Version 28.03.2025
Smed.health uses the medical device SMASS (Structured Medical Assessment System). SmED (“Structured Medical Initial Assessment in Germany”) is the software adapted to the German healthcare system within the generic product group SMASS.
The service provided on this website is operated by HCQS (Health Care Quality Systems GmbH) on behalf of Vivantes – Netzwerk für Gesundheit GmbH (hereinafter referred to as the client).
Name and contact details of the person responsible
The person responsible within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is
Vivantes - Netzwerk für Gesundheit GmbH
Aroser Allee 72-76
13407 Berlin
Tel.: 030 130 10
David Koeppe
David.koeppe@vivantes.de
Tel. 030 130-111011
Datenschutz@vivantes.de
General information on data processing
Scope of processing of personal data
We process our users' personal data only to the extent necessary to provide a functional website and to deliver our content and services and optimize them. Our users' personal data is processed either on the basis of the user's consent or on the basis of legal provisions that permit the processing of the data.
Legal basis for the processing of personal data
The processing of personal data is carried out on the basis of the EU General Data Protection Regulation (GDPR) or national legislation. As a rule, one of the conditions of Art. 6 (1) GDPR is fulfilled when personal data is processed, so that the lawfulness of the data processing is ensured. This may include, among other things, the consent of the data subject, the necessity for the performance of a contract or for the implementation of pre-contractual measures, or the legitimate interest of the controller or a third party.
Recipient of personal data
Your personal data will only be passed on to third parties if you have given your consent, if the transfer is mentioned in this data protection declaration and a legal basis exists, or if we are legally obliged to do so. The client uses service providers to provide the service (in particular HCQS – Health Care Quality Systems GmbH). If a service provider processes personal data on behalf of the client, the provisions of Art. 28 GDPR are complied with. Disclosure of the information from the self-assessment form will only take place with the consent of the user (see “Disclosure of the information from the self-assessment form”). Data will not be transferred to third countries.
Data erasure and storage duration
The personal data of the data subject will be deleted or restricted as soon as the purpose of the storage no longer applies. Storage may take place beyond this if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. A restriction of the processing or deletion of the data takes place when a storage period prescribed by the standards mentioned expires.
Rights of the data subject
The data subject has the right to request information about the personal data concerning them, as well as to request the rectification or erasure of this data or the restriction of its processing, to object to its processing and to request data portability. If the processing is based on the consent of the data subject, the data subject can revoke their consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. Furthermore, the data subject has the right to complain to a regulatory authority.
Provision of the website and creation of log files
Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the accessing computer system.
The following data is collected:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's internet service provider
(4) The user's IP address
(5) The date and time of access
The data is stored in our system's log files. This data is not stored together with other personal data of the user.
Purpose of data processing
The system needs to store the IP address temporarily to enable the website content to be delivered to the user's computer. To do this, the user's IP address must be stored for the duration of the session.
The data is stored in log files to ensure the functionality of the website and the security of our information technology systems. The data is not analyzed for marketing purposes in this context.
Legal basis for data processing
The legal basis for the temporary storage of data and log files is the legitimate interest of the controller in accordance with Art. 6 (1) point f GDPR. The legitimate interest in data processing is the interest in a functional and secure website.
Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the purpose of providing the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after a maximum of 30 days. Further storage is possible on a temporary basis in the event of technical or security-related problems.
Right of objection
The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. Consequently, there is no possibility for the user to object.
Cloudflare
The service includes the use of “Cloudflare”. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”).
The service includes Cloudflare's firewall, proxy, and load balancing services. This technically routes the transfer of information between your browser and the website over Cloudflare's network. This enables Cloudflare to analyze the data traffic between your browser and our website and to serve as a filter between our servers and potentially malicious data traffic from the internet. In doing so, Cloudflare may also use cookies or other technologies to recognize Internet users, but these are used solely for the purpose described here.
The use of Cloudflare is based on the legitimate interest in providing our web services in a manner that is as error-free and secure as possible (Art. 6 para. 1 lit. f GDPR).
Data transfer to the US is based on the Standard Contractual Clauses (SCC) of the EU Commission. Details can be found here: https://www.cloudflare.com/privacypolicy/.
Further information on security and data protection at Cloudflare can be found here: https://www.cloudflare.com/privacypolicy/.
The Cloudflare Data Localization Suite is used. This routes the data traffic between you and the website/application via Cloudflare servers in Europe.
Contract data processing
HCQS and the client have a contract for order processing (AVV) for the use of the above-mentioned service. This is a contract prescribed by data protection law that ensures that the personal data of our website visitors is processed only in accordance with our instructions and in compliance with the GDPR.
Use of cookies
Description and scope of data processing
When you visit our website, session cookies (text files that are stored on your computer) are set for technical reasons. If the browser does not accept cookies, the web server cannot check the validity of the content and cannot receive it.
Cookie name (“XXX” represents a dynamic portion) | Description |
---|---|
cf_clearance | Clearance cookie that stores proof of passing a security challenge. It is used so that a Captcha or JS challenge, if one is present, is no longer issued. It is required to reach the origin server. |
cf_cc_XXX; cf_chl_cc_XXX; cf_chl_seq_XXX; cf_chl_prog | These cookies are used by Cloudflare to execute JavaScript or Captcha challenges. They are not used for tracking or beyond the scope of the challenge. They may be deleted. |
__cflb | This cookie is used to manage and distribute the load on our servers. |
cf_ob_info; cf_use_ob | These cookies are required for Cloudflare's Always-On feature. In the event of technical problems on our side, they are used to display a temporary copy of our website for you. |
cc_cookie | This cookie stores your consent/refusal regarding the cookie information banner. |
fe_typo_user | This cookie stores the session ID for the frontend user. It is set automatically by TYPO3 as soon as the contact, newsletter registration or newsletter cancellation form is used. |
SCDID_S | Stores the session of the second firewall |
JSESSIONID | Stores the application session |
language | Stores the selected language for a subsequent visit, permanently. |
theme | Saves the selected theme for a later visit, permanently. |
smass-cookie | Saves the acceptance of cookies so that the cookie banner no longer needs to be displayed, permanently. |
browser-cookie | Saves the name and version of the browser when the warning about using a browser other than the one used in the system tests is acknowledged, permanently. |
view | Saves the preference for a symptom-oriented or priority-oriented view for a later visit, permanently. |
evaluation | Saves the preference for whether or not to display the evaluation screen for a later visit. |
Purpose of data processing
The purpose of using technically necessary cookies is to make it easier for users to use websites. Some of our website's features (pages with forms) cannot be offered for technical reasons without the use of cookies.
The user data collected by technically necessary cookies are not used to create user profiles.
Legal basis for the data processing
The legal basis for the processing of personal data using cookies is Article 6(1)(f) GDPR. The legitimate interest in the data processing is the interest in a functional and secure website.
Duration of storage, right to object
Cookies are stored on the user's computer and transmitted by it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it is possible that not all of the website's functions can be used to their full extent.
The session cookies are usually deleted by the browser when the browser session is ended.
Disclosure of information from the SmED Patient self-assessment form
If you use the patient.smed.health (SmED Patient) website, the data you enter in the self-assessment form will be stored in pseudonymized form. The pseudonym is the unique assessment token that is assigned for your use case. This pseudonym is a unique identifier for your initial assessment case, which you can use to retrieve your case in the event of data protection queries. It does not allow any conclusions to be drawn about you as a real person for other data processing bodies. By clicking on “Next” after completing the assessment, you will be redirected to a Vivantes - Netzwerk für Gesundheit GmbH website. Information about your assessment (initial assessment result, assessment token) will be forwarded in the data transmitted. This information is used to show you suitable care offers based on the initial assessment result.