Data protection information for patients according to Art. 13 GDPR

Version: 1.0.0
Status: 17.11.2023


I. General information on data protection

1. Data protection

As the operator of this website, RxOme GmbH takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations.

In addition to you, the patient, other people use this platform. These are human geneticists on the one hand and human genetics laboratories on the other, who use the platform to create FindMe2care QR codes, for example, or to exchange information on rare genetic diseases.

2. Controller

The controller within the meaning of the GDPR and other national data protection laws as well as other data protection regulations is:

RxOme GmbH
Bayerstraße 3-5
D-80335 Munich
kontakt@findme2care.de
Phone +49 (0)89/30 90 886-0
Fax +49 (0)89/30 90 886-66

In the following, “FindMe2care” is used to refer to both the platform and the responsible organization.

3. Data protection officer

The data protection officer of the controller is:

Jan Alkemade,
Alkemade IT-Security e.K.
Egerländer Str. 9
61239 Ober-Mörlen
Phone: +49 6002 939593
E-mail: jan.alkemade@alkemade-it.de

II. Information on data processing

1. Purpose of the processing of personal data

The “FindMe2care” platform operated by RxOme GmbH serves to provide information on patients with rare genetic diseases and, if necessary, to put them in touch with pharmaceutical companies, study centers, and other affected persons. Patients can receive information tailored to their individual rare disease, be informed about current treatment options, or be supported by patient organizations that are suitable for them.

2. Scope of the processing of personal data

a) Data processing for the provision of the website

FindMe2care processes the personal data of visitors to the FindMe2care website only to the extent necessary to provide a functional website, content, and services. The medical data provided by patients is only processed to provide the services and is not passed on to third parties.

Each time the FindMe2care website is accessed, the system automatically collects data and information from the computer system of the accessing computer. The following data (so-called server log files), which the user’s browser automatically transmits to us, are collected:

  • Information about the browser type (version used, language settings, etc.)
  • The operating system of the user
  • The IP address of the user
  • Date and time of access
  • Website from which the user’s system accesses the FindMe2care website (website, search engine or link, so-called referrer URL)
  • Website accessed by the user’s system via the FindMe2care website
  • Status information (e.g., error messages)
  • Amount of data transferred

The data is also stored in the system’s log files. This data is not stored together with the user’s other personal data.

FindMe2care reserves the right to subsequently check this data or have it checked if concrete indications of illegal use become known.

b) Data processing for the registration of the report and contacting

Participation in or registration with FindMe2care is voluntary and does not replace regular contact with a responsible treating physician. Disease-specific information must be processed at the patient level in order to provide patients with targeted information and to avoid information that is not relevant to the individual concerned. The collection of corresponding personal and medical data is therefore mandatory for the provision of the services, so this data must be provided in accordance with the terms of use if registration is desired. Registration with FindMe2care is not possible without providing this information.

3. Legal basis for the processing of personal data

Personal data is processed on the basis of explicit consent. Thus, Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a of the GDPR serve as the legal basis.

4. Data erasure and storage duration

The personal data of the data subject will be deleted or their processing restricted as soon as the purpose of the processing no longer applies.

The maximum planned storage period is 30 years. Patients can request the deletion of their data at any time without giving reasons (see right to object below).

III. Rights of the patients

According to the GDPR, the patients have the following rights towards the controller:

  • To request information about the personal data processed and to receive a copy of this data (right of access), Art. 15 GDPR;
  • To request the rectification of inaccurate data and, taking into account the purposes of the processing, the completion of incomplete data (right to rectification), Art. 16 GDPR;
  • To request the deletion of their data where there are legitimate reasons (right to erasure), Art. 17 GDPR;
  • To demand the restriction of the processing of their data, provided that the legal requirements are met (right to restriction of processing), Art. 18 GDPR; and
  • If the legal requirements are met, to receive the data provided by the patient in a structured, commonly used, and machine-readable format and to transmit this data to another responsible organization or, if technically feasible, to have it transmitted by FindMe2care (right to data portability), Art. 20 GDPR.

Furthermore, there is a right of appeal to a data protection supervisory authority in accordance with Art. 77 GDPR if a patient is of the opinion that the processing of their personal data is not lawful. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

As the processing of data is based on the consent of the patient, they are entitled under Art. 7 GDPR to withdraw their consent to the use of their personal data at any time. It should be noted that the revocation is only effective for the future. Processing that took place before the revocation is not affected. It should also be noted that FindMe2care may have to retain certain data for a certain period of time in order to fulfill legal requirements (see section 8 of this privacy policy).

Right to object

The processing of the patient’s personal data is carried out in accordance with Art. 6 para. 1 lit. f GDPR to safeguard legitimate interests; they have the right to object to the processing of this data at any time for reasons arising from their particular situation in accordance with Art. 21 GDPR.

FindMe2care will then no longer process this personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the patient or the further processing of their data serves the establishment, exercise, or defense of legal claims.

In order to safeguard the rights of patients, they are welcome to contact the controller or the responsible data protection officer using the contact details provided in sections 2 and 3.

In particular, the request to delete their own data can be made in writing to the above-mentioned address of RxOme GmbH or to datenschutz@findme2care.de or by deleting the user profile via the profile settings in findme2care.de.

The supervisory authority responsible for data protection for the controller is:

Bavarian State Office for Data Protection Supervision
Mr. Michael Will
Promenade 18
91522 Ansbach
www.lda.bayern.de

IV. Data transfer and cooperation with third parties

1. Cooperation with processors and third parties

If, in the course of processing, FindMe2care discloses data to other persons and companies (processors or third parties), transmits it to them, or otherwise grants them access to the data, this is only done on the basis of legal permission if the patients have consented, if a legal obligation provides for this or on the basis of legitimate interest (e.g., when using agents, web hosts, etc.).

If FindMe2care commissions processors to process data, this is done on the basis of Art. 28 GDPR.

2. Transfer to third countries

No data is transferred to third countries.

3. Integration of third-party services and content

For the operation of patient registration and contact, as well as the necessary processing of medical and other particularly sensitive data, no corresponding third-party content (analysis or tracking) is integrated so that no data is passed on to third parties (not even in pseudonymized form).

VI. Other information

Changes to our privacy policy:

FindMe2care may change the security and data protection measures as required by technical and legal developments and adapt the data protection guidelines accordingly. It is, therefore, pointed out that the current version must be observed.