The protection of personal data is not only an important concern for us, it is also our company’s number one priority, so we can earn the trust placed in us by our patients, business partners and employees in the correct handling of their data. In the field of health care especially, compliance with the applicable legal provisions on the protection of personal data and data security is indispensable. For us, compliance with the General Data Protection Regulation (GDPR) and supplementary national data protection regulations is thus a matter of course. The medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH has implemented numerous technical and organisational measures (TOM) within the company to ensure the processing of personal data is as risk free as possible. In accordance with the General Data Protection Regulation, we are obliged to provide you with certain information. We are happy to comply with this obligation by means of this privacy policy, in which we inform you about the nature, scope and purpose of the personal data we process and inform you about the rights of data subjects.
If you have any questions or concerns about data protection, please do not hesitate to contact us.
Data protection officer
Mr. Thomas Pittl Bakk. techn.
Medalp Platz 1
6460 Imst
+43 5418 51100
moc.p1733181783ladem1733181783@noit1733181783asina1733181783gro1733181783
Website
How to contact us
If you contact us by the form on our website or by e‑mail, we will store the data you provide for six months for the purpose of processing your request and in case of follow-up questions. We do not pass on this data without your consent.
Collection of general data and information
The website of the medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH collects a range of general data and information whenever a data subject or automated system calls up the website. This general data and information are stored in the server log files. The following can be recorded (1) browser types and versions, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (the referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address) and (7) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
When using these general data and information, the medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH does not draw any conclusions about the data subject. Rather, this information is needed (1) to deliver the content of our website correctly, (2) to optimise the content and advertising of our website, (3) to ensure the long-term functionality of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. The medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH therefore collects anonymous data and information on the one hand for statistical purposes, and on the other hand for the purpose of increasing the data protection and data security of our enterprise so that we can ultimately ensure an optimal level of protection for the personal data we process. The anonymous data contained in the server log files are stored separately from any personal data provided by a data subject.
Automated decision-making or profiling
As a responsible company, we completely refrain from automated decision-making or profiling.
Cookies
Our website uses cookies. Cookies are text files that are stored on a computer system via a web browser. By using cookies, we can provide you with a user-friendly website, which would not be possible otherwise. You can prevent our website from storing cookies at any time by changing the setting in your web browser accordingly and permanently objecting to cookies being placed on your device.
Furthermore, existing cookies can be deleted at any time via your web browser or other software programmes. This is possible in all common web browsers. If you deactivate cookies in your web browser of choice, it may not be possible to use all the functions of our website to their full extent.
reCAPTCHA
To protect your requests submitted via our online form, we use the reCAPTCHA service provided by Google Inc (Google). The query serves to distinguish whether the input is made by a human being or improperly by automated, machine processing. The query includes sending an IP address to Google and possibly other data required by Google for the reCAPTCHA service. For this purpose, your input is transmitted to Google and further used there. However, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of this service. The IP address transmitted by your browser for reCAPTCHA will not be merged with other Google data. The deviating data protection provisions of Google apply to these data. You can find more information on Google's privacy policy at: https://policies.google.com/privacy?hl=en
Website Analysis
We want to process as little personal data as possible when users visit our website. For this reason, we have chosen Fathom Analytics for our website analytics, which does not use cookies and complies with the GDPR, ePrivacy (including PECR), COPPA and CCPA. With this privacy-friendly website analytics software, your IP address is processed only briefly, and we (the operators of this website) have no way to identify you. In accordance with the CCPA, your personal data are anonymised. For more information, please visit the Fathom Analytics website.
The purpose of our use of this software is to understand our website traffic in the most privacy-friendly way possible so that we can continuously improve our website and business. The legal basis under the GDPR is (f); where our "legitimate interest" is to continuously improve our website and business. As can be seen from the explanation above, no personal data is stored over time.
Definitions
The privacy policy of medalp Imst – Zentrum für ambulante Chirurgie Betriebs GmbH is based on the terms which were used by EU directives and regulations when the General Data Protection Regulation (GDPR) became law. Our privacy policy is meant to be easy to read and understand for the public as well as for our patients, business partners and employees. To ensure readability, we would like to explain the terms used.
Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data
Special categories of personal data include any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Special category personal data are subject to a particularly high level of protection.
Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
General
Processor
The controller medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH reserves the right not to directly carry out all processing activities necessary for the fulfilment of the purpose and to transfer these to external service providers, known as processors. As a result, we will transmit your personal data to the processor and they will be subsequently processed by the latter. Without exception, we only work with processors who, in addition to the best possible professional qualifications, offer sufficient guarantees that they implement appropriate technical and organisational measures, to make sure the processing is carried out in accordance with the requirements of the GDPR and ensure the protection of the rights and freedoms of the data subjects. The processing operations by the processor shall be carried out on the basis of a written contract or another legal instrument under Union or Member State law.
Active processing:
Pathologie-Labor Dr. Peter Obrist – Dr. Thomas Brunhuber OG
Klostergasse 1, 6511 Zams, Austria
VAT: ATU62126906
Dr. med. Dieter Lungenschmid
Medicent Innsbruck, Innrain 143, 6020 Innsbruck, Austria
Medizinisches Labor Dr. Schmoigl Medizinisch und Chemische Labordiagnostik
Marktplatz 5, 6410 Telfs, Austria
Bakteriologie Medizinische Universität Innsbruck
Schöpfstraße 41, 6020 Innsbruck, Austria
VAT: ATU57495455
Wirtschaftstreuhand Oberland Steuerberatungs GmbH & Co KG – Thomas Zerzer
Ried im Oberinntal 54a, 6531 Ried im Oberinntal, Austria
VAT: ATU50302006
Tirol Kliniken GmbH Rechtsabteilung
Anichstraße 35, 6020 Innsbruck, Austria
VAT: ATU52020209
Passive data processing:
ACP IT Solutions GmbH
Eduard-Bodem-Gasse 1, 6020 Innsbruck, Austria
VAT: DE259668132
TIP Technik und Informatik Partner GmbH
Bildgasse 18a, 6850 Dornbirn, Austria
VAT: ATU36138103
Dräger Medical Austria GmbH
Perfektastraße 67, 1230 Vienna, Austria
VAT: DE135082211
Cosymed AG Clinic Organisations Systems
Hopfenstraße 10, 85098 Großmehring, Germany
VAT: DE128578927
HCS Health Communication Service GmbH
Ricoweg 22, 2351 Wr. Neudorf, Austria
VAT: ATU56815478
EDV-Studio Valentini DI (FH) Johannes Valentini M.Sc.
Kreuzbühelgasse 21, 6500 Landeck, Austria
VAT: ATU32628403
Hotelkit GmbH (medikit)
Strubergasse 26, 5020 Salzburg, Austria
VAT: ATU67203046
Kufgem GmbH
Fischergries 2, 6330 Kufstein, Austria
VAT: ATU32258106
REISSWOLF Österreich GmbH
Reisswolf Straße 1, 2100 Leobendorf, Austria
VAT: ATU41619600
Televis GmbH
Modecenterstraße 1, 71110 Vienna, Austria
ÖWD Österreichischer Wachdienst security GmbH & Co KG
Bayerhamerstraße 14c, 5020 Salzburg, Austria
VAT: ATU52497702
Siemens Healthcare Diagnostics GmbH
Siemensstraße 90, 1210 Vienna, Austria
VAT: ATU38815804
Pitagora Informationsmanagement GmbH
Olympiastraße 17, 6020 Innsbruck, Austria
VAT: ATU41957806
Routine erasure and blocking of personal data
We process and store your personal data only for the period necessary to achieve the purpose or if this has been provided for by EU directives and regulations or another legislator in laws or regulations to which we are subject.
If the purpose of processing ceases to apply or if a storage period prescribed by EU directives and regulations or another competent legislator expires, your personal data will be routinely blocked or erased in accordance with the statutory provisions, unless they are required for any further legal requirements.
Legal basis of processing in general
medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH processes personal data, in particular special category data such as health data, on the basis of legal frameworks established by EU directives and regulations or national legislation.
The following legal bases of the General Data Protection Regulation are relevant for the processing activities in our company:
- Article 6(1) b GDPR
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. - Article 6(1) c GDPR
Processing is necessary for compliance with a legal obligation to which the controller is subject. - Article 6(1) d GDPR
Processing is necessary in order to protect the vital interests of the data subject or of another natural person. - Article 6(1) f GDPR
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. - Article 6(1) a GDPR
The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
If none of the aforementioned legal bases apply, but personal data must nevertheless be processed, the consent of the data subject may ultimately be obtained for a specific purpose. - Article 6(1) a GDPR
The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Processing special categories of personal data shall be prohibited. However, this does not apply as soon as one of the following cases has occurred. medalp Imst – Zentrum für ambulante Chirurgie Betriebs GmbH processes special categories of personal data when one of these legal bases comes into effect. - Article 9(2) a GDPR
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, and no provisions in Union or Member State law prohibit the consent. - Article 9(2) b GDPR
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. - Article 9(2) c GDPR
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. - Article 9(2) f GDPR
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. - Article 9(2) h GDPR
Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law. It is hereby stated that, pursuant to Article 9(2) of the GDPR, the processing shall be carried out exclusively by or under the responsibility of qualified personnel who are subject to professional secrecy under Union or Member State law. - Article 9(2) i GDPR
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. - Article 9(2) j GDPR
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (GDPR) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Processing activities
Below, we would like to provide an overview of our main processing activities for each data subject group.
Applicants
Purpose of data processing:
Applicant data are used for temporary record keeping in unsolicited applications and in application procedures with job advertisements as well as for the selection of applicants.
Legal basis and interests of data processing:
- General Data Protection Regulation (GDPR) in particular Article 6(1). a (Consent to data processing), Article 6(1) b (Pre-contractual measures) and Article 6(1) f GDPR (Safeguarding the legitimate interests of the responsible party or a third party).
Applicant data are processed in order to be able to contact applicants as part of the selection process and, if necessary, to verify your information in individual cases if this is in our interest for a position requiring high levels of trustworthiness, or it is necessary in the interest of third parties.
Recipient or categories of recipients:
Applicant data are usually checked by the HR department and submitted to the employees who are involved in the application process. In justified cases, where there is a corresponding overriding interest, third parties may verify the information (e.g. qualifications and degrees).
medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH is part of the medalp group GmbH group of companies. For economical internal administration, we therefore also make use of group-affiliated companies for processing activities (exchange of application documents) in order to enable cross-company applications, if necessary. The Group has an overriding legitimate interest in this.
- Medalp rehaclinic OG
Medalp Platz 1, 6460 Imst, Austria
VAT: ATU66787738 - Gruppenpraxis für Unfallchirurgie (Sporttraumatologie) und Allgemeinmedizin Dr. Manfred Lener, Dr. Alois Schranz, und Dr. Kenneth Helle OG
Dorfstraße 160, 6450 Sölden, Austria
VAT: ATU57612925 - Sportclinic Zillertal GmbH
Stillupklamm 830, 6290 Mayrhofen, Austria
VAT: ATU63436124
Data collection from other sources:
When contacting references provided by applicants, data and information regarding your previous employment or activities, as well as subjective assessments of your work performance, may be collected by the appropriate third parties.
Data retention period:
In the case of application procedures based on job advertisements, the personal data of unsuccessful applicants will be deleted after the application procedure has been completed. However, at the applicant's request, it is possible to keep the data on record for a further six months. In the case of unsolicited applications, the data is stored for six months from the date of receipt. The applicant will be informed and clarified of this. If there is an express wish to extend the period by a further six months, this is entirely possible. In both cases, an informal objection can be lodged at any time.
Provision of data:
In order to carry out the application process, it is imperative that proof of the qualifications required for the vacant position is provided and contact details are submitted. In individual cases, it may also be necessary to request further data (e.g. an extract from criminal records). If the mandatory data are not provided, the applicant cannot be considered for the position.
Further processing of data for other purposes:
If an employment relationship is established, core data (name, address and communication data) as well as proof of qualifications from application documents are used further for the purposes of personnel administration.
Patient
Purpose of data processing:
The purpose of data processing is primarily the execution of the treatment agreement. This includes the recording of core patient data and the collection of health data in the course of treatment. These data are also required for any administrative tasks, e.g. billing.
Legal basis and interests of data processing:
- Krankenanstaltengesetz TirKAG [Hospital Act] in particular section 14 (duty of confidentiality), section 15(1) (keeping of medical records) and section 47 (rights of social insurance institutions)
- Versicherungsvertragsgesetz VersVG [Insurance Contract Act] in particular section 11a (processing of personal data by insurers)
- Ärztegesetz ÄrzteG [Physicians Act] in particular section 51 (documentation obligations and provision of information)
- Krankenanstalten- und Kuranstaltengesetz KAKuG [Law on hospitals and sanatoria]
- Regulation on electronic health records ELGA 2015 ELGA-VO 2015
- Strafgesetzbuch StGB [Criminal Code]
- Allgemeines Sozialversicherungsgesetz ASVG [General Social Security Act]
- General Data Protection Regulation GDPR in particular Article 6(1) a (Consent to data processing), Article 6(1) b (Performance of a contract), Article 6(1) c (Compliance with legal obligations), Article 6(1) d (Vital interests) and Article 9(2) a (Consent to processing of special categories of personal data)
Recipient or categories of recipients:
To make diagnoses and develop therapies and other preventive measures as part of the treatment, it is necessary to collaborate and exchange data with other health care providers, as they have expertise and equipment in specific areas and can thus provide optimal treatment.
Personal data are transmitted to the respective private and social insurance companies to clarify the coverage of costs.
Categories of recipients:
- Social security
- Private insurance providers
- Health care providers (hospital, doctor, laboratory, pathology, histology, bacteriology,…)
- Insured person
- Patient’s (nominated) visitors
- Emergency services
- ELGA
- Processor
- Administrative authorities
- Courts
- Lawyers
Federal army - Prison
- Social welfare
Collection of data from other sources:
In order to ensure optimal cross-organisational and cross-national health care for patients, it is important to have knowledge of all relevant information and data. Therefore, medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH often obtains and receives personal data from other healthcare providers. This usually involves existing doctor's letters, imaging, findings, laboratory reports and other relevant data in the patient's file. Redundancy of examinations and treatments is thus prevented. In the context of correspondence with insurance companies, personal data (core data and insurance data) may also be transmitted by the relevant insurance companies.
Data retention period:
An entire medical history as well as X‑rays, video recordings and other aids for the preparation of findings is kept for at least 30 years. After this period, the data will be erased immediately. However, three years after treatment, all the data are archived and access to these data is blocked. When a case is reopened, this block is lifted again and the three-year period begins anew.
Provision of data:
The provision of necessary personal data is mandatory to carry out treatment.
Further processing of data for other purposes
The data collected are used exclusively for the activities within the scope of treatment, which also includes the internal transfer of data to the hospital administration.
Rights of the data subject
As a data subject of a processing of personal data you have rights granted under EU directives and regulations.
These rights are explained in more detail below.
If you wish to exercise any of your rights, you can contact our office staff during business hours.
Right to be informed
Pursuant to Article 15, GDPR, you may request information as to whether or which of your personal data are processed by our company.
In general, you are entitled to this information free of charge and within one month after receipt of the request. This period may be extended by a further two months if this is necessary, taking into account the complexity and number of requests. If your request is of an unfounded or excessive nature, we reserve the right to take action on the basis of your request, or to charge an appropriate fee based on the administrative costs involved.
Right to rectification
If we process your data incorrectly or incompletely, these can be corrected in accordance with Article 16, GDPR.
Right to erasure (Right to be forgotten)
According to Article 17 of the GDPR, you have the right to request the erasure of the personal data in question. At least one of the reasons listed must apply.
- The personal data were collected or otherwise processed for purposes for which they are no longer necessary.
- The data subject withdraws consent on which the processing is based according to Article 6(1) a GDPR or Article 9(2) a GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Right to restriction of processing
If the requirements according to Article 18, GDPR are met, your data can only be processed in a restricted form. At least one of the reasons listed must apply.
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Article 21(1), GDPR and the verification whether the legitimate grounds of the controller override those of the data subject is still pending.
Right to data portability
According to Article 20, GDPR, you have the right to receive the data that you have provided in an automated process transferred in a structured, commonly used and machine-readable format. You also have the right to transfer these data to another controller without hindrance from the controller to whom the personal data was provided, if the processing is based on consent pursuant to Article 6(1) a GDPR or Article 9(2) a GDPR or on a contract pursuant to Article 6(1) b GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object
In the case of processing based on a legitimate interest, you have the right to object at any time in accordance with Article 21 of the GDPR. In the case of processing for the purpose of direct advertising and related profiling, this right exists without restrictions. The medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by the medalp Imst — Zentrum für ambulante Chirurgie Betriebs GmbH for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.
Right to withdraw consent
Consent given for the processing of personal data can be withdrawn at any time. The lawfulness of the processing carried out up to the time of withdrawal is not affected by this.
Declaration of consent regarding image rights during an event
By participating in events, you expressly consent to the publication of photographs, sound and film recordings, as well as video streams of yourself that are taken during events in which you participate. This also applies to printed matter, videos or DVDs, and the Internet.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority (data protection authority) responsible for you, in particular in the EU member state of your place of residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of personal data concerning you violates the General Data Protection Regulation or that your data subject rights have been violated.
We would appreciate it if you contacted us beforehand and allow us the opportunity to respond.
List of the supervisory authorities:
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
Name and address of the supervisory authority in Austria:
Österreichische Datenschutzbehörde (DSB)
Wickenburggasse, 81080 Vienna, Austria
Telephone: +43 1 521 52–25 69
E‑mail: ta.vg1733181783.bsd@1733181783bsd1733181783
Website: www.dsb.gv.at