The protec­tion of personal data is not only an impor­tant concern for us, it is also our company’s number one prior­ity, so we can earn the trust placed in us by our patients, busi­ness part­ners and employ­ees in the correct handling of their data. In the field of health care espe­cially, compli­ance with the applic­a­ble legal provi­sions on the protec­tion of personal data and data secu­rity is indis­pens­able. For us, compli­ance with the General Data Protec­tion Regu­la­tion (GDPR) and supple­men­tary national data protec­tion regu­la­tions is thus a matter of course. The medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH has imple­mented numer­ous tech­ni­cal and organ­i­sa­tional measures (TOM) within the company to ensure the process­ing of personal data is as risk free as possi­ble. In accor­dance with the General Data Protec­tion Regu­la­tion, we are obliged to provide you with certain infor­ma­tion. We are happy to comply with this oblig­a­tion by means of this privacy policy, in which we inform you about the nature, scope and purpose of the personal data we process and inform you about the rights of data subjects.

If you have any ques­tions or concerns about data protec­tion, please do not hesi­tate to contact us.

Data protec­tion officer
Mr. Thomas Pittl Bakk. techn.
Medalp Platz 1
6460 Imst
+43 5418 51100
moc.p1732137825ladem1732137825@noit1732137825asina1732137825gro1732137825

Website

How to contact us
If you contact us by the form on our website or by e‑mail, we will store the data you provide for six months for the purpose of process­ing your request and in case of follow-up ques­tions. We do not pass on this data with­out your consent.

Collec­tion of general data and information
The website of the medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH collects a range of general data and infor­ma­tion when­ever a data subject or auto­mated system calls up the website. This general data and infor­ma­tion are stored in the server log files. The follow­ing can be recorded (1) browser types and versions, (2) the oper­at­ing system used by the access­ing system, (3) the website from which an access­ing system accesses our website (the refer­rer), (4) the sub-websites that are accessed via an access­ing system on our website, (5) the date and time of access to the website, (6) an Inter­net proto­col address (IP address) and (7) other simi­lar data and infor­ma­tion that serve to avert danger in the event of attacks on our infor­ma­tion tech­nol­ogy systems.

When using these general data and infor­ma­tion, the medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH does not draw any conclu­sions about the data subject. Rather, this infor­ma­tion is needed (1) to deliver the content of our website correctly, (2) to opti­mise the content and adver­tis­ing of our website, (3) to ensure the long-term func­tion­al­ity of our infor­ma­tion tech­nol­ogy systems and the tech­nol­ogy of our website, and (4) to provide law enforce­ment author­i­ties with the infor­ma­tion neces­sary for pros­e­cu­tion in the event of a cyber attack. The medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH there­fore collects anony­mous data and infor­ma­tion on the one hand for statis­ti­cal purposes, and on the other hand for the purpose of increas­ing the data protec­tion and data secu­rity of our enter­prise so that we can ulti­mately ensure an opti­mal level of protec­tion for the personal data we process. The anony­mous data contained in the server log files are stored sepa­rately from any personal data provided by a data subject.

Auto­mated deci­sion-making or profiling
As a respon­si­ble company, we completely refrain from auto­mated deci­sion-making or profiling.

Cook­ies
Our website uses cook­ies. Cook­ies are text files that are stored on a computer system via a web browser. By using cook­ies, we can provide you with a user-friendly website, which would not be possi­ble other­wise. You can prevent our website from stor­ing cook­ies at any time by chang­ing the setting in your web browser accord­ingly and perma­nently object­ing to cook­ies being placed on your device.
Further­more, exist­ing cook­ies can be deleted at any time via your web browser or other soft­ware programmes. This is possi­ble in all common web browsers. If you deac­ti­vate cook­ies in your web browser of choice, it may not be possi­ble to use all the func­tions of our website to their full extent.

reCAPTCHA
To protect your requests submit­ted via our online form, we use the reCAPTCHA service provided by Google Inc (Google). The query serves to distin­guish whether the input is made by a human being or improp­erly by auto­mated, machine process­ing. The query includes send­ing an IP address to Google and possi­bly other data required by Google for the reCAPTCHA service. For this purpose, your input is trans­mit­ted to Google and further used there. However, your IP address will be short­ened before­hand by Google within member states of the Euro­pean Union or in other contract­ing states of the Agree­ment on the Euro­pean Economic Area. Only in excep­tional cases will the full IP address be trans­mit­ted to a Google server in the US and short­ened there. On behalf of the oper­a­tor of this website, Google will use this infor­ma­tion to eval­u­ate your use of this service. The IP address trans­mit­ted by your browser for reCAPTCHA will not be merged with other Google data. The devi­at­ing data protec­tion provi­sions of Google apply to these data. You can find more infor­ma­tion on Google's privacy policy at: https://​poli​cies​.google​.com/​p​r​i​v​a​c​y​?​h​l​=en

Website Analy­sis
We want to process as little personal data as possi­ble when users visit our website. For this reason, we have chosen Fathom Analyt­ics for our website analyt­ics, which does not use cook­ies and complies with the GDPR, ePri­vacy (includ­ing PECR), COPPA and CCPA. With this privacy-friendly website analyt­ics soft­ware, your IP address is processed only briefly, and we (the oper­a­tors of this website) have no way to iden­tify you. In accor­dance with the CCPA, your personal data are anonymised. For more infor­ma­tion, please visit the Fathom Analyt­ics website.

The purpose of our use of this soft­ware is to under­stand our website traf­fic in the most privacy-friendly way possi­ble so that we can contin­u­ously improve our website and busi­ness. The legal basis under the GDPR is (f); where our "legit­i­mate inter­est" is to contin­u­ously improve our website and busi­ness. As can be seen from the expla­na­tion above, no personal data is stored over time.

Definitions

The privacy policy of medalp Imst – Zentrum für ambu­lante Chirurgie Betriebs GmbH is based on the terms which were used by EU direc­tives and regu­la­tions when the General Data Protec­tion Regu­la­tion (GDPR) became law. Our privacy policy is meant to be easy to read and under­stand for the public as well as for our patients, busi­ness part­ners and employ­ees. To ensure read­abil­ity, we would like to explain the terms used.

Personal data
Personal data means any infor­ma­tion relat­ing to an iden­ti­fied or iden­ti­fi­able natural person (‘data subject’). An iden­ti­fi­able natural person is one who can be iden­ti­fied, directly or indi­rectly, in partic­u­lar by refer­ence to an iden­ti­fier such as a name, an iden­ti­fi­ca­tion number, loca­tion data, an online iden­ti­fier or to one or more factors specific to the phys­i­cal, phys­i­o­log­i­cal, genetic, mental, economic, cultural or social iden­tity of that natural person.

Special cate­gories of personal data
Special cate­gories of personal data include any infor­ma­tion reveal­ing racial or ethnic origin, polit­i­cal opin­ions, reli­gious or philo­soph­i­cal beliefs, or trade union member­ship, and the process­ing of genetic data, biomet­ric data for the purpose of uniquely iden­ti­fy­ing a natural person, data concern­ing health or data concern­ing a natural person's sex life or sexual orien­ta­tion. Special cate­gory personal data are subject to a partic­u­larly high level of protection.

Process­ing
Process­ing means any oper­a­tion or set of oper­a­tions which is performed on personal data or on sets of personal data, whether or not by auto­mated means, such as collec­tion, record­ing, organ­i­sa­tion, struc­tur­ing, stor­age, adap­ta­tion or alter­ation, retrieval, consul­ta­tion, use, disclo­sure by trans­mis­sion, dissem­i­na­tion or other­wise making avail­able, align­ment or combi­na­tion, restric­tion, erasure or destruction.

Controller
Controller means the natural or legal person, public author­ity, agency or other body which, alone or jointly with others, deter­mines the purposes and means of the process­ing of personal data. Where the purposes and means of such process­ing are deter­mined by Union or Member State law, the controller or the specific crite­ria for its nomi­na­tion may be provided for by Union or Member State law.

Proces­sor
Proces­sor means a natural or legal person, public author­ity, agency or other body which processes personal data on behalf of the controller.

Recip­i­ent
Recip­i­ent means a natural or legal person, public author­ity, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public author­i­ties which may receive personal data in the frame­work of a partic­u­lar inquiry in accor­dance with Union or Member State law shall not be regarded as recipients.

Third party
Third party means a natural or legal person, public author­ity, agency or body other than the data subject, controller, proces­sor and persons who, under the direct author­ity of the controller or proces­sor, are autho­rised to process personal data.

Consent
Consent of the data subject means any freely given, specific, informed and unam­bigu­ous indi­ca­tion of the data subject's wishes by which he or she, by a state­ment or by a clear affir­ma­tive action, signi­fies agree­ment to the process­ing of personal data relat­ing to him or her.

Restric­tion of processing
Restric­tion of process­ing means the mark­ing of stored personal data with the aim of limit­ing their process­ing in the future.

General

Proces­sor
The controller medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH reserves the right not to directly carry out all process­ing activ­i­ties neces­sary for the fulfil­ment of the purpose and to trans­fer these to exter­nal service providers, known as proces­sors. As a result, we will trans­mit your personal data to the proces­sor and they will be subse­quently processed by the latter. With­out excep­tion, we only work with proces­sors who, in addi­tion to the best possi­ble profes­sional qual­i­fi­ca­tions, offer suffi­cient guar­an­tees that they imple­ment appro­pri­ate tech­ni­cal and organ­i­sa­tional measures, to make sure the process­ing is carried out in accor­dance with the require­ments of the GDPR and ensure the protec­tion of the rights and free­doms of the data subjects. The process­ing oper­a­tions by the proces­sor shall be carried out on the basis of a writ­ten contract or another legal instru­ment under Union or Member State law.

Active process­ing:
Patholo­gie-Labor Dr. Peter Obrist – Dr. Thomas Brun­hu­ber OG
Kloster­gasse 1, 6511 Zams, Austria
VAT: ATU62126906

Dr. med. Dieter Lungenschmid
Medi­cent Inns­bruck, Innrain 143, 6020 Inns­bruck, Austria

Medi­zinis­ches Labor Dr. Schmoigl Medi­zinisch und Chemis­che Labordiagnostik
Mark­t­platz 5, 6410 Telfs, Austria

Bakte­ri­olo­gie Medi­zinis­che Univer­sität Innsbruck
Schöpf­s­traße 41, 6020 Inns­bruck, Austria
VAT: ATU57495455

Wirtschaft­streu­hand Ober­land Steuer­ber­atungs GmbH & Co KG – Thomas Zerzer
Ried im Oberin­ntal 54a, 6531 Ried im Oberin­ntal, Austria
VAT: ATU50302006

Tirol Kliniken GmbH Rechtsabteilung
Anich­straße 35, 6020 Inns­bruck, Austria
VAT: ATU52020209

Passive data processing:
ACP IT Solu­tions GmbH
Eduard-Bodem-Gasse 1, 6020 Inns­bruck, Austria
VAT: DE259668132

TIP Tech­nik und Infor­matik Part­ner GmbH
Bildgasse 18a, 6850 Dorn­birn, Austria
VAT: ATU36138103

Dräger Medical Austria GmbH
Perfek­tas­traße 67, 1230 Vienna, Austria
VAT: DE135082211

Cosymed AG Clinic Organ­i­sa­tions Systems
Hopfen­straße 10, 85098 Großmehring, Germany
VAT: DE128578927

HCS Health Commu­ni­ca­tion Service GmbH
Ricoweg 22, 2351 Wr. Neudorf, Austria
VAT: ATU56815478

EDV-Studio Valen­tini DI (FH) Johannes Valen­tini M.Sc.
Kreuzbühel­gasse 21, 6500 Landeck, Austria
VAT: ATU32628403

Hotelkit GmbH (medikit)
Stru­ber­gasse 26, 5020 Salzburg, Austria
VAT: ATU67203046

Kufgem GmbH
Fischer­gries 2, 6330 Kufstein, Austria
VAT: ATU32258106

REISSWOLF Öster­re­ich GmbH
Reiss­wolf Straße 1, 2100 Leoben­dorf, Austria
VAT: ATU41619600

Tele­vis GmbH
Mode­cen­ter­straße 1, 71110 Vienna, Austria

ÖWD Öster­re­ichis­cher Wach­di­enst secu­rity GmbH & Co KG
Bayer­hamer­straße 14c, 5020 Salzburg, Austria
VAT: ATU52497702

Siemens Health­care Diag­nos­tics GmbH
Siemensstraße 90, 1210 Vienna, Austria
VAT: ATU38815804

Pitagora Infor­ma­tion­s­man­age­ment GmbH
Olympias­traße 17, 6020 Inns­bruck, Austria
VAT: ATU41957806

Routine erasure and block­ing of personal data
We process and store your personal data only for the period neces­sary to achieve the purpose or if this has been provided for by EU direc­tives and regu­la­tions or another legis­la­tor in laws or regu­la­tions to which we are subject.
If the purpose of process­ing ceases to apply or if a stor­age period prescribed by EU direc­tives and regu­la­tions or another compe­tent legis­la­tor expires, your personal data will be routinely blocked or erased in accor­dance with the statu­tory provi­sions, unless they are required for any further legal requirements.

Legal basis of process­ing in general
medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH processes personal data, in partic­u­lar special cate­gory data such as health data, on the basis of legal frame­works estab­lished by EU direc­tives and regu­la­tions or national legislation.

The follow­ing legal bases of the General Data Protec­tion Regu­la­tion are rele­vant for the process­ing activ­i­ties in our company:

• Arti­cle 6(1) b GDPR
  Process­ing is neces­sary for the perfor­mance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to enter­ing into a contract.
• Arti­cle 6(1) c GDPR
  Process­ing is neces­sary for compli­ance with a legal oblig­a­tion to which the controller is subject.
• Arti­cle 6(1) d GDPR
  Process­ing is neces­sary in order to protect the vital inter­ests of the data subject or of another natural person.
• Arti­cle 6(1) f GDPR
  Process­ing is neces­sary for the purposes of the legit­i­mate inter­ests pursued by the controller or by a third party, except where such inter­ests are over­rid­den by the inter­ests or funda­men­tal rights and free­doms of the data subject which require protec­tion of personal data, in partic­u­lar where the data subject is a child.
• Arti­cle 6(1) a GDPR
  The data subject has given consent to the process­ing of his or her personal data for one or more specific purposes.
  If none of the afore­men­tioned legal bases apply, but personal data must never­the­less be processed, the consent of the data subject may ulti­mately be obtained for a specific purpose.
• Arti­cle 6(1) a GDPR
  The data subject has given consent to the process­ing of his or her personal data for one or more specific purposes.
  Process­ing special cate­gories of personal data shall be prohib­ited. However, this does not apply as soon as one of the follow­ing cases has occurred. medalp Imst – Zentrum für ambu­lante Chirurgie Betriebs GmbH processes special cate­gories of personal data when one of these legal bases comes into effect.
• Arti­cle 9(2) a GDPR
  The data subject has given explicit consent to the process­ing of those personal data for one or more spec­i­fied purposes, and no provi­sions in Union or Member State law prohibit the consent.
• Arti­cle 9(2) b GDPR
  Process­ing is neces­sary for the purposes of carry­ing out the oblig­a­tions and exer­cis­ing specific rights of the controller or of the data subject in the field of employ­ment and social secu­rity and social protec­tion law in so far as it is autho­rised by Union or Member State law or a collec­tive agree­ment pursuant to Member State law provid­ing for appro­pri­ate safe­guards for the funda­men­tal rights and the inter­ests of the data subject.
• Arti­cle 9(2) c GDPR
  Process­ing is neces­sary to protect the vital inter­ests of the data subject or of another natural person where the data subject is phys­i­cally or legally inca­pable of giving consent.
• Arti­cle 9(2) f GDPR
  Process­ing is neces­sary for the estab­lish­ment, exer­cise or defence of legal claims or when­ever courts are acting in their judi­cial capacity.
• Arti­cle 9(2) h GDPR
  Process­ing is neces­sary for the purposes of preven­tive or occu­pa­tional medi­cine, medical diag­no­sis, the provi­sion of health or social care or treat­ment or the manage­ment of health or social care systems and services on the basis of Union or Member State law. It is hereby stated that, pursuant to Arti­cle 9(2) of the GDPR, the process­ing shall be carried out exclu­sively by or under the respon­si­bil­ity of qual­i­fied person­nel who are subject to profes­sional secrecy under Union or Member State law.
• Arti­cle 9(2) i GDPR
  Process­ing is neces­sary for reasons of public inter­est in the area of public health, such as protect­ing against seri­ous cross-border threats to health or ensur­ing high stan­dards of qual­ity and safety of health care and of medi­c­i­nal prod­ucts or medical devices, on the basis of Union or Member State law which provides for suit­able and specific measures to safe­guard the rights and free­doms of the data subject, in partic­u­lar profes­sional secrecy.
• Arti­cle 9(2) j GDPR
  Process­ing is neces­sary for archiv­ing purposes in the public inter­est, scien­tific or histor­i­cal research purposes or statis­ti­cal purposes in accor­dance with Arti­cle 89(1) (GDPR) based on Union or Member State law which shall be propor­tion­ate to the aim pursued, respect the essence of the right to data protec­tion and provide for suit­able and specific measures to safe­guard the funda­men­tal rights and the inter­ests of the data subject.

Process­ing activities
Below, we would like to provide an overview of our main process­ing activ­i­ties for each data subject group.

Appli­cants
Purpose of data processing:
Appli­cant data are used for tempo­rary record keep­ing in unso­licited appli­ca­tions and in appli­ca­tion proce­dures with job adver­tise­ments as well as for the selec­tion of applicants.

Legal basis and inter­ests of data processing:

• General Data Protec­tion Regu­la­tion (GDPR) in partic­u­lar Arti­cle 6(1). a (Consent to data process­ing), Arti­cle 6(1) b (Pre-contrac­tual measures) and Arti­cle 6(1) f GDPR (Safe­guard­ing the legit­i­mate inter­ests of the respon­si­ble party or a third party).
  Appli­cant data are processed in order to be able to contact appli­cants as part of the selec­tion process and, if neces­sary, to verify your infor­ma­tion in indi­vid­ual cases if this is in our inter­est for a posi­tion requir­ing high levels of trust­wor­thi­ness, or it is neces­sary in the inter­est of third parties.

Recip­i­ent or cate­gories of recipients:
Appli­cant data are usually checked by the HR depart­ment and submit­ted to the employ­ees who are involved in the appli­ca­tion process. In justi­fied cases, where there is a corre­spond­ing over­rid­ing inter­est, third parties may verify the infor­ma­tion (e.g. qual­i­fi­ca­tions and degrees).
medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH is part of the medalp group GmbH group of compa­nies. For econom­i­cal inter­nal admin­is­tra­tion, we there­fore also make use of group-affil­i­ated compa­nies for process­ing activ­i­ties (exchange of appli­ca­tion docu­ments) in order to enable cross-company appli­ca­tions, if neces­sary. The Group has an over­rid­ing legit­i­mate inter­est in this.

• Medalp reha­clinic OG
  Medalp Platz 1, 6460 Imst, Austria
  VAT: ATU66787738
• Grup­pen­praxis für Unfallchirurgie (Sport­trau­ma­tolo­gie) und Allge­mein­medi­zin Dr. Manfred Lener, Dr. Alois Schranz, und Dr. Kenneth Helle OG
  Dorf­s­traße 160, 6450 Sölden, Austria
  VAT: ATU57612925
• Sport­clinic Ziller­tal GmbH
  Stillup­klamm 830, 6290 Mayrhofen, Austria
  VAT: ATU63436124

Data collec­tion from other sources:
When contact­ing refer­ences provided by appli­cants, data and infor­ma­tion regard­ing your previ­ous employ­ment or activ­i­ties, as well as subjec­tive assess­ments of your work perfor­mance, may be collected by the appro­pri­ate third parties.

Data reten­tion period:
In the case of appli­ca­tion proce­dures based on job adver­tise­ments, the personal data of unsuc­cess­ful appli­cants will be deleted after the appli­ca­tion proce­dure has been completed. However, at the applicant's request, it is possi­ble to keep the data on record for a further six months. In the case of unso­licited appli­ca­tions, the data is stored for six months from the date of receipt. The appli­cant will be informed and clar­i­fied of this. If there is an express wish to extend the period by a further six months, this is entirely possi­ble. In both cases, an infor­mal objec­tion can be lodged at any time.

Provi­sion of data:
In order to carry out the appli­ca­tion process, it is imper­a­tive that proof of the qual­i­fi­ca­tions required for the vacant posi­tion is provided and contact details are submit­ted. In indi­vid­ual cases, it may also be neces­sary to request further data (e.g. an extract from crim­i­nal records). If the manda­tory data are not provided, the appli­cant cannot be consid­ered for the position.

Further process­ing of data for other purposes:
If an employ­ment rela­tion­ship is estab­lished, core data (name, address and commu­ni­ca­tion data) as well as proof of qual­i­fi­ca­tions from appli­ca­tion docu­ments are used further for the purposes of person­nel administration.

Patient

Purpose of data processing:
The purpose of data process­ing is primar­ily the execu­tion of the treat­ment agree­ment. This includes the record­ing of core patient data and the collec­tion of health data in the course of treat­ment. These data are also required for any admin­is­tra­tive tasks, e.g. billing.

Legal basis and inter­ests of data processing:

• Kranke­nanstal­tenge­setz TirKAG [Hospi­tal Act] in partic­u­lar section 14 (duty of confi­den­tial­ity), section 15(1) (keep­ing of medical records) and section 47 (rights of social insur­ance institutions)
• Versicherungsver­trags­ge­setz VersVG [Insur­ance Contract Act] in partic­u­lar section 11a (process­ing of personal data by insurers)
• Ärztege­setz ÄrzteG [Physi­cians Act] in partic­u­lar section 51 (docu­men­ta­tion oblig­a­tions and provi­sion of information)
• Kranke­nanstal­ten- und Kuranstal­tenge­setz KAKuG [Law on hospi­tals and sanatoria]
• Regu­la­tion on elec­tronic health records ELGA 2015 ELGA-VO 2015
• Strafge­set­zbuch StGB [Crim­i­nal Code]
• Allge­meines Sozialver­sicherungs­ge­setz ASVG [General Social Secu­rity Act]
• General Data Protec­tion Regu­la­tion GDPR in partic­u­lar Arti­cle 6(1) a (Consent to data process­ing), Arti­cle 6(1) b (Perfor­mance of a contract), Arti­cle 6(1) c (Compli­ance with legal oblig­a­tions), Arti­cle 6(1) d (Vital inter­ests) and Arti­cle 9(2) a (Consent to process­ing of special cate­gories of personal data)

Recip­i­ent or cate­gories of recipients:

To make diag­noses and develop ther­a­pies and other preven­tive measures as part of the treat­ment, it is neces­sary to collab­o­rate and exchange data with other health care providers, as they have exper­tise and equip­ment in specific areas and can thus provide opti­mal treatment.
Personal data are trans­mit­ted to the respec­tive private and social insur­ance compa­nies to clar­ify the cover­age of costs.
Cate­gories of recipients:

• Social secu­rity
• Private insur­ance providers
• Health care providers (hospi­tal, doctor, labo­ra­tory, pathol­ogy, histol­ogy, bacteriology,…)
• Insured person
• Patient’s (nomi­nated) visitors
• Emer­gency services
• ELGA
• Proces­sor
• Admin­is­tra­tive authorities
• Courts
• Lawyers
  Federal army
• Prison
• Social welfare

Collec­tion of data from other sources:
In order to ensure opti­mal cross-organ­i­sa­tional and cross-national health care for patients, it is impor­tant to have knowl­edge of all rele­vant infor­ma­tion and data. There­fore, medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH often obtains and receives personal data from other health­care providers. This usually involves exist­ing doctor's letters, imag­ing, find­ings, labo­ra­tory reports and other rele­vant data in the patient's file. Redun­dancy of exam­i­na­tions and treat­ments is thus prevented. In the context of corre­spon­dence with insur­ance compa­nies, personal data (core data and insur­ance data) may also be trans­mit­ted by the rele­vant insur­ance companies.

Data reten­tion period:
An entire medical history as well as X‑rays, video record­ings and other aids for the prepa­ra­tion of find­ings is kept for at least 30 years. After this period, the data will be erased imme­di­ately. However, three years after treat­ment, all the data are archived and access to these data is blocked. When a case is reopened, this block is lifted again and the three-year period begins anew.

Provi­sion of data:
The provi­sion of neces­sary personal data is manda­tory to carry out treatment.
Further process­ing of data for other purposes
The data collected are used exclu­sively for the activ­i­ties within the scope of treat­ment, which also includes the inter­nal trans­fer of data to the hospi­tal administration.

Rights of the data subject

As a data subject of a process­ing of personal data you have rights granted under EU direc­tives and regulations.
These rights are explained in more detail below.

If you wish to exer­cise any of your rights, you can contact our office staff during busi­ness hours.

Right to be informed
Pursuant to Arti­cle 15, GDPR, you may request infor­ma­tion as to whether or which of your personal data are processed by our company.

In general, you are enti­tled to this infor­ma­tion free of charge and within one month after receipt of the request. This period may be extended by a further two months if this is neces­sary, taking into account the complex­ity and number of requests. If your request is of an unfounded or exces­sive nature, we reserve the right to take action on the basis of your request, or to charge an appro­pri­ate fee based on the admin­is­tra­tive costs involved.

Right to rectification
If we process your data incor­rectly or incom­pletely, these can be corrected in accor­dance with Arti­cle 16, GDPR.

Right to erasure (Right to be forgotten)
Accord­ing to Arti­cle 17 of the GDPR, you have the right to request the erasure of the personal data in ques­tion. At least one of the reasons listed must apply.

• The personal data were collected or other­wise processed for purposes for which they are no longer necessary.
• The data subject with­draws consent on which the process­ing is based accord­ing to Arti­cle 6(1) a GDPR or Arti­cle 9(2) a GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the process­ing pursuant to Arti­cle 21(1) GDPR and there are no over­rid­ing legit­i­mate grounds for the process­ing, or the data subject objects to the process­ing pursuant to Arti­cle 21(2) GDPR.
• The personal data have been unlaw­fully processed.
• The personal data have to be erased for compli­ance with a legal oblig­a­tion in Union or Member State law to which the controller is subject.
• The personal data have been collected in rela­tion to the offer of infor­ma­tion soci­ety services referred to in Arti­cle 8(1) GDPR.

Right to restric­tion of processing
If the require­ments accord­ing to Arti­cle 18, GDPR are met, your data can only be processed in a restricted form. At least one of the reasons listed must apply.

• The accu­racy of the personal data is contested by the data subject, for a period enabling the controller to verify the accu­racy of the personal data.
• The process­ing is unlaw­ful and the data subject opposes the erasure of the personal data and requests the restric­tion of their use instead.
• The controller no longer needs the personal data for the purposes of the process­ing, but they are required by the data subject for the estab­lish­ment, exer­cise or defence of legal claims.
• The data subject has objected to process­ing pursuant to Arti­cle 21(1), GDPR and the veri­fi­ca­tion whether the legit­i­mate grounds of the controller over­ride those of the data subject is still pending.

Right to data portability
Accord­ing to Arti­cle 20, GDPR, you have the right to receive the data that you have provided in an auto­mated process trans­ferred in a struc­tured, commonly used and machine-read­able format. You also have the right to trans­fer these data to another controller with­out hindrance from the controller to whom the personal data was provided, if the process­ing is based on consent pursuant to Arti­cle 6(1) a GDPR or Arti­cle 9(2) a GDPR or on a contract pursuant to Arti­cle 6(1) b GDPR and the process­ing is carried out by auto­mated means, unless the process­ing is neces­sary for the perfor­mance of a task carried out in the public inter­est or in the exer­cise of offi­cial author­ity vested in the controller.

Right to object
In the case of process­ing based on a legit­i­mate inter­est, you have the right to object at any time in accor­dance with Arti­cle 21 of the GDPR. In the case of process­ing for the purpose of direct adver­tis­ing and related profil­ing, this right exists with­out restric­tions. The medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH shall no longer process the personal data in the event of the objec­tion, unless we can demon­strate compelling legit­i­mate grounds for the process­ing which over­ride the inter­ests, rights and free­doms of the data subject, or for the estab­lish­ment, exer­cise or defence of legal claims.

In addi­tion, the data subject has the right, on grounds relat­ing to his or her partic­u­lar situ­a­tion, to object to process­ing of personal data concern­ing him or her which is carried out by the medalp Imst — Zentrum für ambu­lante Chirurgie Betriebs GmbH for scien­tific or histor­i­cal research purposes, or for statis­ti­cal purposes pursuant to Arti­cle 89(1) of the GDPR, unless the process­ing is neces­sary for the perfor­mance of a task carried out in the public interest.

Right to with­draw consent
Consent given for the process­ing of personal data can be with­drawn at any time. The lawful­ness of the process­ing carried out up to the time of with­drawal is not affected by this.

Decla­ra­tion of consent regard­ing image rights during an event
By partic­i­pat­ing in events, you expressly consent to the publi­ca­tion of photographs, sound and film record­ings, as well as video streams of your­self that are taken during events in which you partic­i­pate. This also applies to printed matter, videos or DVDs, and the Internet.

Right to lodge a complaint
You have the right to lodge a complaint with a super­vi­sory author­ity (data protec­tion author­ity) respon­si­ble for you, in partic­u­lar in the EU member state of your place of resi­dence, your place of work or the place of the alleged infringe­ment, if you are of the opin­ion that the process­ing of personal data concern­ing you violates the General Data Protec­tion Regu­la­tion or that your data subject rights have been violated.

We would appre­ci­ate it if you contacted us before­hand and allow us the oppor­tu­nity to respond.

List of the super­vi­sory authorities:
http://​ec​.europa​.eu/​n​e​w​s​r​o​o​m​/​a​r​t​i​c​l​e​2​9​/​i​t​e​m​-​d​e​t​a​i​l​.​c​f​m​?​i​t​e​m​_​i​d​=​6​1​2​080

Name and address of the super­vi­sory author­ity in Austria:
Öster­re­ichis­che Daten­schutzbe­hörde (DSB)
Wick­en­burggasse, 81080 Vienna, Austria
Tele­phone: +43 1 521 52–25 69
E‑mail: ta.vg1732137825.bsd@1732137825bsd1732137825
Website: www​.dsb​.gv​.at