Privacy statement
1) General information
For Evangelisches Krankenhaus Wien [Evangelical Hospital of Vienna], a non-profit company m.b.H. (hereinafter “we” or “us”), the issues of data protection and information security are the basis for stable and successful customer relationships and are very important to the company.
This declaration describes how we process your personal data (hereinafter “your data”) in connection with this website www.ekhwien.at and our career portal at ekh-karriere.at.
When processing your data, we observe all the provisions of the GDPR, the Data Protection Act (also referred to as GDPR) [Datenschutzgesetz – DSG] and the Telecommunications Act (TA) [Telekommunikationsgesetz – TKG] in their currently valid versions. Furthermore, we have taken the technical and organizational measures necessary for adequate data protection under our own area of responsibility.
We undertake to comply with data protection requirements, but are not responsible if third parties – despite all security measures – still manage to gain unlawful access to data and information.
2) Operation of the website
- We will collect the following information during your visit to this website:
- Browser type and version
- Model name of the cell phone used and a generic device identifier
- Operating system used
- Website from which the user visits our website (referrer URL)
- Our sub-websites (subdomains) that the user visits
- Date and time of access
- IP address of the user's computer
- All information provided by filling out the contact form/registration on the website.
Purpose
This is done to enable the retrieval and use of the Internet pages you have called up.
Legal basis
The legal basis for this is our legitimate interest in accordance with Article 6 (1) lit f GDPR to ensure the operation of the website, the implementation of an error and availability analysis and the defense against attacks.
Storage period
Form data are only saved for a maximum of four weeks. However, the data may be stored for a longer period of time if this is necessary in order to investigate attacks on our website.
Recipient
These data are only transmitted to processors, but not to third parties.
Provision requirement
You are under no obligation to provide this data. You cannot use the website without providing this data.
Automated decision making
There is no automated decision-making including profiling.
3) Cookies
We use so-called "cookies" so that you can use our website without restriction. Cookies are small files that enable the user to be recognized and your use of our website to be analyzed. A randomly generated unique identification number is stored in these files. A cookie also contains information about its origin and the storage period. Cookies cannot access, read or change any other data on your computer.
The cookies set by our website do not pose a risk to the user’s computer system because they do not cause any damage and do not contain viruses or the like.
We differentiate between two types of cookies that we use to operate our website:
- Functionally necessary cookies to ensure the technical operation and basic functions of our website. This type of cookie is used, among other things, to save your selection of the activated cookies by means of a cookie banner.
Name: cookieconsent_status
Purpose: Storage of consent to the use of cookies
Duration: 12 months
Font size cookie
Name: creaseFont
Purpose: Storage of the font size selected
Duration: 2 months
Name: fe_typo_user
Purpose: Recognition of the visitor or user
Duration: Until the end of the session - Statistics cookies from Matomo to understand how visitors interact with our website and to be able to set targeted advertising activities. Information is only collected and analyzed anonymously. This gives us valuable knowledge in order to optimize the website and our product range. See Section 3.1 below for more information.
Name: _pk_ses.1.48db
Purpose: Matomo statistics
Duration: 30 minutes
Name: _pk_id.1.48db
Purpose: Matomo statistics
Duration: 13 months
Most of the cookies on this website are automatically deleted (session cookies). However, we also use permanent cookies so that we can recognize you when you visit our website again. You can delete these permanent cookies manually in your browser at any time.
The use of cookies can also be prevented by changing the relevant browser settings. If your browser supports the "Do Not Track" technology and you have activated it, no usage profile will be created for your visit. Please note that blocking or deleting cookies could affect your online experience and prevent you from fully using this website.
Legal basis
The legal basis for the use of functionally necessary cookies is our legitimate interest in accordance with Article 6 (1) lit f GDPR in conjunction with Section 165 (3) Clause 3 TKG [Telecommunications Act] 2021 to ensure the technical operation and basic functions of our website as well as to save your chosen cookie settings and operate the website accordingly.
When Matomo is used, no personal data is processed for statistical purposes, which is why there is no need for a legal basis under the data protection law in accordance with Article 6 (1) GDPR.
Notice of revocation, notice of objection
You can revoke your given consent at any time. In certain circumstances, you may have the right to object to processing that is based on our legitimate interest. For more information on your rights as a data subject, see Section 11.
Storage period
The respective storage duration of the cookies can be found in the respective table above.
Recipient
These data are only transmitted to processors, but not to third parties.
Provision requirement
You are under no obligation to provide this data. By not providing the functionally necessary cookies, you may experience problems accessing and using our website. Failure to provide other cookies would not have any negative consequences for you.
Automated decision making
There is no automated decision-making including profiling.
3.1.) Matomo
The website uses Matomo, an open source tool, for web analysis. Matomo does not transmit any data to servers that are beyond our control as the technical operator. Matomo uses cookies, which enable a statistical analysis of the use of the website. Usage information is sent for this purpose, and your IP address is immediately anonymized. Therefore, no personal data is saved for statistical analysis.
4) Social media presence
This section applies to our appearances on social media (hereinafter “social media”).
In general, usage data is processed in social media for advertising and market research purposes. For example, the providers of social media can create their own usage profiles based on various interests of the users and then use these usage profiles to place targeted advertisements inside and outside of social media. For these purposes, the social medium also uses cookies, in which the usage behavior and the interests of the users are stored. Furthermore, these usage profiles can also contain data on users as members of the respective social media, provided they are logged in to them (hereinafter referred to as “usage data”).
For a detailed description of the respective data processing and the options for objection or revocation, we refer to the data protection information of the respective social medium (see Section 4.1 Social media in detail below).
In addition, in the course of our appearances on social media, we also process your user name, name, contact and communication data, provided you contact us and share this data with us.
Purpose
We use our presence on social media to provide information about us, job openings and our products or services, and of course also to contact and communicate with users. In addition, we receive statistical evaluations of usage data, which the respective social medium collects, in anonymous form, in order to be able to better adapt our offers to your interests.
Legal basis
The legal basis for communication is either the initiation of a contract or the fulfillment of a contract (Article 6 (1) lit b GDPR), if you contact us about this, or our legitimate interest (Article 6 (1) lit f GDPR) in answering other inquiries.
The legal basis for processing in joint responsibility with the respective social medium is our legitimate interest (Article 6 (1) lit f GDPR) in the processing of the data described above for analysis and marketing purposes in order to continuously improve our appearance on social media.
Shared responsibility
Since we have various appearances on social media, we take current developments in the area of data protection in social media into account and take them very seriously. We would therefore like to inform you that due to the current case law of the European Court of Justice, there is a joint responsibility within the meaning of Article 26 GDPR between the operator of a media presence and the respective provider of this social medium for the processing of your usage data. We have taken the necessary precautions for this joint responsibility, insofar as this has been made possible for us by the respective provider.
In regard to this, we would like to point out that the primary processing of your usage data in the social media takes place at the site of the respective provider of this social medium and that we receive it – if at all – exclusively in anonymous form. Therefore, the primary responsibility for this, according to the GDPR, also lies with the provider of the social medium. We therefore recommend that you assert your rights as a data subject in this context directly with the respective social medium. The corresponding links to the data protection information of the providers can be found in Section 4.1 Social media in detail, below. You can also assert your rights as a data subject with us in this context as part of our joint responsibility. In this case, we will immediately contact the respective provider of the social medium.
Third country transmission
With social media (Facebook, Instagram, LinkedIn, XING and YouTube) it is possible that usage data may be processed outside of the European Union, specifically in the USA. This is permitted on the basis of the EU-USA data protection framework (adequacy decision of the EU Commission dated July 10, 2023) pursuant to Art 45 GDPR or on the basis of the standard contractual clauses pursuant to Art 46 (2) (c) GDPR.
Recipient
Your personal data may be forwarded to external processors in certain circumstances, but in any case not to third parties.
Storage period
We generally process your data, which we receive when you contact us in the course of our appearances on social media, until your account is deleted in the respective social medium, unless longer storage is required due to processing purposes or legal provisions, or to assert or defend rights. As soon as these reasons no longer apply, your data are deleted.
Provision requirement
If your use takes places in the context of establishing contact to initiate a contract, it is necessary to provide your data for the conclusion of the contract. If your use is for other reasons, there is no obligation for you to provide your data. Failure to provide your data when establishing contact to initiate a contract would mean that we can no longer process your contract. Failure to provide your data when using for other reasons would not have any negative consequences for you.
Automated decision making
There is no automated decision-making including profiling.
We receive and process usage data exclusively in anonymous form. For more information about the storage period, please consult the data protection information of the respective social medium.
4.1) Social media in detail
Facebook and Instagram
Company: Facebook Ireland Ltd.
Address:4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data protection information: https://www.facebook.com/policy.php https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram-Hilfebereich&bc[1]=Privatsph%C3%A4re%20und%20Sicherheit
Shared responsibility: https://www.facebook.com/legal/terms/page_controller_addendum
Third country transmission: Standard contractual clauses according to Article 46 GDPR
Additional information:https://www.facebook.com/legal/terms/information_about_page_insights_data
Linkedln
Company: LinkedIn Ireland Unlimited Company
Address: Wilton Plaza, Wilton Pl, Saint Peter’s, Dublin 2, Ireland
Data protection information: https://www.linkedin.com/legal/privacy-policy?_l=de_DE.
Shared responsibility:https://de.linkedin.com/legal/l/dpa
Additional information:https://www.linkedin.com/help/linkedin/answer/89877?trk=microsites-frontend_legal_privacy-policy&lang=de
Company: New Work SE
Address: Dammtorstraße 30, 20354 Hamburg, Germany
Data protection information: https://privacy.xing.com/de/datenschutzerklaerung
YouTube
Company: Google LLC
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy policy: https://policies.google.com/privacy?hl=en-US
5) YouTube integrations
Purpose
We integrate YouTube videos into our website to provide information about us, our products, and our services.
Legal basis
The legal basis for this is your consent in accordance with Art. 6 (1) (a) GDPR, which you give by clicking on a YouTube integration. You can revoke this consent at any time with effect for the future.
Recipient
Your data (and specifically your IP address) will be transmitted to the servers of YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Additional information can be found in YouTube’s privacy policy at the following link: www.google.de/intl/de/policies/privacy/.
Third country transmission
When using YouTube (Google), it is possible that usage data may be processed outside the European Union, specifically in the USA. This is permitted on the basis of the EU-USA data protection framework (adequacy decision of the EU Commission dated July 10, 2023) pursuant to Art 45 GDPR or on the basis of the standard contractual clauses pursuant to Art 46 (2) (c) GDPR.
Storage period
We generally process your data, which we receive when you visit our website, until your account is deleted, unless longer storage is required due to processing purposes, legal provisions or to assert or defend rights. As soon as these reasons no longer apply, your data will be deleted.
Provision requirement
There is no legal or contractual obligation for you to provide us with your data. However, if you do not do so you will not be able to view the integrated YouTube content.
Automated decision making
EKH Wien will not perform any automated decision making incl. profiling.
6) Contact form
Purpose
If you contact us by email, via the contact form on the website or by telephone, the data you provide will be stored by us in order to process the request and in case of follow-up questions.
Legal basis
The legal basis for this is, on the one hand, our legitimate interest, in accordance with Article 6 (1) lit f GDPR, in answering your request and/or, on the other hand, the initiation or fulfillment of a contract in accordance with Article 6 (1) lit b GDPR.
Storage period
The data is only stored for as long as it is necessary to achieve the respective purpose or within the scope of statutory retention periods.
Provision requirement
If you contact us
- in the context of contract initiation, you must provide your data in order to conclude the contract;
- in the context of fulfillment of the contract, you are obliged to provide the data that is required for the proper handling of your request;
- for reasons other than those mentioned above, you are under no obligation to provide this data.
Failure to provide your data would mean that we can no longer process your request. This could potentially violate existing obligations to cooperate with us.
Automated decision making
There is no automated decision-making including profiling.
7) Greeting card
You have the option of sending a greeting card to a patient who is admitted. In this case, the information you provide (name) will be saved for the purpose of forwarding it to the patient. It will not be passed on to third parties.
Purpose
The legal basis for this is the initiation or fulfillment of a contract in accordance with Article 6 (1) lit b GDPR
Storage period
Form data is stored for a maximum of seven (7) days and then deleted.
Recipient
Your data will be forwarded to the patient you have addressed and, in certain circumstances, to external processors, but in any case not to third parties.
Provision requirement
The provision of your data is necessary to initiate or fulfill a contract. As a result of non-provision, your request can no longer be processed.
Automated decision making
There is no automated decision-making including profiling.
8) Patient questionnaire
Patients have the opportunity to fill out and submit a questionnaire regarding their satisfaction during their hospital stay. This can be submitted anonymously or with contact details.
Purpose
In the interests of patient satisfaction and internal process optimization, it is necessary to be able to contact patients. Patients are questioned about complaints for processing. When a complaint is filed, a personal reply is formulated.
Legal basis
The legal basis for us to contact you is your consent (Article 6 (1) (a) GDPR). Notice of revocation: You can revoke this consent at any time with effect for the future.
Storage period
As long as the complaint is closed. 6 months after communication has been completed
Recipient
Your personal data may be forwarded to external processors in certain circumstances, but in any case not to third parties.
Provision requirement
You are under no obligation to provide this data. Without the provision of your data, we cannot include you in the processing.
Automated decision making
There is no automated decision-making including profiling.
9) Job application
You can apply for a job online at www.ekh-karriere.at. In this case, the information you provide (name) will be saved for the purpose of processing your application. If you consent to this and if your application is rejected, we will keep your application data on record for a further three (3) years so that we can contact you if a similar position becomes available.
Legal bases
- Contract initiation (Article 6 (1) lit b GDPR)
- Our legitimate interest in keeping the applicant data as evidence in the event of a defense against a claim for compensation under the Equal Treatment Act (ETA) [Gleichbehandlungsgesetz – GlBG] (Article 6 (1) lit f GDPR).
- Consent to keep records (Article 6 (1) lit a GDPR)
Notice of revocation: You can revoke this consent at any time with effect for the future.
Storage period
Your application data will be stored for eight (8) months if your application is rejected and then deleted. If you consent to the keeping of records, your application data will only be deleted three (3) years after your application is rejected, unless you revoke your consent before that.
Recipient
Your personal data may be passed on within the companies affiliated with the Evangelical Hospital or to external processors in certain circumstances, but in any case not to third parties. There is no automated decision-making or profiling.
Provision requirement
Application process: The provision of your data in the course of your application is required for the possible conclusion of a contract. Without the provision of your data, we cannot process your application any further.
Record keeping: There is no obligation for you to provide your data for record keeping. Without the provision of your data for record keeping, we can no longer contact you for further application processes.
Automated decision making
There is no automated decision-making including profiling.
10) Registration for the Medical Education Academy
Purpose
You can register online for the Medical Education Academy [Ärztliche Bildungsakademie]. In this case, the information you provide will be saved for the purpose of processing your registration and communicating with you in advance of the event. If you have registered for “future information” via “Stay up to date,” the information you provide will be stored for the purpose of sending you information about upcoming events at the Medical Education Academy.
Legal basis
The legal basis for the processing is the fulfillment of the contract (Article 6 (1) lit b GDPR).
The legal basis for receiving future information about upcoming events at the Medical Education Academy is your consent (Article 6 (1) lit a GDPR).
Notice of revocation: You can revoke this consent at any time with effect for the future.
Storage period
The registration data will be deleted no later than seven (7) days after the appointment has taken place.
Recipient
Your personal data may be forwarded to external processors in certain circumstances, but in any case not to third parties.
Provision requirement
The provision of your data as part of the course registration is necessary to fulfill the contract. As a result of the non-provision, you cannot participate in the respective course.
Automated decision making
There is no automated decision-making including profiling.
11) Registration for the EKH newsletter
You can subscribe to our company's newsletter on our website. For this purpose, we need a valid email address for you as well as information that allows us to verify that you are the owner of the email address provided. A confirmation email will be sent to the specified email address using the double opt-in procedure.
When you register for the newsletter, we also save the date and time of registration. The collection of this data is necessary in order to be able to trace (possible) misuse of the email address of a data subject at a later point in time and therefore serves to protect you and us.
Purpose
This is the way we inform our customers and business partners about offers from the company at regular intervals.
Legal basis
The legal basis for the processing is your consent (Article 6 (1) lit a GDPR).
Notice of revocation
You can revoke this consent at any time with effect for the future, for example via the “Unsubscribe” link in every newsletter.
Storage period
The data you provide will be stored by us until you unsubscribe from the newsletter and will then be deleted.
Recipient
The newsletter is sent by a processor we have commissioned in accordance with Article 28 GDPR.
Provision requirement
You are under no obligation to provide this data. Without the provision of your data, you cannot receive our newsletter.
Automated decision making
There is no automated decision-making including profiling.
12) Photo and/or video recording at company events
Purpose
As usual with events, photos and/or videos are taken for the events we organize. We are not concerned with identifying individual people, but only with documenting the event. For documentation purposes, the photos and/or videos we take are securely stored by us and, if necessary, also published on the Internet (on our website), in our company magazine or by means of a newsletter. These are also saved for archiving purposes. In addition, we may present the photos/videos taken at future events (e.g. annual/anniversary events).
Legal basis
The processing (the production, presentation and publication of the photos/videos) is based on our overriding legitimate interest in documenting our own events and also storing them in an archive (Article 6 (1) lit e GDPR in conjunction with Section 12 GDPR). This also includes our interest in informing the public, customers and interested parties about company events and documenting the company's own history with photo and video recordings for future generations.
Storage period
The photos/videos taken are stored as long as necessary for the purpose. Photos/video recordings are generally deleted immediately if they are not suitable for the purposes mentioned above, if they would violate the legitimate interests of the person depicted, or in the event of an objection by the person concerned.
Objection
There is basically no obligation for you to be photographed or recorded. If you do not agree to the recording or publication, please inform the photographer on site immediately. You can also contact us after you have already been included in a photo/video that has been taken. More on the right of objection below.
Provision requirement
There is no obligation for you to be photographed or filmed. If you do not provide your data, there will not be any negative consequences for you.
Automated decision making
There is no automated decision-making including profiling.
13) Management of data subjects' rights requests
Depending on the contract, it may be necessary to process certain data in order to either make use of the respective service or to be able to provide it on our part.
Purpose
We process the data required for the initiation of a contract (offer, participation in tenders, etc.).
Data that is required for the provision of services, customer care and information, including internal documentation and administration, is also processed within the framework of ongoing business relationships. In addition, data is also stored in order to comply with legal obligations (in particular the Federal Fiscal Code (BAO)) and, if necessary, to assert and defend against legal claims.
Legal basis
Initiation or fulfilment of a contract - Art 6 paragraph 1 (b) GDPR
Fulfilment of legal obligations - Art 6 paragraph 1 (c) GDPR
The legitimate interest of the company to store data as evidence for the assertion and defense of legal claims - Art 6 paragraph 1 (f) GDPR
Storage period
In principle, the data is stored for as long as is necessary to fulfil the mutual contractual obligations.
In order to comply with legal obligations (in particular § 132 BAO, §§ 190, 212 UGB (Commercial Code)), storage takes place for a period of 7 years from the end of the calendar year. In certain cases, the data can be stored for longer, for example to assert and defend against legal claims. In particular, contracts and associated data are kept for 30 years due to the general limitation period in accordance with § 1489 ABGB (General Civil Code). Until the deletion date, the data will be restricted so that no further processing or access takes place.
Recipient
If necessary, your data will be passed on to lawyers, insurance companies, authorities or courts, insofar as we are legally obliged to do so or this is necessary to exercise, assert or defend legal claims.
Provision requirement
The provision of your data is necessary to initiate or fulfill a contract. Failure to provide your data may result in, for example, delays in the processing of your request, no contract being concluded or the contract being terminated.
In addition, the provision of your data is required to fulfill our legal obligations (especially documentation obligations). Failure to provide this data would mean that we wouldn’t be able to comply with our legal obligations, which could make you liable to us for damages in the event of a penalty being imposed.
14) Your rights in relation to personal data
You have the right to
- Information (whether and which personal data about you have been stored),
- Correction, addition or deletion (of personal data that is incorrect or not processed in accordance with the law),
- Restriction and data portability
- and under certain circumstances the right of withdrawal and objection.
The right to deletion is only restricted to the extent that we can suspend the deletion based on statutory retention periods and/or to safeguard our claims. You also have the right to lodge a complaint with the competent authority if the processing of your data violates the data protection law or if your data protection claims have been violated in any other way.
15) Contact
Your trust is of particular importance to us. Therefore, if you have any further questions on the subject of data protection in connection with the Evangelical Hospital of Vienna non-profit company m.b.H., please feel free to use the following contact options:
Manager: Evangelisches Krankenhaus Wien gemeinnützige Betriebsgesellschaft m.b.H Hans-Sachs-Gasse 10-12, 1180 Vienna
Email: dsm@ekhwien.at
Telephone: +43 1 40422/9505
External data protection officer:
Email: dsb@ekhwien.at
Tel.: +43 (0) 7242 2155 65065
We would like to point out that, when using this website, you must observe copyrights, name and trademark rights and other rights of third parties. You commit to refraining from improper use of the entire content (in particular of images, videos, fonts and brands).
