Privacy Notice - Clinicians

1. Introduction

As a physician/healthcare provider which provides healthcare services to you over the digital KRY platform and app provided by DMS Digital Medical Supply Germany GmbH, we are delighted to have you as a patient. For us, you as an individual and as a patient always come first and this privacy notice (the “Privacy Notice”) explains how we handle your personal data when you get in touch with us to seek healthcare via the KRY App (the “Tele-Consultation Services”).

This Privacy Notice describes who is responsible for the processing of personal data (data controller) which is carried out in connection with your use of the Tele-Consultation Services, which personal data about you that is processed when you use the Tele-Consultation Services, how we process the personal data, and our legal basis to do so. We also describe which third parties that may receive and process personal data about you in order for us to provide you with the Tele-Consultation Services. You also receive information about your rights in relation to the processing of your personal data and what you can do to exercise these rights.

2. Who are we and who is responsible for the processing of your personal data?

In connection with choosing us or when getting directed to us as your healthcare provider via the KRY App, this Privacy Notice was made available to you and sent to your in-app inbox along with information about who we are and our contact details (referred to as “Physician/Healthcare Provider”, “we” or “us” below). We are the data controller of all processing of your personal data which we collect or otherwise process in connection with providing you with the Tele-Consultation Services, such as healthcare advice and treatment plans. Please get in touch with us using the contact details referred to above or contact datenschutz@kry.de.

As mentioned above, DMS Digital Medical Supply Germany GmbH, register number HRB 192856, Julie-Wolfthorn-Straße 1, 10115 Berlin (“KRY”) provides the KRY App on which we provide you with the Tele-Consultation Services. KRY does not provide any healthcare or any part of the Tele-Consultation Services. In relation to the Tele-Consultation Services, KRY only acts as our data processor in capacity of provider of the KRY App, including the administrative systems we use to help you and certain related services, such as patient support and administration of queries and requests that you may have.

3. Which personal data do we collect?

The section describes the categories of personal data about you which we process in connection with providing the Tele-Consultation Services. You are not required to provide the personal data. However, if you do not provide your personal data, we will not be able to provide the Tele-Consultation Services to you (i.e. we will not be able to provide healthcare advice) or, as the case may be, the provision of the Tele-Consultation Services may be delayed.

We process the following personal data about you:
Personal Data which we receive from KRY based on information you submitted to KRY in connection with registering for an account in the KRY App or scheduling a meeting, and which you have allowed KRY to share with us prior to a meeting:

Basic Data: your name, address, email address, phone and insurance type, and
Medical Data: information about your medical and prescription history, your physiological or medical condition, including photos of symptoms, and information that you are suffering from an illness.

Personal data which we collect directly from you during our consultation and medical assessment of you and which we generate as part of such meeting:

Consultation Data: information related to our medical assessment such as diagnosis, prescriptions, sick notes and details about your treatment plan. Such information may, to the extent relevant by the tele-doctors, be recorded in your medical records. With your consent, we may also collect and review your medical records from previous consultations with other healthcare providers who have provided you with services via the KRY App.

4. For which purposes and based on which legal basis is your personal data processed?

As part of providing the Tele-Consultation Services, we will process your personal data for the following specific purposes and based in the corresponding legal basis:

(i) to provide the Tele-Consultation Services to you in the form of healthcare, advice or administration within the scope of providing the healthcare itself and communicating with you (e.g. to follow-up on treatment or to remind you about consultations) via video, phone, email and other electronic communication, and to maintain records and up-to-date information about you as a patient. It may also include sharing information with other healthcare professionals as necessary for the provision of care to you, such as specialist services, therapists, pharmacists, hospitals, accident and emergency services and similar. The legal basis for our processing of your personal data for this purpose is that it is necessary for the performance of the healthcare treatment agreement you have with us (according to Art. 6 (1) (b), 9 (2) (h) GDPR in conjunction with Sec. 22 (1) no. 2 b German Federal Data Protection Act).

(ii) to provide you with support, such as answering your queries, requests and complaints. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support), or to give you access to your personal data or medical records via our support service by telephone or via our digital channels. Depending on your matter, you may share additional personal data which we then process to be able to help you with your matter in the best possible manner. We provide support as set forth above as a part of the Tele-Consultation Services (i.e. necessary to perform the contract with you). To the extent the support services are related to care or processing of sensitive personal data about you), the processing takes place as part of the provision of the Tele-Consultation Services and on the same legal basis.
To the extent the support is not directly related to care or processing of sensitive personal data about you, our processing is based on our legitimate interest (Art 6 (1) (f) of the GDPR). We may engage KRY as data processor to assist us in providing such support;

(iii) to the extent necessary to fulfil our legal obligations in the field of healthcare and as otherwise set forth in statutes, court judgments, or decisions by public authorities (according to Art. 6 (1) (c) GDPR).

(iv) for safety, regulatory, and compliance purposes. For example, we may need to review your information and, where necessary, make disclosures in compliance with reasonable requests by regulatory bodies, or as otherwise required by law or regulation, and to respond to legal process or defend against claims (based on Art. 6 (1) (c), 6 (1) (f) and/or 9 (2) (f) GDPR).

5. How long do we keep your personal data?

In general, we only process your personal data as long as is necessary for the purposes for which the information in question is processed according to section 4 above (i.e. we keep it as long as it is necessary to enable us to provide the Tele-Consultation Services or to fulfil our respective legal obligations as further detailed above).

We store personal data for a longer period of time if applicable law requires or permits us to do so. In particular, medical records will be stored for a period of 10 years after completion of an individual treatment in order to comply with the statutory retention periods for medical records. In addition, if a judicial or disciplinary action is initiated, your personal data will be stored until the end of such action, including any potential periods for appeal, and will then be deleted or archived as permitted by applicable law.

6. Third parties with whom your personal data may be shared

6.1. KRY and other service providers
In order for us to be able to offer you the Tele-Consultation Services, we use external service providers that process personal data in certain cases (in particular in relation to hosting and technical infrastructure, care admin systems and medical records system). Such service providers act as our data processors and are contractually obliged to process the personal data only in accordance with our instructions. In particular, we engage KRY which provides the KRY App, including all functionality required for a video consultation, medical administration and communication with you. KRY is also engaged to provide the underlying IT infrastructure as well as certain services such as patient support. In capacity of our data processor, KRY processes your personal data for the sole purpose of providing the services requested by us, and only according to our instructions.

6.2. Other providers of healthcare services
As part of providing you with the Tele-Consultation Services, it may also be necessary to share information with third parties and/or healthcare professionals as necessary for the provision of care to you. For example specialist services, therapists, pharmacists, hospitals, accident and emergency services and similar.
Where applicable, you may be requested to enter into separate agreements directly with such third parties. We ask you to please note that this Privacy Notice does not apply to the processing of personal data which takes place through these third parties. For information regarding how other third parties process your personal data, please contact these suppliers.

6.3. Insurance companies
If you have been referred to us by your insurer or have an insurer with which KRY cooperates, we may disclose information to your insurer that you have used the Services as well as the outcome of health consultations, including copies of your medical records, however, only based on your separate consent which will be sought from you in connection with using our Services via your insurer. This Privacy Notice does not apply to the processing of personal data which is carried out by your insurer. For more information about how your insurer processes your personal data, please contact your insurer.

6.4 KRY as third party controller
As part of registering for the KRY App and/or using the Tele-Consultation Service, KRY asks for your consent to process some of your personal data, including health data for certain purposes. If you consent, KRY will process the following personal data:
information on your basic medical condition, symptoms, and medical history submitted to KRY prior to booking a consultation;
information on the medical treatment you receive, such as length of meeting, type of meeting, outcome (referral, prescription, sick notes, etc.), diagnosis code, date and time of meeting;
and billing data related to the medical treatment you receive, such as data on doctor services rendered, fees and payment method.
The personal data mentioned above will be processed by KRY for the following purposes:
scheduling and informing my health consultations with partner doctors operating on the KRY platform, operating the technical infrastructure of the KRY App (video calls and administrative systems) as necessary for your consultations with the partner doctors, quality control purposes (including ensuring acceptable levels of healthcare services by partner doctors operating on the KRY platform, and investigation of queries, requests and complaints);
payment, including settlement and assertion of the claims incurred in connection with the healthcare services provided by partner doctors;
and anonymization and use of Health Data in anonymous form for product improvement and development.
Please note that KRY, and not me, is responsible for the processing mentioned above as described in their privacy notice. If you have questions about such processing please reach out to KRY as described therein.

7. Do international data transfers out of the EEA take place?

Your health-related personal data (i.e. Medical Data and Consultation Data) is always stored within the European Economic Area ("EEA") and will in no case will be internationally transferred to recipients located outside the EEA.

Other personal data is primarily stored within the EU. However, some of the recipients of your personal data will be located or have relevant operations outside of your country and the EEA, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and with regard to which an adequacy decision by the European Commission does not exist. KRY will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law.

Recipients located outside of the EEA are located in the US. These companies are certified under the EU-U.S. Privacy Shield and, in each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective. The recipients are also bound by data transfer agreements based on Standard Contractual Clauses (2010/87/EC and/or 2004/915/EC) as referred to in Art. 46 (5) GDPR, which are accessible upon request (please reach out to datenschutz@kry.de). KRY has established that all such recipients will provide an adequate level of protection for the personal data and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer is subject to appropriate onward transfer requirements as required by applicable law.

8. Your rights as a user of the Tele-Consultation Services

You have a number of rights related to personal data we have about you which depending on the requirements and limitations set out in applicable data protection you may exercise.

You may at any time contact us in order to:
request access to, and information about, the personal data which is being processed in conjunction with the Tele-Consultation Services. You have the right to obtain a copy of the personal data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on administrative costs;
ask us to correct any incorrect information about you;
request that your personal data be erased (however, we ask you here to note that we have certain obligations by law to save certain personal data (see Section 6 above) including keeping medical records in connection with the use of the Tele-Consultation Services) and we may therefore not be able to honor your request in certain cases;
ask us to restrict the processing of your personal data where you believe (a) such data to be inaccurate, (b) our processing is unlawful, or (c) we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it;
object to the processing of your personal data where the legal justification for our processing of your personal data is our legitimate interest. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim;
if we use your personal data on the basis of your consent, you have the right to withdraw your consent at any time, free of charge. Withdrawal of consent does not affect our obligation to keep medical records, or to process your personal data in accordance with applicable law;
or request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right of data portability).

Should you wish to contact us regarding any of the rights above, we encourage you to contact us via our contact details provided above.

9. Right to file a complaint with the Data Protection Authority

With this Privacy Notice we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us via the contact details provided in Section 9 above.

In addition to the rights set out above, you also have the right to lodge a complaint with a Data Protection Authority, e.g. the competent Data Protection Authority of your place of residence

Issue Date: 25.11.19