Last updated: 19.07.2022
1 Controller’s name and contact details
Curalie GmbH, Leipziger Straße 61 A, 10117 Berlin, Germany
Phone: +49 30 549 071 27
2 Data protection officer contact details
The data protection officer of Curalie GmbH can be reached at the above address, Attn.: Data Protection Officer, or at firstname.lastname@example.org.
3 Content, scope, purpose and legal basis of processing of personal data
3.1 Registration in the Curalie Portal
The use of the Curalie Portal requires registration beforehand. During the registration process, identification and communication information will be processed to create a user account and authenticate you personally. This information includes:
- Last name and first name
- e-mail address
- Mobile phone number
- Password (randomly generated)
The processing of these data serves to provide the user account and for purposes of unique identification of the user.
These data are processed on the basis of statutory provisions that permit data processing because it is necessary in order to provide the Curalie Portal to you (point (b) of Article 6(1) GDPR).
Where you interact with your patients within the scope of programs offered by Curalie GmbH or third parties via the Curalie Portal, your user account is linked to the relevant account for that patient within the program. Tracking also takes place when you enter certain information within the program as part of supporting the patient. Furthermore, the link creates the possibility that the patient may view personal data of his or her treating physician or of employees of the healthcare institution.
Where you make use of a program offered by Curalie GmbH, Curalie GmbH is the controller responsible under data protection law for the processing of your personal data for the purpose of providing the program.
In the case of third-party provider programs, the relevant third-party provider is the controller responsible under data protection law for the processing of your personal data for the purpose of providing the program. If you decide to make use of the program in question, the third-party provider receives the data stored in your user account. The identity and contact information of the third-party provider responsible as the controller in the specific case are stored in the relevant program description.
These data are processed on the basis of statutory provisions that permit data processing because it is necessary in order to provide the Web application and the relevant program to you (point (b) of Article 6(1) GDPR).
3.3 Use data
Use data are also processed every time the Web app is accessed.
This includes but is not limited to the following data:
- Device’s current language settings
- Information on the user’s Internet service provider
- IP (Internet Protocol) address of the device accessing the App
- Date and time of retrieval
- User ID on the Curalie platform
- Session ID number
- Status report on whether retrieval was successful
- Referrer URL
- Operating system, browser data (operating system, interface, browser, language, browser software version)
We erase or anonymize the use data, including the IP addresses, without undue delay as soon as they are no longer needed for the aforementioned purposes.
In addition, the following user data are stored in the login data sets for a maximum of seven days each time a user logs in for purposes of identifying and investigating abuse:
- Date and time of login
- User ID on the Curalie platform
- Internet Protocol (IP) address
- Pseudonymized user ID
- However, the foregoing data are not stored together with other personal data.
The data are processed on the basis of statutory provisions that permit the data processing because it is necessary in order to provide the Web application to you in technical terms (point (b) of Article 6(1) GDPR) or because we have a legitimate interest in ensuring the security and functionality of the Web application and the proper use thereof, without there being an overriding interest on the part of the data subject that conflicts with this (point (f) of Article 6(1) GDPR).
Finally, we collect in anonymized form the numbers of times content and videos are accessed in order to be able to analyze the content.
1.4 Local storage
Where you have consented to this, we also store your personal data in your browser’s local storage. This storage serves to simplify repeated access to the website and thus contributes to improved user-friendliness. The data stored for this purpose in the local storage are only accessible to you (via the browser). Third parties and other websites cannot read out these data. These data are not combined with other data.
4 Possible recipients of your data
4.1 Employees of Curalie
The primary recipients of your data are the employees of Curalie GmbH. All employees have undertaken an obligation to maintain confidentiality and the secrecy of your data.
4.2 Law enforcement agencies
We may also be legally obligated to provide information in response to inquiries from certain public bodies. These bodies are law enforcement agencies, government agencies that impose fines for regulatory offenses, and fiscal authorities (point (c) of Article 6(1) GDPR).
4.3 Service providers
4.4 Affiliates / corporate transformations
5 Your rights as a data subject
As a data subject whose personal data are being processed, you have the following rights in particular:
- Right of access to information: You have the right to access information on the personal data concerning you.
- Right of rectification: You have the right to have inaccurate personal data concerning you rectified or incomplete personal data concerning you completed.
- Right of erasure: You can also obtain from us the erasure of your personal data, for example if your data are no longer required for the purposes for which they were collected or otherwise processed.
- Right to restriction of processing: You moreover have the right to obtain from us the restriction of processing of your personal data; in such a case, the data will be blocked from any and all processing. This right applies in particular if there is any dispute between us concerning the accuracy of the personal data.
- You have the right to withdraw your consent at any time – for example via the contact channels mentioned in Sec. 1 and above – with effect for the future. Should you wish to exercise this right, please note that the lawfulness of data processing that has already occurred is not affected. Additionally, if you withdraw consent, certain features of the Curalie Portal may be unavailable, or you may be unable to use it at all.
- Right to data portability: Where we process your personal data to perform a contract with you or on the basis of your consent, you also have the right to receive your personal data in a structured, commonly used and machine-readable format to the extent that you have provided the data to us.
- Right to object: Furthermore, you can object to the processing of data for reasons arising from your particular situation. However, this applies only in cases in which we process data to fulfill a legitimate interest of Curalie or a third party. If you can present that there is such a reason and we cannot assert any compelling legitimate interest in continuing the processing, we will no longer process these data for the purpose in question.
If you wish to assert any of your rights as a data subject with regard to personal data processed under our responsibility as the controller or have any questions regarding data protection and/or privacy within our organization, you can contact us using the contact channels mentioned in Sec. 1 and above. After your inquiry has been answered conclusively, we will erase your inquiry three years after the end of the relevant calendar year.
In the event that you wish to assert your rights as a data subject toward third-party providers, you can contact them at the contact addresses contained in the relevant program description at any time to do so.
Finally, you have the right to lodge a complaint with a data protection supervisory authority concerning our processing of personal data. The supervisory authority with jurisdiction over Curalie is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin, phone: 030 13889-0
6 Duration of storage of data
In the case of statutory retention obligations, which may apply for a period of ten to 30 years in the case of health data, erasure does not enter into consideration until after the relevant retention period has elapsed. Should erasure not be permissible based on statutory retention obligations, we restrict the processing thereof to mere archiving of these data sets.