Privacy policy

The protection of your personal data is a high priority at gematik. Personal data is only collected and processed on this website to the extent that is technically necessary. The provisions of data protection laws are adhered to as a matter of course. This privacy policy informs you about the processing of your personal data in connection with the use of this website.

Name and address of the data controller

The data controller as defined by the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

gematik GmbH
Friedrichstraße 136
10117 Berlin

Data protection officer

The contact details of the data protection officer at gematik are:

gematik GmbH
Data protection officer
Friedrichstraße 136
10117 Berlin

Email: datenschutz@gematik.de

General information on data processing

Scope of the processing of personal data

As a rule, we only process personal data concerning our users insofar as this is necessary to provide a functional website and to supply our content and services. Our users’ personal data is generally only processed with the specific user’s consent. An exception applies in those cases in which prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.

Legal basis for the processing of personal data

If we obtain the consent of the data subject for the processing of personal data, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When personal data is processed for the purpose of fulfilling a contract to which the data subject is a party, Article 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to perform pre-contractual measures.

Where the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6 (1) (d) GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

Data deletion and storage duration

The data subject’s personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the data controller is subject. The data will also be blocked or deleted if a storage period prescribed by the specified rules expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

Data protection in the application process

Description and scope of data processing

The following information describes which data, including personal data, gematik processes on this website for the application process. Information that you enter on this website is processed on systems by the service provider Heroes commissioned by gematik. The service provider provides hosting services for the application process. It has no access to your personal data.

As part of the application process, gematik collects information including the following types:

  • Contact information (e.g. name, postal address, email address)
  • Nationality and age
  • Academic and professional qualifications, skills and competencies
  • CVs, letters of reference, certificates of study and other documents that accompany job applications
  • Information on professional career
  • Information on previous job applications
  • Your answers to job-specific questions
  • Information on how you found out about our vacancies
  • Other information that you voluntarily provide to gematik via this website

Legal basis for data processing

The legal basis for the processing of the data is section 26 (1) German Federal Data Protection Act (BDSG) for the establishment of an employment relationship.

Purpose of data processing

gematik uses the information you provide on this website for the following purposes:

  • To assess your qualifications for the desired position
  • To process your application
  • To notify you of or consider you for future vacancies that may be of interest to you (if you give us permission to do so)
  • To support any offers about employment at gematik or your induction in the company
  • As the basis for your personnel file
  • As a means of contacting you and requesting further information from you (if necessary)
  • To comply with the relevant legal provisions and gematik’s company guidelines

gematik will pass on the information recorded in the application process to the departments within gematik responsible for processing your application for the purposes described in this privacy policy.

Storage duration

The data of unsuccessful applicants will be automatically deleted after six months, unless consent has been given for a longer storage duration.

Objection and removal option

On request, we will also provide you with access to information about the data stored about you at any time or delete this immediately if you want to withdraw your application. If necessary, address your request to our company data protection officer. You will find their contact details at the beginning of this privacy policy. You will find a complete overview of your rights in our supplementary document “Rights of the data subject” at the end of this privacy policy.

Provision of the website and creation of log files

Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system from which the access is made.

The following data is collected:

  • Information about the browser type and the version used
  • IP address of the user
  • Date and time of access

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6 (1) (f) GDPR.

Purpose of data processing

The system needs to temporarily store the user’s IP address to enable the website to be delivered to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session. Storage in log files ensures the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our IT systems. The data is not evaluated for marketing purposes in this context. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR.

Storage duration

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Where data is collected for the provision of the website, this happens when the respective session has ended. If the data is stored in log files, this happens after seven days at the latest. Storage beyond such periods is possible. In this case, the users’ IP addresses are deleted or pseudonymised so that they can no longer be assigned to the client making the access.

Objection and removal option

The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

Use of cookies

a) Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user accesses a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be clearly identified when the website is accessed again. We use cookies to make our website more user-friendly. Some elements of our website require that the browser making the access can also be identified after moving to a different page. Login information is stored and transmitted in the cookies. The storage of cookies can be prevented in the browser settings.

b) Legal basis for data processing

The legal basis for the processing of personal data using cookies is Article 6 (1) (f) GDPR.

c) Purpose of data processing

The purpose of using technically required cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. This requires the browser to be recognised even after moving to another page. The user data collected by technically required cookies is not used to create user profiles. These purposes also constitute our legitimate interest in the processing of personal data in accordance with Art. 6 (1) (f) GDPR.

d) Duration of storage, objection and removal option

Cookies are stored on the user’s computer and transmitted to our site from there. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website to their full extent.

e) Use of Matomo

Data is collected and stored on this website using the web analysis software Matomo (www.matomo.org), a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (“Matomo”), on the basis of our legitimate interest in statistical analysis of user behaviour for optimisation purposes in accordance with Art. 6 (1) (f) GDPR. This data enables pseudonymised usage profiles to be created and evaluated for the same purpose. Cookies may be used for this purpose. Cookies are small text files that are stored locally in the cache of the page visitor’s Internet browser. Among other things, the cookies enable the Internet browser to be recognised. The data collected with Matomo technology (including your pseudonymised IP address) is processed on our servers.

The information generated by the cookie in the pseudonymised user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym.

If you do not agree to the storage and evaluation of this data from your visit, you can object to the storage and use at any time with a click of the mouse. In this case, an “opt-out cookie” is stored in your browser, which means that Matomo does not collect any session data. Please note that if you completely delete your cookies, the opt-out cookie will also be deleted and you may have to reactivate it.

f) Use of Vimeo plugins

We use Vimeo for the integration of videos, among other services. Vimeo is operated by Vimeo, LLC with headquarters at 555 West 18th Street, New York, New York 10011.

We use plugins from the provider Vimeo on some of our websites. If you access the Internet pages of our website with such a plugin, a connection to the Vimeo servers is established and the plugin is displayed. This will tell the Vimeo server which of our websites you have visited. If you are logged in as a member of Vimeo, Vimeo will assign this information to your personal user account. When using the plugin, for example by clicking the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the relevant Vimeo cookies.

Further information on data processing and information on data protection by Vimeo can be found at: https://vimeo.com/privacy

g) Use of YouTube plugins

We use YouTube for videos that explain our work and our products. YouTube has its own cookies and its own privacy policy over which we have no control.

We use YouTube in enhanced privacy mode to restrict YouTube’s use of cookies. Depending on your browser’s parameters, certain elements can nevertheless be saved on your computer.

You have to accept these cookies before you can watch the videos.

If you have configured your browser in such a way that no third-party cookies are accepted, these elements will not be saved.

To protect your data, we notify you of this before external content from third-party providers is displayed and data is transferred. You can then consent to the data transfer and display the content with a click (called the “two-click solution”).

Contact form, email contact and press mailing list

Description and scope of data processing

Contact forms are available on our website that can be used to contact us electronically. If a user makes use of this option, the data entered in the input form will be transmitted to us and saved. Your consent to processing of the data is obtained as part of the transmission process and reference is made to this privacy policy.

Alternatively, you can contact us using the email address provided. In this case, the user’s personal data transmitted with the email will be saved.

In this context, the data will not be passed on to third parties. The data will only be used to process the conversation.

Legal basis for data processing

If the user has given their consent, the legal basis for processing the data is Article 6 (1) (a) GDPR.

The legal basis for the processing of the data transmitted in the course of sending an email is Article 6 (1) (f) GDPR. If the aim of the email contact is to conclude a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.

Purpose of data processing

We process the personal data from the input form solely to enable us to process the contact. If you contact us by email, the necessary legitimate interest in processing the data also applies.

The other personal data processed during the sending process helps prevent misuse of the contact form and ensures the security of our IT systems.

Storage duration

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. As regards the personal data from the input form of the contact form and data sent by email, this happens when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved. The additional personal data collected during the transmission process will be deleted after a period of seven days at the latest. The data for the delivery of the press releases will be deleted as soon as the user has unsubscribed.

Objection and removal option

The user has the option to revoke their consent to the processing of personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time – by email or by post. In such a case, the conversation cannot be continued. In this case, all personal data stored in the course of the contact process will be deleted. The data for the delivery of the press releases will be deleted as soon as the user has stated by email that they no longer wish to receive any further information.

Newsletter

If you would like to receive the newsletter offered on the website, we need an email address from you as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter. Further data is not collected or is only collected on a voluntary basis. We use this data exclusively to send the requested information and do not pass it on to third parties.

Rapidmail

This website uses Rapidmail to send newsletters. The provider is rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i.Br., Germany.

Rapidmail is a service with which the dispatch of newsletters can be organised and analysed, among other things.

The data you enter for the purpose of subscribing to the newsletter will be stored on the Rapidmail servers in Germany. To prevent analysis by Rapidmail, you need to unsubscribe from the newsletter. We provide a link for this in every newsletter message.

Data analysis through Rapidmail

The emails sent with Rapidmail contain what is termed a “tracking pixel” that connects to the Rapidmail servers when the email is opened for analysis purposes. In this way it can be determined whether a newsletter message has been opened.

Further, Rapidmail helps us determine whether and which links are clicked in the newsletter message. All links in the email are what are termed tracking links that enable your clicks to be counted.

You can find more information about the analysis functions of Rapidmail via the following link: https://de.rapidmail.wiki/ategorien/statistiken/.

Legal basis

The data is processed on the basis of your consent (Art. 6 (1) (a) GDPR). You can revoke this consent at any time. The legality of the data processing operations that have already been performed remains unaffected by the revocation.

Storage period

The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe from the newsletter. This does not affect data that we have saved for other purposes. After you have been removed from the newsletter distribution list, your email address may be stored in a blacklist by us or the newsletter service provider in order to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This is both in your interest and in our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). There is no time limit to storage in the blacklist. You can object to the storage provided that your interests override our legitimate interests.

For more information, see the Rapidmail privacy policy at:

https://www.rapidmail.de/newsletter-marketing-dsgvo-und-datenschutz-konform.

Protection of your data with the service provider

We have entered into a contract with Rapidmail in which we oblige Rapidmail to protect the data of our customers and not to pass it on to third parties. This contract can be viewed at the following link:

https://de.rapidmail.wiki/files/adv/muster-aufsdatenverarbeitung.pdf.

Our social media accounts

Data processing by social networks

We maintain publicly accessible profiles on social networks. The individual social networks we use can be found below.

Social networks such as Twitter can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners).

Visiting our social media accounts triggers numerous data protection-related processing operations. Specifically:

If you are logged into your social media account and visit our accounts, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data can also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is recorded, for example, using cookies that are stored on your device or by recording your IP address.

The operators of the social media portals can use the data collected in this way to create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective accounts. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot retrace all processing steps on the social media portals. Depending on the provider, further processing operations can therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

Our social media accounts are intended to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. The analysis processes initiated by the social networks may be based on different legal bases that must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1) (a) GDPR).

Data controller and assertion of rights

If you visit one of our social media sites (e.g. Twitter), we and the operator of the social media platform are jointly responsible for the data processing operations initiated during this visit. In principle, you can exercise your rights (access, correction, erasure, restriction of processing, data portability and complaint) against us as well as the operator of the respective social media portal (e.g. against Twitter).

Please note that, despite the shared responsibility with the social media portal operators, we do not have full influence over the data processing operations of the social media portals. Our options are largely based on the company policy of the respective provider.

Storage period

The data we collect directly via the social media account will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for storing the data no longer applies. Saved cookies remain on your device until you delete them. This is without prejudice to mandatory legal provisions, in particular retention periods. We have no influence over the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Social networks in detail

Twitter

We use the microblogging service Twitter. The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You can adjust your Twitter data protection settings yourself in your user account. To do so, click the following link and log in: https://twitter.com/personalization.

Details can be found in Twitter’s privacy policy: https://twitter.com/de/privacy.

YouTube with extended data protection

This website integrates videos from YouTube. The operator of the website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. 

We use YouTube in extended data protection mode. According to YouTube, this mode ensures that YouTube does not store any information about visitors to this website before they watch the video. However, extended data protection mode does not necessarily rule out the transfer of data to YouTube partners. Thus, YouTube connects to the Google DoubleClick network regardless of whether you are watching a video.

A connection to the YouTube servers is established as soon as you launch a YouTube video on this website. The YouTube server is told which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

Further, YouTube can save various cookies on your device after launching a video. YouTube can use these cookies to obtain information about visitors to this website. Among other things, this information is used to collect video statistics, improve user-friendliness and prevent attempted fraud. The cookies remain on your device until you delete them. If necessary, further data processing operations over which we have no influence can be triggered after the launch of a YouTube video.

YouTube is used in the interest of presenting our online offers in an appealing manner. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If corresponding consent has been requested (e.g. consent to the storage of cookies), processing takes place exclusively on the basis of Art. 6 (1) (a) GDPR; the consent can be revoked at any time.

You can find more information about data protection at YouTube in their privacy policy at:

https://policies.google.com/privacy?hl=de.

Registration and orders

Description and scope of data processing

We offer users the opportunity to register by providing personal data or to place orders on our website. The data is entered into an input form and transmitted to us and stored. Data is not transferred to third parties. The user’s consent to the processing of the personal data concerned is obtained as part of the registration process.

Legal basis for data processing

If the user has given their consent, the legal basis for processing the data is Article 6 (1) (a) GDPR or Article 6 (1) (b) GDPR for orders.

Purpose of data processing

Users need to register to enable the availability of certain content and services on our website. In the context of orders, the data is used for the purpose of executing the orders.

Storage duration

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is done for the data collected during the registration process if the registration on our website is cancelled or changed. In the context of orders, the data will be deleted after the statutory retention periods have expired.

Objection and removal option

As a user, you can cancel your registration at any time. You can have the stored data concerning you amended at any time.

Audio and video conferencing

Data processing

We use online conference tools for communication with our customers, among other services. The individual tools we use are listed below. If you communicate with us using video or audio conferencing means via the Internet, your personal data will be recorded and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide or enter in order to use the tools (email address and/or your telephone number). The conference tools also process the duration of the conference, start and end (time) of participation in the conference, number of participants and other “context information” in connection with the communication process (metadata).

Further, the provider of the tool processes all technical data that is required to manage the online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker as well as the type of connection.

If content is exchanged, uploaded or made available in any other way within the tool, it is also stored on the servers of the tool provider. Such content includes in particular cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information that is shared while using the service.

Please note that we do not have full influence over the data processing operations of the tools used. Our options are largely based on the company policy of the respective provider. Further information on data processing by the conference tools can be found in the privacy policies of the tools used, which we have listed beneath this text.

Purpose and legal basis 

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 (1) (1) (b) GDPR). Further, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). If consent has been requested, the relevant tools are used on the basis of this consent; the consent can be revoked at any time with effect for the future. 

Storage period

The data we collect directly via the video and conference tools will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for storing the data no longer applies. Saved cookies remain on your device until you delete them. This is without prejudice to mandatory statutory retention periods.

We have no influence over the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

Conference tools used

We use the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Details on data processing can be found in the Microsoft Teams privacy statement: https://privacy.microsoft.com/de-de/privacystatement.

Conclusion of a data processing contract

We have concluded a data processing contract with the provider of Microsoft Teams and fully implement the strict requirements of the German data protection authorities when using Microsoft Teams.