Privacy policy

Collection of General Data and Information
The website of a. ö. Krankenhaus St. Vinzenz Betriebs GmbH collects a series of general data and information every time the website is accessed by an affected individual or an automated system. This general data and information are stored in the server’s log files. The following may be collected: (1) the types and versions of browsers used, (2) the operating system used by the accessing system, (3) the website from which an accessing system arrives at our website (so-called referrer), (4) the sub-webpages accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that serve to protect against dangers in the event of attacks on our information technology systems.

When using this general data and information, we do not draw any conclusions about the affected individual. This information is instead needed to (1) deliver the contents of our website correctly, (2) optimise the contents of our website, (3) ensure the long-term functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the necessary information for prosecution in the event of a cyberattack. The anonymous data of the server log files are stored separately from any personal data provided by you.

Routine Deletion and Blocking of Personal Data
We process and store your personal data only for the period necessary to achieve the purpose of the processing or as required by the European directives, regulations, or other applicable legislation to which we are subject. If the processing purpose ceases or a storage period prescribed by the European directives or another relevant legislator expires, your personal data will be routinely blocked or deleted in accordance with the statutory provisions, unless it is needed for other legal purposes.

Existence of Automated Decision-Making or Profiling
As a responsible organisation, we completely refrain from using automated decision-making or profiling.

Cookies
Our website uses cookies. Cookies are text files that are stored on a computer system via an Internet browser.

The use of cookies enables us to provide you with a user-friendly version of our website, which would not be possible without the use of cookies.

You can prevent the setting of cookies by our website at any time through the appropriate settings of your Internet browser and thereby permanently object to the setting of cookies. Furthermore, already set cookies can be deleted at any time through your Internet browser or other software programs. This is possible in all common Internet browsers. If you deactivate the setting of cookies in your Internet browser, not all functions of our website may be fully usable.

The Privacy Policy of a. ö. Krankenhaus St. Vinzenz Betriebs GmbH is based on the terminology used by the European legislator when enacting the General Data Protection Regulation (GDPR). Our privacy policy aims to be easily readable and understandable for the public, as well as for our patients, employees, and business partners. To ensure this, we would like to explain the terms used.

In this privacy policy, we use the following terms:

• Personal Data
  Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). A natural person is considered identifiable if they can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• Special Categories of Personal Data
  Special categories of personal data refer to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the unique identification of a natural person, health data, or data related to sexual life or sexual orientation.
  

Personal data of special categories is subject to a particularly high level of protection.

Processing

Processing refers to any operation or set of operations performed on personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, alignment or combination, restriction, deletion, or destruction.

Controller or Data Controller

The controller or data controller is the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of processing personal data. If the purposes and means of this processing are determined by Union law or the law of the member states, the controller or the specific criteria for its designation may be provided for by Union law or the law of the member states.

Processor

A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Recipient

A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, whether or not they are a third party. Authorities that may receive personal data in the context of a specific inquiry under Union law or the law of member states are not considered recipients.

Third Party

A third party is any natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorised to process the personal data.

Consent

Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes, given by a statement or other unambiguous affirmative action, by which the data subject signifies agreement to the processing of personal data relating to them.

Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

Profiling

Profiling is any type of automated processing of personal data that involves using this personal data to evaluate certain personal aspects related to a natural person, particularly to analyse or predict aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements of the natural person.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Cookies

Cookies are text files that are stored and saved on a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that allows websites and servers to assign the specific internet browser in which the cookie was stored. This enables visited websites and servers to distinguish the individual browser of the data subject from other internet browsers containing other cookies. A specific internet browser can be recognised and identified via its unique cookie ID.

Name and Address of the Data Controller
The data controller in accordance with the General Data Protection Regulation, other applicable data protection laws in the member states of the European Union, and other data protection-related provisions is:

a. ö. Krankenhaus St. Vinzenz Betriebs GmbH
Sanatoriumstrasse 43
6511 Zams
Austria

Phone: +43 5442 600

Email: office@krankenhaus-zams.at

VAT Identification Number (UID): ATU56346225
Company Registration Number: 228409x
Court of Registration: Regional Court of Innsbruck
Registered Office: Klostergasse 10
Management: Dipl. KH-Bw. Bernhard Guggenbichler

Name and Address of the Data Protection Officer
The data protection officer of the data controller in accordance with the General Data Protection Regulation is:

Ing. Andreas Derndler, LL.M.
Certified Data Protection Officer

a.ö. Krankenhaus St. Vinzenz Betriebs GmbH
Sanatoriumstrasse 43
6511 Zams
Austria

Phone: +43 5442 600

Email: dsb@krankenhaus-zams.at

Name and address of the supervisory authority

Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna

Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

As a data subject affected by the processing of personal data, you have rights granted by the European legislator. These rights are explained in more detail below.

Right to Confirmation

Every data subject affected by the processing of personal data has the granted right to request confirmation as to whether their personal data is being processed. If you wish to exercise this right, you may contact the respective secretariat during regular business hours.

Right to Access

Every data subject affected by the processing of personal data has the granted right to obtain information at any time about the personal data being processed concerning them, as well as a copy of this data.

This information is generally provided free of charge and within one month of the receipt of the request. This period may be extended by an additional two months if necessary, considering the complexity and number of requests. If your request is deemed unfounded or excessive, we reserve the right to either take no action on your request or charge a reasonable fee based on administrative costs.

General information about our processing activities can be found in the respective section.

Important Notice for Patients:

Your right to access under current data protection regulations does not replace your right to review your medical records pursuant to § 9a Tiroler Krankenanstaltengesetz. If you wish to review your medical records or obtain copies of specific documents contained therein, such as discharge letters, surgery reports, nursing discharge summaries, etc., please contact your attending physician or the respective department secretariat during regular business hours.

Applicable to Persons Insured Under the Austrian Social Insurance System:

We would also like to draw your attention to your Electronic Health Record (ELGA), where you can find relevant documents related to your treatments.

If you wish to exercise your right to access under the General Data Protection Regulation, please contact one of our secretariats during regular business hours. 

Right to Rectification

Every data subject affected by the processing of personal data has the granted right to request the immediate correction of inaccurate personal data concerning them. Furthermore, considering the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

If you wish to exercise this right to rectification, please contact one of our secretariats during regular business hours.

Important Notice for Persons Insured Under the Austrian Social Insurance System:

Documents already stored in your Electronic Health Record (ELGA) are entirely unaffected by any potential corrections to your personal data, such as changes to your name or address.

Right to Erasure (Right to Be Forgotten)

Every data subject affected by the processing of personal data has the right, as granted by the European legislator, to request the immediate deletion of personal data concerning them if one of the following reasons applies:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
• The data subject withdraws their consent on which the processing was based pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.
• The data subject objects to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
• The personal data has been unlawfully processed.
• The deletion of personal data is required to fulfill a legal obligation under Union or Member State law to which the controller is subject.
• The personal data was collected in relation to the offer of information society services as referred to in Article 8(1) GDPR.

If any of the above reasons apply and you wish to request the deletion of your personal data processed by us, please contact one of our secretariats during regular business hours.

Important Notice for Patients: Provided that the data concerns your medical history, we would like to point out our archiving obligation under § 15 Tiroler Krankenanstaltengesetz, which requires us to retain medical records for at least 30 years. X-rays, video recordings, and other aids used to create diagnoses must be kept for at least 10 years. Deletion within these legal archiving obligations is completely excluded.

Right to Restriction of Processing

Every data subject affected by the processing of personal data has the granted right to request the restriction of the processing of their data if one of the following conditions is met:

• The accuracy of the personal data is disputed by the data subject, for a period that allows the controller to verify the accuracy of the personal data.
• The processing is unlawful, the data subject opposes the deletion of the personal data and instead requests the restriction of its use.
• The controller no longer needs the personal data for the purposes of processing, but the data subject requires it for the assertion, exercise, or defense of legal claims.
• The data subject has objected to the processing under Article 21(1) GDPR, and it has not yet been determined whether the legitimate grounds of the controller override those of the data subject.

If at least one of the above conditions applies and you wish to request the restriction of the processing of your personal data processed by us, you can contact one of our secretariats during regular business hours. Alternatively, you can download the application form directly HERE.

Important Notice for Patients: According to § 9a (2) of the Hospital and Sanatorium Act (KAKuG), the rights and obligations under Articles 18 and 21 of the GDPR are excluded.

Right to Data Portability

Every data subject affected by the processing of personal data has the granted right to receive the personal data concerning them, which has been provided by the data subject to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent under Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, or on a contract under Article 6(1)(b) GDPR, and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, the data subject, when exercising their right to data portability under Article 20(1) GDPR, has the right to request that personal data be transmitted directly from one controller to another, where technically feasible, and provided that the rights and freedoms of other individuals are not impaired.

If you wish to exercise your right to data portability under the General Data Protection Regulation, you can contact one of our secretariats during regular business hours.

Right to Object

Every data subject affected by the processing of personal data has the granted right to object at any time to the processing of personal data concerning them, which is based on Article 6(1)(e) or (f) GDPR, for reasons arising from their particular situation. This also applies to profiling based on these provisions.

The a. ö. Krankenhaus St. Vinzenz Betriebs GmbH will no longer process the personal data in the event of your objection, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.

Furthermore, the data subject has the right to object, for reasons arising from their particular situation, to the processing of their personal data by a. ö. Krankenhaus St. Vinzenz Betriebs GmbH for scientific or historical research purposes or statistical purposes under Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

If you wish to object to the processing of your personal data by a. ö. Krankenhaus St. Vinzenz Betriebs GmbH, you can contact one of our secretariats during regular business hours. Alternatively, you have the option to download the application form directly here.

Important Note for Patients: According to § 9a Abs. 2 of the Austrian Hospitals and Sanatorium Act – KAKuG, the duties and rights under Article 21 GDPR are excluded.

Automated Decisions in Individual Cases, Including Profiling

Every data subject affected by the processing of personal data has the right, granted by the European legislator, not to be subject to a decision based solely on automated processing — including profiling — that has legal effects on them or similarly significantly affects them, unless the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is authorized by Union or Member State legislation to which the controller is subject, and such legislation contains appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, or (3) is based on the explicit consent of the data subject.

If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is based on the explicit consent of the data subject, a. ö. Krankenhaus St. Vinzenz Betriebs GmbH will implement appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which at least includes the right to request human intervention from the controller, to state their point of view, and to contest the decision.

As a responsible company, a. ö. Krankenhaus St. Vinzenz Betriebs GmbH entirely refrains from automated decision-making or profiling.

Right to Withdraw a Data Protection Consent

Every data subject affected by the processing of personal data has the right, granted by the European legislator, to withdraw their consent to the processing of their personal data at any time. If the processing of your personal data is based on consent, and you wish to exercise your right to withdraw your consent for the processing of your personal data at a. ö. Krankenhaus St. Vinzenz Betriebs GmbH, you may do so by contacting the treating doctor or the relevant department secretary during office hours.

Right to Lodge a Complaint

Every data subject affected by the processing of personal data has the right, granted by the European legislator, to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates European or national data protection law. The competent authority in Austria is the Data Protection Authority (Datenschutzbehörde).

a. ö. Krankenhaus St. Vinzenz Betriebs GmbH processes personal data, in particular special category data such as health data, on the basis of legal frameworks created by the European directive and regulation provider or national legislator.

The following legal bases are relevant for the processing activities in our company:

• (1) If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, such as in the case of processing activities required for the treatment of a patient (treatment contract) or in the employment relationship of an employee (employment contract), the processing is based on Art. 6(1)(b) GDPR. The same applies to processing activities that are necessary to carry out pre-contractual measures, such as in cases of recruitment procedures.
• (2) If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1)(c) GDPR.
• (3) In cases where the processing of personal data is necessary to protect vital interests of the data subject or another natural person, the processing is based on Art. 6(1)(d) GDPR.
• (4) Furthermore, processing activities may be based on Art. 6(1)(f) GDPR. This legal basis applies to processing activities that are necessary for the protection of a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override such interests.
• (5) If none of the aforementioned legal bases apply, but personal data processing is still to take place, the data subject's consent for a specific processing purpose may be obtained. In this case, Art. 6(1)(a) GDPR serves as the legal basis for our company.

Processing of Special Categories of Personal Data

The processing of personal data of special categories (see definitions) is generally prohibited. Whenever such special categories of data are processed, the processing is based on one of the following legal grounds:

• (1) If the data subject has explicitly consented to the processing of the mentioned personal data for one or more specified purposes and this consent to processing is not prohibited under Union or national law, the processing is based on Art. 9(2)(a) GDPR.
• (2) If the processing is necessary to protect vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent, the processing is based on Art. 9(2)(c) GDPR.
• (3) If the processing is necessary for the establishment, exercise, or defense of legal claims or for actions of courts in the course of their judicial activity, the processing is based on Art. 9(2)(f) GDPR.
• (4) If the processing is necessary for reasons of preventive or occupational medicine, for medical diagnosis, health or social care treatment, or for the management of health or social care systems and services under Union or national law, the processing is based on Art. 9(2)(h) GDPR. It is noted that the processing according to Art. 9(2) GDPR takes place exclusively by professionals or under their responsibility, who are subject to professional secrecy according to Union or national law.
• (5) If the processing is necessary for public health reasons, such as the protection from serious cross-border health threats or to ensure high-quality and safety standards in healthcare and for medicines and medical devices, under Union or national law, the processing is based on Art. 9(2)(i) GDPR. The processing takes place exclusively by professionals or under their responsibility, who are subject to professional secrecy according to Union or national law.
• (6) If the processing is for reasons of public interest in the area of archiving, scientific or historical research, or statistical purposes, the processing is based on Art. 9(2)(j) GDPR and §7 DSG.