Data privacy statement

In this data privacy statement, we provide an overview as to how the user’s submitted personal data is used. Moreover, we want to inform the user as to which precautionary measures we have taken in order to secure personal data as well as which rights and options are available to the user with respect to accessing personal data and privacy protection.

This data privacy statement also includes information as to which personal data we acquire, how it is processed and to which third parties it is forwarded.

Regarding the terminology used, such as “processing” or “data controller”, we refer to the definitions in Section 4 of the General Data Protection Regulation (GDPR).

Data controller:

Urania location:

DIAGNOSE ZENTRUM URANIA | Diagnosezentrum Betriebsführungs GmbH | DIAGNOSE ZENTRUM URANIA Ges.m.b.H. | Riedl-Prayer-Drahanowsky-Barton Radiologiegruppenpraxis OG, Laurenzerberg 2, 1010 Vienna, Austria, e-mail: datenschutz@imaging.at

Data protection officer: Medicforce Dienstleistungs GmbH, Robert Schmölzer, Höhenstraße 102a, 6020 Innsbruck, Austria, e-mail: datenschutz@imaging.at, tel.: +43 676 833 266 50

Praterstern location:

Riedl-Prayer-Drahanowsky-Barton Radiologiegruppenpraxis OG, Praterstern 2, 1020 Vienna, Austria, e-mail: datenschutz@imaging.at

Data protection officer: Medicforce Dienstleistungs GmbH, Robert Schmölzer, Höhenstraße 102a, 6020 Innsbruck, Austria, e-mail: datenschutz@imaging.at, tel.: +43 676 833 266 50

Petscan location:

PET-CT Vienna I GmbH & Co KG, Fleischmarkt 19, 1010 Vienna, Austria, e-mail: datenschutz@imaging.at

Bellaria location:

Univ. Prof. Dr. Riedl & Partner Gruppenpraxis für Radiologie GmbH | City-CT Institut für Computertomografie und bildgebende Diagnostik Gesellschaft m.b.H.

Bellariastraße 6, 1010 Vienna, Austria, e-mail: bellaria@imaging.at

Data protection officer: Medicforce Dienstleistungs GmbH, Robert Schmölzer, Höhenstraße 102a, 6020 Innsbruck, Austria, e-mail: datenschutz@imaging.at, tel.: +43 676 833 266 50

For what purposes and on what legal basis is personal user data processed?

1. On the basis of the user's consent (Section 6 (1) lit. a of the GDPR):

Subject to the user’s consent to the processing of personal data, data is exclusively processed according to the purposes and extent determined in the consent declaration (e.g. for the purposes of answering queries, contact establishment regarding earlier appointments, transmission of findings to the referring physician, access to online findings, performing trials, evaluating feedback forms, etc.). The user may withdraw a previously submitted consent at any time with effect for the future.

2. On the basis of contractual obligations (Section 6 (1) lit. b of the GDPR):

The processing of personal data is performed within the context of contract execution (e.g. management of customer/patient data, contract management with business partners, suppliers and patients, preparation of fee notes for privately covered services, dunning, etc.) and the execution of the user's tasks as well as of all necessary tasks associated with the operation and administration of our company.

3. On the basis of fulfilment of legal obligations (Section 6 (1) lit. c of the GDPR):

Processing personal data may be required for the purpose of fulfilling various legal obligations in regard to contract management, billing, accounting and invoicing as well as information or verification obligations according to the Medical Practitioners Act/Hospitals Act and Health Resorts Act.

4. On the basis of maintaining legitimate interests of the data controller (Section 6 (1) lit. f of the GDPR):

If necessary, data may be processed within the context of balancing of interests for the benefit of our company or a third party beyond the actual contractual fulfilment in order to maintain our legitimate interests or the legitimate interests of third parties. Such processing of patient and customer (employee) data is performed in the following cases:

- documentation for the issuance of findings (e.g. for traceability purposes as to whether findings have already been issued),

- reporting adverse drug reactions,

- documentation of insurance reports and damage events,

- recording medical emergencies,

- account management,

- measures related to business management and the further development of services and products,

- measures for the protection of customers and their employees as well as of the company's property, and

- within the context of legal proceedings

Who will receive the user’s personal data?

The protection and confidentiality of personal user data is important to us. We therefore only transmit personal data according to the extent described in the following or within the context of a notification at the time of data acquisition. Moreover, acquired personal user data is neither disposed of nor otherwise disclosed to other third parties.

1. Transmission to others

We transmit acquired personal data to specific service providers (e.g. external data protection officers, social insurance carriers, referring physicians, collection agencies, insurance companies, the Austrian Federal Office for Safety in Health Care, etc.) for the purposes of account management and for other procedures desired by the user.

2. Transmission to other third parties

We may also transmit the user’s personal data to third parties subject to obtaining consent. We provide personal data that we acquire on behalf of the data controller to third parties if the data controller acts as a service provider for third parties.

3. Transmission to processors of task data

To a limited extent, we also provide personal data to task data processors who perform services such as contract fulfilment, account management, accounting and invoicing on our behalf. Task data processors may only use or disclose this data insofar as this is necessary for performing services for us and to ensure compliance with legal regulations. We obligate these task data processors contractually to ensure the confidentiality and safety of personal data that they process on our behalf.

4. Other transmission

We may also transmit personal user data if (i) we are legally required to do so or within the context of legal proceedings, if (ii) we believe that a disclosure is required in order to avert damages or financial losses or (iii) within the context of an investigation into suspected or confirmed fraudulent or illegal activities.

Is my personal data transmitted to a third country or to an international organisation?

Insofar as we process personal data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or this data processing occurs as part of the commissioning of third-party services or the disclosure or transmission of personal data to third parties, we only transmit this personal data if this is required for the fulfilment of our (pre)contractual obligations on the basis of the user's consent and on the basis of a legal obligation or our legitimate interests. Subject to legal or contractual authorisations, we only process or allow the processing of personal data in a third country in case special conditions stated under Section 44 et seqq. of the GDPR apply. This means that processing and transmission are, e.g., based on special guarantees such as the officially recognised declaration of a data protection level on par with the guarantee of the EU or based on compliance with officially recognised special contract obligations (so-called “standard contract clauses”).

For how long is personal data stored and processed?

We process personal user data for the duration of the entire business relationship (from the initiation to processing and completion of a contract) and beyond in accordance with the statutory retention and documentation obligations. These obligations result, among other things, from the following:

- the Hospitals Act and the Health Resorts Act

- the Medical Practitioners Act (1998)

- the Austrian Commercial Code

- the Federal Tax Code of Austria

The legal limitation periods with respect to the retention duration, which in some cases may last up to 30 years according to the General Civil Code (the general limitation period is 3 years), must also be taken into account.

Which rights and options are available to users?

1. Right of access to personal data

Users have the right to demand a confirmation from us whether we are processing personal user data.

Insofar as personal user data is processed, the data subject has the right to demand information at any time about stored personal data and receive a copy of the respective processed personal data regarding the user’s person. Within this context, the data subject has the right to receive information about the following:

- the purposes of processing,

- the categories of processed personal data,

- the recipients or categories of recipients to whom personal data has been disclosed or will be disclosed, in particular recipients in third countries or international organisations,

- if possible, the planned duration for which the personal data will be stored or, if not feasible, the criteria for the determination of that duration,

- the existence of the right to rectification or deletion of personal user data or the right to the restriction of processing by the data controller or the right to object to this processing,

- the existence of the right to file a complaint with a supervisory authority,

- any available information regarding the origin of the user’s data insofar as personal data was not directly acquired from the user, and

- any existence of automated decision-making processes including profiling pursuant to Section 22 (1) and (4) of the GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and desired consequences of such processing for the data subject

Insofar as personal user data was transmitted to a third country or an international organisation, the user has the right to receive information about appropriate guarantees associated with the transmission.

2. Right to rectification

The user has the right to request the rectification of incorrect personal user data. Moreover, the user has the right to demand – also by means of a supplemental declaration – the completion of incomplete personal data with consideration for the purposes of processing.

3. Right to deletion

The user has the right to demand the immediate deletion of personal user data insofar as one of the following reasons applies and further processing is not required:

- The user’s personal data is no longer required for the purposes for which it was acquired.

- The user revokes his or her consent on which the processing is based, and another legal basis or prioritised legitimate interest for the processing of this data does not exist.

- Personal data was processed unlawfully.

- Deletion of personal data is required for the fulfilment of a legal obligation under EU legislation or the legislation of member states by which the data controller is bound.

- Personal data was collected in regard to services offered by the information society pursuant to Section 8 (1) of the GDPR.

4. Right to restriction of processing

The user has the right to demand that we restrict the processing of personal user data if one of the following conditions applies:

- The accuracy of personal data is disputed by the user (a restriction is applied for a duration that allows the data controller to examine the correctness of the personal user data).

- The processing of the user’s personal data is unlawful, and the data subject rejects the deletion of personal data and instead demands the restricted usage of this personal data.

- The data controller no longer requires the personal data for the purposes of processing. However, the data subject requires this data for the assertion, exertion or defence of legal claims.

- The user has objected to the processing of personal data, and it has not yet been determined whether the legitimate reasons of the data controller will prevail against the user.

5. Right to data portability

The user has the right to receive his or her personal data submitted to us in a structured, common and machine-readable format. The user also has the right to demand that this data is directly transmitted by us to another data controller – determined by the user – insofar as this is technically feasible and no other rights and freedoms of other parties are compromised on account of this. Data portability is always subject to the condition that processing is based on the user’s consent or necessary for fulfilling a (pre-)contractual relationship and processing is performed by means of automated methods. The right to data portability does not apply to the processing of personal data necessary for the performance of a task of public interest or for the exercise of public authority conferred to the data controller.

6. Right to objection

The user has the right to revoke his or her consent for the processing of personal data at any time.

If the user objects to the processing, we will no longer process this personal data unless we can verify the existence of compelling reasons for processing that prevail against the user’s interests, rights and freedoms or processing is performed in order to assert, exert or defend legal claims.

For reasons resulting from the user’s special situation, the user has the right to object to the processing of personal data, which the data controller acquired for scientific or historic research or for statistical purposes according to Section 89 (1) of the GDPR unless such processing is required for the fulfilment of a task of public interest.

Insofar as the user wishes to exercise one or multiple of the abovementioned rights, he or she may contact our data protection officer at any time (contact data provided above).

At which supervisory authority can the user submit a complaint?

According to Section 77 of the GDPR, the user has the right to submit a complaint to the competent supervisory authority. In Austria, this is the Austrian Data Protection Authority.

Is personal data processed for other purposes than those for which the personal data was acquired?

In principle, we process data only for the purposes for which it was acquired.

In exceptional cases, we may process personal data acquired for a certain purpose for other purposes as well. In this case we will inform the user regarding the intended processing for this purpose, the duration for which personal data is stored, the exertion of the rights of data subjects, the option to revoke consent, the existence of the right to submit a complaint to the Data Protection Authority, whether the provision of data is necessary for legal or contractual purposes and which consequences the non-provision of this data would have and whether automated decision-making or profiling is performed.

Which types of personal data are processed?

Among other things, we process the following personal data:

- inventory data (e.g. name, title, gender, addresses, date of birth, social insurance number),

- contact data (e.g. e-mail, telephone numbers),

- documentation data (e.g. protocols of conversations, circumstantial descriptions, damage cases, emergency protocols, etc.),

- image and audio data (e.g. X-ray images, CD-ROMs, etc.),

- health-related data (e.g. pre-existing conditions, examination categories, anamnesis forms, findings, etc.), and

- task data (e.g. bank data for payment orders)

For this purpose, we are hereby declaring that we only process personal data insofar as necessary. In individual cases we are satisfied with only a few of the abovementioned data points.

Establishing contact

When contacting us (e.g. via the contact form, e-mail or telephone), the user’s information is processed for contact queries and processing. Personal data may be stored in our customer relationship management system (CRM) or in a comparable organisational tool.

We delete contact queries and the user’s submitted personal data insofar as the storage of this data is no longer required.

Online presence in social media

We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users, and inform them of our services. When visiting respective networks and platforms, the terms and conditions and the data processing directives of the respective operators apply.

If not specified otherwise as part of our data privacy statement, we process personal user data when users communicate with us within social networks and platforms, e.g. by commenting on our online presence or sending us messages.

How will user data be protected?

We take the protection of the user's personal data very seriously and implement suitable technical and organisational measures in order to protect users against unauthorised or illicit processing of personal data as well as against accidental data loss, destruction or damage.

How do users learn about changes to the data privacy declaration?

The data controller is obligated to maintain the principles of privacy and data protection. For this reason, we regularly examine our data privacy statement. We thereby ensure that it is free of errors and well-visible on our website, contains appropriate information about the user’s rights and our processing activities and is implemented according to valid laws and thereby compliant with data protection legislation. We update this data protection statement, if necessary, in order to take current developments into account. If we implement significant changes to this data protection statement, we will inform the user of these changes on our website and make the current version of the data protection statement available to users.

Usage of our homepage

The use of our website is possible in principle without providing personal data. Only information provided by the user’s Internet service provider is acquired (specifically the IP address assigned to the user). We only store this information for the duration of the user’s visit to our website. The individual user remains anonymous. The data controller does not further evaluate this data insofar as no illicit usage of our homepage is committed.

Personal data that the user electronically transmits on our website (e.g. name, e-mail address or other personal details) is only used by us for the stated purpose (e.g. making an appointment, feedback) as well as stored safely and not passed on to third parties. The provider collects and stores information on the web server such as the used browser, the operating system, referring page, IP address, time of access, etc. This data cannot be assigned to any particular person without inspecting additional data sources, and the data controller will not evaluate this data further unless our website is being used for illicit purposes.

Whenever the user contacts us via the contact form on the website or by e-mail, the provided data will be stored by us for six months in order to allow for the processing of enquiries and for any follow-up questions.

Data usage

We hereby expressly object to third-party usage of contact data, published as part of our obligations relating to legal notices, information and disclosure, and the sending of not explicitly requested advertisement and informational materials. We reserve the right to initiate legal steps in case of unsolicited mailing of advertising information e.g. spam mails, etc.

Form data and comments

Any comments or data entries in forms will be stored in addition to the user’s IP address, which is done for security purposes in case illicit content is sent (e.g. insults, extreme left or right-wing propaganda, hate postings, etc.). In this case the data controller maintains a legitimate interest in the identity of the author.

Cookies

Cookies are small files that enable our website to save specific user information on the user's computer or the digital consumer device while visiting our website. Cookies help us determine the usage frequency and number of visitors to our Internet website and allow us to modify our offer in order to make it more convenient and efficient for users.

Cookies are used or placed in accordance with EU and Austrian legislation (Section 5 (3) of the ePrivacy Directive and Section 96 (3) of the Telecommunications Act 2003).

The data controller exclusively uses session cookies that are stored for the duration of the user’s visit to our website. Permanent cookies are also used in order to record information about visitors who access our website repeatedly.

The data controller can thereby offer optimal user guidance as well as recognise repeat visitors and, in case of repeated usage, present an attractive website and interesting content.

The content of a permanent cookie is limited to an identification number. Name, IP address, etc. are not stored. We do not create an individual profile about the user’s behaviour.

We always obtain the user’s consent in advance for the usage or placement of cookies that contain personal data or have an impact on the privacy of users. Consent is obtained through the user’s active behaviour as the user navigates through our website after being informed by our cookie banner on our website about the purposes of cookies and thereby consents to the placement of cookies.

Users can also view our website without the use of cookies. For this purpose, users can deactivate the storing of cookies in the browser or configure the web browser (Chrome, IE, Firefox) so that it informs the user as soon as a cookie is sent. Users can also delete cookies at any time from the PC’s hard drive. However, please note that in this case our website will only be displayed to a limited extent and with limited user guidance.

Google Analytics

This website uses Google Analytics, a web analytics service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies (text files), which are stored on the user’s computer and make it possible to analyse the user’s website usage. Information generated by cookies regarding the user’s visit to this website is usually transmitted to a Google server in the US and stored there. However, in the event that IP anonymisation is activated on this website, the user’s IP address will first be shortened by Google for users within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the US and shortened there in exceptional cases. Google will use this information on behalf of the operator of the website in order to analyse website usage, compile reports about website activities and provide the website operator with other services relating to the use of the website and the Internet. The IP address transmitted by the user’s browser as part of Google Analytics will not be merged with other data held by Google. The user can prevent the storage of cookies by configuring the browser software. However, please note that the full extent of this website’s features may not be available then. Moreover, the user can also prevent Google’s processing of data generated by the cookie and relating to the user’s website usage (incl. the user’s IP address) by downloading and installing the browser plug-in available under the following link (http://tools.google.com/dlpage/gaoptout?hl=de).

Further information regarding the terms of use and data protection is available at https://www.google.com/analytics/terms/de.html and https://support.google.com/analytics/answer/6004245?hl=de. We would like to point out that Google Analytics has been extended on this website with the code "gat._anonymizeIp();" in order to guarantee an anonymous acquisition of IP addresses (so-called IP masking).

Google Maps

This website uses Google Maps in order to display map information. When using Google Maps, Google also collects, processes and uses data related to map functions used by visitors to the websites. For more information about Google’s data processing, please refer to the Google Privacy Policy at www.google.com/intl/en/policies/privacy/. Users can also change their privacy centre settings in order to manage and protect their data.

Right to information

At all times, users have the right to be informed about stored personal data regarding their person, the origin of the data and the recipients as well as the reason for its storage. If the user suspects that the processing of personal data violates data protection laws or if data protection rights have otherwise been violated in any way, the user may lodge a complaint with the supervisory authority for data protection.