Responsible body for processing according to GDPR/DSGVO
The responsible body within the meaning of the General Data Protection Regulation and other data protection laws applicable in the member states of the European Union and other regulations with data protection character (Schengen Data Protection Act, SDSG) is:
Together hereinafter referred to as "docjo", a 100% subsidiary of docdok.health Ltd.
Data protection officer: Nils Möllers, Keyed GmbH
2 What is personal data?
The term personal data is defined in the Federal Data Protection Act (BDSG), the Schengen Data Protection Act (SDSG) and in the European General Data Protection Regulation (EU-GDPR). Accordingly, these are individual details about personal or factual circumstances of an identified or identifiable natural person. This includes, for example, your civil name, your address, your telephone number or your date of birth. When using the app, special personal data is also collected, such as illness data. For this purpose, docjo takes increased measures to ensure that an adequate level of protection in accordance with Art. 32 GDPR is guaranteed.
3 Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 Para. 1 lit. a) GDPR and Art. 9 Para. 2 lit. a) GDPR serve as the legal basis for the processing of personal data.
In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Article 6, paragraph 1 lit. b GDPR applies as the legal basis. This also applies to processing operations which are necessary to carry out pre-contractual measures or which are required for support requests.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR applies as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 Para. 1 lit. d) GDPR is the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f) GDPR applies as the legal basis for processing.
4 What data is collected for specific purposes?
docjo collects, stores and processes data which you provide to docjo or which you transfer by using and registering the app. We process the following personal data for the purpose of communication & processing on the basis of Art. 6 Para. 1 lit. b) GDPR:
Pseudonym / Nickname;
Date of birth;
Name of doctor / hospital;
Consent to receive notifications;
Text input in chat, answers to questions in chat
We process the following personal data for the purpose of analyzing user behavior, optimizing the app and troubleshooting on the basis of Art. 6 Para. 1 lit. f) GDPR:
Meta/communication data, e.g. duration and frequency of visits, device information, operating system, IP addresses, server log files.
Data on app usage (including data on information viewed);
Communications with us via phone, email, text messages (SMS, push notifications, etc.).
Individualized and person-related or anonymous and group-related recognition, classification and analysis of current and potential user needs and user interests;
Individualized and personal or anonymous and group-related classification and analysis of user potential;
For example, we process special personal data for the purpose of providing functionalities of the App based on Art. 9 Para. 2 lit. a) GDPR:
General health state;
Past medical history
Family medical history
Physical activity habits
5 Disclosure to Third Parties
All data is hosted in Germany by a specialized server hosting company. The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services which we use for the purpose of operating the docjo system. The processors for hosting services are:
NETWAYS GmbH, Deutschherrnstr. 15-19, 90429 Nürnberg, Germany
sms.at mobile internet services GmbH, Brauquartier 5/13, 8055 Graz, Austria
The legal basis for this processing is the consent according to Art. 6 Para. 1 lit. a) GDPR.
Duration of Data Storage
The data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. Furthermore, the data will be deleted if you revoke your consent or request the deletion of your personal data.
Further data protection information via link
More Information about NETWAYS and data protection can be found here:
More Information about websms and data protection can be found here:
Further information on Google Firebase and data protection can be found here: https://www.google.com/policies/privacy/
More information about Apple and data protection can be found here: https://www.apple.com/privacy/
5.2 Disclosure for scientific purposes
We pseudonymize or anonymize your personal data according to suitable technical and organizational measures in accordance with Article 32 Paragraph 1 lit. a) GDPR, so that no conclusions can be drawn about your person. Disclosure for scientific purposes primarily relates to the following data (not exhaustive):
• information on general health;
• information on well-being;
• Information on health problems and complaints;
• Information on specific illnesses (high cholesterol, diabetes, COPD etc.);
• information on professional activities;
• information on sporting activities;
• information on diet and allergies;
• Information on previous treatments and stays in hospitals;
• Information on family health conditions and illnesses;
• Information on drugs used.
This anonymized data can be aggregated and forwarded to research institutes, universities and clinics. Our legal basis for this is formed from Article 6 Paragraph 1 lit. f) GDPR, as docjo has a legitimate interest in the improvement and anonymized evaluation of the data-supported results.
6 Your rights as a data subject
Should your personal data be processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:
6.1 The right to information
You may request confirmation from the data controller as to whether we are processing or have processed personal data concerning you.
In the event of such processing, you may request the following information from the data controller:
the purposes for which the personal data is being processed;
the categories of personal data being processed;
the recipients or categories of recipients to whom your personal data has been or will be disclosed;
how long we plan to store your personal data, or, if specific information in this respect is not possible, our criteria for determining the retention period;
the existence of a right to rectification or erasure of your personal data, a right to have the processing limited by the controller or a right to object to such processing;
the existence of a right to appeal to a supervisory authority;
all available information on the origin of the data, if the personal data is not being collected from the point of access of the data subject;
the existence of automated decision-making, including profiling, in accordance with Art. 22 Para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information regarding whether your personal data will be transmitted to a third-party country or an international organization. In this regard, you can request the appropriate guarantees in accordance with Art. 46 of the GDPR in relation to the transmission.
6.2 Right to correction
You have a right of rectification and/or integration vis-à-vis the controller if the personal data processed concerning you is incorrect or incomplete. We are required to make the correction immediately.
6.3 The right to restrict processing
Under the following conditions, you may request that the processing of your personal data be restricted:
if you dispute the accuracy of your personal data for a period that allows the person responsible to verify the accuracy of the personal data;
the processing is unlawful and you refuse to delete the personal data and instead request the restriction of the use of the personal data;
the data controller no longer needs the personal data for the purposes of the processing, but you need it in order to assert, exercise or defend legal claims, or
you have objected to processing pursuant to Art. 21 Para. 1 GDPR and it has not yet been determined whether the justified reasons of the person responsible outweigh your reasons.
If the processing of your personal data has been restricted, such data, apart from being stored, may be processed only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
6.4 The right to deletion
You may request that your personal data be deleted immediately by the person in charge, and the person in charge is obliged to delete this data immediately if one of the following reasons applies:
The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
You revoke your consent on which the processing is based pursuant to Art. 6 Para. 1 lit. a) or Art. 9 Para. 2 lit. a) GDPR, and there is no other legal basis for the processing.
You object to the processing in accordance with Art. 21 Para. 1 GDPR and there are no legitimate reasons for the processing, or you object to the processing in accordance with Art. 21 Para. 2 GDPR.
The personal data concerning you have been processed unlawfully.
The deletion of personal data concerning you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
The personal data concerning you has been collected in relation to information society services offered pursuant to Art. 8 Para. 1 GDPR.
If the responsible person has made your personal data public and is obliged to delete it in accordance with Art. 17 Para. 1 GDPR, they shall take reasonable measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested them to delete all links to these personal data or copies or replications of these personal data.
The right to deletion does not exist insofar as the processing is necessary
to exercise the right to freedom of expression and information;
to comply with a legal obligation requiring processing under Union or national law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the field of public health in accordance with Art. 9 Para. 2 lit. h and i, as well as Art. 9 Para. 3 GDPR;
for the purposes of archiving, the purposes of scientific or historical research, or statistical purposes which fall within the public interest in accordance with Art. 89 Para. 1 GDPR, insofar as the exercise of the right specified in para. 1 GDPR is likely to make impossible or seriously prejudice the achievement of the purposes of such processing; or
to assert, exercise or defend legal claims.
6.5 The right to information
If you have asserted the right to rectification, erasure or restriction of processing against the data controller, they are obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed as to these recipients by the data controller.
6.6 The right to data portability
You have the right to receive your personal data, which you have provided to the responsible person, in a structured, common and machine-readable format. Moreover, you have the right to transmit this data to another data controller without any obstruction from the data controller to whom the personal data has been given, if
the processing is based on your consent in accordance with Art. 6 Para. 1 lit. a) GDPR or Art. 9 Para. 2 lit. a) GDPR or on the basis of a contract in accordance with Art. 6 Para. 1 lit. b) GDPR and
the processing is carried out using automated procedures.
In exercising this right, you also have the right to obtain that your personal data be transferred directly from one responsible party to another, as far as this is technically feasible. The freedoms and rights of other persons may not be affected by this.
The right to data transferability shall not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6.7 The right to object
You have the right to object at any time, for reasons connected with your specific situation, to the processing of your personal data, which is carried out in accordance with Art. 6 Para. 1 lit. e) or f) GDPR; this also applies to profiling based on these provisions.
The person responsible will no longer process your personal data unless he/she can demonstrate compelling reasons for processing which are worthy of protection and which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.
If your personal data are processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing, including profiling, insofar as it is connected with such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by means of automated procedures using technical specifications.
6.8 The right to revoke consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. Withdrawing consent does not affect the legality of processing carried out based on consent before its withdrawal.
6.9 Automated decision in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects in relation to you or significantly affects you in a similar way. This does not apply if the decision:
is necessary for either the conclusion or performance of a contract between you and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 of the GDPR, unless Art. 9 para. 2 lit. a) or g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.
With regard to the cases mentioned in a. and c., the responsible person shall take appropriate measures to protect the rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person from the responsible person, to present his or her point of view and to challenge the decision.
6.10 The right to file a legal complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of suspected infringement, if you consider that the processing of your personal data is in breach of the GDPR.
The supervisory authority to which the complaint is submitted informs the complainant about the status and results of the complaint, including the possibility of a judicial remedy in accordance with Article 78 GDPR.
7 User surveys for product optimization
Our aim is to ensure that users feel maximum satisfaction when using our digital solutions. As developers, we rely on receiving direct feedback from our users. For this purpose, information about suggestions for improvement, bugs or malfunctions and other functions is usually included. As a rule, information about the product is primarily collected, but this information is linked to your user data, so that personal data must be processed.
Our legal basis for contacting us to participate in a feedback conversation or a feedback form is formed by Art. 6 Para. 1 lit. f) GDPR. The data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. Furthermore, the data will be deleted if you request the deletion of personal data (information from the surveys).
8 Integration of other third-party services and content
Our app and related communications (e.g. emails) may contain links to third-party websites. However, we have no influence on information and offers on third-party websites. We also cannot influence how third-party providers handle the data collected on their own websites. We are therefore not responsible for the compliance with data protection and other legal regulations by third-party providers with links in the app or related communication. If you have any questions about this, please contact these third party providers directly.
9 Duration of the storage of personal data
Personal data is stored for the duration of the respective legal retention period. After the deadline has expired, the data will be routinely deleted, unless there is a need to initiate or fulfill a contract.
We have taken extensive technical and operational precautions to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our safety procedures are regularly checked and adapted with the latest technological advancements. In addition, we guarantee data protection on an ongoing basis through constant auditing and optimization of our data protection organization.
docjo reserves all rights to make changes and updates to this data protection declaration. This data protection declaration was created on December 3, 2020 by Keyed GmbH.