This Privacy Policy applies to all services of Heart-Based Center AG (HBC) that involve the processing of personal data.
Personal data includes all information relating to an identified or identifiable natural person: Personal data such as personal details, contact details and insurance details, health-related data such as medical histories, diagnoses, treatment suggestions and findings as well as medical samples and sample residues.
A data subject is a person about whom we process personal data.
Processing includes any handling of personal data, regardless of the means and procedures used, such as querying, comparing, adapting, archiving, storing, reading, disclosing, obtaining, collecting, recording, deleting, arranging, organizing, modifying, disseminating, linking, destroying and using personal data.
The data is processed on the basis of the service contract concluded with the data subject and the legal requirements to fulfill the purpose of the service and the associated obligations.
We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (Data Protection Act, DSG) and the Ordinance on data protection (Data Protection Regulation, DSV).
We process personal data in accordance with at least one of the following legal bases if and insofar as the European Union's General Data Protection Regulation (GDPR) is applicable:
We also comply with all ethical guidelines issued by recognized healthcare organizations in Switzerland.
We use the data accessible to us exclusively for the purposes stated in the individual services.
In addition, we use the data accessible to us, including in particular health-related personal data as well as medical samples and sample residues, anonymously and in encrypted form for research purposes and analyses. This use has no influence on medical treatment.
We process all personal data in accordance with the applicable Swiss data protection laws. This means in particular that we represent and warrant that we will collect, process, use and dispose of all personal data directly or indirectly accessible to us in preparation, execution and completion of our services and our research and analysis activities exclusively and in full compliance with all relevant Swiss laws, regulations and ethical guidelines and that we will obtain all approvals from ethics committees and, if necessary, consents from persons required for the implementation of the agreement before commencing the respective part of the assigned work.
We process the personal data required to perform our activities and services under a service contract securely, reliably and in the interests of the data subject. Such personal data may include in particular
We can also use or reuse this personal data anonymously for research purposes, in particular the health-related data and samples (which are normally disposed of).
We process personal data for as long as is necessary for the respective purpose(s) or required by law. Personal data that no longer needs to be processed is anonymized or deleted.
We only process personal data with the consent of the data subjects or their parents or legal representatives. Such consent is not time-limited and applies to all personal data already collected or to be collected in the future. It has no influence on the therapeutic or medical treatment of the person concerned. If and to the extent that processing is permitted for other legal reasons, we may refrain from obtaining consent. For example, we may process personal data without consent in order to fulfill a contract, to comply with legal obligations or to protect overriding interests.
We also process personal data that we receive from third parties, obtain from publicly accessible sources or collect in the course of our activities and operations, if and to the extent that such processing is permitted for legal reasons. This also applies in particular to personal data of healthcare professionals with whom the data subject has been or is undergoing treatment, provided that the data subject has given their consent, and of doctors providing treatment (medical records of the data subject).
We may have personal data processed by third parties. We may process personal data jointly with third parties or transfer it to third parties.
Such third parties are in particular
Personal data is passed on to the authorities on the basis of statutory reporting obligations.
The transfer of personal data to health insurance or accident or disability insurance is carried out for the purpose of invoicing the service provided, in accordance with the legal requirements.
The necessary personal data is passed on to the debt collection agency for the purpose of collecting money claims due.
The transfer of personal data to research institutes and biobanks is anonymized or encrypted. Encryption means that all details that allow conclusions to be drawn about the person concerned, such as name or date of birth, are replaced by a code (key). The key can only be viewed by those persons who have been authorized to do so by the research management. Persons who do not know the key cannot identify the person concerned. All research projects are also subject to the strict legal provisions and controls applicable in Switzerland.
We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we guarantee in particular the confidentiality, availability, traceability and integrity of the processed personal data, without being able to guarantee absolute data security.
Our data is accessed using transport encryption such as SSL/TLS/HTTPS or other equivalent systems.
We are aware that our digital communication - like in principle all digital communication - is subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA) and other countries. However, we cannot directly influence the corresponding processing of personal data by secret services, police forces and other security authorities. We also cannot rule out the possibility that individual data subjects may be subject to targeted surveillance.
We process personal data in principle in Switzerland. However, we may also export or transfer personal data to other countries, in particular in order to process it or have it processed there.
We can export personal data to all states and territories on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and - if and insofar as the General Data Protection Regulation (GDPR) is applicable - according to the decision of the European Commission.
We may transfer personal data to countries whose laws do not guarantee adequate data protection, provided that data protection is guaranteed for other reasons, in particular on the basis of standard data protection clauses or with other suitable guarantees. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the special requirements under data protection law are met, for example the express consent of the data subjects or a direct connection with the conclusion or execution of a contract. Upon request, we will be happy to provide data subjects with information about any guarantees or provide a copy of any guarantees.
We grant data subjects all rights in accordance with the applicable data protection law. Data subjects have the following rights in particular:
Claims under data protection law must be asserted in writing. If they are not opposed by our right to deferment, restriction or refusal of the claim and the processing cannot be based on any legal basis other than consent, the processing will be discontinued. The lawfulness of the data processing carried out until the revocation remains unaffected.
We may defer, restrict or refuse the exercise of the rights of data subjects to the extent permitted by law. We may inform data subjects of any requirements that must be met in order to exercise their rights under data protection law. For example, we may refuse to provide information in whole or in part with reference to business secrets or the protection of other persons. For example, we may also refuse to delete personal data in whole or in part with reference to statutory retention obligations.
In exceptional cases, we may charge costs for the exercise of rights. We will inform affected persons of any costs in advance.
We are obliged to take appropriate measures to identify data subjects who request information or assert other rights. Data subjects are obliged to cooperate.
Data subjects have the right to enforce their data protection claims by taking legal action or to lodge a complaint with a competent data protection supervisory authority.
The data protection supervisory authority for complaints by data subjects against private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
Possible data protection supervisory authorities for complaints from data subjects - if and insofar as the General Data Protection Regulation (GDPR) is applicable - are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are structured federally, especially in Germany.
We log every access by us to the data accessible to us comprehensively and completely and ensure up-to-date accessibility to this archive for the contracting parties at all times.
We use services from specialized third parties in order to be able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner. Among other things, we can use such services to embed functions and content in our software. In the case of such embedding, the services used collect, at least temporarily and for technically compelling reasons, the IP addresses of the users.
For necessary security, statistical and technical purposes, third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymized or pseudonymized form. This is, for example, performance or usage data in order to be able to use the respective service within the scope of the agreement.
We use the services of specialized third parties in order to be able to use the necessary digital infrastructure in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.
We use third-party services to integrate documents into our software. Such documents may include PDF files, presentations, tables and text documents. This enables us not only to view but also to edit or comment on such documents.
Your files held by us will be kept for 20 years after your last meeting. After that, with your express consent, they will be kept or securely deleted or destroyed.
After a service has expired, we duly archive all documents and data and any copies of these that we have collected and processed on the basis of this service for 20 years. After that, they are completely and irreversibly deleted from all our systems. Data that we need or could use for statistical and scientific purposes and for the further development of our services will be kept anonymized for an unlimited period of time and used for these purposes if necessary.
If you have any questions about data protection or wish to exercise your data protection rights, please contact the specialist responsible for you.