Version: 27.10.2021 – This page is updated at irregular intervals. In order to ensure optimum transparency, we therefore recommend that you frequently visit this page.
The following provides information about how your personal data is handled when using our application and about your rights in this regard.
Important: The care provider is solely responsible for medical questions. They are the ones to contact if you have not received the email (link to the patient app) or SMS (token), not even in your spam folder. Please also take note of the data protection information provided by your care provider.
Table of contents
2. Purpose, type, legal basis and scope of data processing
3. Data recipients
4. Preservation of your rights as a "data subject" within the meaning of data protection law
5. Contact for further questions about the app
6. Affiliated partner data protection information
The care provider (doctor’s office, clinic, other medical facility) is responsible for processing your personal and medical data.
As a user of the application, you are jointly responsible for ensuring that no unauthorized person can gain access to the data or device you are using
What is your data needed for and "are they allowed to do that"?
The application enables the care provider to provide you, as a patient, with important information (on treatment, stay, etc.) in a modern electronic form, regardless of location or system, and to collect relevant data at an early stage and to incorporate it into the treatment process in order to initiate this and other relevant processes. The use of the patient app is voluntary. After the data on your device has been transmitted to the care provider, your previously recorded data will be deleted immediately. Incomplete data that you do not transmit to the care provider will be deleted after a maximum of 14 days.
The patient app is a progressive web app. It is opened independently of an app store via a personal link sent on the especially secure Microsoft Azure Public Cloud (“Azure”) on the private device selected by the patient in the browser. It is also possible to install the application on the device.
The patient app can only be used if the patient can authenticate themself with the individual link sent to them personally by email and additionally with the token (PIN) sent via SMS.
A time-limited account is created for the patient on the Azure Cloud under a clearly identifiable identification number ("UUID") as a pseudonym. This ensures that only the authorized patient can log into the app and see and edit the information/data relevant to them.
The entire data processing in the Azure Cloud takes place on the basis of the UUID pseudonym and does not allow any conclusions to be drawn about the person. For even more security, all data except for the UUID is also effectively encrypted according to the current secure standard. Access is only given to the patient themself via the patient app and the care provider after the data has been transmitted to the medical facility.
Your answers will be saved in a separate folder on your chosen private device until you have successfully transferred them to your care provider.
If no transfer takes place, the data will be deleted after 14 days at the latest, as far as this is technically possible via the app (depending on the authorizations on the device). Therefore, please make sure that you are careful in your choice of device. In an Internet café, not only can unauthorized people look over your shoulder, but you usually also have no control over whether your entries are spied on in the background or whether they can actually be deleted afterwards.
Your data is encrypted depending on the type of information and stored in separate databases on Azure based on your UUID. As soon as they have been completely and successfully transferred to your care provider (usually daily, depending on the configuration of your care provider’s system), they are automatically deleted by Azure.
Further processing of the data (review and completion in consultation with the doctor) takes place exclusively within your care provider’s system. To do this, it is saved in the patient's medical history. In addition, the data is archived as a PDF.
Logs and evaluations take place automatically in the background in the patient app, in the care provider’s system, and on Azure. This information is required by care providers and developers to ensure proper operation, to improve user-friendliness, to optimize the system, to defend against attacks and for verification purposes. A direct personal reference is not of concern. Even if, for example, the IP address of the connection used is contained in such log files by default, no possible inference about the data subject can be made. Azure only receives pseudonymized encrypted data.
Use of the app is free and voluntary.
We collect, save and use personal data only to the extent permitted. As the application developer, we follow the data protection principle of data minimization and avoid the processing of personal data as much as possible. Therefore, Thieme Compliance GmbH is not a processor in the traditional sense.
Subsequent recipients can receive or process data by using the app. Remember that you have an influence on this yourself and should conscientiously take responsibility for any especially sensitive data
Your care provider will receive the data required for the contractually agreed treatment directly from you via the patient app. The data is encrypted and transmitted to the care provider via the Azure cloud interface and only decrypted in their system for further processing.
As a patient, you will receive an email with the link to download and use the patient app. An access code is also sent via SMS. Both components are required for 2-factor authentication, without which the app cannot be used.
If possible, please be sure to use your own device, on which you can control and, above all, restrict access to and delete your data. Otherwise you may allow unwanted third parties (household members, Internet café operators, etc.) to access your medical history.
Only care providers can make use of our support in the event of technical problems. The patient app is not supported.
Either the care provider’s email server or a German email provider is used to send the link to the patient app.
The token is sent by SMS from the carefully selected German service provider SMS77 to the mobile number provided by the patient.
In the event of exceptional technical problems from the care provider, we use our development specialists. In individual cases, the personal or health data processed here may be required in order to isolate the error and work out a solution.
Data is only transferred when necessary, for a limited period of time, and via a data transfer platform in Germany that specializes in highly sensitive data.
There is no processing of personal data outside the European Union (EU) or the European Economic Area (EEA) and such is not planned, unless otherwise expressly described below. At Microsoft Azure, we use servers in the EU; according to Microsoft, this should become standard for all of their servers from autumn 2022. In addition, all data is transferred to Azure only using a pseudonym and is also effectively encrypted. Due to a strict separation of the functionalities, only a subset of the data is available at any time.
We do not pass on your data to unauthorized third parties and of course we do not sell it.
As a rule, the provider of your device or your telecommunications provider offers you the option of a backup in their cloud, if this option is activated on your device. Elements of the operating system or other installed apps usually also collect data about you, your location, apps used, search terms or even usage and communication data in the background. This is especially true for services with artificial intelligence such as voice assistants (Siri, Alexa, etc.). Please check the provider information and regularly check the data protection settings on your device.
In accordance with the requirements of the GDPR with regard to the products and services that we offer on the European (German) market, we offer a variety of approaches for the corresponding data protection–compliant technology design and data protection–friendly default settings, as far as this – for example with regard to the integration in the care provider’s system – is possible.
The effectiveness and sustainability of the data protection measures we have implemented are ensured by management (as the responsible party), data protection and compliance (standardized procedure for the continuous optimization of our data protection level), as well as by external experienced data protection specialists.
When you contact us, for example by email or telephone, we save and use your information to process your request and as part of our retention and verification obligations. If your request also concerns the care provider, we are obliged to forward it to the responsible party if there is a specific need for action so that they can fulfill their obligations.
Your care provider and their data protection officer are responsible for processing your patient data. Thieme Compliance is only responsible for the technical data of the app itself and can only provide you with information on this.
Thieme Compliance GmbH, Am Weichselgarten 30a, 91058 Erlangen
Telephone: +49 9131 93406-40, email: firstname.lastname@example.org
You can find our detailed data protection information and the latest version of this document at www.thieme-compliance.de/datenschutz. Our Data Privacy Officer (DPO) Ms. Blossey will be happy to answer any further data protection concerns you may have regarding the app, most conveniently by email at email@example.com.
You can exercise your right to lodge a complaint with any supervisory authority regarding data processing by your care provider (medical facility) that is not in compliance with data protection regulations.
Adesso SE (development & testing):
EcpliseSource Group (Entwicklung & Test):
Here you can find the data protection information of the patient app as a download.