PRIVACY POLICY
PRIVACY POLICY
Processing your personal data, we attach outmost importance to the security and to your fundamental rights and freedoms. Therefore, this privacy policy informs you about the purpose, the scope and your rights concerning the processing of your personal data by means of the DECIDE app.
When does this privacy policy apply?
By using the DECIDE app (“APP”), we process your personal data. We collect the data captured by sensors incorporated in the wearable device (a smartwatch), that is connected to the APP and subsequently sends the captured data to the APP. Furthermore, we collect your personal data extracted from the information you provide when answering a questionnaire or giving feedback by means of the APP.
We may change this privacy policy on our own initiative at any time. If material changes to this privacy policy may affect the processing of your personal data, we will communicate these changes to you in a way that we normally communicate with you (e.g. via e-mail and notification on the APP). We invite and recommend you to read the latest version of this privacy policy on the APP.
Apart from this DECIDE APP PRIVACY POLICY, we expect you to read the s APP TERMS OF SERVICE (“ToS”) and to abide by its provisions. The ToS are paramount concerning any usage.
Who are we?
In this privacy policy, “We” refers to the DECIDE Group. “DECIDE”, in turn, refers to a research project funded by the German “Bundesministerium für Bildung und Forschung” (BMBF; the Federal Ministry of Education and Research) and named after the research project’s title “Decentralized digital Environment for Consultation, data Integration, Decision making and patient Empowerment”. By contract, the DECIDE Group consists of its partners comprising the University Medical Centre of the Johannes Gutenberg-University Mainz, the Johannes Gutenberg-University Mainz and the Fraunhofer Institute for Industrial Mathematics ITWM. Being the manufacturer of the APP as well as of the wearable device that captures data, the MCS Data Labs GmbH is associated with the DECIDE Group. For more details on DECIDE, please see
the BMBF website: https://www.gesundheitsforschung-bmbf.de/de/decide-versorgungsqualitat-in-landlichen-regionen-verbessern-13024.php
or the website of the DECIDE Group: https://decide.imbei.uni-mainz.de/decide/.
Throughout DECIDE’s execution, the partners of the DECIDE Group jointly determine the purposes and means of processing personal data. Therefore, the group’s partners are joint controllers pursuant to Art. 26 (1) sentence 1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR). They have concluded a Joint Controller Agreement pursuant to Art. 26 (1) sentence 2 GDPR of which the essence is explained in this privacy policy.
We are accountable for the processing of your personal data in the manner explained in this privacy policy. If you have any questions, please contact us via decide@uni-mainz.de.
Which personal data do we process and why?
We will only process your personal data for the specific purpose of DECIDE’s execution and to the extent permitted by your informed consent or pursuant to applicable law. Further below, we explain in which cases we collect and use your personal data.
What personal data?
Why?
Legal basis?
Basic identification data
– master data
e.g. your name, contact details etc.
This information is necessary to directly identify the APP user and provide them with recommendations and advices as well as to communicate with them
Informed consent
Data collected through the sensors incorporated in the wearable device
– sensor data
e.g. endogenous, environmental and motion data
This information is essential for further analyses of your health status by means of combining the sensor data with other data
Informed consent
Data collected via questionnaires
– questionnaire data
e.g. data concerning your health status
This information is essential for further analyses of your health status by means of combining the questionnaire data with other data
Informed consent
Data collected due to your feedback on your participation in DECIDE
– feedback data
e.g. data concerning usability of the APP, the wearable device or the received intervention
This information is essential in order to improve DECIDE’s execution
Informed consent
With whom do we share your personal data?
In principle, your personal data is exclusively processed by us, the DECIDE Group, or by a processor on behalf of us. Where processing is carried out by a processor and on behalf of us, this processing is always governed by a contract, which is binding on the processor with regard to us and entailing obligations on par with and analogous to the obligations of the Joint Controller Agreement that are binding on the DECIDE Group’s partners. Furthermore, any natural person who processes your personal data is obliged to confidentiality.
For DECIDE’s execution, we do not transfer your personal data to natural or legal persons, public authorities, agencies or other bodies outside of the European Union (EU).
How long do we keep your personal data?
Your personal data will solely be processed up to 10 years after the purpose of the DECIDE research project will have been fulfilled (retention period) or until you withdraw your consent. If the retention period has expired or having received a withdrawal of your consent, your personal data will completely be deleted.
Processing your personal data any longer than pursuant to the provisions of No. 5.1 requires your consent or a legal or regulatory obligation or a court or administrative order to be in place.
How do we keep your personal data secure?
In particular, the security and confidentiality of your personal data is ensured by usage of the following technical and organizational measures:
Principle of least privilege (PoLP): For DECIDE’s execution, any natural or legal person processes only those parts of your personal data that are necessary for them to carry out their respective roles within the DECIDE research project;
Pseudonymisation: Wherever and whenever applicable, your personal data is solely processed after having been pseudonymized, meaning that, in particular, your master data (see No. 3) is substituted for an alphanumeric string making it practically impossible to identify you by a given pseudonymized data set;
State of the art encryption between mobile device and backend system pursuant to the Transport Layer Security (TLS) standard;
Authentication and authorisation mechanisms to regulate access to your personal data and under the regulations of PoLP (see above);
Identification mechanism to access the APP.
Your rights regarding your personal data
You may exercise the following rights related to the processing of your personal data: the right of access, rectification, erasure, and data portability as well as the right to object to or limit the processing of your personal data or to withdraw your consent. To exercise your rights, you can submit a request to decide@uni-mainz.de. If you want, in particular, to withdraw your consent, you may call us by phone at + 49 (0) 6131 39 38 785. Finally, you have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for the DECIDE Group is
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Prof. Dr. Dieter Kugelmann
Hintere Bleiche 34
55116 Mainz
Phone: + 49 (0) 6131 8920-0
Fax: + 49 (0) 6131 8920-299
Web: https://www.datenschutz.rlp.de/
Mail: poststelle@datenschutz.rlp.de
Do you have any questions?
Should you have any further questions about the processing of your personal data, please do not hesitate to contact us via https://decide.imbei.uni-mainz.de/about/about-us/.