
Data Protection


1. Name and Contact Information for the Party Responsible for Processing Data

This information on data protection applies to data processed by:

RHÖN-KLINIKUM Aktiengesellschaft (hereinafter also referred to as "RHÖN-KLINIKUM AG")
Schlossplatz 1
97616 Bad Neustadt / Saale
Germany
Telephone: +49 9771 65-0
Facsimile: +49 9771 97467


2. Contact Information for the Data Protection Officer

Group Data Protection Officer at RHÖN-KLINIKUM AG
Schlossplatz 1
97616 Bad Neustadt / Saale
Germany


3. Processing Personal Data, Type and Purpose of its Use

a) General Information

This webpage can be visited without having to register. Personal data are generally only processed with your consent. An exception hereto applies where it is not possible to obtain prior consent due to circumstances and/or statutory provisions permit the data to be processed. Personal data in the sense of Art. 4, No. 1, EU General Data Protection Regulation (GDPR), means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The following informs you as a user of this webpage about the type, scope and purpose of collecting and using your data.

b) Legal Basis for Processing Personal Data

Art. 6, Subsection (1), Lit. a), GDPR, serves as the legal basis as far as consent by the person concerned is to be given for the processing of the personal data. Art. 6, Subsection (1), Lit. b), GDPR, serves as the legal basis for processing personal data which is necessary for the performance of a contract to which you are a contractual party.

This also applies to processing which is necessary to take steps prior to entering into a contract, e.g. in the preparation of contracts, such as for medical treatment or hiring staff. Art. 6, Subsection (1), Lit. c), GDPR, serves as the legal basis for processing personal data which is necessary for compliance with a legal obligation to which RHÖN-KLINIKUM AG is subject. Art. 6, Subsection (1), Lit. d), GDPR, serves as the legal basis for the case where processing personal data is necessary in order to protect your vital interests or those of another natural person. Art. 6, Subsection (1), Lit. f), GDPR, serves as the legal basis for processing personal data which is necessary for the purposes of a legitimate interest pursued by RHÖN-KLINIKUM AG or by a third party and if your interests, fundamental rights and freedoms do not override the former interest.

c) Erasure of Data and General Storage Period

Your personal data are erased or blocked as soon as the purpose for storing the data no longer exists. The data can be stored for a longer period if this was envisaged by European or national legislation in European Union regulations, laws or other regulations to which RHÖN‑KLINIKUM AG is subject (e. g. retention periods for patient records or diagnoses). Data are also blocked or erased if a storage period which is prescribed by the above norms expires unless it is necessary to retain the data in order to enter into or perform a contract.

d) Data Processing in Connection with the Contact Form and E-Mail

If a user chooses to contact us electronically via a contact form on our webpage, the data entered in the contact form are transmitted to us and stored.

The order service (Investor Relations) collects the following data:
First Name, Last Name, Company Name, Road, Postcode, Town, Telephone No., Facsimile No., Country, E-Mail Address

Before the data are sent, you are reminded of this data protection declaration and your consent is obtained for the data to be processed.

It is also possible to contact us in a non-encrypted manner via the e-mail addresses provided on the webpage. Your personal data which are transmitted with the e-mail are stored in this case. Please note that non-encrypted communication via e-mail does not generally provide a secure method for transmitting data via the internet. Please do not send sensitive data, such as medical data, to RHÖN-KLINIKUM AG via e-mail and/or the contact form. We strongly advise you to use the postal service or the telephone for this.

The data are processed for the purpose of communication and/or contact pursuant to Art. 6, Subsection (1), Sentence 1, Lit. a) GDPR based on your voluntary consent. Personal data are therefore only collected when and to the extent that you provide the data voluntarily. The data are only passed on to third parties without your consent if RHÖN-KLINIKUM AG is obliged to do so by law (Art. 6, Subsection (1), Lit. c), GDPR). Another legal basis for processing data transmitted via e‑mail is Art. 6, Subsection (1), Lit. f), GDPR. If the e-mail contact is geared towards entering into a contract, another legal basis for processing the data is Art. 6, Subsection (1), Lit. b), GDPR.

The data are erased as soon as they are no longer required for achieving the purpose of their collection. This is the case for the personal data in the contact form and the data transmitted via e-mail when the respective conversation with the user is finished. The conversation is finished when it can be derived from the circumstances that the subject matter concerned is completely clarified.

Messages are stored for as long as they are required for the respective matter to be processed.

4. Information about log files and cookies

a) Log Files

Due to our legitimate interest according to Art. 6 para. 1 lit. f) GDPR, we collect data about accesses to our websites and store them as "server log files" on the website server. The following data is logged:

  • IP address
  • Time of the call
  • Visited website
  • HTTP status
  • Size of the request
  • User agent
  • Referrer (source from which the website was called)

The server log files are stored for a maximum of 7 days and then deleted via an automatic process. The data is stored for security reasons, e.g. to be able to clarify cases of misuse. If data must be retained for evidentiary reasons, it is exempt from deletion until the incident has been finally clarified.

b) Cookies

Cookies are small files that are automatically created by your browser and stored on your device (laptop, tablet, smartphone, etc.) when you visit a website. Persistent cookies remain on your computer for a certain period of time. Session cookies are cookies that are only stored on your computer for the duration of an Internet session. We use a session cookie to ensure server operation.

5. Passing on Data

We do not pass your personal data on to third parties for purposes other than those listed below. We only pass your personal data on to third parties if:

  • You have given your explicit consent thereto pursuant to Art. 6, Subsection (1), Sentence 1, Lit. (a), GDPR;
  • Passing on the data is necessary pursuant to Art. 6, Subsection (1), Sentence 1, Lit. f), GDPR, for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection that we do not pass on your data;
  • There is a legal obligation for passing on the data pursuant to Art. 6, Subsection (1), Sentence 1, Lit. c), GDPR; and
  • This is permitted by law and necessary for processing contractual relationships with you pursuant to Art. 6, Subsection (1), Sentence 1, Lit. b), GDPR.

6. Use of external services

For the purpose of data processing, the external service provider Insignio CRM GmbH, Ludwig-Erhard-Straße 14, 34131 Kassel, Germany, is used, which processes the data strictly in accordance with instructions within the scope of commissioned processing pursuant to Art. 28 GDPR. The service provider Insignio CRM GmbH uses the subcontractors Interlutions GmbH, Neusser Str. 27-29, 50670 Cologne and Leaseweb Deutschland GmbH, Kleyerstraße 75-87, 60326 Frankfurt am Main to process the data. The subcontractors are obligated in accordance with the requirements of the order processing agreement between RHÖN-KLINIKUM AG and Insignio CRM GmbH.

External services are used on our website. External services are services from third-party providers that are used on our website. This can be done for various reasons, for example for embedding videos or for the security of the website. When using these services, personal data is also passed on to the respective providers of these external services. If we do not have a legitimate interest in using these services, we will obtain your consent as a visitor to our website, which can be revoked at any time, before using them (Art. 6 para. 1 lit. a GDPR).

a) Analytics

In order to analyze user behavior, we process personal data of website visitors. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This enables us to increase the user-friendliness of our website. By means of the analysis tools used, user profiles could, for example, be created for the playout of targeted or interest-related advertising messages, our website visitors could be recognized the next time they visit our website, their click/scroll behavior, their downloads could be measured, heat maps could be created, page views could be recognized, the duration of visits or bounce rates could be measured, and the origin of the website visitors (city, country, from which page the visitor comes) could be traced. With the help of the analysis tools, our market research and marketing activities can be improved.

The processing of the data is based on the legal basis of consent (Art. 6 para. 1 lit. a GDPR). As a website visitor, you have consented to the processing of your personal data with your voluntary, explicit consent given in advance. Without separate consent, the personal data will not be processed by us in the manner described above, provided that there is no other legal basis within the meaning of Art. 6 para. 1 GDPR on which we base the processing. We proceed in the same way if you revoke your consent. The lawfulness of the processing carried out until the revocation remains unaffected.

Matomo
We use the service Matomo on our website. The provider of the service is InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand.

As this service is hosted locally on the web server, there is no data transfer to third parties.

b) Consent Management

In order to comply with data protection requirements, we use a consent management tool on our website. With this tool, we obtain necessary consents for the setting of cookies or the use of external services. The consents are stored.

The processing is necessary for the fulfillment of a legal obligation to which the controller (operator of the website) is subject. Therefore, Art. 6 (1) lit. c GDPR is used as the legal basis for the processing.

Cookiebot
We use the service Cookiebot on our website. The provider of the service is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark.
Further information can be found in the provider's privacy information at the following URL: https://www.cookiebot.com/de/privacy-policy/.

c) Content Delivery Network (CDN)

We use a Content Delivery Network (CDN) to optimize the performance and availability of our website. For this purpose, this service provider, which provides this network, processes your IP address and the information about when you visited our website. All further information on data processing by this service provider can be found in its privacy policy.
We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).

Our legitimate interest in using a content delivery network is to be able to present our website as quickly, securely and reliably as possible.

Bootstrap CDN
We use the Bootstrap CDN service on our website. The provider of the service is Prospect One Ltd, Królewska 65A/1, PL-30-081 Krakow, Poland.
Using the service may result in data transfer to a third country (USA).
Further information can be found in the provider's privacy information at the following URL: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

CloudFlare
We use the CloudFlare service on our website. The provider of the service is Cloudflare Ltd, 2nd Floor 25 Lavington Street London SE1 0NZ, United Kingdom.
The use of the service may result in data transfer to a third country (USA).
Further information can be found in the privacy information of the provider at the following URL: https://www.cloudflare.com/de-de/privacypolicy/.

d) Content Management System

A content management system enables the creation, editing, organization, and display of digital content. We use a content management system to create content for our website. This enables us to create a more appealing website.

We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).

Our legitimate interest is the technically error-free presentation and optimization of the website.

Typo3 CMS
We use the service Typo3 CMS on our website. The provider of the service is TYPO3 Association, Sihlbruggstrasse 105, 6340 Baar, Switzerland.
As this service is hosted locally on the web server, there is no data transfer to third parties.

e) CRM systems

In order to better manage our customer relationships, we use a customer relationship management system. Through this it is possible to display customer relationship processes clearly and to maintain them in an organized manner. This includes existing and potential customers. This involves the processing of personal data, such as name and address.
The processing of the data is based on the legal basis of consent (Art. 6 para. 1 lit. a GDPR). As a website visitor, you have consented to the processing of your personal data with your voluntary, explicit consent given in advance. Without separate consent, the personal data will not be processed by us in the manner described above, provided that there is no other legal basis within the meaning of Art. 6 para. 1 GDPR on which we base the processing. We proceed in the same way if you revoke your consent. The lawfulness of the processing carried out until the revocation remains unaffected.

EQS Cockpit
We use the EQS Cockpit service on our website. The provider of the service is EQS Group AG, Karlstraße 47, 80333 Munich, Bavaria, Germany.
Further information can be found in the provider's data protection information at the following URL: www.eqs.com/de/ueber-eqs/datenschutz/

7. Rights of Affected Persons

You have the right:

a) Pursuant to Art. 15, GDPR, to obtain access to your personal data which RHÖN‑KLINIKUM AG has processed. You can request access, in particular, to the purposes for processing the data, the category of the personal data, the categories of recipients to whom your data were or will be disclosed, the envisaged storage period, the existence of a right to request rectification, erasure and/or restriction of the data processing or objection thereto, the existence of a right to lodge a complaint, the source of your data if not collected from RHÖN-KLINIKUM AG as well as the existence of automated decision-making, including profiling, and as necessary meaningful information to their details;

b) Pursuant to Art. 16, GDPR, to obtain without undue delay rectification or completion of your personal data stored at RHÖN-KLINIKUM AG;

c) Pursuant to Art. 17, GDPR, to obtain the erasure of your personal data stored at RHÖN‑KLINIKUM AG unless the data processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;

d) Pursuant to Art. 18, GDPR, to obtain the restriction of processing your personal data if you contest the accuracy of the data, the processing is unlawful and you oppose the erasure of the data, RHÖN-KLINIKUM AG no longer needs the data but you require the data for the establishment, exercise or defence of legal claims or you have objected to the data being processed pursuant to Art. 21, GDPR;

e) Pursuant to Art. 20, GDPR, to receive your personal data which you provided to RHÖN‑KLINIKUM AG in a structured, commonly used and machine-readable format or to transmit said data to another party responsible for processing data;

f) Pursuant to Art. 7, Subsection (3), GDPR, to withdraw at any time your consent once given to RHÖN-KLINIKUM AG. This results in the fact that RHÖN-KLINIKUM AG is no longer permitted in the future to continue to process the data which were the basis for the consent; and

g) Pursuant to Art. 77, GDPR, to lodge a complaint with the competent supervisory authority. The data protection supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA - Bavarian Data Protection Authority), Promenade 27, 91522 Ansbach, Germany.

Should you wish to make use of any of your rights as an affected person as stated in a) to f), it is sufficient to send a letter or e-mail addressed to the Data Protection Officer named in Section 2 of this data protection declaration.

8. Right to Object

If your personal data are processed based on legitimate interests pursuant to Art. 6, Subsection (1), Sentence 1, Lit. (f), GDPR, you have the right pursuant to Art. 21, GDPR, to object to the processing of your personal data on grounds relating to your particular situation or if the objection is directed against direct marketing. In the latter case you have a general right to object, which right shall be granted by RHÖN-KLINIKUM AG without the need for details of a particular situation.

Should you wish to make use of your right of withdrawal or your right to object, it is sufficient to send a letter or e-mail addressed to the Data Protection Officer named in Section 2 of this data protection declaration.

9. Data Security

This webpage uses Transport Layer Security together with AES 256-bit encryption. You can see that this webpage is encrypted from the closed image of the key and/or lock in the status line at the bottom of your browser.

10. Existence of Automated Decision-Making / Profiling

Automated decision-making or profiling in the sense of Art. 22, GDPR, does not take place.

11. Validity and Modification of this Data Protection Declaration

This data protection declaration is currently valid as of 4th November 2022. It may become necessary to modify this data protection declaration when the webpage is updated or if statutory stipulations are changed. You can view and print the current data protection declaration under www.rhoen-klinikum-ag.com/datenschutzerklaerung.