Privacy Policy of Alcedis GmbH App

I General information on data protection

 

1 Data protection

 

We are pleased that you have expressed interest in us by visiting our online offering. As the operator of this site, Alcedis GmbH takes the responsibility of protecting your personal data very seriously. We treat your personal data as confidential and in accordance with the statutory data protection regulations.

 

This Privacy Policy explains the nature, scope, and purpose of the processing of personal data within our offering and the associated functions and content. This processing begins as soon as you as a user download, install, run or receive content or use additional services. With regard to the terms that are used, including “personal data”, “processing” or “Controller,” we refer to the definitions provided in Art. 4 of the General Data Protection Regulation (GDPR).

 

The app is a computer program that is installed on your mobile device (smartphone with the iOS or Android operating system), which is the environment in which it can run. The app will be available for download from third-party portals (Android Marketplace or Apple’s iTunes App Store).

 

The Alcedis GmbH app serves as a global point of access for all Alcedis eCRFs, and it provides corporate users with a portal to access eCRFs for interventional and non-interventional studies.

 

This Privacy Policy applies to all services offered through the app.

 

 

2 Controller

 

The Controller (app provider) within the meaning of the GDPR and other national data protection laws and regulations is:

 

Alcedis GmbH

Winchesterstr. 3

35394 Gießen

 

Tel: +49 641-94436-0

Fax: +49 641-94436-70

E-Mail: info@alcedis.de

 

Managers: Dr. Elke Heidrich-Lorsbach, Mr. Michael Lorsbach, Mr. Hanno Härtlein

 

 

3 Data Protection Officer

 

The Data Protection Officer of the Controller is:

 

Maxim Fink

Gds Gesellschaft für Datenschutz Mittelhessen mbH

Auf der Appeling 8

35043 Marburg

 

Tel.: 06421 80413 10

E-Mail: datenschutz@gdsm.de

 

 

II Installation of the app

 

To install the app, you may need to first enter into a user agreement with a third party provider (Google Inc. or iTunes SARL, hereinafter referred to as the “Third Party Provider”) in order to access a third party portal or online store (Android Marketplace or iTunes App Store, hereinafter referred to as “Third Party Portal”).

 

Alcedis GmbH is not a party to such an agreement and has no influence over the data processing by the Third Party Provider. The Third Party Provider's Privacy Policy explains which data the Third Party Provider processes, and how, during the Third Party Portal registration process.

 

 

III Registration and encryption

 

In order to be able to use the app to the fullest extent possible, you must be registered with Alcedis GmbH as part of a clinical or non-interventional study. In each case, the app accesses login and user data that was previously registered by the user in the app. This requires the user to sign up for a valid account within the app. The data that is collected during the registration process is required in order to provide the user with access to the services and support.

 

Unauthorized use of the app can be prevented through the use of a PIN code, which can be used to protect the app from being accessed by third parties. The user’s access data can be stored in an encrypted form.

 

 

Your access data is stored on your smartphone using “hardware encryption.” The respective data is decrypted only at the time when the app is launched and unlocked. When you exit or quit the app, the data will be encrypted again. In addition, only encrypted data is stored in device backups.

 

On Android devices, encryption may only be performed if your device/startup screen is secured by a PIN, a pattern or a fingerprint, for example. If this is not the case, you will receive a corresponding notice from the app offering to save the data unencrypted.

 

 

IV Use of the service

 

As soon as you use one of the services via the app or attempt to do so, your mobile device will establish an online connection to the server belonging to Alcedis GmbH’s service provider. Data must be transmitted to the server in order to allow the user to retrieve content on his mobile device.

 

Alcedis GmbH processes the personal data of the users of our app only to the extent that is required to provide a functional app together with our content and services.

 

When you use the app, the service provider of Alcedis GmbH processes data that is required by services in order for them to function. Data is only accessed for this purpose.

 

The following data (so-called server log files) are collected here:

 

– Information about the browser type (version, language version, etc.)

– User operating system

– User IP address

– Date and time of access

– Status information (for example, error messages)

– Called functions/settings

 

Data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

 

We reserve the right to subsequently check this data or to hire a third party to check it if we become aware of any concrete indications of illegal use.

 

Our log files are completely anonymized.

 

 

V Permissions that are unlocked for the app:

 

Depending on the operating system version, you will be asked to grant permission to use various features before installing the app or launching it for the first time. If you decline, you will not be able to install the app. You can grant or revoke the permission later in the operating system settings. You may not be able to use all the features of our app in this case.

 

A large part of the app content (texts, graphics, and functional areas) form part of the app and are also available in offline mode, i.e., when you are not connected to the Internet.

 

However, proper operation of the app requires configuring a set of permissions on the user’s mobile device:

 

Android:

Network status, full Internet access:

This permission is required to enable the sending of an e-mail and to open links to websites, for example.

 

iOS:

Mobile data:

The use of mobile data allows you to retrieve data even outside of an area with WiFi access.

 

 

VI Links to other websites

 

This app may contain hyperlinks to third party websites when they are required. If you follow a hyperlink to any of these websites, please note that we cannot accept any responsibility or guarantee for third-party content or the observance of data protection conditions. Please make sure you are aware of the applicable data protection conditions before you submit personal data to these websites. The respective operators are solely responsible for the content of linked pages. There was no indication that the content of the page that is accessed by the link does not comply with the legal provisions or violates common decency at the time of linking. We ask that you immediately notify us if a third-party site to which we link using hyperlinks does not comply or no longer complies with legal requirements or common decency. The license and usage conditions of the respective operator of the Internet offering apply.

 

We do not pass on any personal data to the third party within the scope of the linking.

 

 

VII Data privacy

 

Appropriate technical and organizational measures are taken to ensure that user personal data are protected against loss, inaccurate modification or unauthorized access by third parties and that by default only the personal data that is required for a particular processing purpose is in fact processed. This obligation applies to the scope of personal data that is collected, the extent of its processing, its retention period, and its accessibility. Such measures must in particular ensure that the personal data of an indefinite number of natural persons is not disclosed by default without the express consent of the data subject.

 

Certain sensitive data is encrypted when it is transmitted.

 

This app uses SSL encryption for the transfer of confidential information for security and privacy reasons.

 

If SSL encryption is enabled, the data that you submit to us will not be able to be read by third parties.

 

 

VIII Legal basis for the processing of personal data

 

In accordance with Art. 13 GDPR, we inform you about the legal basis for the data processing. Unless the legal basis is stated in the Privacy Policy, the following applies:

 

Insofar as personal data is processed with the consent of the data subject, Art. 6 (1) (a) GDPR acts as the legal basis.

 

When processing the personal data that is necessary for processing an agreement to which the data subject is a party, Art. 6 (1) (b) GDPR acts as the legal basis. This also applies to processing operations that are necessary for carrying out precontractual measures.

 

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which the Controller is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

 

In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR acts as the legal basis.

 

If processing is necessary to safeguard a legitimate interest of the Controller or a third party, and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR acts as the legal basis for the processing.

 

 

IX Data deletion and storage period

 

The personal data of the data subject shall be deleted or its processing shall be restricted as soon as the purpose for the processing no longer applies. Furthermore, data may be processed if so provided under EU or national laws or other provisions to which the Controller is subject. The restriction or erasure of data will be carried out even if the storage period prescribed by the above-mentioned standards expires, unless data storage is a necessity for concluding or carrying out an agreement.

 

If the user uninstalls the app on the mobile device, if the user unsubscribes from the service via the app, or if the app is not used for a period of 6 months, the affected data will be deleted immediately, unless conflicting legal or official storage requirements provide otherwise.

 

 

X Rights of the data subject

 

If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against the Controller:

 

1 Right to information

 

You may ask the Controller to confirm whether your personal data is processed by us.

 

If such processing takes place, you can request the following information from the Controller:

 

– The purposes for which the personal data is processed;

– The categories of personal data that are processed;

– The recipients or categories of recipients to which your personal data has been disclosed or are still being disclosed;

– The planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the storage period;

– The existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the Controller or a right to object to such processing;

– The existence of a right of appeal to a supervisory authority;

– All available information on the source of the data if the personal data was not collected from the data subject;

– The existence of an automated decision-making procedure, including profiling under Article 22 (1) and (4) GDPR and (at least in these cases) meaningful information about the utilized logic and the scope and intended impact of such processing on the data subject.

 

You have the right to request information about whether your personal information has been transmitted to a third country or an international organization. In this connection, you can request the appropriate guarantees in accordance with Art. 46 GDPR due to the transmission of information.

 

2 Right to rectification

 

You have a right to request the rectification and/or supplementation of data from the Controller, provided your personal data that is subject to processing is incorrect or incomplete. The Controller must immediately make all necessary corrections.

 

3 Right to restriction of processing

 

You may request the restriction of the processing of your personal data under the following conditions:

 

– If you contest the accuracy of your personal information for a period of time that enables the Controller to verify the accuracy of your personal data;

– The processing is unlawful and you refuse the deletion of personal data, and you instead request the restriction of the use of the personal data;

– The Controller no longer requires personal data for the purposes of processing, but you need it to assert, exercise or defend against legal claims, or

– If you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the Controller prevail over your reasons for objection.

 

If the processing of your personal data has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending against legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the EU or a Member State.

 

If the limitation of processing is instituted in accordance with the above conditions, you will be informed by the Controller before the restriction is lifted.

 

 

4 Right to deletion

 

a) Deletion right

 

You may request the Controller to delete your personal information without delay, and the Controller is required to delete that information immediately if one of the following is true:

 

– Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

– You revoke your consent to data processing in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal basis for processing.

– You file an objection to processing in accordance with Art. 21 (1) GDPR and there are no prior justifiable reasons for processing, or you file an objection to processing in accordance with Art. 21 (2) GDPR.

– Your personal data has been processed unlawfully.

– The deletion of your personal data is required to fulfill a legal obligation under EU law or the law of the Member States to which the Controller is subject.

– The personal data concerning you was collected in relation to information society services that are offered pursuant to Art. 8 (1) GDPR.

 

b) Information that is sent to third parties

 

If the Controller has made your personal data public and is in accordance with Article 17 (1) GDPR obligated to erase this data, then it is obligated while taking into account the available technology and the costs of implementation, including appropriate technical measures, to inform data controllers who process this personal data that you as a data subject have requested the deletion of any links to such personal data or copies or duplicates of such personal data.

 

 

c) Exceptions

 

There is no right to erasure if the processing is necessary

 

– to exercise the right to freedom of expression and information;

– to fulfill a legal obligation required by the law of the EU or of the Member States to which the Controller is subject, or to perform a task of public interest or in the exercise of official authority that is conferred by the Controller;

– for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;

– for archival purposes of public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, insofar as the law referred to in Section (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

– to assert, exercise or defend against legal claims.

 

 

5 Law and information

 

If you have asserted your right of rectification, erasure or restriction of processing against the Controller, it is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or requires a disproportionate effort.

 

You have a right to be informed about these recipients by the Controller.

 

6 Right to data portability

 

You have the right to receive a report of the personally identifiable information that you provide to the Controller in a structured, common, and machine-readable format. In addition, you have the right to pass this data on to another controller without obstruction by the controller to which the personal data was provided, insofar as

 

– the processing is based on prior consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on the basis of an agreement in accordance with Art. 6 (1) (b) GDPR

– the processing is done using automated procedures.

 

In exercising this right, you also have the further right to have the data relating to you transmitted directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons may not be affected.

 

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task in the public interest or in the exercise of official authority that is conferred by the Controller.

 

 

7 Right of objection

 

You have the right at any time, for reasons that arise from your particular situation, to contest the processing of your personal data that is processed pursuant to Art. 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.

 

The Controller will cease to process your personal data unless it can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending against legal claims.

 

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is pursued for such direct advertising.

 

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

 

Regardless of Directive 2002/58/EC, you have the option in a situation where a data processing service is hired of exercising your right to object to the use of automated procedures that use technical specifications.

 

 

8 Right to revoke informed consent related to data protection

 

You have the right to revoke your informed consent related to data protection at any time. The revocation of consent does not affect the legality of the processing that was conducted on the basis of the consent before the revocation.

 

 

9 Automated decision on an individual basis including profiling

 

You have the right not to be subject to a decision based exclusively on automated processing (including profiling) that entails legal consequences against you or significantly impairs you in a similar manner. However, this provision does not apply if the decision

 

– is required for the conclusion or performance of an agreement between you and the Controller,

– is permissible on the basis of EU or Member State laws to which the Controller is subject, and those legal provisions contain adequate measures to safeguard your rights and freedoms as well as your legitimate interests, or

– is taken with your express consent.

 

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and reasonable measures have been taken to protect your rights and freedoms as well as your legitimate interests.

 

If the decision is not based on legal provisions, the Controller will take appropriate measures to uphold the rights and freedoms and your legitimate interests, including at minimum your right to require the Controller to present a person to intervene, who will be allowed to express his own position and to challenge the decision.

 

 

10 Right to appeal the decision before a supervisory authority

 

Without prejudice to any other administrative or judicial remedy, you shall have the right to file a complaint with a supervisory authority, in particular in the Member State of your residence or place of work or the place of alleged infringement if you believe that the processing of your personal data violates the GDPR.

 

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of seeking a judicial remedy under Art. 78 GDPR.

 

The Controller’s supervisory authority that is responsible for data protection is:

 

The Hessian Commissioner for Data Protection and Freedom of Information
Prof. Dr. Michael Ronellenfitsch
Gustav-Stresemann-Ring 1
65189 Wiesbaden
https://datenschutz.hessen.de/

 

 

XI Collaboration with contractual processors and third parties

 

Otherwise, we will only transfer your personal data to third parties if this is legally permitted within the scope of the purpose of data processing or if you have provided your consent.

 

If, during the course of our data processing, we disclose data to other persons and companies (contractual processors or third parties), transmit data to them or otherwise grant them access to the data, this will only be done on the basis of legal consent (e.g., if the data is transmitted to third parties as required by the payment service provider pursuant to Art. 6 (1) (b) GDPR) if you have indicated that you consented to a legal obligation or if such disclosure is made on the basis of our legitimate interests (e.g., due to the use of agents, web hosting services, etc.).

 

If we task processors with the processing of data, this shall be done on the basis of Art. 28 GDPR.

 

 

XII. Other notes

 

Additional information about data protection at Alcedis GmbH can be found by following the link: https://www.alcedis.de/privacy-policy/ . We change our security and data protection measures to the extent required by technical and legal developments and adapt our data protection guidelines accordingly. Please take note of the current version of the Privacy Policy.

 

 

Privacy Policy version: 29th March 2019