Declaration of Consent for Data Protection Regarding the Preventicus Heartbeats App
I may revoke my consent for the future at any time. However, the revocation of my consent does mean that contractual use of the PREVENTICUS Heartbeats app or Telecare Centre is no longer possible. Processing on a statutory basis cannot be ruled out either if consent is revoked.
Additional data protection regulations may apply for certain categories of data processing, e.g. if you are using the PREVENTICUS Heartbeats app to take part in a study or a telemedical care programme of your health insurance.
The PREVENTICUS Heartbeats app is a medical product classified for the European Economic Area, which complies with the basic requirements of Guideline 93/42/EEC and its national implementations.
For more information, please refer to the Terms and Conditions of Use.
PREVENTICUS will process your personal data confidentially and strictly for specific purposes. Your health data will exclusively be processed on servers in Germany.
I. Who is responsible for data processing and who should I contact?
Responsible in terms of the General Data Protection Regulation (GDPR) is:
You can contact our Data Protection Officer by means of the above contact details or by email at email@example.com
II. What are personal data?
Personal data is information that can identify someone or that can be used to contact someone, such as an e-mail address.
We do not need your name or any other contact details from you for you to use the PREVENTICUS Heartbeats app, but we save your data without a name reference (pseudonymised) on our systems from the start.
The PREVENTICUS Heartbeats app is therefore not used to process any personal data that can be directly attributed to you. PREVENTICUS cannot identify or individually contact any unregistered users based on the data generally saved in PREVENTICUS Heartbeats.
III. What kind of data do we collect?
III.a Health data
You can use the PREVENTICUS Heartbeats app to take measurements of your own pulse using your smartphone and document them with the app. The PREVENTICUS Heartbeats app then uses the information provided to help automatically detect and classify arrhythmias (extrasystoles, atrial fibrillation), provided sufficiently accurate and valid measurements are available (“health data”). Your heart rhythm and pulse waves will be stored on our servers.
III.b Sensor data
In addition to the classification of the measurements, not only your smartphone’s camera but also other sensor data are used for and added to the measurements. This is done to ensure that any movements that could impair the measurement result are taken into account.
As a result of your registration, your licence can be transferred regardless of the operating system you are using and your measurement data can be reproduced if you change or lose your smartphone. It also enables you to take part in a care programme or medical study.
III.c Other data you communicate to us
We generally require neither your name nor any other personal contact data from you, but save your data initially without a name reference (anonymously) on our systems. Processing takes place solely on servers in Germany.
You do, however, have the possibility to add your name and, in a free-text field, store the reason for the measurement or symptoms (heart palpitations, dizziness, irregular heartbeat, chest pains, etc.) for personal purposes in stored PDF reports, for instance to be used for assistance when forwarding the information to your physician. In your user profile you can also state your sex and year of birth, thus enabling us to better assess your measurement results.
If you would like to register with us, please communicate your e-mail address and a password set by you. Optionally, you can assign a user name, state your name and enter a promotional code in the field ‘ID health partner’.
Your data will then be saved in a pseudonymised manner. This means that your personal data is stored in encrypted form in a separate database from your health data and can be assigned if necessary. Processing takes place solely on servers in Germany.
Registration enables the transfer of your licence irrespective of the operating system and the recovery of your measurement data, should you change or lose your smartphone.
III.e Interoperability option
PREVENTICUS Heartbeats may be opened and used for heart rhythm measurements by dedicated medical applications. In this case, PREVENTICUS Heartbeats performs its measurements with subsequent pseudonymised data analysis on servers hosted in Germany. The pseudonymised results are securely transferred back to the dedicated medical applications. In this scenario, PREVENTICUS Heartbeats does not receive any personal data from the dedicated medical applications except those necessary for data analysis (age and gender). Only the dedicated medical applications connected to PREVENTICUS Heartbeats may be able to merge pseudonymised measurement results from PREVENTICUS Heartbeats with potentially personal user data derived in the dedicated medical applications. PREVENTICUS Heartbeats is an independent medical application. When using the interoperability option, please refer to the privacy notices of the third-party compatible medical app you are using.
PREVENTICUS has no influence on any further processing of your measurement results in these third-party medical applications.
List of dedicated medical applications being interoperable with PREVENTICUS Heartbeats:
- mAFA. Mobile Health Technology for Atrial Fibrillation Management Integrating Decision Support, Education, and Patient Involvement: mAF App Trial
- MAFA and its connected application are a scientific project in mainland China led by Prof. GUO YUTAO (301 hospital Beijing, PRC).
- UKSH App: Health Hub (IBM Project Electronic Health Record)
III.f. General data we collect regarding the use of our app
Heartbeats uses Google Analytics for Firebase and Firebase Crashlytics services based on your consent. We use these services to collect statistically aggregated data on app usage, especially in relation to system crashes and errors (Firebase Crashlytics) for error detection and correction, as well as certain user-triggered events (Google Analytics for Firebase) for the optimisation of our app. Please note that Google may also transfer data to the USA. With your consent, you also agree to such transfers in accordance with Art. 49 (1) sentence 1 lit. a GDPR. In particular, there is a risk that your usage data may be processed by US authorities for control and monitoring purposes, possibly without any legal remedy. We have entered into a data protection agreement with Google LLC, including so-called standard contractual clauses. These are intended to guarantee an adequate level of data protection for data subjects affected by processing in insecure third countries, in particular legally binding and enforceable rights. For more information, including to request a copy of the documents used to protect your data, please contact us.
For Crashlytics, information is collected about the device (including the UUID and anonymised IP address), the app version installed, and other information, mainly related to the user’s software and hardware. For Analytics, when the user performs a certain action, an identifier corresponding to the event, the instance ID of your terminal device, is sent to Google. The usage and device data is aggregated and analysed exclusively in pseudonymised form by Google LLC as our order processor. Your data will not be passed on to third parties.
You can deactivate the analysis service Firebase Crashlytics and Firebase Analytics of Google LLC at any time and thus revoke your consent to the collection of this data with effect for the future. To do so, open the settings (cogwheel in the top right-hand corner) and click on “Deactivate”.
Insofar as you participate in a care programme used via Heartbeats that your health insurance company jointly organises with us, among others, data collection by Firebase Crashlytics and Google Analytics for Firebase will be deactivated by us at the start of the contract of the respective care programme and reactivated after termination.
Furthermore, the Firebase Cloud Messaging service by Google Inc. will be used for the Android app, as well as the Apple Push Notifications service for the iOS app, to send push notifications or so-called in-app messages (messages that are shown exclusively inside the app) to your device. During this process, Firebase and Apple generate a calculated key that consists of the app identifier and your device identifier. This key will be stored on our push platform with configured settings to provide you with the information of your choosing. The Firebase or Apple server cannot draw any conclusions regarding the user's app behaviour or collect any other data that is associated with your person. Firebase and Apple are only utilised as a message transmitter.
Push notifications can be disabled in your device's operating system settings at any time. We do not process any personal data in relation to push notifications.
III.f.3. Scientific research purposes
For scientific research purposes, we process the IP address for the anonymous classification of your residential district, as well as further statistical data, such as age and gender.
IV. Data processing for payment processing when using the full version
If you would like to use the full version, your app store operator will exclusively process your payment details for handling your purchase. Your contact and payment data is not communicated to us. Please observe the data protection provisions and user regulations of your respective app store operator, Apple App Store and Google Play Store.
V. Where do we store your personal data?
By using this app, in accordance with your consent to the use of Google Analytics for Firebase and Firebase Crashlytics, data will be transferred to countries outside the European Economic Area (“EEA”). No adequacy agreement with the European Union exists for those countries, because they have no comparable data protection regulations (so-called third countries). All other data is processed exclusively in data centres in Germany.
VI. To what end do we process your data (purpose of processing) and on which legal basis?
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
VI.a to meet contractual obligations (Art. 6 (1) (b) GDPR)
PREVENTICUS processes contractual information in relation to accounts in order to allocate and provide you and other providers with the contractually agreed services as well as ensure all information reaches the correct recipients.
We store and anonymise your measurements and the evaluations and health values we have created in this respect for scientific and statistical purposes and for the continuous improvement of the app and measurement systems, without prejudice to the cancellation or termination of your account. PREVENTICUS will also delete the link to the account forever. The data will be anonymised in such a way that the pertinent individuals cannot or can no longer be identified.
VI.b to process personal health data based on your consent (Art. 6 (1) (a) GDPR, Art. 9 (2) (a) GDPR)
Based on your consent, we process your health data to detect arrhythmias (extrasystoles, atrial fibrillation) and to classify the results in an analysis report for your information.
VI.c to exercise or defend legal claims (Art. 9 (2) (f) GDPR)
Where necessary, we will process your data for the establishment, exercise or defence of legal claims.
VI.d. within the framework of the balancing of interests (Art. 6 para. 1 lit. f GDPR in conjunction with § 27 BDSG)
Within the scope of our legitimate interests, we will store and anonymise your measurement series and related evaluations or health data for scientific purposes. For this purpose, PREVENTICUS will finally delete the allocation to the account. In addition, we process the IP address for the anonymous classification of your district of residence as well as other statistical data such as age and gender, if available. The data is thus anonymised in such a way that the persons concerned cannot be identified or can no longer be identified.
VII. Who is my personally identifiable data transferred to?
In general, only those persons within PREVENTICUS have access to this data who require it for the fulfilment of our contractual or, if applicable, legal obligations. Service providers and vicarious agents deployed by us may also receive data for these purposes. This specifically applies to our ISO27001-certified hosts.
Beyond this we do not communicate your personal or personally identifiable data to third parties.
You are free to communicate the analyses generated via the app (menu option Report) to third parties.
Accordingly, we do not communicate your personal or personally identifiable data to third parties without your explicit previous consent.
VIII. Is the provision of the personal data legally or contractually stipulated?
You are under no obligation to provide us with the above-mentioned personal data via the website.
IX. How long is my data stored for?
We generally process and save your personal data as long as is necessary for the fulfilment of the purpose or as far as is legally required.
X. Your rights as an affected person
Each person affected by our personal data processing has the right of access in accordance with Article 15 GDPR, the right of rectification in accordance with Article 16 GDPR, the right to deletion in accordance with Article 17 GDPR, the right to the limitation of processing in accordance with Article 18 GDPR, the right of opposition from Article 21 GDPR as well as the right of data portability from Article 20 GDPR. In the case of access and deletion rights, the limitations according to §§ 34 and 35 of the German Federal Data Protection Act (BDSG) shall apply. Furthermore, a right to appeal to a data protection authority exists in accordance with Article 77 GDPR in conjunction with § 19 of the German Federal Data Protection Act (BDSG).
Except in the case of registered users, PREVENTICUS is unable to identify users. Due to the lack of sufficiently identifiable characteristics, PREVENTICUS is unable to allocate the health data to a non-registered user. In these cases, Articles 15 to 20 do not apply.
X.I. Information regarding your right of opposition in accordance with Article 21 GDPR
X.I.I. Individual right of opposition
You have the right, for reasons resulting from your particular situation, to file an opposition at any time against the processing of your personal data, which has taken place based on Article 6 par. 1 f GDPR (data processing based on a balancing of interests); this also applies, where relevant, to a profiling based on this provision within the meaning of Article 4 par. 4 GDPR. See in particular section 3.4.
If you file an opposition, we will no longer process your personal data, unless we can present proof that compelling protection reasons for processing exist that outweigh your interests, rights and freedoms, or that processing serves the assertion, execution or defence of legal claims.
If you oppose the processing for purposes of direct advertising, we will no longer use your personal data for these purposes.
X.I.II. Revocation of consents granted
You can revoke a consent granted to us at any time.
This also applies to the revocation of declarations of consent granted to us prior to the validity of the EU General Data Protection Regulation, meaning prior to 25 May 2018. The legality of the processing performed based on the consent until the time of revocation shall not be affected by the revocation of the consent.
X.I.III. Implementation of the opposition or revocation of consent granted
Opposition can take place informally and can be performed, for instance:
- by clicking on Unsubscribe in the bottom section of an e-mail message (newsletter);
- by using our contact form under contact for your opposition;
- by means of written notification to the address stated in section 1
- by telephone via the number +49 (0) 3641 / 55 98 45 – 0
- or by sending an e-mail to firstname.lastname@example.org
- In order to unsubscribe from receiving e-mails or other advertising materials, you can also follow the instructions given in the respective notification.
Please contact the Data Protection Officer directly with regard to your data protection rights.
Right of modification
PREVENTICUS is entitled to modify the data protection declaration at any time and, in particular, to adjust it to amendments in the legal situation brought about by law or legislation. The respectively most recent version can be accessed and viewed at this point. Amendments to the data protection provisions shall come into effect at this point upon the day of their publication.
Jena, June 24, 2021