Data Privacy Declaration for management services and care research into managed care delivered by APST GmbH, use of the APST PLATFORM and the ALS and SMA Applications
1. Data Processing General Purpose
APST GmbH, at the address Westhafenstraße 1, 13353 Berlin, Tel: +49 (0)30 81031410, E-Mail: info@ambulanzpartner.de (hereinafter “APST”) offers a range of managed care services comprising coordination and networking facilities between patients (and their relatives), medical partners (e.g. doctors, social services) and providers of assistive technology devices, therapeutics and medication therapy (e.g. medical supply and equipment stores) as well as nursing care (hereinafter collectively “Providers”). The entirety of participating patients, providers, medical partners and coordinators is subsumed under the term “Care Network”. The APST PLATFORM (www.ambulanzpartner.de) is the online coordination and communication platform digitally linking the care network participants. It features, among other things, an electronic patient record and digital process control for managed care and care research purposes. The “ALS App” and “SMA App” are mobile software applications facilitating participation in surveys and disease course and treatment ratings. The Internet platform and the two applications shall subsequently be referred to as “APST PLATFORM”.
2. Responsibilities
(1) APST is responsible for data privacy, protection and security for the APST PLATFORM user experience. For platform operation, APST closely cooperates with Charité – Universitätsmedizin Berlin (Charité – University Hospital Berlin, hereinafter “Charité”). On behalf of APST, personal data are stored on the Charité’s servers that meet the particular and most stringent data security and data privacy standards for health data. Data hosting services for the APST platform in the context of managed care are delivered by Charité. APST is the contracting party of hosting services and the responsible entity pursuant to the General Data Protection Regulation, GDPR (Datenschutz-Grundverordnung, DSGVO).
(2) The personal data captured and used via the APST PLATFORM are sensitive data protected with effective and reliable data privacy and data security measures. Together with Charité, APST ensures compliance with data privacy laws and, at that, is reportable to the County of Berlin Data Protection Authority. At APST, top priority is equally given to company-internal data privacy and protection. Employees are bound to discretion and under obligation to act in conformity with the applicable data privacy laws.
(3) Our data privacy officers can be contacted at datenschutz@ambulanzpartner.de or by sending a letter for the attention of “(FAO) Data Privacy Officer”, at our address stated above.
3. Data Processing for Managed Care and Care Research Purposes
3.1. Purpose Limitation Principle, Legal Basis
(1) APST shall process your personal data only to the extent necessary for the rendering of managed care and care research services (see Table 1 and 2 in Section 3.4.). Transfer of your personal data to third parties outside the APST network shall require your explicit consent. Moreover, transfer to state organizations and authorities entitled to receive information shall not go beyond the statutory reporting duties unless a court order obliges APST to do so.
(2) The legal basis for data processing for managed care and care research purposes shall be the current contractual relationship (Art. 6 Section 1 p. 1 lit. b GDPR) as well as the patient’s consent (Art. 6 Section 1 p. 1 lit. a GDPR) and the patient’s signed consent form for care research (Art. 6 Section 1 p. 1 lit. a GDPR).
3.2. Managed Care
(1) APST shall process your personal data for care coordination purposes. Managed care is a service rendered by non-physician professionals. Comprised therein are organizational tasks in the provision of assistive technology devices and other medical devices. The following is included in care coordination:
- Receipt of care provision requests for assistive technology devices, therapeutics and nursing care by e-mail, fax, mail delivery or online
- Digital capturing of the care provision request on the APST PLATFORM
- Contacting patients, relatives or legal guardians by telephone to confirm and further specify the care provision request
- Identification of a suitable provider within the care network in the name and on behalf of the patient
- Identification of a suitable provider outside the care network (if no suitable provider is available within the network) in the name and on behalf of the patient
- Provision of a telephone service for patients, medical partners and providers
- Review and reminder service for pending care provision requests with providers
- Receipt, forwarding (doctor’s offices and outpatient department) and return of the patient’s health insurance card in the name and on behalf of the patient
(2) To facilitate managed care, APST shall furthermore deliver data, document, prescription, and complaint management services, the extent of which is specified in the relevant sections of the Services Specifications for Patients (Sections 3.2 to 3.6 therein).
(3) In the context of the managed care concept, the patient-related and care-related data depicted in Table 1 (Section 3.4.) shall be captured on the APST PLATFORM and used further by those medical partners, providers and coordinators with a mandate for care provision.
(4) The users of the APST PLATFORM (patients, medical partners, coordinators) agree that the users duly authorized to deliver the respective patient’s care and/or care coordination may view and further use all of the patient’s personal data for care provision purposes.
3.3. Care Research
(1) The data generated in the context of managed care shall be used to perform a systematic analysis of care provision – conditional upon obtainment of your informed consent. The care data digitalized on the APST PLATFORM are thus conducive to care coordination and research into managed care.
(2) The data collected in the managed care context (see Table 2 in Section 3.4.) shall be exploited for scientific or health economic analyses. Data utilization for research, publication, education and health-economic purposes shall take place exclusively by employing pseudonymized and/or anonymized data, subject to your informed consent to the respective cause. Depending on the choices you made in the Patient Information and Consent Form, your pseudonymized and/or anonymized data shall be used as follows:
- Display of my pseudonymized ratings submissions relating to treatments, providers, medical devices or medicinal products on the APST PLATFORM website (e.g. scoring for satisfaction with physiotherapy, an assistive technology device or a medicine)
- Analysis of my pseudonymized data for care research purposes in cooperation with academic institutions across Germany to promote the advancement of medical treatments (e.g. systematic analysis of necessary assistive technology devices over the course of ALS, Multiple Sclerosis and other neurological diseases);
- Analysis of my pseudonymized data for care research purposes in cooperation with organizations from the health care sector to promote the development and advancement of medical technology, medicines, sundry medical devices or treatment methods (e.g. systematic analysis of ALS patients’ user experience with regard to a specific device for the relevant ATD manufacturer).
3.4. Extent and Scope of Data Exploitation
(1) Data processing on the APST PLATFORM shall serve managed care and care research purposes.
(2) Personal data, i.e. individual information on a specific or identifiable patient’s personal and factual situation, shall be used solely for the purpose of realizing managed care. Utilization shall be limited to the very persons within the care network with a mandate for the provision of care and care coordination services for a particular patient.
(3) Table 1 illustrates the data used exclusively for managed care purposes and not for care research within the APST PLATFORM.
Table 1
- Contact Details
- Social Profile
- Payer/Health Insurance Company
- Medical Profile
- Documents (Scans of Printouts)
- Provision of Therapeutics
- Provision of Assistive Technology Devices (ATD)
- Medication
(4) Table 2 illustrates those pseudonymized and/or anonymized data used for care research and managed care purposes in conjunction with personal data (Table 1) within the APST PLATFORM.
Table 2
- Domestic Situation
- Social Profile
- Payer/Health Insurance Company
- Medical Profile
- Provision of Therapeutics
- Provision of Assistive Technology Devices (ATD)
- Medication
- Clinical Scales
- Applications
4. Data Processing for Website Visits
(1) When using our websites merely for the purpose of gaining information, i.e. when no request or personal information is submitted and no login is performed, we shall process the data your browser sends to our server, and those data technically required to display our website to you and to safeguard stability and security:
- IP address
- Date and time of enquiry,
- Duration of website visit,
- Time zone difference to Greenwich Mean Time (GMT),
- Content of enquiry (precise page),
- Access status/http status code,
- Data volume transferred each time,
- Website this enquiry is coming from,
- Our websites that you visit,
- Internet service provider,
- Browser type,
- Server Log Files,
- Operating systems and their interface,
- Language and version of browser software.
(2) The relevant legal basis is Art. 6 Section 1 p. 1 lit. f) GDPR, i.e. our legitimate interest in displaying the websites that are accessed.
5. Data Processing for Contact
When you contact us via e-mail, telephone or by using a contact form, the information you supply to us (e.g. e-mail address, name, telephone number and content of the enquiry) shall be processed to answer your queries and/or deal with your issue. The legal basis for this is Art. 6 Section 1 p. 1 lit. b GDPR.
6. Data Processing for Newsletter Circulation
(1) We shall send e-mails and other electronic memorandums with commercial information (hereinafter “Newsletter”) only subject to your explicit consent (Art. 6 Section 1 lit. a GDPR) or to a legal permission. The newsletters contain the latest information on our projects, events, company and network. By subscribing to our newsletter you agree to receive it.
(2) Employment of shipping or mail order services, performance of statistical surveys and analyses as well as login procedure protocols shall be based on our legitimate entitlement pursuant to Art. 6 Section 1 lit. f GDPR. Our interest shall be aimed at employing a user-friendly and secure newsletter system, to satisfy both our business interests and your expectations.
(3) You may revoke your consent to receipt of our newsletter at any time.
7. Your Rights
(1) With regard to your personal data, you shall be entitled to the following rights in your dealings with us:
- Right to information (Art. 15 GDPR),
- Right to rectification and deletion (Art. 16 and 17 GDPR),
- Right to limitation of processing (Art. 18 GDPR),
- Right to objection against processing (Art. 21 GDPR),
- Right to data transferability (Art. 20 GDPR).
(2) You shall furthermore have the right to lodge a complaint with the Data Protection Authority about the way we process your data.
(3) We point out that you may revoke any data privacy consent you have given us at any time and with effect for the future. The same shall apply to your consent to be contacted for commercial purposes. To this end, please simply send an e-mail to: datenschutz@ambulanzpartner.de. The respective revocation may result in our offer no longer being available to you or with limitations only.
(4) In so far as our processing of your personal data is based on the weighing of interests (Art. 6 Section 1 p. 1 lit. f GDPR), you shall be entitled to object to such processing. When lodging such an objection, we will kindly ask you to tell us the reason why we are no longer allowed to process your personal data the way we do. For any substantiated objection, we shall verify the facts and either cease to process your data, adjust the processing method or elucidate to you our compelling protection-worthy reasons why we shall continue to process your data.
8. Data Security and Data Deletion
(1) The data accessible on the APST PLATFORM are sensitive data and shall thus be subject to the most stringent and state-of-the-art security standards.
(2) You may only access your data after entering an individual user name and password. We generally recommend safeguarding your access data (user name, password) as if they were valuables and refraining from writing them down and keeping them somewhere. You shall personally be responsible for the safety and security of your own computer and software, and under obligation to ensure adequate protection.
(3) Access to personal data shall be subject to access authorization as specified below:
Patient
- Personal contact details
- Personal social profile
- Personal medical profile
- Personal care processes
- Personal ratings
- Contact details and profile for medical partners and providers involved in the patient’s care provision
Medical Partners and Providers
- Access to all the data available on the platform for the patient for whom they have a mandate for treatment or provision (no data available for patients for whom they do not have a mandate for action)
Coordinator Role
- Access to all the data available on the platform for the patient for whom they have a mandate for coordination (no data available for patients for whom they do not have a mandate for coordination)
APST Network Manager, Data Manager and Administrator Roles
- Full data set with all patient-related and care-related data
- Full data set for all medical partners and providers
- Full data set for all patient ratings (survey administration) and participating parties (participant administration)
(4) Data shall be encoded for transfer from the user’s computer to the server and vice versa.
(5) The data processed by APST shall be deleted upon expiry of contract if no relevant retention periods are provided by law. Data shall continue to be processed after the patient’s death, unless the contractual relationship has been terminated by the patient’s legal successor or the patient’s consent has been revoked. The processing of any data not deleted for reasons of compliance with legal provisions (e.g. settlement data pursuant to § 257 Section 1 German Commercial Code [Handelsgesetzbuch, HGB] and/or § 147 Section 1 commercial/tax regulations for data retention) shall be limited, i.e. data shall be disabled for operative use.
9. Final Provisions
(1) APST shall take technical and organizational security measures to protect the data processed, particularly against random or willful manipulation, destruction, or violation by an unauthorized person. Security measures shall be updated on a continuous basis according to technical progress.
(2) To the extent to which we use subsidiary companies to render our services, we shall take appropriate technical and organizational measures safeguarding protection of personal data pursuant to the applicable laws. Subsidiary companies shall predominantly be technical providers supporting us in our performance.
(3) APST shall update the Data Privacy Declaration from time to time according to technical progress and the further development of the services offered herein. In so far as the amendment made to the Data Privacy Declaration does not affect the utilization of the personal data we already have on you, the new Data Privacy Declaration shall be in full force and effect from the date of updating it. Any changes to the Data Privacy Declaration affecting the utilization of the personal data we already have on you shall only be implemented if this is considered an adequate and reasonable act for you. In such a case, you shall be notified in good time. You shall have the right to object to the Data Privacy Declaration within four (4) weeks of receiving notification of the new effective Data Privacy Declaration. In case of objection, we shall reserve the right to terminate the utilization contract. If no objection is lodged, the amended Data Privacy Declaration shall be considered agreed by you. We shall remind you of your right to objection and the significance of the notice period for objection when we notify you of such a change.
(4) APST shall be available to you for further queries and information on data privacy and protection, and the processing of your personal data via the address for correspondence stated on the legal information page on our website. For requests, suggestions, and information on data privacy you may furthermore contact the external data privacy officer for APST at datenschutz@ambulanzpartner.de.