Privacy Policy
Last updated: 1 August 2024
Preamble
With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process, for which purposes and to what extent. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").
The terms used are not gender-specific.
Controller
Smart Media GmbH
Königstraße 27
70173 Stuttgart
Germany
Authorised representative: Marco Maurelli
E-mail: info@myhealthcarebroker.de
Overview of Processing Operations
The following summarises the types of data processed, the purposes for which they are processed and the data subjects concerned.
Categories of Processed Data
- Inventory data (e.g. full name, residential address, contact information, customer number)
- Payment data (e.g. bank details, invoices, payment history)
- Contact data (e.g. postal and email addresses or phone numbers)
- Content data (e.g. textual or pictorial messages and contributions)
- Contract data (e.g. contract object, duration, customer category)
- Usage data (e.g. page views, click paths, device types)
- Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers)
- Log data (e.g. log files concerning logins or access times)
- Creditworthiness data (e.g. credit score, estimated default probability)
Categories of Data Subjects
- Service recipients and clients
- Employees
- Prospective customers
- Communication partners
- Users (e.g. website visitors)
- Business and contractual partners
- Third parties
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations
- Communication
- Security measures
- Direct marketing
- Web analytics
- Targeting
- Office and organisational procedures
- Affiliate tracking
- Marketing
- Profiles with user-related information
- Provision of our online services and usability
- Information technology infrastructure
- Financial and payment management
- Business processes and management procedures
Relevant Legal Bases
Relevant legal bases according to the GDPR: In the following, you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply.
- Consent (Article 6 (1) (a) GDPR) — The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract and prior requests (Article 6 (1) (b) GDPR) — Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation (Article 6 (1) (c) GDPR) — Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate Interests (Article 6 (1) (f) GDPR) — The processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not prevail.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Federal Data Protection Act (BDSG), which contains special provisions on the right to access, the right to erase, the right to object, the processing of special categories of personal data, and automated individual decision-making including profiling.
Security Precautions
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. We take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.
TLS/SSL encryption (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.
Transmission of Personal Data
In the course of processing personal data, it may happen that this data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and particularly conclude relevant contracts or agreements that serve to protect your data with the recipients of your data.
International Data Transfers
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing is done within the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this is only done in accordance with legal requirements.
If the data protection level in the third country has been recognized by an adequacy decision (Article 45 GDPR), this serves as the basis for data transfer. Otherwise, data transfers only occur if the data protection level is otherwise ensured, especially through standard contractual clauses (Article 46 (2)(c) GDPR), explicit consent, or in cases of contractual or legally required transfers (Article 49 (1) GDPR).
EU-US Trans-Atlantic Data Privacy Framework: Within the context of the "Data Privacy Framework" (DPF), the EU Commission has recognized the data protection level for certain companies from the USA as secure within the adequacy decision of 10 July 2023.
General Information on Data Retention and Deletion
We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original purpose of processing is no longer applicable or the data is no longer needed.
The following general deadlines apply for the retention and archiving according to German law:
- 10 years — Books and records, annual financial statements, inventories, management reports, booking receipts and invoices (§ 147 AO, § 14b UStG, § 257 HGB).
- 6 years — Other business documents: received commercial or business letters, copies of dispatched commercial or business letters, and other documents significant for taxation purposes (§ 147 AO, § 257 HGB).
- 3 years — Data required to consider potential warranty and compensation claims or similar contractual claims, based on the regular statutory limitation period (§§ 195, 199 BGB).
Rights of Data Subjects
Rights under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time.
- Right of withdrawal for consents: You have the right to revoke consents at any time.
- Right of access: You have the right to request confirmation as to whether the data in question is being processed, to be informed of this data, and to receive further information and a copy of the data in accordance with the provisions of the law.
- Right to rectification: You have the right to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
- Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted.
- Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format, or to request its transmission to another controller.
- Complaint to the supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement.
Business Services
We process data of our contractual and business partners within the context of contractual and comparable legal relationships as well as associated actions and communication, or pre-contractually, e.g. to answer inquiries.
We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions.
Agents and Brokerage Services: We process the data of our customers, clients and interested parties in accordance with the underlying assignment. Insofar as this is necessary for the performance of our assignment or required by law, we disclose or transmit customer data within the scope of cover requests, the conclusion and execution of contracts to providers of the brokered services, insurers, reinsurers, broker pools, technical service providers, and other service providers such as cooperating associations, as well as financial service providers, credit institutions, social insurance institutions, tax authorities, tax consultants, legal advisors, auditors, insurance ombudsmen and a Financial Supervisory Authority. Legal basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Provision of Online Services and Web Hosting
We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.
Collection of Access Data and Log Files: Access to our online service is logged in the form of server log files. Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, browser type along with version, the user's operating system, referrer URL, and typically IP addresses and the requesting provider. Log file information is stored for a maximum period of 30 days and then deleted or anonymized.
Website hosting: This website is hosted on Cloudflare Pages. Service provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Framer: Creation, management and hosting of website components. Service provider: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands. Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Providers and Services Used in the Course of Business
As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers in compliance with legal requirements. Their use is based on our interests in the proper, legal and economic management of our business operations and internal organization.
DATEV: Software for accounting, communication with tax advisors as well as authorities and including document storage. Service provider: DATEV eG, Paumgartnerstr. 6–14, 90429 Nürnberg, Germany. Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Contact
If you have questions about this privacy policy or wish to exercise any of your rights, please contact us:
Smart Media GmbH
Königstraße 27
70173 Stuttgart
Germany
E-mail: info@myhealthcarebroker.de
Phone: +49 711 96 98 17 20