able to upload documents and files related to you to myoncare App and myoncare Portal and can share the files with the other. Your Health Care Provider can upload a privacy policy for your information and define other consent requirements for you as a patient, for which your consent must be given. The files will be stored in a cloud database hosted in Germany. Your Health Care Professional can allow sharing such files with other Portal Users of his institution for medical reasons, but other Portal Users will not be able to access the files.
Your Health Care Provider will be responsible for a legitimate processing of the personal data.
We process such personal data, including your health data, under an agreement with and in accordance with the instructions of your Health Care Provider. For the purposes of this agreement, the Health Care Provider is responsible of processing your personal data and health data within the meaning of applicable data protection laws as data controller, and Oncare is the processor of such personal (health) data. This means that Oncare processes the Personal Data only according to the instructions of the Health Care Provider. If you have any questions or concerns regarding the processing of your personal data or health data, you should primarily contact your Health Care Provider.
Types of Data: Name, date of birth, profile information, contact details and also health data, such as symptoms, photos, information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks.
Purposes of Treatment Data processing: We process your Treatment Data to be able to provide our myoncare Services to your Health Care Provider and to you. Your health data, which you enter in our myoncare App, will be used by your Health Care Provider for consultation and support to you. We process this personal data as part of an agreement with and in accordance with the instructions of your Health Care Provider. The transmission of this Treatment Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Health Care Provider.
Justification of processing of Treatment Data: Your personal data will be processed by your Health Care Provider in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from Art. 9 Paragraph 2 lit. h EU GDPR for health data as special sensitive data as well as your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 28 GDPR (data processing agreement)
Your doctor as data controller will be responsible to obtain your consent. Even if you can use myoncare App without such consent, most of the functions will not work anymore (e.g. sharing of data with your Health Care Provider). Therefore, denial or revocation of consent to process Treatment Data will lead to a heavy limitation of functionality of the App services and your doctor will not be able to support you via myoncare App anymore.
PROCESSING OF ACTIVITY DATA
– Only applicable if you agree to share Activity Data via myoncare Tools –
myoncare Tools offer you the possibility to connect the myoncare App to certain health apps (e.g. AppleHealth, GoogleFit), that you are using (“Health App”). To enable processing of Activity Data, we are asking you to consent to the processing beforehand. If the connection is established after you granted your consent, Activity Data collected by the Health App is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them. Please note that Activity Data are not validated by myoncare Tools and shall not be used by your connected Portal Users for diagnostic purposes or the basis for medical decision making. Please also note, that your connected Portal Users are not required to monitor your Activity Data or provide any feedback to you regarding your Activity Data.
Activity Data is shared with your connected Portal Users each time you start myoncare App. At any time you can revoke your consent to share your Activity Data from within the settings in myoncare App. Please note that your Activity Data are not shared anymore from this time point onwards. Already shared Activity Data will not be deleted from the myoncare Portal of your connected Portal Users.
The processing of Activity Data by you falls within your own data responsibility.
Types of data: The type and extent of data transferred depend on your decision and the data available in your connected Health App. Data can include, inter alia, weight, height, taken steps, burned calories, hours of sleep, heart rate and blood pressure.
Purposes of processing of Activity Data: Your Activity Data is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them.
Justification of Processing: The processing of the Activity Data is done under your own responsibility.
PROCESSING OF PRODUCT SAFETY DATA
– Applicable to App Users whose Health Care Provider uses the medical device variant of myoncare Tools –
myoncare App is classified and marketed as medical device according to the European medical device regulations. As manufacturer of the App, we have to fulfill certain legal obligations (e.g. surveillance of functionality of the App, evaluation of incident reports which might be connected to the use of the App, tracking of users etc.). In addition, your Health Care Provider and you might communicate and collect personal data in myoncare App regarding specific medical devices or pharmaceuticals used in your treatment. The manufacturers of such medical devices or pharmaceuticals also have legal obligations regarding the surveillance of the market (e.g. collection and assessment of side effect reports).
Oncare is data controller for Product Safety Data.
Types of Data: Case reports, personal data provided in an incident report and results of evaluation.
Processing of Product Safety Data: We will store and assess any personal data related to our legal obligations as manufacturer of a medical device and transfer such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory responsibilities. In addition, we will store and transfer personal data related to medical devices and/or pharmaceuticals, if we receive any notices by your Health Care Provider, by you as patient or any third person (e.g. our distributors or importers of the myoncare Tools in your country) that has to be reported to the manufacturer of the product to enable the manufacturer to fulfill its legal product safety obligations.
Justification of processing of Product Safety Data: Legal basis for the processing of personal data to fulfill legal obligations as medical device or pharmaceutical manufacturer is Art. 9 Paragraph 2 lit. i EU GDPR in accordance with the post-market surveillance obligations provided by the German Medical Device Act and Medical Device Directive (from 26 May 2021 on regulated in Chapter VII of the new Medical Device Regulation (EU) 2017/745) and/or German Pharmaceutical Act.
PROCESSING OF REIMBURSEMENT DATA
– Applicable to App Users using the App with their Health Care Provider for reimbursement purposes –
myoncare App will support your Health Care Provider to start standard reimbursement processes for the health services provided to you via myoncare App. To enable the reimbursement process, myoncare App will support the collection of your personal (health) data by your Healh Care Provider for transfer of such data to your cost payer (either his/her Association of Statutory Health Insurances and/or your health insurer). This data processing is just an initial data transfer for the Health Care Provider to receive reimbursement by your health insurer. The kind and amount of personal data processed does not differ to other reimbursement routines of the Health Care Provider. Your Health Care Provider is data controller for Reimbursement Data. Oncare is acting as data processor based on the data processing agreement with your Health Care Provider.
Types of Data: Name, diagnosis, indications, treatment, period of treatment, other data required for reimbursement administration.
Processing of Reimbursement Data: Your Health Care Provider will transfer your Treatment Data required to receive reimbursement to the cost payer (either his/her Association of Statutory Health Insurances and/or your health insurer) and the cost payer will process the Reimbursement Data to provide reimbursement to your Health Care Provider.
Justification of processing of Reimbursement Data: The Reimbursement Data are processed on the basis of Sec. 295 and Sec. 301 German Social Code V. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 28 GDPR (data processing agreement).
PROCESSING OF CORPORATE HEALTH MANAGEMENT DATA
– Applicable to App Users using the App with the corporate health management program of their Company –
During the use of myoncare App in the corporate health management program of your Company, certain personal (health) data will be shared in an aggregated form as Corporate Health Management Data with your Company and any Data Service Providers (e.g. data analyst or research companies) engaged by your Company. Neither your Company nor any Data Service Provider will be able to allocate such data to your identity. Oncare recommends not to share personal information when using the myoncare Services in the context of corporate health management.
We process such Corporate Health Management Data, including your health data, under an agreement with and in accordance with the instructions of your Company and/or any Data Service Providers. For the purposes of this agreement, the Company is responsible for processing your Corporate Health Management Data as data controller, and Oncare as well as any Data Service Provider engaged by your Company, if any, are the processor of such data. This means that Oncare and any Data Service Provider process the Corporate Health Management Data only according to the instructions of the Company. If you have any questions or concerns regarding the processing of your Corporate Health Management Data , you should primarily contact your Company.
Purposes of Corporate Health Management Data processing: We process your Corporate Health Management Data to be able to provide our myoncare Services to your Company and to you. Your Corporate Health Management Data, which you enter in our myoncare App, will be used by your Company (either directly or via a Data Service Provider) in its corporate health management program. We process this Corporate Health Management Data as part of an agreement with and in accordance with the instructions of your Company and/or any Data Service Provider for its corporate health management program. The transmission of this Corporate Health Management Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Company.
Justification of processing of Corporate Health Management Data: Your Corporate Health Management Data will be processed by your Company in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR or any other legal justification valid for your Company. The processing of data by Oncare to Company (either directly or via any service provider engaged by your Company) is, in addition, based on Art. 28 GDPR (data processing agreement)
Your Company as data controller will be responsible to obtain your consent if required due to data protection regulations and process the Corporate Health Management Data according to applicable data protection legislation.
SECURE TRANSFER OF PERSONAL DATA
We implement the appropriate technical and organizational security measures to ensure the optimal protection of the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.
The data exchange to and from the App is encrypted. We use TLS and SSL as encryption protocols for secure data transmission. In addition, data exchange is end-to-end encrypted and takes place using pseudo-keys.
DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES
We will only transmit your personal data to third parties within the scope of given statutory provisions or based on your consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).
All transfer of personal data is encrypted during transfer.
GENERAL INFORMATION ON CONSENT TO DATA PROCESSING
Your consent also constitutes permission to data processing under data privacy law. Before granting your consent, we will inform you about the purpose of the data processing and your right of objection.
If the consent also relates to the processing of special categories of personal data, myoncare App will explicitly notify you in the consent process. Processing of special categories of personal data according to Art. 9 Paragraph 1 EU GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such personal data or you have given consent to the processing of this personal data according to Art. 9 Paragraph 2 EU GDPR.
For the data processing for which your consent is required (as explained in this Privacy Notice), the consent will be requested during registration process. After successful registration, the consents can be managed in the account settings of myoncare App.
DATA RECIPIENTS / CATEGORIES OF RECIPIENTS
In our organization, we ensure that only those persons are entitled to process personal data who are required to do so in order to fulfill their contractual and statutory duties. Your personal data and health data that you enter in our myoncare App will be made available to your Health Care Provider and/or Company either directly or via a Data Service Provider (depending on the type of use of myoncare Tools).
In certain cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers which are data processor for the personal data. These service providers are Hetzner Online and Google (Google Firebase). Google Firebase is a “NoSQL database” that enables synchronization between the myoncare Portal of your Health Care Provider and the myoncare App. NoSQL defines a mechanism of storing data which is modeled in means other than just tabular relations by allowing for easier “horizontal” scaling compared to tabular/ relational database management systems in a cluster of machines.
For this purpose, a pseudo key of the myoncare App is stored in Google Firebase along with the corresponding Careplan. The data transfer is pseudonymized to Oncare and its service providers which means that Oncare and its service providers cannot relate to you as a data subject. This is achieved by encryption of the data during transfer between you and your Health Care Provider or Company (either directly or to any Data Service Provider) and the use of pseudo-keys instead of personal identifiers such as names or e-mail addresses to track these transfers. Re-identification happens once the personal data has reached the account of your Health Care Provider or Company in myoncare Portal or your account in myoncare App after verification via specific tokens.
Hetzner Online provides cloud storage in which the Firebase Manager, which manages the Firebase URLs for the myoncare Portal, is stored. In addition, Hetzner Online provides the isolated server domain of myoncare Portal in which your personal data is stored. Hetzner Online also hosts myoncare’s video and file management services, which enable encrypted video conferencing and exchange of files between you and your Health Care Provider, respectively. Access to your personal data by you and your Health Care Provider is ensured by sending specific tokens. This personal data is encrypted during transfer and pseudonymized during transfer and at rest to Oncare and its service providers. Service providers of Oncare do not have access to this personal data at any time.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
No personal data collected by this myoncare App will be stored in the app stores. Personal Data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is necessary for the performance of the contractual obligation, is required by law or you have given us your consent.
Synchronization of myoncare App with myoncare Portal takes place via Google Firebase. The Google Firebase servers are hosted in the EU.However, according to the Google Firebase Terms of Service, transient data transfers in countries where Google and its’ service providers have establishments are possible; in the case of certain Google Firebase services, data is only transmitted to the USA, insofar as no processing takes place in the European Union or the European Economic Area. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Hetzner Online is hosted in Nuremberg, Germany.
In order to process Activity Data, interfaces to Google cloud services (in case of GoogleFit) or to AppleHealth within the mobile device of the App User are used. myoncare Tools use these interfaces which are provided by Google and Apple, to request Activity Data from connected Health Apps. The request sent by myoncare Tools does not contain personal data but personal data is provided to myoncare Tools via these interfaces.
PERIOD OF PERSONAL DATA STORAGE
We store your personal data as long as they are needed for the respective processing purpose. Please note that numerous retention periods dictate that personal data must continue to be stored. This applies in particular to commercial law or tax law storage obligations (e.g. Commercial Code, Tax Code, etc.). In addition, your Health Care Provider also has to ensure storage of your medical files (varies between 1 and 30 years, depending on the nature of documents).
Please note that Oncare is also subject to storage obligations which are contractually agreed with your Health Care Provider on the basis of legal provisions. In addition, and only if your Health Care Provider uses the medical device variant of myoncare Tools, certain storage periods arising from medical device law are applicable to the App. If there are no further storage obligations, the personal data is routinely deleted once the purpose has been achieved.
In addition, we can store personal data if you have given us your permission to do so or if legal disputes arise and we use evidence within the framework of statutory limitation periods, which can be up to thirty years; the regular limitation period is three years.
OBLIGATION TO PROVIDE PERSONAL DATA
Various personal data are necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare App and the various functions it provides.
We have summarized the details for you in the above point. In certain cases, personal data must also be collected or made available in accordance with statutory provisions. Please note that it is not possible to process your enquiry or to execute the underlying contractual obligation without providing this personal data.
GRANTED ACCESS RIGHTS
In order for the myoncare App to work on your device, it is necessary for the App to be granted various permissions to access certain functions of the device. For all devices, independent from the operating system used, it is necessary to grant the App certain permissions, which we call “basic permissions”. Depending on the operating system of the device you are using, it may have additional features that require additional permissions to make the app work. If applicable, we will list them in order of operating system (Android or iOS) after the “basic conditions”.
The basic permissions (Android and iOS) are:
- Retrieve WLAN connections
Required to ensure the functionality of the document download in connection with WLAN connections.
- Retrieve Network Connections
Required to ensure document download functionality in connection with network connections that are not WLAN connections.
- Disable screen lock (prevent stand-by mode)
Required so that the videos that are among the provided documents can be played directly in the app without being interrupted by screen lock.
- Access all networks
Access to all networks is required to download documents.
- Disable sleep mode
This is necessary so that the videos that are among the provided documents can be played directly in the app, without the playback being interrupted by the occurrence of sleep mode.
- Mobile data / access to mobile data
If the user wishes to download documents exclusively via WLAN, he can make the appropriate setting in the menu of the app and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of deactivating document downloads via mobile data.
- Camera access
Camera access is required for scanning of QR codes and for video consultations.
- Microphone access
This is required for video consultations.
- Access to files and photos
This is necessary for the exchange of files between you and your connected Portal Users.
- Access to web browsers
This is necessary to view received files from your connected Portal Users.
We use push notifications, which are messages sent to your mobile device as a service of the myoncare App via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The service provider’s privacy policy governs the access, use, and disclosure of personal information as a result of your use of these services.
AUTOMATED DECISIONS IN INDIVIDUAL CASES
We do not use purely automated processing to make decisions.
YOUR RIGHTS AS DATA SUBJECT
We would like to inform you of your rights as a data subject. These rights are set out in articles 15 – 22 EU GDPR and include:
- Right of access (Art. 15 EU GDPR): You have the right be provided with a copy of any personal data that we hold about you;
- Right to erasure / right to be forgotten (Art. 17 EU GDPR): You can request us, without undue delay, to delete your personal data collected and processed by us. In this case, we will ask you to delete the myoncare App including your UID (unique identification number) from your smartphone/mobile phone.
- Right to rectification (Art. 16 EU GDPR): You can require us to update or correct any inaccurate personal data or to complete any incomplete personal data;
- Right to data portability (Art. 20 EU GDPR): In general, you can request us to provide you with personal data which you have provided to us and which are processed by using automated means, based on your consent or the performance of a contract with you, in machine readable format so that they can be “ported” to a replacement service provider.
- Right to restriction of data processing (Art. 18 EU GDPR): You can require us to “restrict” our use of your information, so that we can continue the use your information only subject to restrictions;
- Right to object to data processing (Art. 21 EU GDPR): You have the right to object to our use of your personal data and to revoke your consent at any time, if we process your personal data based on your consent. We will continue to provide our services if they do not depend on the consent that has been revoked.
To exercise these rights, please primarily contact your Health Care Provider or your Company or us at privacy@myoncare.com. We will require you to provide satisfactory proof of your identity to ensure that your rights are protected and that your personal data is disclosed only to you and not to any third person.
Please also contact us at any time at privacy@myoncare.com, if you have questions about data processing in our company or if you wish to revoke your consent. You also have the right to contact the relevant data protection supervisory authority.
DATA PROTECTION OFFICER
You can contact our data protection officer to answer all data protection questions at privacy@myoncare.com.
AGE RESTRICTION OF THE APPLICATION
A minimum age of 18 years is required to use myoncare App. If you are below 18 years old, your legal guardian will have to provide the privacy consent required to use the App.
CHANGES TO PRIVACY NOTICE
We explicitly reserve our right to modify this Privacy Notice in future at our own discretion. Modifications or additions may, for instance, be necessary to meet statutory requirements, correspond with technical and economic developments or to meet the interests of the App or Portal Users.
Any modifications are possible at any time and will be published in an appropriate manner and in an appropriate time frame to you before they take effect (e.g. by posting revised Privacy Notice at login or by providing advance notice to you of material changes).
ONCARE GmbH
Postal address
Balanstraße 71a
81541 Munich, Germany
T | +49 (0) 89 4445 1156
F | +49 (0) 89 4445 1157
Contact info of the data protection officer:
Last updated 07 April 2022.
* * * *
U.S. PRIVACY POLICY
Welcome to myoncare, the digital health portal and mobile app (“App”) for efficient and needs-oriented patient care and support for corporate health management programs.
This Privacy Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Privacy Notice tells you why and how Oncare processes your personal (health) information / data which we collect from you or which you provide to us, when you decide to use myoncare App.
For us at Oncare GmbH (hereinafter referred to as “Oncare” or “we”, “us”, “our”), the protection of your privacy and any personal data relating to you while using the myoncare App is of major relevance and importance. We are aware of the responsibilities arising from your trust to provide and save your personal (health) data in the myoncare App. Therefore, our technology systems used for myoncare Services are set up according to the highest standards and the lawful processing of personal data is core to our business ethics.
All information collected and stored by us or added by Health Care Providers is considered Protected Health Information (“PHI”) and/or medical information and is governed by laws that apply to that information, for example the Health Insurance Portability and Accountability Act (HIPAA). We are required by law to maintain the privacy and security of your protected health information.
How we use and disclose such PHI is in accordance with the applicable Notice of Privacy Practices. To understand how we use and disclose PHI, you should review the Notice of Privacy Practices. We continuously seek to safeguard your health information through administrative, physical, and technical means, and otherwise abide by applicable federal and state laws.
Please read this Privacy Notice carefully to ensure that you understand each provision. After reading the Privacy Notice, you will have the option to consent to the Privacy Notice and the processing of your personal (health) data as described in this Privacy Note. If you give consent, the Privacy Notice will be part of the contract between you and Oncare. We must follow the duties and privacy practices described in this notice. We will not use or share your information other than as described here.
DEFINITIONS
“App User” means any user of the myoncare App (Patient and/or employee).
“Company” means your employer, if you and your employer are using myoncare Tools for the employer’s corporate health management program.
„Covered Entity“ means: A health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
“Data Service Provider” means any agent engaged and instructed by Company for collection, screening and interpretation of pseudonymized or anonymized employee data in corporate health management programs based on a separate service agreement with the Company (e.g. data analyst, general health prevention services, data evaluation services etc.) and as identified by a separate information sheet to the employees.
“EU General Data Protection Regulation”. The General Data Protection Regulation (GDPR) is a European privacy law. The regulation was put into effect on May 25, 2018. GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not. So the GDPR applies also to you as a U.S. citizen, because Oncare has its place of business in Germany.
“Health Care Provider” means your doctor, clinic, health care institutions or other health care professional acting on its own or on behalf of your doctor, clinic or health care institutions.
“Health information” means any information, including genetic information, whether oral or recorded in any form or medium, that:
– Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
– Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. “Protected health information” or “PHI” means individually identifiable health information that is (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.
“Health Insurance Portability and Accountability Act”, “HIPAA” or the “Law”. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”
“myoncare App” means the myoncare mobile app intended for the use by patients or employees who want to use the services provided by Oncare.
“myoncare Portal” means the myoncare web-portal intended for professional use by Portal Users and functioning as interface between such Portal Users and App Users.
“myoncare Services” means the services, functionalities and other offerings which are or may be offered to Portal Users via the myoncare Portal and/or to App users via the myoncare App, as applicable.
“myoncare Tools” means both, myoncare App and myoncare Portal, together.
„Oncare“ or “We” means ONCARE GmbH, Germany.
“Portal User” means any Health Care Provider, Company or Data Service Provider using the web-based myoncare Portal.
“Privacy Notice” means this statement made to you as patient or employee and user of the myoncare App that describes how we collect, use and retain your personal information, and provides you with information on your comprehensive rights.
“Standard Terms” means the Standard Terms and Conditions for using the myoncare App.
RESPONSIBLE ENTITY
Oncare GmbH, a company registered with the Munich Local Court with the Register number 219909 with its offices located at Herrenwiesstr. 12, 82031 Gruenwald, Germany, offers and operates the mobile application myoncare App giving access to myoncare Services. This Privacy Notice applies to all personal data processing by Oncare related to the use of myoncare App.
Oncare is a “business associate” (as that term is used under HIPAA) that provides services to and for health care providers and health care plans, referred to as “covered entities” under HIPAA, and enters into business associate agreements with these covered entities. Oncare will use and disclose PHI only in accordance with the business associate agreements and HIPAA.
We are required by U.S. law to maintain the privacy and security of your protected health information.
We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
We must follow the duties and privacy practices described in this notice and give you a copy of it upon request.
We never sell identifiable personal information.
We will not use or share your information other than as described here unless you tell us we can.
U.S. Federal and state laws may place additional limitations on the disclosure of your health information related to drug or alcohol abuse treatment programs, sexually transmitted diseases, genetic information, or mental health treatment programs. When required by law, we will obtain your authorization before releasing this type of information.
WHAT IS PERSONAL DATA ACCORDING TO GDPR
We process your personal data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation and the country-specific laws applicable to us. In particular, you will find a description of the personal data, which we collect and process as well as the purpose and on which basis we are processing the personal data and the rights to which you are entitled.
“Personal data” is all information that makes it possible to identify a natural person. In particular, this includes your name, date of birth, address, telephone number, e-mail address and IP address. “Health data” is personal data that relates to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data is considered “anonymous” if no personal reference to the person/user can be made. In contrast, “pseudonymized” data is data from which personal reference or personal identifiable information is replaced by one or more artificial identifiers, or pseudonyms, but which can, in general, be re-identified by the identifier key.
WHICH HEALTH INFORMATION / PERSONAL DATA WILL BE PROCESSED WHILE USING MYONCARE APP
We use and disclose your health information for the normal business activities that the law sees as falling in the categories of treatment and healthcare operations. We may process the following health information / data categories about you while using the myoncare App:
- Operational information: Personal information provided to us when you register to our myoncare App, contact us regarding any problems with the App or otherwise interact with us with the purpose of using the App (“Operational Data”);
- Treatment information: You or your Health Care Provider will enter personal information, such as name, age, height, weight, indication, disease symptoms and further information in connection with your treatment (e.g. in a care plan) with the support of myoncare App (“Treatment Data”). Treatment Data are, therefore, personal data which are collected or processed, when you interact with your Health Care Provider via myoncare App;
- Activity information: Personal information which will be processed by us when you connect myoncare App to a Health App (e.g. AppleHealth, GoogleFit). Your Activity information is transferred to your connected Health Care Provider as Portal User.
- Product Safety information: Personal information which will be processed to fulfill our legal obligations as manufacturer of the myoncare App as medical device. In addition, your personal information may be processed to fulfill legal safety or vigilance purposes of medical device or pharmaceutical companies. (“Product Safety Data”).
- Reimbursement information: Personal data which are required for the reimbursement process between your Healh Care Provider and your heath insurer (“Reimbursement Data”).
- Corporate Health Management Information: Personal or aggregated information which will be collected in concrete projects and questionnaires as asked by your employer (either directly or by Service Provider engaged by your Company). The information may relate to certain health information, your opinion regarding your personal well-being, your opinion as employee to a specific internal or external situation or data regarding the care or health situation in general (“Corporate Health Management Data”).
PROCESSING OF OPERATIONAL DATA
– Applicable to all App Users –
You might provide us with certain personal data in case you are contacting us to understand or discuss the functions and usage of the App or in case of a service request.
In the event of a service request, the following personal data may also be viewed by authorized Oncare employees:
- The personal data that you have provided to your Health Care Provider through our App (e.g. name, date of birth, profile picture, contact details)
- The health information you have provided to your Health Care Provider, the Data Service Provider or Company through our myoncare App (e.g., information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks)
Authorized Oncare employees who have access to your Health Care Provider’s, Data Service Provider’s or Company’s database for the purpose of processing a service request are contractually required to keep all personal information strictly confidential.
When myoncare App is downloaded, the necessary information is transferred to the app store provider. We have no influence on this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare Apps and Services.
For the processing of Operational Data, Oncare acts as data controller responsible for the legitimate processing of your personal data.
Types of Data: Your name, e-mail-address, date of birth, registration date, pseudo keys generated by the app; device token to identify your device, your pseudo identification number, your IP address, type and version of the operating system used by your device.
The app uses Google Maps API to use geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. For more information about the scope, legal basis and purpose of data processing by Google as well as the storage period, please refer to Google’s privacy policy.
Purposes of processing of Operational Data: We use the Operational Data to maintain the functionalities of myoncare App and to get in direct contact with you if required or initiated by you (e.g. in case of change of Standard Terms, necessary support, technical problems etc.).
Justification of Processing: The processing of Operational Data is justified based on Article 6 Paragraph 1 lit. b EU GDPR to fulfill the contract you conclude with Oncare for the purpose of the use of myoncare App.
PROCESSING OF TREATMENT HEALTH INFORMATION / DATA
– Applicable to App Users using the App with their Health Care Provider –
During the use of myoncare App, your doctor, a clinic or other health care provider treating you (“Health Care Provider”) will enter your health information / personal data to myoncare Portal to start myoncare Services (e.g. provision of individual Careplan, reminder for intake of medicines etc.). In addition, you and your Health Care Provider will be able to upload documents and files related to you to myoncare App and myoncare Portal and can share the files with the other. Your Health Care Provider can upload a privacy policy for your information and define other consent requirements for you as a patient, for which your consent must be given. The files will be stored in a cloud database hosted in Germany. Your Health Care Professional can allow sharing such files with other Portal Users of his institution for medical reasons, but other Portal Users will not be able to access the files.
Your Health Care Provider will be responsible for a legitimate processing of the health information / personal data.
We process such health information / personal data, including your health data, under an agreement with and in accordance with the instructions of your Health Care Provider. For the purposes of this agreement, the Health Care Provider is responsible of processing your health information / personal data and health data within the meaning of applicable data protection laws. This means that Oncare processes the health information / personal Data only according to the instructions of the Health Care Provider. If you have any questions or concerns regarding the processing of your health information / personal data or health data, you should primarily contact your Health Care Provider.
Types of Data: Name, date of birth, profile information, contact details and also health data, such as symptoms, photos, information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks.
Purposes of Treatment Data processing: We process your Treatment Health Information / Data to be able to provide our myoncare Services to your Health Care Provider and to you. Your health data, which you enter in our myoncare App, will be used by your Health Care Provider for consultation and support to you. We process this health information / personal data as part of an agreement with and in accordance with the instructions of your Health Care Provider. The transmission of this Treatment Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Health Care Provider.
Your doctor will be responsible to obtain your consent. Even if you can use myoncare App without such consent, most of the functions will not work anymore (e.g. sharing of data with your Health Care Provider). Therefore, denial or revocation of consent to process Treatment Health Information / Data will lead to a heavy limitation of functionality of the App services and your doctor will not be able to support you via myoncare App anymore.
GDPR Rules
Justification of processing of Treatment Health Information / Data: Your personal health information / data will be processed by your Health Care Provider in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from Art. 9 Paragraph 2 lit. h EU GDPR for health data as special sensitive data as well as your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 28 GDPR (data processing agreement)
PROCESSING OF ACTIVITY DATA
– Only applicable if you agree to share Activity Data via myoncare Tools
myoncare Tools offer you the possibility to connect the myoncare App to certain health apps (e.g. AppleHealth, GoogleFit), that you are using (“Health App”). To enable processing of Activity Data, we are asking you to consent to the processing beforehand. If the connection is established after you granted your consent, Activity Data collected by the Health App is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them. Please note that Activity Data are not validated by myoncare Tools and shall not be used by your connected Portal Users for diagnostic purposes or the basis for medical decision making. Please also note, that your connected Portal Users are not required to monitor your Activity Data or provide any feedback to you regarding your Activity Data.
Activity Data is shared with your connected Portal Users each time you start myoncare App. At any time you can revoke your consent to share your Activity Data from within the settings in myoncare App. Please note that your Activity Data are not shared anymore from this time point onwards. Already shared Activity Data will not be deleted from the myoncare Portal of your connected Portal Users.
The processing of Activity Data by you falls within your own data responsibility.
Types of data: The type and extent of data transferred depend on your decision and the data available in your connected Health App. Data can include, inter alia, weight, height, taken steps, burned calories, hours of sleep, heart rate and blood pressure.
Purposes of processing of Activity Data: Your Activity Data is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them.
Justification of Processing: The processing of the Activity Data is done under your own responsibility.
PROCESSING OF PRODUCT SAFETY DATA
– Applicable to App Users whose Health Care Provider uses the medical device variant of myoncare Tools-
myoncare App is classified and marketed as medical device according to the European medical device regulations. As manufacturer of the App, we have to fulfill certain legal obligations (e.g. surveillance of functionality of the App, evaluation of incident reports which might be connected to the use of the App, tracking of users etc.). In addition, your Health Care Provider and you might communicate and collect personal data in myoncare App regarding specific medical devices or pharmaceuticals used in your treatment. The manufacturers of such medical devices or pharmaceuticals also have legal obligations regarding the surveillance of the market (e.g. collection and assessment of side effect reports).
Types of Data: Case reports, personal data provided in an incident report and results of evaluation.
Processing of Product Safety Data: We will store and assess any personal data related to our legal obligations as manufacturer of a medical device and transfer such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory responsibilities. In addition, we will store and transfer personal data related to medical devices and/or pharmaceuticals, if we receive any notices by your Health Care Provider, by you as patient or any third person (e.g. our distributors or importers of the myoncare Tools in your country) that has to be reported to the manufacturer of the product to enable the manufacturer to fulfill its legal product safety obligations.
GDPR Rules
Oncare is data controller for Product Safety Data.
Justification of processing of Product Safety Data: Legal basis for the processing of personal data to fulfill legal obligations as medical device or pharmaceutical manufacturer is Art. 9 Paragraph 2 lit. i EU GDPR in accordance with the post-market surveillance obligations provided by the German Medical Device Act and Medical Device Directive (from 26 May 2021 on regulated in Chapter VII of the new Medical Device Regulation (EU) 2017/745) and/or German Pharmaceutical Act.
PROCESSING OF CORPORATE HEALTH MANAGEMENT DATA
– Applicable to App Users using the App with the corporate health management program of their Employer-
During the use of myoncare App in the corporate health management program of your Company, certain personal (health) data will be shared in an aggregated form as Corporate Health Management Data with your Company and any Data Service Providers (e.g. data analyst or research companies) engaged by your Company. Neither your Company nor any Data Service Provider will be able to allocate such data to your identity. Oncare recommends not to share personal information when using the myoncare Services in the context of corporate health management.
We process such Corporate Health Management Data, including your health data, under an agreement with and in accordance with the instructions of your Company and/or any Data Service Providers. For the purposes of this agreement, the Company is responsible for processing your Corporate Health Management Data as data controller, and Oncare as well as any Data Service Provider engaged by your Company, if any, are the processor of such data. This means that Oncare and any Data Service Provider process the Corporate Health Management Data only according to the instructions of the Company. If you have any questions or concerns regarding the processing of your Corporate Health Management Data , you should primarily contact your Company.
Purposes of Corporate Health Management Data processing: We process your Corporate Health Management Data to be able to provide our myoncare Services to your Company and to you. Your Corporate Health Management Data, which you enter in our myoncare App, will be used by your Company (either directly or via a Data Service Provider) in its corporate health management program. We process this Corporate Health Management Data as part of an agreement with and in accordance with the instructions of your Company and/or any Data Service Provider for its corporate health management program. The transmission of this Corporate Health Management Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Company.
GDPR Rules
Justification of processing of Corporate Health Management Data: Your Corporate Health Management Data will be processed by your Company in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR or any other legal justification valid for your Company. The processing of data by Oncare to Company (either directly or via any service provider engaged by your Company) is, in addition, based on Art. 28 GDPR (data processing agreement)
Your Company as data controller will be responsible to obtain your consent if required due to data protection regulations and process the Corporate Health Management Data according to applicable data protection legislation.
SECURE TRANSFER OF PERSONAL DATA
We implement the appropriate technical and organizational security measures to ensure the optimal protection of the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.
The data exchange to and from the App is encrypted. We use TLS and SSL as encryption protocols for secure data transmission. In addition, data exchange is end-to-end encrypted and takes place using pseudo-keys.
DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES
We will only transmit your health information / personal data to third parties within the scope of given statutory provisions or based on your consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities). All transfer of personal data is encrypted during transfer.
We will share information about you if U.S. state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law. We may also use and disclose your health information to:
– Comply with federal, state or local laws that require disclosure.
– Assist in public health activities such as tracking diseases or medical devices.
– Inform authorities to protect victims of abuse or neglect.
– Comply with federal and state health oversight activities such as fraud investigations.
– Respond to law enforcement officials or to judicial orders, subpoenas or other processes.
– Conduct research following internal review protocols to ensure the balancing of privacy and research needs.
– Avert a serious threat to health or safety.
GENERAL INFORMATION ON CONSENT TO DATA PROCESSING
Your consent also constitutes permission to health information / data processing under data privacy law. Before granting your consent, we will inform you about the purpose of the processing and your right of objection. If the consent also relates to the processing of special categories of personal health information / data, myoncare App will explicitly notify you in the consent process.
For the health information / data processing for which your consent is required (as explained in this Privacy Notice), the consent will be requested during registration process. After successful registration, the consents can be managed in the account settings of myoncare App.
GDPR Rules
Processing of special categories of personal data according to Art. 9 Paragraph 1 EU GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such personal data or you have given consent to the processing of this personal data according to Art. 9 Paragraph 2 EU GDPR.
DATA RECIPIENTS / CATEGORIES OF RECIPIENTS
In our organization, we ensure that only those persons are entitled to process personal data who are required to do so in order to fulfill their contractual and statutory duties. Your personal data and health data that you enter in our myoncare App will be made available to your Health Care Provider and/or Company either directly or via a Data Service Provider (depending on the type of use of myoncare Tools).
In certain cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers which are data processor for the personal data. These service providers are Hetzner Online and Google (Google Firebase). Google Firebase is a “NoSQL database” that enables synchronization between the myoncare Portal of your Health Care Provider and the myoncare App. NoSQL defines a mechanism of storing data which is modeled in means other than just tabular relations by allowing for easier “horizontal” scaling compared to tabular/ relational database management systems in a cluster of machines.
For this purpose, a pseudo key of the myoncare App is stored in Google Firebase along with the corresponding Careplan. The data transfer is pseudonymized to Oncare and its service providers which means that Oncare and its service providers cannot relate to you as a data subject. This is achieved by encryption of the data during transfer between you and your Health Care Provider or Company (either directly or to any Data Service Provider) and the use of pseudo-keys instead of personal identifiers such as names or e-mail addresses to track these transfers. Re-identification happens once the personal data has reached the account of your Health Care Provider or Company in myoncare Portal or your account in myoncare App after verification via specific tokens.
Hetzner Online provides cloud storage in which the Firebase Manager, which manages the Firebase URLs for the myoncare Portal, is stored. In addition, Hetzner Online provides the isolated server domain of myoncare Portal in which your personal data is stored. Hetzner Online also hosts myoncare’s video and file management services, which enable encrypted video conferencing and exchange of files between you and your Health Care Provider, respectively. Access to your personal data by you and your Health Care Provider is ensured by sending specific tokens. This personal data is encrypted during transfer and pseudonymized during transfer and at rest to Oncare and its service providers. Service providers of Oncare do not have access to this personal data at any time.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
Personal Data will only be transferred to third countries if this is necessary for the performance of the contractual obligation, is required by law or you have given us your consent
Synchronization of myoncare App with myoncare Portal takes place via Google Firebase. The Google Firebase servers are hosted in the EU. However, according to the Google Firebase Terms of Service, transient data transfers in countries where Google and its’ service providers have establishments are possible; in the case of certain Google Firebase services, data is only transmitted to the US, insofar as no processing takes place in the European Union or the European Economic Area. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Hetzner Online is hosted in Nuremberg, Germany.
In order to process Activity Data, interfaces to Google cloud services (in case of GoogleFit) or to AppleHealth within the mobile device of the App User are used. myoncare Tools use these interfaces which are provided by Google and Apple, to request Activity Data from connected Health Apps. The request sent by myoncare Tools does not contain personal data but personal data is provided to myoncare Tools via these interfaces.
PERIOD OF PERSONAL DATA STORAGE ACCORDING TO GDPR
We store your personal data as long as they are needed for the respective processing purpose. Please note that numerous retention periods dictate that personal data must continue to be stored. This applies in particular to commercial law or tax law storage obligations (e.g. Commercial Code, Tax Code, etc.). In addition, your Health Care Provider also has to ensure storage of your medical files (varies between 1 and 30 years, depending on the nature of documents).
Please note that Oncare is also subject to storage obligations which are contractually agreed with your Health Care Provider on the basis of legal provisions. In addition, and only if your Health Care Provider uses the medical device variant of myoncare Tools, certain storage periods arising from medical device law are applicable to the App. If there are no further storage obligations, the personal data is routinely deleted once the purpose has been achieved.
In addition, we can store personal data if you have given us your permission to do so or if legal disputes arise and we use evidence within the framework of statutory limitation periods, which can be up to thirty years; the regular limitation period is three years.
OBLIGATION TO PROVIDE PERSONAL DATA
Various personal data are necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare App and the various functions it provides.
We have summarized the details for you in the above point. In certain cases, personal data must also be collected or made available in accordance with statutory provisions. Please note that it is not possible to process your enquiry or to execute the underlying contractual obligation without providing this personal data.
GRANTED ACCESS RIGHTS
In order for the myoncare App to work on your device, it is necessary for the App to be granted various permissions to access certain functions of the device. For all devices, independent from the operating system used, it is necessary to grant the App certain permissions, which we call “basic permissions”. Depending on the operating system of the device you are using, it may have additional features that require additional permissions to make the app work. If applicable, we will list them in order of operating system (Android or iOS) after the “basic conditions”.
The basic permissions (Android and iOS) are:
- Retrieve WLAN connections
Required to ensure the functionality of the document download in connection with WLAN connections.
- Retrieve Network Connections
Required to ensure document download functionality in connection with network connections that are not WLAN connections.
- Disable screen lock (prevent stand-by mode)
Required so that the videos that are among the provided documents can be played directly in the app without being interrupted by screen lock.
- Access all networks
Access to all networks is required to download documents.
- Disable sleep mode
This is necessary so that the videos that are among the provided documents can be played directly in the app, without the playback being interrupted by the occurrence of sleep mode.
- Mobile data / access to mobile data
If the user wishes to download documents exclusively via WLAN, he can make the appropriate setting in the menu of the app and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of deactivating document downloads via mobile data.
- Camera access
Camera access is required for scanning of QR codes and for video consultations.
- Microphone access
This is required for video consultations.
- Access to files and photos
This is necessary for the exchange of files between you and your connected Portal Users.
- Access to web browsers
This is necessary to view received files from your connected Portal Users.
We use push notifications, which are messages sent to your mobile device as a service of the myoncare App via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The service provider’s privacy policy governs the access, use, and disclosure of personal information as a result of your use of these services.
AUTOMATED DECISIONS (ACCORDING TO GDPR) IN INDIVIDUAL CASES
We do not use purely automated processing to make decisions.
YOUR HIPAA RIGHTS
You have the HIPAA right to:
– Inspect and copy certain portions of your health information. You may request that your health records is provided to you in an electronic format. A copy or a summary of your health information will be provided, usually within 30 days of your request. A reasonable, cost-based fee will be charged.
– Request amendment of your health information if you feel the health information is incorrect or incomplete. You can ask to correct health information about you that you think is incorrect or incomplete.
– Receive an accounting of certain disclosures of your health information made for the prior six (6) years, although this excludes certain disclosures for treatment, payment, and health care operations. A reasonable, cost-based fee will be charged.
– Request to restrict how to use or disclose your health information. You can ask not to use or share certain health information for treatment, payment, or operations.
– Obtain a paper copy of the notice even if you receive it electronically. You can ask for a paper copy of the notice at any time, even if you have agreed to receive the notice
electronically.
– File a complaint if you believe your privacy rights have been violated. You can file a complaint with the U.S. Department of Health and Human Services by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-800-368-1019 (Toll Free Call) or 1-800-537-7697 (TTD), or visiting https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
Many states have adopted a patient bill of rights applicable to patients of physicians and/or hospitals and other health care facilities. Some of those states require that physicians provide a copy of the bill of rights to their patients.
YOUR RIGHTS AS DATA SUBJECT ACCORDING TO GDPR
We would like to inform you of your rights as a data subject. These rights are set out in articles 15 – 22 EU GDPR and include:
- Right of access (Art. 15 EU GDPR): You have the right be provided with a copy of any personal data that we hold about you;
- Right to erasure / right to be forgotten (Art. 17 EU GDPR): You can request us, without undue delay, to delete your personal data collected and processed by us. In this case, we will ask you to delete the myoncare App including your UID (unique identification number) from your smartphone/mobile phone.
- Right to rectification (Art. 16 EU GDPR): You can require us to update or correct any inaccurate personal data or to complete any incomplete personal data;
- Right to data portability (Art. 20 EU GDPR): In general, you can request us to provide you with personal data which you have provided to us and which are processed by using automated means, based on your consent or the performance of a contract with you, in machine readable format so that they can be “ported” to a replacement service provider.
- Right to restriction of data processing (Art. 18 EU GDPR): You can require us to “restrict” our use of your information, so that we can continue the use your information only subject to restrictions;
- Right to object to data processing (Art. 21 EU GDPR): You have the right to object to our use of your personal data and to revoke your consent at any time, if we process your personal data based on your consent. We will continue to provide our services if they do not depend on the consent that has been revoked.
To exercise these rights, please primarily contact your Health Care Provider or your Company or us at privacy@myoncare.com. We will require you to provide satisfactory proof of your identity to ensure that your rights are protected and that your personal data is disclosed only to you and not to any third person.
Please also contact us at any time at privacy@myoncare.com, if you have questions about data processing in our company or if you wish to revoke your consent. You also have the right to contact the relevant data protection supervisory authority.
FILE A COMPLAINT
If you believe that your privacy has been violated, you may file a complaint with the Secretary of Health and Human Services in Washington, D.C. We will not retaliate or penalize you for filing a complaint with us or the Secretary. To file a complaint with us or receive more information contact:
Phone: +49 (0) 89 4445 1156
Email: privacy@myoncare.com
Address: Balanstraße 71a
81541 Munich, Germany
Attn: Complaint
To file a complaint with the U.S. Department of Health and Human Services write to 200 Independence Ave., S.W., Washington, D.C. 20201, or call 1-800-368-1019 (Toll Free Call) or 1-800-537-7697 (TTD), or file an online complaint at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
DATA PROTECTION OFFICER ACCORDING TO GDPR
You can contact our data protection officer to answer all data protection questions at privacy@myoncare.com.
AGE RESTRICTION OF THE APPLICATION
A minimum age of 18 years is required to use myoncare App. If you are below 18 years old, your legal guardian will have to provide the privacy consent required to use the App.
CHANGES TO PRIVACY NOTICE
We explicitly reserve our right to modify this Privacy Notice in future at our own discretion. Modifications or additions may, for instance, be necessary to meet statutory requirements, correspond with technical and economic developments or to meet the interests of the App or Portal Users.
Any modifications are possible at any time and will be published in an appropriate manner and in an appropriate time frame to you before they take effect (e.g. by posting revised Privacy Notice at login or by providing advance notice to you of material changes).
ONCARE GmbH
Postal address
Balanstraße 71a
81541 Munich, Germany
T | +49 (0) 89 4445 1156
F | +49 (0) 89 4445 1157
Contact info of the data protection officer:
Last updated 07 April 2022.
* * * *
PRIVACY POLICY EUROPE
Welcome to myoncare, the digital health portal for efficient and needs-oriented patient care.
For us at Oncare GmbH (hereinafter referred to as “Oncare” or “we”, “us”, “our”), the protection of your privacy and any personal data relating to you while using the myoncare Portal is of major relevance and importance. We are aware of the responsibilities to provide and save your personal data in the myoncare Portal. Therefore, our technology systems used for myoncare Services are set up according to the highest standards and the lawful processing of personal data is core to our business ethics.
We process your personal data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation (“EU GDPR”) and the country-specific laws applicable to us. This Privacy Notice tells you why and how Oncare processes your personal data which we collect from you or which you provide to us, when you decide to use myoncare Portal. In particular, you will find a description of the personal data, which we collect and process as well as the purpose and on which basis we are processing the personal data and the rights to which you are entitled.
Please read this Privacy Notice carefully to ensure that you understand each provision. After reading the Privacy Notice, you will have the option to consent to the Privacy Notice and the processing of your personal data as described in this Privacy Note. If you give consent, the Privacy Notice will be part of the contract between you and Oncare.
DEFINITIONS
“App User” means any user of the myoncare App (Patient and/or employee).
“Company” means your employer, if you and your employer are using myoncare Tools for the employer’s corporate health management program.
“Data Service Provider” means any agent engaged and instructed by Company for collection, screening and interpretation of pseudonymized or anonymized employee data in corporate health management programs based on a separate service agreement with the Company (e.g. data analyst, general health prevention services, data evaluation services etc.) and as identified by a separate information sheet to the employees.
“Health Care Provider” means your doctor, clinic, health care institutions or other health care professional acting on its own or on behalf of your doctor, clinic or health care institutions.
“myoncare App” means the myoncare mobile app intended for the use by patients or employees who want to use the services provided by Oncare.
“myoncare Portal” means the myoncare web-portal intended for professional use by Portal Users and functioning as interface between such Portal Users and App Users.
“myoncare Services” means the services, functionalities and other offerings which are or may be offered to Portal Users via the myoncare Portal and/or to App users via the myoncare App, as applicable.
“myoncare Tools” means both, myoncare App and myoncare Portal, together.
„Oncare“ means ONCARE GmbH, Germany.
“Portal User” means any Health Care Provider, Company or Data Service Provider using the web-based myoncare Portal.
“Privacy Notice” means this statement made to you as patient or employee and user of the myoncare App that describes how we collect, use and retain your personal information, and provides you with information on your comprehensive rights.
“Standard Terms” means the Standard Terms and Conditions for using the myoncare App.
RESPONSIBLE ENTITY
Oncare GmbH, a company registered with the Munich Local Court with the Register number 219909 with its offices located at Herrenwiesstr. 12, 82031 Gruenwald, Germany, offers and operates the mobile application myoncare App giving access to myoncare Services. This Privacy Notice applies to all personal data processing by Oncare related to the use of myoncare App.
WHAT IS PERSONAL DATA
“Personal data” is all information that makes it possible to identify a natural person. In particular, this includes your name, date of birth, address, telephone number, e-mail address and IP address. “Health data” is personal data that relates to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data is considered “anonymous” if no personal reference to the person/user can be made. In contrast, “pseudonymized” data is data from which personal reference or personal identifiable information is replaced by one or more artificial identifiers, or pseudonyms, but which can, in general, be re-identified by the identifier key.
WHICH PERSONAL DATA WILL BE PROCESSED WHILE USING MYONCARE APP
We may process the following data categories about you while using the myoncare App:
- Operational Data: Personal data provided to us when you register to our myoncare App, contact us regarding any problems with the App or otherwise interact with us with the purpose of using the App (“Operational Data”);
- Treatment Data: You or your Health Care Provider will enter personal data, such as name, age, height, weight, indication, disease symptoms and further information in connection with your treatment (e.g. in a care plan) with the support of myoncare App (“Treatment Data”). Treatment Data are, therefore, personal data which are collected or processed, when you interact with your Health Care Provider via myoncare App;
- Activity Data: Personal data which will be processed by us when you connect myoncare App to a Health App (e.g. AppleHealth, GoogleFit). Your Activity Data is transferred to your connected Health Care Provider as Portal User.
- Product Safety Data: Personal data which will be processed to fulfill our legal obligations as manufacturer of the myoncare App as medical device. In addition, your personal data may be processed to fulfill legal safety or vigilance purposes of medical device or pharmaceutical companies. (“Product Safety Data”).
- Reimbursement Data: Personal data which are required for the reimbursement process between your Healh Care Provider and your heath insurer (“Reimbursement Data”).
- Corporate Health Management Data: Personal or aggregated data which will be collected in concrete projects and questionnaires as asked by your employer (either directly or by Data Service Provider engaged by your Company). The data may relate to certain health information, your opinion regarding your personal well-being, your opinion as employee to a specific internal or external situation or data regarding the care or health situation in general (“Corporate Health Management Data”).
PROCESSING OF OPERATIONAL DATA
– Applicable to all App Users –
You might provide us with certain personal data in case you are contacting us to understand or discuss the functions and usage of the App or in case of a service request.
In the event of a service request, the following personal data may also be viewed by authorized Oncare employees:
• The personal data that you have provided to your Health Care Provider through our App (e.g. name, date of birth, profile picture, contact details)
• The health data you have provided to your Health Care Provider, the Data Service Provider or Company through our myoncare App (e.g., information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks)
Authorized Oncare employees who have access to your Health Care Provider’s, Data Service Provider’s or Company’s database for the purpose of processing a service request are contractually required to keep all personal information strictly confidential.
When myoncare App is downloaded, the necessary information is transferred to the app store provider. We have no influence on this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare Apps and Services.
For the processing of Operational Data, Oncare acts as data controller responsible for the legitimate processing of your personal data.
Types of Data: Your name, e-mail-address, date of birth, registration date, pseudo keys generated by the app; device token to identify your device, your pseudo identification number, your IP address, type and version of the operating system used by your device.
The app uses Google Maps API to use geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. For more information about the scope, legal basis and purpose of data processing by Google as well as the storage period, please refer to Google’s privacy policy.
Purposes of processing of Operational Data: We use the Operational Data to maintain the functionalities of myoncare App and to get in direct contact with you if required or initiated by you (e.g. in case of change of Standard Terms, necessary support, technical problems etc.).
Justification of Processing: The processing of Operational Data is justified based on Article 6 Paragraph 1 lit. b EU GDPR to fulfill the contract you conclude with Oncare for the purpose of the use of myoncare App.
PROCESSING OF TREATMENT DATA
– Applicable to App Users using the App with their Health Care Provider –
During the use of myoncare App, your doctor, a clinic or other health care provider treating you (“Health Care Provider”) will enter your personal data to myoncare Portal to start myoncare Services (e.g. provision of individual Careplan, reminder for intake of medicines etc.). In addition, you and your Health Care Provider will be able to upload documents and files related to you to myoncare App and myoncare Portal and can share the files with the other. Your Health Care Provider can upload a privacy policy for your information and define other consent requirements for you as a patient, for which your consent must be given. The files will be stored in a cloud database hosted in Germany. Your Health Care Professional can allow sharing such files with other Portal Users of his institution for medical reasons, but other Portal Users will not be able to access the files.
Your Health Care Provider will be responsible for a legitimate processing of the personal data.
We process such personal data, including your health data, under an agreement with and in accordance with the instructions of your Health Care Provider. For the purposes of this agreement, the Health Care Provider is responsible of processing your personal data and health data within the meaning of applicable data protection laws as data controller, and Oncare is the processor of such personal (health) data. This means that Oncare processes the Personal Data only according to the instructions of the Health Care Provider. If you have any questions or concerns regarding the processing of your personal data or health data, you should primarily contact your Health Care Provider.
Types of Data: Name, date of birth, profile information, contact details and also health data, such as symptoms, photos, information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks.
Purposes of Treatment Data processing: We process your Treatment Data to be able to provide our myoncare Services to your Health Care Provider and to you. Your health data, which you enter in our myoncare App, will be used by your Health Care Provider for consultation and support to you. We process this personal data as part of an agreement with and in accordance with the instructions of your Health Care Provider. The transmission of this Treatment Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Health Care Provider.
Justification of processing of Treatment Data: Your personal data will be processed by your Health Care Provider in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from Art. 9 Paragraph 2 lit. h EU GDPR for health data as special sensitive data as well as your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 28 GDPR (data processing agreement)
Your doctor as data controller will be responsible to obtain your consent. Even if you can use myoncare App without such consent, most of the functions will not work anymore (e.g. sharing of data with your Health Care Provider). Therefore, denial or revocation of consent to process Treatment Data will lead to a heavy limitation of functionality of the App services and your doctor will not be able to support you via myoncare App anymore.
PROCESSING OF ACTIVITY DATA
– Only applicable if you agree to share Activity Data via myoncare Tools –
myoncare Tools offer you the possibility to connect the myoncare App to certain health apps (e.g. AppleHealth, GoogleFit), that you are using (“Health App”). To enable processing of Activity Data, we are asking you to consent to the processing beforehand. If the connection is established after you granted your consent, Activity Data collected by the Health App is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them. Please note that Activity Data are not validated by myoncare Tools and shall not be used by your connected Portal Users for diagnostic purposes or the basis for medical decision making. Please also note, that your connected Portal Users are not required to monitor your Activity Data or provide any feedback to you regarding your Activity Data.
Activity Data is shared with your connected Portal Users each time you start myoncare App. At any time you can revoke your consent to share your Activity Data from within the settings in myoncare App. Please note that your Activity Data are not shared anymore from this time point onwards. Already shared Activity Data will not be deleted from the myoncare Portal of your connected Portal Users.
The processing of Activity Data by you falls within your own data responsibility.
Types of data: The type and extent of data transferred depend on your decision and the data available in your connected Health App. Data can include, inter alia, weight, height, taken steps, burned calories, hours of sleep, heart rate and blood pressure.
Purposes of processing of Activity Data: Your Activity Data is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them.
Justification of Processing: The processing of the Activity Data is done under your own responsibility.
PROCESSING OF PRODUCT SAFETY DATA
– Applicable to App Users whose Health Care Provider uses the medical device variant of myoncare Tools –
myoncare App is classified and marketed as medical device according to the European medical device regulations. As manufacturer of the App, we have to fulfill certain legal obligations (e.g. surveillance of functionality of the App, evaluation of incident reports which might be connected to the use of the App, tracking of users etc.). In addition, your Health Care Provider and you might communicate and collect personal data in myoncare App regarding specific medical devices or pharmaceuticals used in your treatment. The manufacturers of such medical devices or pharmaceuticals also have legal obligations regarding the surveillance of the market (e.g. collection and assessment of side effect reports).
Oncare is data controller for Product Safety Data.
Types of Data: Case reports, personal data provided in an incident report and results of evaluation.
Processing of Product Safety Data: We will store and assess any personal data related to our legal obligations as manufacturer of a medical device and transfer such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory responsibilities. In addition, we will store and transfer personal data related to medical devices and/or pharmaceuticals, if we receive any notices by your Health Care Provider, by you as patient or any third person (e.g. our distributors or importers of the myoncare Tools in your country) that has to be reported to the manufacturer of the product to enable the manufacturer to fulfill its legal product safety obligations.
Justification of processing of Product Safety Data: Legal basis for the processing of personal data to fulfill legal obligations as medical device or pharmaceutical manufacturer is Art. 9 Paragraph 2 lit. i EU GDPR in accordance with the post-market surveillance obligations provided by the German Medical Device Act and Medical Device Directive (from 26 May 2021 on regulated in Chapter VII of the new Medical Device Regulation (EU) 2017/745) and/or German Pharmaceutical Act.
PROCESSING OF REIMBURSEMENT DATA
– Applicable to App Users using the App with their Health Care Provider for reimbursement purposes –
myoncare App will support your Health Care Provider to start standard reimbursement processes for the health services provided to you via myoncare App. To enable the reimbursement process, myoncare App will support the collection of your personal (health) data by your Healh Care Provider for transfer of such data to your cost payer (either his/her Association of Statutory Health Insurances and/or your health insurer). This data processing is just an initial data transfer for the Health Care Provider to receive reimbursement by your health insurer. The kind and amount of personal data processed does not differ to other reimbursement routines of the Health Care Provider. Your Health Care Provider is data controller for Reimbursement Data. Oncare is acting as data processor based on the data processing agreement with your Health Care Provider.
Types of Data: Name, diagnosis, indications, treatment, period of treatment, other data required for reimbursement administration.
Processing of Reimbursement Data: Your Health Care Provider will transfer your Treatment Data required to receive reimbursement to the cost payer (either his/her Association of Statutory Health Insurances and/or your health insurer) and the cost payer will process the Reimbursement Data to provide reimbursement to your Health Care Provider.
Justification of processing of Reimbursement Data: The Reimbursement Data are processed on the basis of Sec. 295 and Sec. 301 German Social Code V. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 28 GDPR (data processing agreement).
PROCESSING OF CORPORATE HEALTH MANAGEMENT DATA
– Applicable to App Users using the App with the corporate health management program of their Company –
During the use of myoncare App in the corporate health management program of your Company, certain personal (health) data will be shared in an aggregated form as Corporate Health Management Data with your Company and any Data Service Providers (e.g. data analyst or research companies) engaged by your Company. Neither your Company nor any Data Service Provider will be able to allocate such data to your identity. Oncare recommends not to share personal information when using the myoncare Services in the context of corporate health management.
We process such Corporate Health Management Data, including your health data, under an agreement with and in accordance with the instructions of your Company and/or any Data Service Providers. For the purposes of this agreement, the Company is responsible for processing your Corporate Health Management Data as data controller, and Oncare as well as any Data Service Provider engaged by your Company, if any, are the processor of such data. This means that Oncare and any Data Service Provider process the Corporate Health Management Data only according to the instructions of the Company. If you have any questions or concerns regarding the processing of your Corporate Health Management Data , you should primarily contact your Company.
Purposes of Corporate Health Management Data processing: We process your Corporate Health Management Data to be able to provide our myoncare Services to your Company and to you. Your Corporate Health Management Data, which you enter in our myoncare App, will be used by your Company (either directly or via a Data Service Provider) in its corporate health management program. We process this Corporate Health Management Data as part of an agreement with and in accordance with the instructions of your Company and/or any Data Service Provider for its corporate health management program. The transmission of this Corporate Health Management Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Company.
Justification of processing of Corporate Health Management Data: Your Corporate Health Management Data will be processed by your Company in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR or any other legal justification valid for your Company. The processing of data by Oncare to Company (either directly or via any service provider engaged by your Company) is, in addition, based on Art. 28 GDPR (data processing agreement)
Your Company as data controller will be responsible to obtain your consent if required due to data protection regulations and process the Corporate Health Management Data according to applicable data protection legislation.
SECURE TRANSFER OF PERSONAL DATA
We implement the appropriate technical and organizational security measures to ensure the optimal protection of the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.
The data exchange to and from the App is encrypted. We use TLS and SSL as encryption protocols for secure data transmission. In addition, data exchange is end-to-end encrypted and takes place using pseudo-keys.
DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES
We will only transmit your personal data to third parties within the scope of given statutory provisions or based on your consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities).
All transfer of personal data is encrypted during transfer.
GENERAL INFORMATION ON CONSENT TO DATA PROCESSING
Your consent also constitutes permission to data processing under data privacy law. Before granting your consent, we will inform you about the purpose of the data processing and your right of objection.
If the consent also relates to the processing of special categories of personal data, myoncare App will explicitly notify you in the consent process. Processing of special categories of personal data according to Art. 9 Paragraph 1 EU GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such personal data or you have given consent to the processing of this personal data according to Art. 9 Paragraph 2 EU GDPR.
For the data processing for which your consent is required (as explained in this Privacy Notice), the consent will be requested during registration process. After successful registration, the consents can be managed in the account settings of myoncare App.
DATA RECIPIENTS / CATEGORIES OF RECIPIENTS
In our organization, we ensure that only those persons are entitled to process personal data who are required to do so in order to fulfill their contractual and statutory duties. Your personal data and health data that you enter in our myoncare App will be made available to your Health Care Provider and/or Company either directly or via a Data Service Provider (depending on the type of use of myoncare Tools).
In certain cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers which are data processor for the personal data. These service providers are Hetzner Online and Google (Google Firebase). Google Firebase is a “NoSQL database” that enables synchronization between the myoncare Portal of your Health Care Provider and the myoncare App. NoSQL defines a mechanism of storing data which is modeled in means other than just tabular relations by allowing for easier “horizontal” scaling compared to tabular/ relational database management systems in a cluster of machines.
For this purpose, a pseudo key of the myoncare App is stored in Google Firebase along with the corresponding Careplan. The data transfer is pseudonymized to Oncare and its service providers which means that Oncare and its service providers cannot relate to you as a data subject. This is achieved by encryption of the data during transfer between you and your Health Care Provider or Company (either directly or to any Data Service Provider) and the use of pseudo-keys instead of personal identifiers such as names or e-mail addresses to track these transfers. Re-identification happens once the personal data has reached the account of your Health Care Provider or Company in myoncare Portal or your account in myoncare App after verification via specific tokens.
Hetzner Online provides cloud storage in which the Firebase Manager, which manages the Firebase URLs for the myoncare Portal, is stored. In addition, Hetzner Online provides the isolated server domain of myoncare Portal in which your personal data is stored. Hetzner Online also hosts myoncare’s video and file management services, which enable encrypted video conferencing and exchange of files between you and your Health Care Provider, respectively. Access to your personal data by you and your Health Care Provider is ensured by sending specific tokens. This personal data is encrypted during transfer and pseudonymized during transfer and at rest to Oncare and its service providers. Service providers of Oncare do not have access to this personal data at any time.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
No personal data collected by this myoncare App will be stored in the app stores. Personal Data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is necessary for the performance of the contractual obligation, is required by law or you have given us your consent.
Synchronization of myoncare App with myoncare Portal takes place via Google Firebase. The Google Firebase servers are hosted in the EU.However, according to the Google Firebase Terms of Service, transient data transfers in countries where Google and its’ service providers have establishments are possible; in the case of certain Google Firebase services, data is only transmitted to the USA, insofar as no processing takes place in the European Union or the European Economic Area. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Hetzner Online is hosted in Nuremberg, Germany.
In order to process Activity Data, interfaces to Google cloud services (in case of GoogleFit) or to AppleHealth within the mobile device of the App User are used. myoncare Tools use these interfaces which are provided by Google and Apple, to request Activity Data from connected Health Apps. The request sent by myoncare Tools does not contain personal data but personal data is provided to myoncare Tools via these interfaces.
PERIOD OF PERSONAL DATA STORAGE
We store your personal data as long as they are needed for the respective processing purpose. Please note that numerous retention periods dictate that personal data must continue to be stored. This applies in particular to commercial law or tax law storage obligations (e.g. Commercial Code, Tax Code, etc.). In addition, your Health Care Provider also has to ensure storage of your medical files (varies between 1 and 30 years, depending on the nature of documents).
Please note that Oncare is also subject to storage obligations which are contractually agreed with your Health Care Provider on the basis of legal provisions. In addition, and only if your Health Care Provider uses the medical device variant of myoncare Tools, certain storage periods arising from medical device law are applicable to the App. If there are no further storage obligations, the personal data is routinely deleted once the purpose has been achieved.
In addition, we can store personal data if you have given us your permission to do so or if legal disputes arise and we use evidence within the framework of statutory limitation periods, which can be up to thirty years; the regular limitation period is three years.
OBLIGATION TO PROVIDE PERSONAL DATA
Various personal data are necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare App and the various functions it provides.
We have summarized the details for you in the above point. In certain cases, personal data must also be collected or made available in accordance with statutory provisions. Please note that it is not possible to process your enquiry or to execute the underlying contractual obligation without providing this personal data.
GRANTED ACCESS RIGHTS
In order for the myoncare App to work on your device, it is necessary for the App to be granted various permissions to access certain functions of the device. For all devices, independent from the operating system used, it is necessary to grant the App certain permissions, which we call “basic permissions”. Depending on the operating system of the device you are using, it may have additional features that require additional permissions to make the app work. If applicable, we will list them in order of operating system (Android or iOS) after the “basic conditions”.
The basic permissions (Android and iOS) are:
- Retrieve WLAN connections
Required to ensure the functionality of the document download in connection with WLAN connections.
- Retrieve Network Connections
Required to ensure document download functionality in connection with network connections that are not WLAN connections.
- Disable screen lock (prevent stand-by mode)
Required so that the videos that are among the provided documents can be played directly in the app without being interrupted by screen lock.
- Access all networks
Access to all networks is required to download documents.
- Disable sleep mode
This is necessary so that the videos that are among the provided documents can be played directly in the app, without the playback being interrupted by the occurrence of sleep mode.
- Mobile data / access to mobile data
If the user wishes to download documents exclusively via WLAN, he can make the appropriate setting in the menu of the app and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of deactivating document downloads via mobile data.
- Camera access
Camera access is required for scanning of QR codes and for video consultations.
- Microphone access
This is required for video consultations.
- Access to files and photos
This is necessary for the exchange of files between you and your connected Portal Users.
- Access to web browsers
This is necessary to view received files from your connected Portal Users.
We use push notifications, which are messages sent to your mobile device as a service of the myoncare App via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The service provider’s privacy policy governs the access, use, and disclosure of personal information as a result of your use of these services.
AUTOMATED DECISIONS IN INDIVIDUAL CASES
We do not use purely automated processing to make decisions.
YOUR RIGHTS AS DATA SUBJECT
We would like to inform you of your rights as a data subject. These rights are set out in articles 15 – 22 EU GDPR and include:
- Right of access (Art. 15 EU GDPR): You have the right be provided with a copy of any personal data that we hold about you;
- Right to erasure / right to be forgotten (Art. 17 EU GDPR): You can request us, without undue delay, to delete your personal data collected and processed by us. In this case, we will ask you to delete the myoncare App including your UID (unique identification number) from your smartphone/mobile phone.
- Right to rectification (Art. 16 EU GDPR): You can require us to update or correct any inaccurate personal data or to complete any incomplete personal data;
- Right to data portability (Art. 20 EU GDPR): In general, you can request us to provide you with personal data which you have provided to us and which are processed by using automated means, based on your consent or the performance of a contract with you, in machine readable format so that they can be “ported” to a replacement service provider.
- Right to restriction of data processing (Art. 18 EU GDPR): You can require us to “restrict” our use of your information, so that we can continue the use your information only subject to restrictions;
- Right to object to data processing (Art. 21 EU GDPR): You have the right to object to our use of your personal data and to revoke your consent at any time, if we process your personal data based on your consent. We will continue to provide our services if they do not depend on the consent that has been revoked.
To exercise these rights, please primarily contact your Health Care Provider or your Company or us at privacy@myoncare.com. We will require you to provide satisfactory proof of your identity to ensure that your rights are protected and that your personal data is disclosed only to you and not to any third person.
Please also contact us at any time at privacy@myoncare.com, if you have questions about data processing in our company or if you wish to revoke your consent. You also have the right to contact the relevant data protection supervisory authority.
DATA PROTECTION OFFICER
You can contact our data protection officer to answer all data protection questions at privacy@myoncare.com.
AGE RESTRICTION OF THE APPLICATION
A minimum age of 18 years is required to use myoncare App. If you are below 18 years old, your legal guardian will have to provide the privacy consent required to use the App.
CHANGES TO PRIVACY NOTICE
We explicitly reserve our right to modify this Privacy Notice in future at our own discretion. Modifications or additions may, for instance, be necessary to meet statutory requirements, correspond with technical and economic developments or to meet the interests of the App or Portal Users.
Any modifications are possible at any time and will be published in an appropriate manner and in an appropriate time frame to you before they take effect (e.g. by posting revised Privacy Notice at login or by providing advance notice to you of material changes).
ONCARE GmbH
Postal address
Balanstraße 71a
81541 Munich, Germany
T | +49 (0) 89 4445 1156
F | +49 (0) 89 4445 1157
Contact info of the data protection officer:
Last updated 07 April 2022.
* * * *
U.S. PRIVACY POLICY
Welcome to myoncare, the digital health portal and mobile app (“App”) for efficient and needs-oriented patient care and support for corporate health management programs.
This Privacy Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Privacy Notice tells you why and how Oncare processes your personal (health) information / data which we collect from you or which you provide to us, when you decide to use myoncare App.
For us at Oncare GmbH (hereinafter referred to as “Oncare” or “we”, “us”, “our”), the protection of your privacy and any personal data relating to you while using the myoncare App is of major relevance and importance. We are aware of the responsibilities arising from your trust to provide and save your personal (health) data in the myoncare App. Therefore, our technology systems used for myoncare Services are set up according to the highest standards and the lawful processing of personal data is core to our business ethics.
All information collected and stored by us or added by Health Care Providers is considered Protected Health Information (“PHI”) and/or medical information and is governed by laws that apply to that information, for example the Health Insurance Portability and Accountability Act (HIPAA). We are required by law to maintain the privacy and security of your protected health information.
How we use and disclose such PHI is in accordance with the applicable Notice of Privacy Practices. To understand how we use and disclose PHI, you should review the Notice of Privacy Practices. We continuously seek to safeguard your health information through administrative, physical, and technical means, and otherwise abide by applicable federal and state laws.
Please read this Privacy Notice carefully to ensure that you understand each provision. After reading the Privacy Notice, you will have the option to consent to the Privacy Notice and the processing of your personal (health) data as described in this Privacy Note. If you give consent, the Privacy Notice will be part of the contract between you and Oncare. We must follow the duties and privacy practices described in this notice. We will not use or share your information other than as described here.
DEFINITIONS
“App User” means any user of the myoncare App (Patient and/or employee).
“Company” means your employer, if you and your employer are using myoncare Tools for the employer’s corporate health management program.
„Covered Entity“ means: A health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
“Data Service Provider” means any agent engaged and instructed by Company for collection, screening and interpretation of pseudonymized or anonymized employee data in corporate health management programs based on a separate service agreement with the Company (e.g. data analyst, general health prevention services, data evaluation services etc.) and as identified by a separate information sheet to the employees.
“EU General Data Protection Regulation”. The General Data Protection Regulation (GDPR) is a European privacy law. The regulation was put into effect on May 25, 2018. GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not. So the GDPR applies also to you as a U.S. citizen, because Oncare has its place of business in Germany.
“Health Care Provider” means your doctor, clinic, health care institutions or other health care professional acting on its own or on behalf of your doctor, clinic or health care institutions.
“Health information” means any information, including genetic information, whether oral or recorded in any form or medium, that:
– Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
– Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. “Protected health information” or “PHI” means individually identifiable health information that is (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.
“Health Insurance Portability and Accountability Act”, “HIPAA” or the “Law”. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”
“myoncare App” means the myoncare mobile app intended for the use by patients or employees who want to use the services provided by Oncare.
“myoncare Portal” means the myoncare web-portal intended for professional use by Portal Users and functioning as interface between such Portal Users and App Users.
“myoncare Services” means the services, functionalities and other offerings which are or may be offered to Portal Users via the myoncare Portal and/or to App users via the myoncare App, as applicable.
“myoncare Tools” means both, myoncare App and myoncare Portal, together.
„Oncare“ or “We” means ONCARE GmbH, Germany.
“Portal User” means any Health Care Provider, Company or Data Service Provider using the web-based myoncare Portal.
“Privacy Notice” means this statement made to you as patient or employee and user of the myoncare App that describes how we collect, use and retain your personal information, and provides you with information on your comprehensive rights.
“Standard Terms” means the Standard Terms and Conditions for using the myoncare App.
RESPONSIBLE ENTITY
Oncare GmbH, a company registered with the Munich Local Court with the Register number 219909 with its offices located at Herrenwiesstr. 12, 82031 Gruenwald, Germany, offers and operates the mobile application myoncare App giving access to myoncare Services. This Privacy Notice applies to all personal data processing by Oncare related to the use of myoncare App.
Oncare is a “business associate” (as that term is used under HIPAA) that provides services to and for health care providers and health care plans, referred to as “covered entities” under HIPAA, and enters into business associate agreements with these covered entities. Oncare will use and disclose PHI only in accordance with the business associate agreements and HIPAA.
We are required by U.S. law to maintain the privacy and security of your protected health information.
We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
We must follow the duties and privacy practices described in this notice and give you a copy of it upon request.
We never sell identifiable personal information.
We will not use or share your information other than as described here unless you tell us we can.
U.S. Federal and state laws may place additional limitations on the disclosure of your health information related to drug or alcohol abuse treatment programs, sexually transmitted diseases, genetic information, or mental health treatment programs. When required by law, we will obtain your authorization before releasing this type of information.
WHAT IS PERSONAL DATA ACCORDING TO GDPR
We process your personal data in accordance with the applicable legal provisions for the protection of personal data, in particular the EU General Data Protection Regulation and the country-specific laws applicable to us. In particular, you will find a description of the personal data, which we collect and process as well as the purpose and on which basis we are processing the personal data and the rights to which you are entitled.
“Personal data” is all information that makes it possible to identify a natural person. In particular, this includes your name, date of birth, address, telephone number, e-mail address and IP address. “Health data” is personal data that relates to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data is considered “anonymous” if no personal reference to the person/user can be made. In contrast, “pseudonymized” data is data from which personal reference or personal identifiable information is replaced by one or more artificial identifiers, or pseudonyms, but which can, in general, be re-identified by the identifier key.
WHICH HEALTH INFORMATION / PERSONAL DATA WILL BE PROCESSED WHILE USING MYONCARE APP
We use and disclose your health information for the normal business activities that the law sees as falling in the categories of treatment and healthcare operations. We may process the following health information / data categories about you while using the myoncare App:
- Operational information: Personal information provided to us when you register to our myoncare App, contact us regarding any problems with the App or otherwise interact with us with the purpose of using the App (“Operational Data”);
- Treatment information: You or your Health Care Provider will enter personal information, such as name, age, height, weight, indication, disease symptoms and further information in connection with your treatment (e.g. in a care plan) with the support of myoncare App (“Treatment Data”). Treatment Data are, therefore, personal data which are collected or processed, when you interact with your Health Care Provider via myoncare App;
- Activity information: Personal information which will be processed by us when you connect myoncare App to a Health App (e.g. AppleHealth, GoogleFit). Your Activity information is transferred to your connected Health Care Provider as Portal User.
- Product Safety information: Personal information which will be processed to fulfill our legal obligations as manufacturer of the myoncare App as medical device. In addition, your personal information may be processed to fulfill legal safety or vigilance purposes of medical device or pharmaceutical companies. (“Product Safety Data”).
- Reimbursement information: Personal data which are required for the reimbursement process between your Healh Care Provider and your heath insurer (“Reimbursement Data”).
- Corporate Health Management Information: Personal or aggregated information which will be collected in concrete projects and questionnaires as asked by your employer (either directly or by Service Provider engaged by your Company). The information may relate to certain health information, your opinion regarding your personal well-being, your opinion as employee to a specific internal or external situation or data regarding the care or health situation in general (“Corporate Health Management Data”).
PROCESSING OF OPERATIONAL DATA
– Applicable to all App Users –
You might provide us with certain personal data in case you are contacting us to understand or discuss the functions and usage of the App or in case of a service request.
In the event of a service request, the following personal data may also be viewed by authorized Oncare employees:
- The personal data that you have provided to your Health Care Provider through our App (e.g. name, date of birth, profile picture, contact details)
- The health information you have provided to your Health Care Provider, the Data Service Provider or Company through our myoncare App (e.g., information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks)
Authorized Oncare employees who have access to your Health Care Provider’s, Data Service Provider’s or Company’s database for the purpose of processing a service request are contractually required to keep all personal information strictly confidential.
When myoncare App is downloaded, the necessary information is transferred to the app store provider. We have no influence on this data collection and are not responsible for it. We process the personal data provided to us by the provider of the app store within the framework of our contractual relationship for the purpose of further developing our myoncare Apps and Services.
For the processing of Operational Data, Oncare acts as data controller responsible for the legitimate processing of your personal data.
Types of Data: Your name, e-mail-address, date of birth, registration date, pseudo keys generated by the app; device token to identify your device, your pseudo identification number, your IP address, type and version of the operating system used by your device.
The app uses Google Maps API to use geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions. For more information about the scope, legal basis and purpose of data processing by Google as well as the storage period, please refer to Google’s privacy policy.
Purposes of processing of Operational Data: We use the Operational Data to maintain the functionalities of myoncare App and to get in direct contact with you if required or initiated by you (e.g. in case of change of Standard Terms, necessary support, technical problems etc.).
Justification of Processing: The processing of Operational Data is justified based on Article 6 Paragraph 1 lit. b EU GDPR to fulfill the contract you conclude with Oncare for the purpose of the use of myoncare App.
PROCESSING OF TREATMENT HEALTH INFORMATION / DATA
– Applicable to App Users using the App with their Health Care Provider –
During the use of myoncare App, your doctor, a clinic or other health care provider treating you (“Health Care Provider”) will enter your health information / personal data to myoncare Portal to start myoncare Services (e.g. provision of individual Careplan, reminder for intake of medicines etc.). In addition, you and your Health Care Provider will be able to upload documents and files related to you to myoncare App and myoncare Portal and can share the files with the other. Your Health Care Provider can upload a privacy policy for your information and define other consent requirements for you as a patient, for which your consent must be given. The files will be stored in a cloud database hosted in Germany. Your Health Care Professional can allow sharing such files with other Portal Users of his institution for medical reasons, but other Portal Users will not be able to access the files.
Your Health Care Provider will be responsible for a legitimate processing of the health information / personal data.
We process such health information / personal data, including your health data, under an agreement with and in accordance with the instructions of your Health Care Provider. For the purposes of this agreement, the Health Care Provider is responsible of processing your health information / personal data and health data within the meaning of applicable data protection laws. This means that Oncare processes the health information / personal Data only according to the instructions of the Health Care Provider. If you have any questions or concerns regarding the processing of your health information / personal data or health data, you should primarily contact your Health Care Provider.
Types of Data: Name, date of birth, profile information, contact details and also health data, such as symptoms, photos, information about medications taken, responses to questionnaires including disease-related or condition-related information, diagnoses and therapies provided by health care professionals, planned and completed tasks.
Purposes of Treatment Data processing: We process your Treatment Health Information / Data to be able to provide our myoncare Services to your Health Care Provider and to you. Your health data, which you enter in our myoncare App, will be used by your Health Care Provider for consultation and support to you. We process this health information / personal data as part of an agreement with and in accordance with the instructions of your Health Care Provider. The transmission of this Treatment Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Health Care Provider.
Your doctor will be responsible to obtain your consent. Even if you can use myoncare App without such consent, most of the functions will not work anymore (e.g. sharing of data with your Health Care Provider). Therefore, denial or revocation of consent to process Treatment Health Information / Data will lead to a heavy limitation of functionality of the App services and your doctor will not be able to support you via myoncare App anymore.
GDPR Rules
Justification of processing of Treatment Health Information / Data: Your personal health information / data will be processed by your Health Care Provider in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from Art. 9 Paragraph 2 lit. h EU GDPR for health data as special sensitive data as well as your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR. The processing of data by Oncare for your Health Care Provider is, in addition, based on Art. 28 GDPR (data processing agreement)
PROCESSING OF ACTIVITY DATA
– Only applicable if you agree to share Activity Data via myoncare Tools
myoncare Tools offer you the possibility to connect the myoncare App to certain health apps (e.g. AppleHealth, GoogleFit), that you are using (“Health App”). To enable processing of Activity Data, we are asking you to consent to the processing beforehand. If the connection is established after you granted your consent, Activity Data collected by the Health App is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them. Please note that Activity Data are not validated by myoncare Tools and shall not be used by your connected Portal Users for diagnostic purposes or the basis for medical decision making. Please also note, that your connected Portal Users are not required to monitor your Activity Data or provide any feedback to you regarding your Activity Data.
Activity Data is shared with your connected Portal Users each time you start myoncare App. At any time you can revoke your consent to share your Activity Data from within the settings in myoncare App. Please note that your Activity Data are not shared anymore from this time point onwards. Already shared Activity Data will not be deleted from the myoncare Portal of your connected Portal Users.
The processing of Activity Data by you falls within your own data responsibility.
Types of data: The type and extent of data transferred depend on your decision and the data available in your connected Health App. Data can include, inter alia, weight, height, taken steps, burned calories, hours of sleep, heart rate and blood pressure.
Purposes of processing of Activity Data: Your Activity Data is transferred to your connected Portal Users with the purpose of providing additional, contextual information about your activity to them.
Justification of Processing: The processing of the Activity Data is done under your own responsibility.
PROCESSING OF PRODUCT SAFETY DATA
– Applicable to App Users whose Health Care Provider uses the medical device variant of myoncare Tools-
myoncare App is classified and marketed as medical device according to the European medical device regulations. As manufacturer of the App, we have to fulfill certain legal obligations (e.g. surveillance of functionality of the App, evaluation of incident reports which might be connected to the use of the App, tracking of users etc.). In addition, your Health Care Provider and you might communicate and collect personal data in myoncare App regarding specific medical devices or pharmaceuticals used in your treatment. The manufacturers of such medical devices or pharmaceuticals also have legal obligations regarding the surveillance of the market (e.g. collection and assessment of side effect reports).
Types of Data: Case reports, personal data provided in an incident report and results of evaluation.
Processing of Product Safety Data: We will store and assess any personal data related to our legal obligations as manufacturer of a medical device and transfer such personal data (if possible after pseudonymization) to competent authorities, notified bodies or other data controllers with supervisory responsibilities. In addition, we will store and transfer personal data related to medical devices and/or pharmaceuticals, if we receive any notices by your Health Care Provider, by you as patient or any third person (e.g. our distributors or importers of the myoncare Tools in your country) that has to be reported to the manufacturer of the product to enable the manufacturer to fulfill its legal product safety obligations.
GDPR Rules
Oncare is data controller for Product Safety Data.
Justification of processing of Product Safety Data: Legal basis for the processing of personal data to fulfill legal obligations as medical device or pharmaceutical manufacturer is Art. 9 Paragraph 2 lit. i EU GDPR in accordance with the post-market surveillance obligations provided by the German Medical Device Act and Medical Device Directive (from 26 May 2021 on regulated in Chapter VII of the new Medical Device Regulation (EU) 2017/745) and/or German Pharmaceutical Act.
PROCESSING OF CORPORATE HEALTH MANAGEMENT DATA
– Applicable to App Users using the App with the corporate health management program of their Employer-
During the use of myoncare App in the corporate health management program of your Company, certain personal (health) data will be shared in an aggregated form as Corporate Health Management Data with your Company and any Data Service Providers (e.g. data analyst or research companies) engaged by your Company. Neither your Company nor any Data Service Provider will be able to allocate such data to your identity. Oncare recommends not to share personal information when using the myoncare Services in the context of corporate health management.
We process such Corporate Health Management Data, including your health data, under an agreement with and in accordance with the instructions of your Company and/or any Data Service Providers. For the purposes of this agreement, the Company is responsible for processing your Corporate Health Management Data as data controller, and Oncare as well as any Data Service Provider engaged by your Company, if any, are the processor of such data. This means that Oncare and any Data Service Provider process the Corporate Health Management Data only according to the instructions of the Company. If you have any questions or concerns regarding the processing of your Corporate Health Management Data , you should primarily contact your Company.
Purposes of Corporate Health Management Data processing: We process your Corporate Health Management Data to be able to provide our myoncare Services to your Company and to you. Your Corporate Health Management Data, which you enter in our myoncare App, will be used by your Company (either directly or via a Data Service Provider) in its corporate health management program. We process this Corporate Health Management Data as part of an agreement with and in accordance with the instructions of your Company and/or any Data Service Provider for its corporate health management program. The transmission of this Corporate Health Management Data is pseudonymized and encrypted. To exercise your rights as a data subject, please contact your Company.
GDPR Rules
Justification of processing of Corporate Health Management Data: Your Corporate Health Management Data will be processed by your Company in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. Legal basis for data processing in particular arise from your consent according to Art. 6 Paragraph 1 lit. a and 9 Paragraph 2 lit. a EU GDPR or any other legal justification valid for your Company. The processing of data by Oncare to Company (either directly or via any service provider engaged by your Company) is, in addition, based on Art. 28 GDPR (data processing agreement)
Your Company as data controller will be responsible to obtain your consent if required due to data protection regulations and process the Corporate Health Management Data according to applicable data protection legislation.
SECURE TRANSFER OF PERSONAL DATA
We implement the appropriate technical and organizational security measures to ensure the optimal protection of the personal data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.
The data exchange to and from the App is encrypted. We use TLS and SSL as encryption protocols for secure data transmission. In addition, data exchange is end-to-end encrypted and takes place using pseudo-keys.
DATA TRANSFERS / DISCLOSURE TO THIRD PARTIES
We will only transmit your health information / personal data to third parties within the scope of given statutory provisions or based on your consent. In all other cases, information will not be transferred to third parties unless we are obliged to do so owing to mandatory legal regulations (disclosure to external bodies, including the supervisory authorities or law enforcement authorities). All transfer of personal data is encrypted during transfer.
We will share information about you if U.S. state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law. We may also use and disclose your health information to:
– Comply with federal, state or local laws that require disclosure.
– Assist in public health activities such as tracking diseases or medical devices.
– Inform authorities to protect victims of abuse or neglect.
– Comply with federal and state health oversight activities such as fraud investigations.
– Respond to law enforcement officials or to judicial orders, subpoenas or other processes.
– Conduct research following internal review protocols to ensure the balancing of privacy and research needs.
– Avert a serious threat to health or safety.
GENERAL INFORMATION ON CONSENT TO DATA PROCESSING
Your consent also constitutes permission to health information / data processing under data privacy law. Before granting your consent, we will inform you about the purpose of the processing and your right of objection. If the consent also relates to the processing of special categories of personal health information / data, myoncare App will explicitly notify you in the consent process.
For the health information / data processing for which your consent is required (as explained in this Privacy Notice), the consent will be requested during registration process. After successful registration, the consents can be managed in the account settings of myoncare App.
GDPR Rules
Processing of special categories of personal data according to Art. 9 Paragraph 1 EU GDPR may only take place where necessary on the grounds of legal regulations and there is no reason to assume that your legitimate interests should prevail to the exclusion of processing such personal data or you have given consent to the processing of this personal data according to Art. 9 Paragraph 2 EU GDPR.
DATA RECIPIENTS / CATEGORIES OF RECIPIENTS
In our organization, we ensure that only those persons are entitled to process personal data who are required to do so in order to fulfill their contractual and statutory duties. Your personal data and health data that you enter in our myoncare App will be made available to your Health Care Provider and/or Company either directly or via a Data Service Provider (depending on the type of use of myoncare Tools).
In certain cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers which are data processor for the personal data. These service providers are Hetzner Online and Google (Google Firebase). Google Firebase is a “NoSQL database” that enables synchronization between the myoncare Portal of your Health Care Provider and the myoncare App. NoSQL defines a mechanism of storing data which is modeled in means other than just tabular relations by allowing for easier “horizontal” scaling compared to tabular/ relational database management systems in a cluster of machines.
For this purpose, a pseudo key of the myoncare App is stored in Google Firebase along with the corresponding Careplan. The data transfer is pseudonymized to Oncare and its service providers which means that Oncare and its service providers cannot relate to you as a data subject. This is achieved by encryption of the data during transfer between you and your Health Care Provider or Company (either directly or to any Data Service Provider) and the use of pseudo-keys instead of personal identifiers such as names or e-mail addresses to track these transfers. Re-identification happens once the personal data has reached the account of your Health Care Provider or Company in myoncare Portal or your account in myoncare App after verification via specific tokens.
Hetzner Online provides cloud storage in which the Firebase Manager, which manages the Firebase URLs for the myoncare Portal, is stored. In addition, Hetzner Online provides the isolated server domain of myoncare Portal in which your personal data is stored. Hetzner Online also hosts myoncare’s video and file management services, which enable encrypted video conferencing and exchange of files between you and your Health Care Provider, respectively. Access to your personal data by you and your Health Care Provider is ensured by sending specific tokens. This personal data is encrypted during transfer and pseudonymized during transfer and at rest to Oncare and its service providers. Service providers of Oncare do not have access to this personal data at any time.
TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
Personal Data will only be transferred to third countries if this is necessary for the performance of the contractual obligation, is required by law or you have given us your consent
Synchronization of myoncare App with myoncare Portal takes place via Google Firebase. The Google Firebase servers are hosted in the EU. However, according to the Google Firebase Terms of Service, transient data transfers in countries where Google and its’ service providers have establishments are possible; in the case of certain Google Firebase services, data is only transmitted to the US, insofar as no processing takes place in the European Union or the European Economic Area. Unauthorized access to your data is prevented by end-to-end encryption and secure access tokens. Hetzner Online is hosted in Nuremberg, Germany.
In order to process Activity Data, interfaces to Google cloud services (in case of GoogleFit) or to AppleHealth within the mobile device of the App User are used. myoncare Tools use these interfaces which are provided by Google and Apple, to request Activity Data from connected Health Apps. The request sent by myoncare Tools does not contain personal data but personal data is provided to myoncare Tools via these interfaces.
PERIOD OF PERSONAL DATA STORAGE ACCORDING TO GDPR
We store your personal data as long as they are needed for the respective processing purpose. Please note that numerous retention periods dictate that personal data must continue to be stored. This applies in particular to commercial law or tax law storage obligations (e.g. Commercial Code, Tax Code, etc.). In addition, your Health Care Provider also has to ensure storage of your medical files (varies between 1 and 30 years, depending on the nature of documents).
Please note that Oncare is also subject to storage obligations which are contractually agreed with your Health Care Provider on the basis of legal provisions. In addition, and only if your Health Care Provider uses the medical device variant of myoncare Tools, certain storage periods arising from medical device law are applicable to the App. If there are no further storage obligations, the personal data is routinely deleted once the purpose has been achieved.
In addition, we can store personal data if you have given us your permission to do so or if legal disputes arise and we use evidence within the framework of statutory limitation periods, which can be up to thirty years; the regular limitation period is three years.
OBLIGATION TO PROVIDE PERSONAL DATA
Various personal data are necessary for the establishment, performance and termination of the contractual relationship and the fulfillment of the associated contractual and legal obligations. The same applies to the use of our myoncare App and the various functions it provides.
We have summarized the details for you in the above point. In certain cases, personal data must also be collected or made available in accordance with statutory provisions. Please note that it is not possible to process your enquiry or to execute the underlying contractual obligation without providing this personal data.
GRANTED ACCESS RIGHTS
In order for the myoncare App to work on your device, it is necessary for the App to be granted various permissions to access certain functions of the device. For all devices, independent from the operating system used, it is necessary to grant the App certain permissions, which we call “basic permissions”. Depending on the operating system of the device you are using, it may have additional features that require additional permissions to make the app work. If applicable, we will list them in order of operating system (Android or iOS) after the “basic conditions”.
The basic permissions (Android and iOS) are:
- Retrieve WLAN connections
Required to ensure the functionality of the document download in connection with WLAN connections.
- Retrieve Network Connections
Required to ensure document download functionality in connection with network connections that are not WLAN connections.
- Disable screen lock (prevent stand-by mode)
Required so that the videos that are among the provided documents can be played directly in the app without being interrupted by screen lock.
- Access all networks
Access to all networks is required to download documents.
- Disable sleep mode
This is necessary so that the videos that are among the provided documents can be played directly in the app, without the playback being interrupted by the occurrence of sleep mode.
- Mobile data / access to mobile data
If the user wishes to download documents exclusively via WLAN, he can make the appropriate setting in the menu of the app and deactivate the use of mobile data. Access to mobile data is necessary to ensure the functionality of deactivating document downloads via mobile data.
- Camera access
Camera access is required for scanning of QR codes and for video consultations.
- Microphone access
This is required for video consultations.
- Access to files and photos
This is necessary for the exchange of files between you and your connected Portal Users.
- Access to web browsers
This is necessary to view received files from your connected Portal Users.
We use push notifications, which are messages sent to your mobile device as a service of the myoncare App via services such as Apple Push Notification Service or Google Cloud Messaging Service. These services are standard features of mobile devices. The service provider’s privacy policy governs the access, use, and disclosure of personal information as a result of your use of these services.
AUTOMATED DECISIONS (ACCORDING TO GDPR) IN INDIVIDUAL CASES
We do not use purely automated processing to make decisions.
YOUR HIPAA RIGHTS
You have the HIPAA right to:
– Inspect and copy certain portions of your health information. You may request that your health records is provided to you in an electronic format. A copy or a summary of your health information will be provided, usually within 30 days of your request. A reasonable, cost-based fee will be charged.
– Request amendment of your health information if you feel the health information is incorrect or incomplete. You can ask to correct health information about you that you think is incorrect or incomplete.
– Receive an accounting of certain disclosures of your health information made for the prior six (6) years, although this excludes certain disclosures for treatment, payment, and health care operations. A reasonable, cost-based fee will be charged.
– Request to restrict how to use or disclose your health information. You can ask not to use or share certain health information for treatment, payment, or operations.
– Obtain a paper copy of the notice even if you receive it electronically. You can ask for a paper copy of the notice at any time, even if you have agreed to receive the notice
electronically.
– File a complaint if you believe your privacy rights have been violated. You can file a complaint with the U.S. Department of Health and Human Services by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-800-368-1019 (Toll Free Call) or 1-800-537-7697 (TTD), or visiting https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
Many states have adopted a patient bill of rights applicable to patients of physicians and/or hospitals and other health care facilities. Some of those states require that physicians provide a copy of the bill of rights to their patients.
YOUR RIGHTS AS DATA SUBJECT ACCORDING TO GDPR
We would like to inform you of your rights as a data subject. These rights are set out in articles 15 – 22 EU GDPR and include:
- Right of access (Art. 15 EU GDPR): You have the right be provided with a copy of any personal data that we hold about you;
- Right to erasure / right to be forgotten (Art. 17 EU GDPR): You can request us, without undue delay, to delete your personal data collected and processed by us. In this case, we will ask you to delete the myoncare App including your UID (unique identification number) from your smartphone/mobile phone.
- Right to rectification (Art. 16 EU GDPR): You can require us to update or correct any inaccurate personal data or to complete any incomplete personal data;
- Right to data portability (Art. 20 EU GDPR): In general, you can request us to provide you with personal data which you have provided to us and which are processed by using automated means, based on your consent or the performance of a contract with you, in machine readable format so that they can be “ported” to a replacement service provider.
- Right to restriction of data processing (Art. 18 EU GDPR): You can require us to “restrict” our use of your information, so that we can continue the use your information only subject to restrictions;
- Right to object to data processing (Art. 21 EU GDPR): You have the right to object to our use of your personal data and to revoke your consent at any time, if we process your personal data based on your consent. We will continue to provide our services if they do not depend on the consent that has been revoked.
To exercise these rights, please primarily contact your Health Care Provider or your Company or us at privacy@myoncare.com. We will require you to provide satisfactory proof of your identity to ensure that your rights are protected and that your personal data is disclosed only to you and not to any third person.
Please also contact us at any time at privacy@myoncare.com, if you have questions about data processing in our company or if you wish to revoke your consent. You also have the right to contact the relevant data protection supervisory authority.
FILE A COMPLAINT
If you believe that your privacy has been violated, you may file a complaint with the Secretary of Health and Human Services in Washington, D.C. We will not retaliate or penalize you for filing a complaint with us or the Secretary. To file a complaint with us or receive more information contact:
Phone: +49 (0) 89 4445 1156
Email: privacy@myoncare.com
Address: Balanstraße 71a
81541 Munich, Germany
Attn: Complaint
To file a complaint with the U.S. Department of Health and Human Services write to 200 Independence Ave., S.W., Washington, D.C. 20201, or call 1-800-368-1019 (Toll Free Call) or 1-800-537-7697 (TTD), or file an online complaint at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.
DATA PROTECTION OFFICER ACCORDING TO GDPR
You can contact our data protection officer to answer all data protection questions at privacy@myoncare.com.
AGE RESTRICTION OF THE APPLICATION
A minimum age of 18 years is required to use myoncare App. If you are below 18 years old, your legal guardian will have to provide the privacy consent required to use the App.
CHANGES TO PRIVACY NOTICE
We explicitly reserve our right to modify this Privacy Notice in future at our own discretion. Modifications or additions may, for instance, be necessary to meet statutory requirements, correspond with technical and economic developments or to meet the interests of the App or Portal Users.
Any modifications are possible at any time and will be published in an appropriate manner and in an appropriate time frame to you before they take effect (e.g. by posting revised Privacy Notice at login or by providing advance notice to you of material changes).
ONCARE GmbH
Postal address
Balanstraße 71a
81541 Munich, Germany
T | +49 (0) 89 4445 1156
F | +49 (0) 89 4445 1157
Contact info of the data protection officer:
Last updated 07 April 2022.
* * * *