PRIVACY POLICY

according to Art 13 GDPR

In the following, the specialist for plastic, aesthetic and reconstructive surgery, Dr Roland Resch, and his team (hereinafter jointly referred to as “Dr Resch”) inform patients (where reference is made in the following to female and male addressees, for reasons of better readability the masculine designation is regarded as gender-neutral and refers equally to both genders) about the collection of their personal data and about how it is processed by Dr Resch. Personal data means any information that relates directly or indirectly to the patient and identifies the patient or makes him/her identifiable. This privacy policy applies to all existing as well as future patients.

  1. Controller under data protection law (Art 13 (1) (a) GDPR)

Dr Roland Resch, Döblinger Hauptstraße 79, A-1190 Vienna, [email protected], is hereby announced as the controller under data protection law pursuant to Art 13 (1) (a) GDPR.

  2. Data protection officer (Art 13 (1) (b) GDPR)

Dr Roland Resch (with the data disclosed under point 1) is also named as the data protection officer pursuant to Art 37 GDPR.

  3. Purposes of the processing and legal basis for the processing (Art. 13 (1) (c) GDPR)

Dr Resch will not process the collected data for purposes other than those specified in the treatment contract with the patient and will process such data only if consent is given by the patient or for one or more other purposes expressly specified in accordance with the GDPR. Use for statistical purposes is excluded from this, provided the data collected is anonymised beforehand. The legal basis for the processing is derived from the purpose of the treatment contract or, where applicable, from an explicit consent given with regard to special categories of personal data.

  4. Legitimate interests pursued (Art 13 (1) (d) GDPR)

If the lawfulness of the processing is exceptionally based on Art 6 (1) (f) GDPR (legitimate interest of the controller or a third party), this legitimate interest is, as far as can be foreseen at present, in the field of medical diagnostics or other medical, sanitary or scientific tasks and technical analyses (e.g. point 19.9 of this privacy policy), provided that the data processing satisfies a balancing of the interests involved. If there is a legitimate interest not listed here, the data processing is only permissible – provided that no other legal basis is fulfilled – on condition that the legitimate interest is explicitly disclosed to the patient in writing.

  5. Recipients of personal data (Art. 13 (1) (e) GDPR)

In order to fulfil the treatment contract, it may also be necessary to forward data to third parties (in particular e.g. laboratories, hospitals, emergency medical care facilities, insurance companies, suppliers of medical products and medical service providers, authorities). Data is forwarded exclusively on the basis of the GDPR, in particular for the fulfilment of the treatment contract or on the basis of the patient’s prior consent. Dr Resch hereby informs that patient data may be passed on to the aforementioned third parties, in particular within the framework of the treatment contract and patient care.

  6. Third countries, international organisations (Art 13 (1) (f) GDPR)

Some of the recipients of the patient’s personal data mentioned in point 5 are located outside of Austria or process the patient’s personal data there. The level of data protection in other countries may not be the same as in Austria, especially in non-European countries. However, Dr Resch only transfers the patient’s personal data to countries for which the EU Commission has decided that they have an adequate level of data protection. Otherwise, Dr Resch will take adequate measures to ensure that all recipients are subject to an adequate level of data protection by agreeing on standard contractual clauses (210/87/EC, 207/915/EC).

  7. Storage period (Art 13 (2) (a) GDPR)

Dr Resch will not retain data for longer than is necessary for the fulfilment of contractual and legal obligations and for civil law or tax reasons.

  8. Rights of the data subject (Art 13 (2) (b) GDPR)

In particular, the patient has a right to information from the controller about the personal data concerning him, to rectification, erasure or restriction of processing, as well as a right to object to processing and the right to data portability. These rights are governed by the provisions of Art 16 to 21 GDPR.

  9. Withdrawal of consent (Art. 13 (2) (c) GDPR)

Where data processing is based on consent pursuant to Art 6 (1) (a) or Art 9 (2) (a) of the GDPR, the patient has the right to withdraw this consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent up to the time of withdrawal.

  10. Right to lodge a complaint (Art 13 (2) (d) GDPR)

Patients have the right to lodge a complaint with the supervisory authority, which is the Austrian Data Protection Authority, Wickenburggasse 8, A-1080 Vienna, e-mail: [email protected].

  11. Consequences of failure to provide data (Art. 13 (2) (e) GDPR)

The provision of the collected data is mandatory for the fulfilment of the treatment contract with the patient. If the required data are not provided, this may ultimately lead to a risk to the patient’s health (because, for example, certain medical information is indispensable for the performance of an anaesthetic and an intervention), which is why the failure to provide the required data inevitably means that the treatment contract cannot be fulfilled.

  12. Profiling (Art 13 (2) (f) GDPR)

If, in individual cases, Dr Resch makes use of automated decision-making including profiling pursuant to Art 22 (1) and (4) of the GDPR, he will expressly inform the patient of this fact within the scope of the existing duty to inform and provide him with meaningful information on the logic involved as well as the scope and the intended effects of such data processing for the patient.

  13. Further processing for other purposes (Art 13 (3) GDPR)

Should, in individual cases, personal data be further processed for a purpose other than the one for which it was collected, Dr Resch shall provide the patient with detailed information on the other purpose, if any, prior to such further processing, including all information that was already obligatory when the data was collected for the original purpose.

  14. Data not collected from the patient (Art 14 GDPR)

Should personal data not be collected from the patient, Dr Resch will disclose to the patient the name and contact details of the controller and, if applicable, of his representative, the contact details of the data protection officer, the purposes for which the personal data are to be processed and the legal basis for the processing, the categories of personal data processed and, if applicable, the recipients or categories of recipients of the personal data in relation to the third party providing the information. If this data controller intends to transfer the personal data to a recipient in a third country or an international organisation, Dr Resch must inform the patient of this (Art 14 (1) (f) GDPR). In all other respects, Art 14 (2) GDPR shall apply (this provision corresponds to the rights of the patient mentioned in points 7 to 13 of this privacy policy).

  15. Transfer of data to third parties

15.1 In order to fulfil your treatment contract, it may also be necessary to transfer your data to third parties (in particular 4myHealth GmbH, private or public hospitals, laboratories, institutes for imaging diagnostics, doctors’ letters to referring doctors, anaesthetists and anaesthetic nurses, operating theatre nurses and other contractual partners such as banks, legal advisors, auditors, courts, competent administrative authorities, debt collection agencies, medical associations, Statistics Austria, inspectorates, pharmacies, health care providers or non-medical health care professions as well as other service providers whom we use and to whom we make data available, etc.). Your data will be forwarded exclusively and on the basis of the GDPR, in particular for the performance of the treatment contract or on the basis of your prior consent.

15.2 Some of the above-mentioned recipients of your data are located outside of Austria and process your data there. The level of data protection in other countries may not be the same as in Austria. However, we only transfer your personal data to countries for which the EU Commission has decided that they have an adequate level of data protection. Otherwise, we take adequate measures to ensure that all recipients have an adequate level of data protection, for which we conclude standard contractual clauses (2010/87/EC, 2004/915/EC).

  16. Personal data

We only collect such personal data as are necessary for the performance and execution of the treatment contract – i.e. contractually or legally – which the patient has voluntarily provided to Dr Resch or whose collection is covered by another legal ground. Personal data are all data that contain individual details about personal or factual circumstances, for example name, address, email address, telephone number, date of birth, age, gender, national insurance number, video recordings, photos, voice recordings of persons as well as biometric data such as fingerprints. Sensitive data, in particular health data or data related to criminal proceedings, may also be included.

  17. Data security

The protection of the patient’s personal data is ensured by appropriate organisational and technical precautions. These precautions relate in particular to protection against unauthorised, unlawful as well as accidental access, processing, loss, use and manipulation. Notwithstanding the efforts to maintain an appropriately high standard of due diligence at all times, it cannot be completely ruled out that information disclosed by the patient via the Internet may be viewed and used by other persons. Therefore, Dr Resch cannot accept any liability whatsoever for the disclosure of information due to errors in data transfer not caused by him or unauthorised access by third parties (e.g. hacker attack on email account, mobile phone, interception of faxes, etc.).

  18. Communication of a data breach

Dr Resch endeavours to ensure that data breaches are recognised at an early stage and, if necessary, reported immediately to the patient and the competent supervisory authority, including the respective categories of data affected.

  19. Contact with Dr. Resch

If the patient contacts Dr Resch by email or telephone, the data provided by the patient will be stored by Dr Resch for six months for the purpose of processing the enquiry and in case of follow-up questions. Should a treatment contract result from the enquiry, the storage period shall correspond to the storage period stated under point 7 of this privacy policy.

  20. Website

20.1 Collection of general information when visiting the website of Dr Resch

When the patient accesses the website of Dr Resch, information of a general nature is automatically collected by means of a cookie. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of the patient’s internet service provider and the like. This is exclusively information which does not allow any conclusions to be drawn about the person of the patient. This information is technically necessary in order to correctly deliver the contents of websites requested by the patient and is compulsory when using the Internet. In particular, it is processed for the following purposes: Ensuring a smooth connection of the website, ensuring a smooth use of our website, evaluating system security and stability as well as for other administrative purposes. The processing of the patient’s personal data is based on Dr Resch’s legitimate interest arising from the aforementioned data collection purposes. Dr Resch does not use the patient’s data to draw conclusions about the patient’s person. Recipients of the data are only the responsible body and, if necessary, processors. Anonymous information of this kind may be statistically analysed by Dr Resch in order to optimise his website and the technology behind it.

20.2 SSL encryption

For the patient’s own security and to protect his data during transfer, Dr Resch uses state-of-the-art encryption procedures (e.g. SSL) via HTTPS.

20.3 Cookies

The website of Dr. Resch uses so-called cookies. These are small text files that are stored on the patient’s end device with the help of the browser. They do not cause any harm. Dr Resch uses cookies to make his offer user-friendly. Some cookies remain stored on the patient’s end device until he deletes them. They enable Dr. Resch to recognize the patient’s browser on the next visit. If the patient does not wish this to happen, he can set up his browser to inform the patient that cookies are being set and to allow this only in individual cases. If cookies are deactivated, the functionality of Dr Resch’s website may be limited.

20.4 Web analysis

The website of Dr Resch uses functions of the web analysis service Google Analytics, a web analysis service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. Google Analytics uses cookies that enable an analysis of the use of the website by its users. The information thus generated is transferred to the provider’s server and stored there. The patient can prevent this by setting his browser so that no cookies are stored. Dr Resch has concluded a corresponding contract for commissioned data processing with the provider. The patient’s IP address is recorded, but pseudonymised immediately (e.g. by deleting the last 8 bits). This means that only a rough localisation is possible. The data processing is based on the provisions of the GDPR. Dr Resch’s concern in terms of the GDPR is the improvement of his offer and his website. Since the privacy of its users is important to Dr Resch, the user data are pseudonymised. The user data are retained for a period of 38 months.

20.5 Conversion tracking with the visitor action pixel from Facebook

With the patient’s consent, Dr Resch uses the “visitor action pixel” of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) within his website. With its help, Dr Resch can track the actions of users after they have seen or clicked on a Facebook advertisement. This enables Dr Resch to record the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous for Dr Resch, i.e. he does not gain knowledge of the personal data of individual users. However, this data is stored and processed by Facebook, whereof Dr Resch informs the patient according to his level of knowledge. Facebook may link this data to their Facebook account and also for their own advertising purposes, in accordance with Facebook’s data usage policy https://www.facebook.com/about/privacy/. The patient may allow Facebook and its partners to display advertisements on and off Facebook. A cookie may also be stored on the patient’s computer for these purposes.

20.6 Google Web Fonts

In order to display the content correctly and in a graphically appealing manner across browsers, Dr Resch uses script libraries such as Google Web Fonts (google.com/webfonts) on his website. Google web fonts are transferred to the cache of the patient’s browser to avoid multiple loading. If the browser does not support Google Web Fonts or prevents access, content is displayed in a standard font. Calling up script libraries automatically triggers a connection to the operator of the library. It is theoretically possible – but currently also unclear – whether and, if so, for what purposes the operators of such libraries collect data. Patients can find the privacy policy of the library operator Google here: google.com/policies/privacy

20.7 Use of Google Maps

This website uses Google Maps API to visually display geographical information. When using Google Maps, Google also collects, processes and uses data about visitors’ use of the map functions. The patient can find more detailed information about data processing by Google in the Google privacy notices. There, the patient can also change his personal data protection settings in the data protection centre. The patient can find detailed instructions on managing his own data in connection with Google products here: https://support.google.com/accounts/answer/3024190

20.8 Google AdWords

Dr Resch’s website uses Google conversion tracking. If the patient has reached Dr Resch’s website via an ad placed by Google, a cookie is set on the patient’s computer by Google Adwords. The conversion tracking cookie is set when a user clicks on an ad placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the patient visits certain pages of Dr Resch’s website and the cookie has not yet expired, Dr Resch and Google can recognise that the patient clicked on the ad and was redirected to this page. Each Google AdWords customer receives a different cookie. Cookies can therefore not be tracked via the websites of AdWords customers. The information obtained using the conversion cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. The customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. If the patient does not want to participate in the tracking, he can reject the setting of a cookie required for this – for example, via a browser setting that generally deactivates the automatic setting of cookies or he can set his browser so that cookies from the domain “googleleadservices.com” are blocked. The patient should note that he must not delete the opt-out cookies as long as he does not wish any measurement data to be recorded. If the patient has deleted all his cookies in the browser, he must set the respective opt-out cookie again.

20.9 Google reCAPTCHA

Dr Resch uses “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on his website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). The purpose of reCAPTCHA is to check whether data input on Dr Resch’s website (e.g. in a contact form) is made by a human or by an automated programme. To do this, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor accesses the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place. The data processing is based on Art 6 para (1) (f) GDPR. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from spam. Further information on Google reCAPTCHA and Google’s privacy policy can be found in the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html

20.10 Embedded YouTube videos

Dr Resch embeds YouTube videos on some of his websites. The operator of the corresponding plugins is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When the patient visits a page with the YouTube plugin, a connection to YouTube servers is established. In the process, YouTube is informed which pages the patient visits. If the patient is logged into his YouTube account, YouTube can assign his surfing behaviour to him personally. The patient can prevent this by logging out of his YouTube account beforehand. If a YouTube video is started, the provider uses cookies that collect information about user behaviour. If the saving of cookies has been deactivated for the Google Ad programme, no such cookies will be saved when you watch YouTube videos, either. However, YouTube also stores non-personal usage information in other cookies. If the patient wishes to prevent this, he must block the storage of cookies in the browser.
Further information on data protection at “Youtube” can be found in the provider’s privacy policy at: google.de/intl/en/policies/privacy.

20.11 Social plugins

Dr. Resch offers patients the option of using so-called “social media buttons” on his website. To protect the patient’s data, Dr Resch uses the “Shariff” solution for implementation. This means that these buttons are only embedded on the website as a graphic that contains a link to the corresponding website of the button provider. By clicking on the graphic, the patient is redirected to the services of the respective provider. Only then will the patient’s data be sent to the respective providers. Unless the patient clicks on the graphic, no exchange takes place between the patient and the providers of the social media buttons. Information about the collection and use of the patient’s data in the social networks can be found in the respective terms of use of the corresponding providers. More information about the Shariff solution can be found here http://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html.

20.12 Newsletter

The patient has the option of subscribing to Dr Resch’s newsletter via his website. For this purpose, Dr Resch requires the patient’s email address and his declaration that the patient agrees to receive the newsletter. As soon as the patient has subscribed to the newsletter, Dr Resch sends the patient a confirmation email with a link to confirm the subscription. The patient can cancel the subscription to the newsletter at any time. Cancellations must be sent to the following e-mail address: [email protected]. Dr Resch will then immediately delete the patient’s data regarding the newsletter mailing.

  21. Changes to the privacy policy

21.1 We expressly reserve the right to amend the privacy policy in order to adapt it to changes in the legal situation or in the event of changes to the service and data processing. However, this only applies with regard to declarations on data processing. Insofar as the patient’s consent is required or components of the privacy policy contain regulations of the contractual relationship with the patient, the changes will only be made with the patient’s consent.

21.2 Patients are requested to inform themselves regularly about the current content of the privacy policy.