Data policy

B. Processing of personal data

1. Calling up our web pages and server log files

In order to call up the contents of our web pages and display them correctly on your end device, your browser automatically sends data requests to our servers. Each data request from your contains, among other things, this information: (dynamic) IP address, browser type and version, operating system and version, called domain, previously visited website and date and time of access. The data requests of your browser are automatically stored in so-called "server log files".

The data processing shown is absolutely necessary to ensure the retrievability as well as the correct display of our web pages on your end device. In addition, the log files can be used to identify cyber attacks and thus ensure the accessibility of our websites (Art. 6 para. 1 sentence 1 lit. b GDPR).

2. Contact

We process personal when you communicate them to us. This may, for example, involve data that you enter in one of our contact forms (callback service or general contact form) or transmit to us in the course of an enquiry. As far as certain input fields are marked as "mandatory", we collect these fields only the data that is necessary for the fulfillment of the contract or the execution of the desired action. Of course, you can provide us with additional information.

Your personal data will only be processed for the fulfillment of the contract with you or the execution of the requested measures, e.g. preparing a quote, answering a contact request (Art. 6 para. 1 sentence 1 lit. b GDPR) and for advertising purposes (Art. 6 para. 1 sentence 1 lit. f GDPR).

3. For physicians: Physician portal

As a physician, you can register on our website for our password-protected, free referring physician portal. Within the scope of the registration, we collect title, first and last name, name of your doctor´s office, address, telephone number and e-mail address as mandatory information.

Once registration is completed, you will receive a password-protected account in which you can voluntarily provide us with additional personal data. These data can be changed by you at any time. In this portal you can review the examination results of your patients assigned to us. The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b GDPR.

If you deposit other physicians working in your doctor´s office with their title, first and last name during your registration, these data will only be used to grant these physicians access to the examination results (Art. 6 para. 1 sentence 1 lit. b GDPR).

The account and the personal data contained therein can be deleted at any time by sending an e-mail to info@ihre-radiologen.de . If statutory retention requirements exist, the data will be restricted until the expiration of the retention obligations and then deleted.

4. Make an appointment via Doctolib

On our website we give you the opportunity to make an appointment online in our doctor´s offices. For this purpose we transfer you to the external website of the service provider Doctolib GmbH, Wilhelmstraße 118, 10963 Berlin ("Doctolib"). To make an appointment with us or other Doctolib contractors, you must first register at Doctolib. In this respect, Doctolib acts as Controller within the meaning of Art. 4 No. 7 GDPR.

If you make an appointment in one of our offices online via Doctolib after your registration, Doctolib will forward this appointment request with date and time as well as your first and last name, telephone number and e-mail address to us. This data is then stored by us for the purpose of organizing our office. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR. With regard to this data processing, we are Controller within the meaning of data protection law; Doctolib will act as Processor in this respect, who is bound by our instructions and obliged according to data protection regulations and who is not allowed to use the data for any other purpose.

If you make an appointment with us by phone, we will – insofar as you have consented to this – send reminders via SMS or e-mail using Doctolib appointment management software. The sender of the e-mail/SMS is Doctolib as our processor. You can therefore receive a reminder message even if you did not make your appointment online on the Doctolib website. If you no longer wish to receive reminder messages, you can revoke your consent given in this respect at any time with effect for the future.

For further information on the usage of your personal data through Doctolib, please refer to the Data Privacy Notice of Doctolib.

5. BVG

On our website we use an Iframe of the Berliner Verkehrsbetriebe - AöR -, Holzmarktstraße 15-17, 10179 Berlin ("BVG") to support our patients in determining a travel route to our locations by public transport. If you calculate a route by using this application, you will be forwarded directly to the BVG website. In this process, the information entered in the application on our website is transmitted to BVG. By using this option to calculate your journey, you consent to the transfer of your entries to BVG (§ 25 para. 1 sentence 1 TTDSG).

We are generally obliged to inform you of your right to withdraw consent. The lawfulness of the processing carried out on the basis of the consent until the withdrawal is not affected by this. In the present case, the transfer takes place once at the time of consent.

For further information on the usage of your personal data through BVG, please refer to the Data Privacy Notice of BVG

6. Use of the Data Subject Request Tool (DSR) for the management of data subject requests

a. Scope of processing personal data

We use functionalities of the data protection plug-in „DSR“ of DataCo GmbH, Dachauer Str. 65, 80335, Munich, Bavaria, Germany (hereinafter referred to as: DataCo).

By using the button „Submit Data Subject Request“, all visitors of our website have the opportunity to make use of their data subject rights. To do so, you specify your relationship to our company, which data subject right you wish to exercise, provide further optional information and, if necessary, identify yourself with further characteristics. The data subject request will then be processed by us.

The following personal data will be processed by DataCo:

• First and last name
• Relationship to the controller (employee, customer, interested party, etc.)
• E-mail address
• Further voluntarily communicated personal data

For further information on the processing of data by DataCo, please click here: https://www.dataguard.com/privacy-policy

In addition, to ensure technical functionality, logfiles may be forwarded to DataCo GmbH, which include the following:

• Browser type and version used
• The user’s operation system
• The user’s internet service provider
• The user’s IP address
• Date and time of access
• Websites from which the user's system made the request

b. Purpose of the data processing

The use of DSR serves to protect the data protection rights of our website visitors. We enable you to make use of your data subject rights and to contact us quickly and easily.

c. Legal basis for data processing

The legal basis for the use of the DSR tool and the processing of corresponding data is your declaration of consent in accordance with art. 6 para. 1 s. 1 lit. a GDPR.

The legal basis for the use of the logfiles is our legitimate interest in ensuring the technical functionality of the tool according to art. 6 para. 1 s. 1 lit. f GDPR.

d. Duration of storage

Data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or as required by law.

e. Objection and removal

The user has the possibility to revoke the consent to the processing of their personal data or object the processing of logfiles at any time by contacting the data controller by mail or by using the DSR tool.

7. Data processing on our social media company pages

We operate a so-called "company page" on these social media platforms:

• "Facebook": Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
• "Instagram": Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
• "LinkedIn": LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• "Xing": New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany

a. General information about company pages, legal basis

When visiting a company page, the respective provider collects information that enables it to recognize users and comprehensively analyze user behavior. Based on the data collected in this way, the operator of the social media platform can also create user profiles. If you are logged in with your corresponding social media account when visiting a company page, the respective provider can also assign this visit to your account.

The respective provider merely provides us with an anonymized statistical evaluation of the use of our company website based on the information obtained. This enables us to make our contributions even more targeted in the future. In this respect, we have a legitimate interest in collecting and processing this information. In addition, we have a legitimate interest in being able to use as many communication options as possible and thus reach as many interested parties personally as possible. The legal basis for the operation of a company page is in this respect Art. 6 para. 1 sentence 1 lit. f GDPR.

We do not ourselves pass on to third parties any personal data that we collect via our company pages. However, we can neither influence nor exclude the possibility that the named providers transmit the collected data to third parties - in particular to their partner companies, which may also be based in countries outside the EU. In many third countries outside the EU, there is currently no level of data protection that corresponds to the EU.

In principle, you can assert your data subject rights (see also under C.) with regard to data processing by our company pages both against us and against the respective provider. However, we would like to point out that these can be asserted most effectively with the respective provider. This is because only the respective provider has access to the users' data and can take appropriate measures and provide information directly.

For more information on data processing by the respective provider, see:

Facebook:

• www.facebook.com/settings?tab=ads
• www.facebook.com/policies/cookies
• www.facebook.com/privacy/policy

Instagram:

• https://privacycenter.instagram.com/policies/cookies/

LinkedIn:

• www.linkedin.com/legal/privacy-policy ("Privacy Policy")
• www.linkedin.com/legal/cookie-policy ("Cookie-Richtlinie")
• www.linkedin.com/psettings/guest-controls ("Opt-Out")

Xing:

• https://privacy.xing.com/en

b. Agreements according to Art. 26 GDPR

We have concluded an agreement with Facebook and LinkedIn pursuant to Art. 26 GDPR in which the data protection obligations arising from the operation of our company website are divided between us and the respective provider. The providers have thereby assumed a large part of the data protection obligations, such as the fulfillment of the data subject rights pursuant to Art. 12-23 GDPR, the obligation to provide suitable technical and organizational measures to protect the security of personal data, and the reporting and notification obligations in the event of a data protection breach. If you contact us regarding your data subject rights, we will immediately forward your request to the respective provider. We are obligated to do so under the agreement with the respective provider.

For more information on the agreement between us and the respective provider, please see:

• https://www.facebook.com/legal/terms/page_controller_addendum
• https://www.linkedin.com/help/linkedin/answer/124838?lang=en
• https://legal.linkedin.com/pages-joint-controller-addendum

8. Transfer of personal data to third parties

A transfer of your personal data to third parties beyond the above mentioned will only take place if the data protection law permits such transfer, in particular if you have expressly agreed to the transfer (Art. 6 para. 1 sentence 1 lit. a GDPR and § 25 para. 1 sentence 1 TTDSG) or if this is necessary for the purpose of contractual performance (Art. 6 para. 1 sentence 1 lit. b GDPR).

The potential recipient of the personal data collected via the website is our Website-Administrator who is bound by our instructions and obliged according to data protection regulations and who is not allowed to use the data for any other purpose.

9. Storage duration

The personal data processed by us will be stored for as long as required for the respective purpose – in particular the processing of your request or your contract – in compliance with the statutory retention periods (e.g. in accordance with the German Commercial Code and the German Fiscal Code, ten years for tax-relevant documents and six years for other business letters) (Art. 6 para 1 sentence 1 lit. c GDPR). Storage beyond the statutory retention periods is possible if you have consented to this in accordance with Art. 6 para. 1 sentence. 1 lit. a GDPR and § 25 para. 1 sentence 1 TTDSG or the purpose of the data processing has not yet ceased.

C. Your Rights of the data subject

1. Right of objection

You may object to the use of personal data for direct marketing purposes at any time; you may also object to the use of personal data on the basis of Art. 6 para. 1 lit. e or f GDPR for reasons arising from your particular situation at any time with effect for the future, without incurring any transmission costs other than those according to the basic rates.

2. Right of access, rectification, erasure or restriction and portability

Under the conditions of Art. 15 to 20 GDPR, you have the right to receive information free of charge about the data we have stored about you, to have incorrect data rectified and to demand erasure, restriction of precessing and portability of your personal data. In some cases, however, we are not allowed to delete user data completely due to legal retention obligations.

3. Right of appeal

You have a right of appeal to a supervisory authority. In particular, the supervisory authority of your place of habitual residence, your place of work or the location of the alleged data protection violation is responsible. A list of supervisory authorities (for the non-public sector) with addresses can be found here.

4. Contact details of our data protection officer

For questions regarding the processing of personal data, please contact our Data Protection Officer:

External Data Protection Officer: DataCo GmbH
Nymphenburger Str. 86
80636 München

You can find further information on the data subject enquiry on this page.