Data protection information from MEDINO
1. General
Your personal data (“data”) is in safe hands with us, ST Healthcare GmbH, FN 501447y, Untere Weißgerberstraße 43/6, 1030 Vienna, as the operator of the Medino Health Center (“ST Healthcare” or “operator”) and the doctors, therapists and other practitioners (collectively “practitioners”) working at this health center as joint controllers (hereinafter also referred to as “we”, “us”)!
We are obliged to protect your data and take this duty very seriously. Please take the time to read this data protection information and find out why we collect your data and how we will process it. This text is for information purposes only and does not establish any contractual rights or obligations.
We inform you about the processing of your data when you visit and use our website in Point 4.
On request, we will be happy to provide you with the main contents of the agreement concluded between us and the data processors on joint responsibility for the personal data processed about you in accordance with Art. 26 GDPR. The main content of this agreement can be found under Point 5.
We inform you about the processing of your data in the context of (the initiation of) a treatment contract, including any related processing, in point 6.
We inform you about the processing of your data for the purpose of asserting, exercising or defending legal claims and for conducting proceedings before authorities (including courts) in point 7.
We inform you about the processing of your data for the purpose of fulfilling corporate, tax and social security obligations in point 8.
2. What is personal data?
Personal data is any information relating to an identified or identifiable natural person (e.g. name, contact details, billing data, social security number).
3. How do we process your personal data?
If you visit our website, are interested in treatment at the Medino Health Center or conclude a treatment contract with one of the practitioners practicing at this health center, we process your data in the manner described in detail in the following points.
4. Data processing when visiting our website
When visiting our website https://medino.at/ data is automatically processed by various technologies. We use cookies, analysis tools, marketing technologies and embedded content from third-party providers. In the following, we inform you about the respective processing operations, their purposes and legal bases.
Insofar as the processing described below is not technically mandatory, it will only take place with your consent (Art. 6 para. 1 lit. a GDPR), which you can give or refuse via our cookie consent banner (Complianz). You can revoke your consent at any time with effect for the future via the cookie settings on our website.
4.1. Cookie Policy
Our detailed cookie policy is available at https://medino.at/cookie-policy-eu/ .
4.2. Embedded content and external services
Our website integrates content and services from third-party providers. When loading this content, your IP address is transmitted to the respective provider.
Google Maps
We embed Google Maps (provider: Google Ireland Ltd) to display our location. When loading the map, your IP address is transmitted to Google. Legal basis: Consent (Art 6 para 1 lit a GDPR). Data transfer to the USA on the basis of the EU-US Data Privacy Framework.
Google Fonts
We use Google Fonts (provider: Google Ireland Ltd) for the uniform display of fonts. Your IP address is transmitted to Google when you access the website. Legal basis: Consent (Art 6 para 1 lit a GDPR). Data transfer to the USA on the basis of the EU-US Data Privacy Framework.
Wistia (Video)
We embed videos via Wistia (provider: Wistia Inc., Cambridge, MA, USA). Wistia uses cookies to store the video playback progress (wistia-video-progress-*). Data transfer to the USA on the basis of standard contractual clauses.
Social media plugins
We have integrated content from Instagram, Facebook and LinkedIn on our website. When loading this content, personal data (in particular your IP address) may be transmitted to the respective providers. The providers (Meta Platforms Ireland Ltd, LinkedIn Ireland Unlimited Company) may use this data to create profiles. Legal basis: Consent (Art 6 para 1 lit a GDPR). Data transfer to the USA on the basis of the EU-US Data Privacy Framework.
4.3. Newsletter registration via the website
You can register for our newsletter on our website. We use the Brevo platform (provider: Brevo GmbH, Köpenicker Straße 126, 10179 Berlin, Germany). When you register, your e-mail address will be transmitted to Brevo and stored there as a processor. The registration is based on your consent (Art 6 para 1 lit a GDPR). You can revoke your consent at any time with effect for the future by using the unsubscribe link in the newsletter or by contacting us at datenschutz@medino.at.
4.4. Recipients of data and transfers to third countries
In connection with the operation of our website, we transmit data to the following recipients:
| Receiver | Data categories | Purpose | Legal basis | Registered office | Third country transfer |
| Google Ireland Ltd (Analytics, Tag Manager, Ads, Maps, Fonts, reCAPTCHA) | IP address, usage data, device data | Analysis, marketing, map display, fonts, spam protection | Consent (Art. 6/1/a) or legitimate interest (Art 6/1/f) | Ireland | USA: EU-US Data Privacy Framework |
| Meta Platforms Ireland Ltd (Facebook pixel, Instagram, social plugins) | IP address, usage data, event data | Conversion tracking, advertising | Consent (Art 6/1/a) | Ireland | USA: EU-US Data Privacy Framework |
| LinkedIn Ireland Unlimited Company (Insight Tag, Social Plugins) | IP address, usage data | Conversion tracking, advertising | Consent (Art 6/1/a) | Ireland | USA: EU-US Data Privacy Framework |
| Hotjar Ltd | IP address (anonymized), usage data, session data | Heatmaps, Session Recordings | Consent (Art 6/1/a) | Malta (EU) | No third country |
| FullStory Inc. | IP address, usage data, session data | Website analysis | Consent (Art 6/1/a) | USA | EU-US DPF / SCCs |
| ShareThis Inc. | IP address, usage data | Social Sharing | Consent (Art 6/1/a) | USA | Standard contractual clauses |
| ActiveCampaign LLC | E-mail, usage data | Marketing automation | Consent (Art 6/1/a) | USA | EU-US DPF / SCCs |
| Wistia Inc. | IP address, usage data | Video embedding | Consent (Art 6/1/a) | USA | Standard contractual clauses |
| Brevo GmbH | E-mail address | Newsletter dispatch | Order processing | Germany | Within EEA |
| Cloudflare Inc. | IP address, device data | CDN, bot protection | Legitimate interest (Art 6/1/f) | USA | EU-US DPF / SCCs |
| GoDaddy | IP address, access data | Hosting statistics | Legitimate interest (Art 6/1/f) | USA | EU-US DPF / SCCs |
5. Processing of personal data under joint responsibility
We and the practitioners at Medino Health Center process your data as joint controllers in accordance with Art. 26 GDPR. The main contents of the agreement concluded between us and the treating physicians cooperating with us are as follows:
- The existence of joint responsibility is due to the fact that a uniform (IT) infrastructure has been set up between the joint controllers for the purpose of operating the Medino Health Center. With this, the operator supports the practitioners in the initiation, maintenance, fulfillment and termination of the treatment contracts as well as in accounting activities and the joint marketing of the Medino Health Center.
- Each controller shall ensure compliance with the provisions of the GDPR and the Data Protection Act (“DPA”). However, the joint controllers are equally responsible for the lawfulness of the joint processing operations.
- The contact point for the persons whose data is processed in connection with the data processing in question (“data subjects”) is the operator within the meaning of Art. 26 para. 1 GDPR.
- Insofar as the joint controllers are obliged to inform the data subjects about the processing of their data in accordance with Art. 13 f GDPR, this information obligation is fulfilled by the operator.
- The data subjects can assert the data subject rights standardized in Art. 15 to 22 GDPR. If such a right is asserted by a data subject, the response to this will be carried out by the operator.
- In the event of a data breach, joint controllers must comply with their reporting and/or notification obligations under Art. 33 and 34 GDPR. These reporting and notification obligations are fulfilled by the operator.
- If the data processing in question requires the performance of a data protection impact assessment in accordance with Art. 35 f GDPR (“DPIA”), the operator is entrusted with the performance of the DPIA. The respective controllers must cooperate in the implementation of the DPIA and support the operator.
- The operator is responsible for ensuring that the necessary technical and organizational measures within the meaning of Art 32 GDPR are put in place to protect the data. The jointly responsible parties are responsible for compliance with these measures.
- Each of the joint controllers will include the data processing operations on which the joint controllership is based in the processing directory pursuant to Art. 30 (1) GDPR. The joint controllers will provide each other with the necessary information.
6. Data processing about our patients
6.1. Initiation, maintenance and handling of a treatment contract at the Medino Health Center
6.1.1. Data categories, purposes and legal bases
For the purpose of initiating a treatment contract between you as a patient and your practitioner as well as its conclusion, maintenance and fulfillment in the Medino Health Center (for online appointment booking see point 6.2.), we initially process your data for your practitioner on a (pre-)contractual basis (Art. 6 (1) (b) GDPR). The professional law regulated in the Medical Practitioners Act obliges doctors to document certain data on medical treatments (Section 51 (3) of the Medical Practitioners Act) and authorizes them to process data in connection with this (Section 3b (1) of the Medical Practitioners Act). The doctors are therefore also legally obliged to process your data in this regard (Art. 6 para. 1 lit. c GDPR), which constitutes a further basis for this processing. Your respective practitioner(s) at Medino Gesundheitszentrum are therefore also responsible under data protection law for the processing of your data for these purposes. You can find the contact details from your practitioner, at the reception desk of the Medino Health Center or on our website at https://medino.at/kontakt/.
In this processing of your data, the treating parties are supported by the operator within the framework of the operation of the Medino Health Center. The processing of your data by the operator is based on Art. 6 para. 1 lit. f GDPR; the operator pursues the legitimate interest of the treating parties in receiving support in fulfilling their legal obligations and in the operation of the Medino Health Center.
Information about your state of health (“health data”) is also processed. Health data constitutes a special category of personal data in accordance with Art. 9 GDPR, the processing of which is generally prohibited. However, the data processing carried out in connection with your treatment in our health center is permitted, as it serves individual care in the health and social sector, which is exempt from the processing prohibition pursuant to Art 9 para 2 lit h in conjunction with para 3 GDPR. Of course, all persons who have access to your data are subject to a strict (professional) legal (§ 54 ÄrzteG, § 13 Abs 6 MABG, § 6 DSG) as well as contractually secured confidentiality obligation. In addition, all staff are under the supervision of medical professionals at all times.
These categories of data are processed within the framework of the treatment contract for the purposes listed above:
- Master data (first and last name, date of birth, address)
- Contact details (telephone number, e-mail address)
- Appointment dates
- Insurance and billing data (social security number)
- Health data
The provision of the above data is not required by law. However, it is required for the conclusion of a contract. If you have an existing contract with us, you are obliged to provide us with this data so that we can process the contractual relationship. In this respect, the provision of data is contractually required. Please understand that no treatment can be carried out if we do not have the above-mentioned personal data required for this purpose.
If you provide us with further data, we will process it to protect our legitimate interests (Art. 6 para. 1 lit. f GDPR) in improving the quality of our contractual relationship and our service provision or delete it.
The provision of such data is not required by law or contract and is not necessary for the conclusion of a contract. You are not obliged to provide this data.
6.1.2. Collection of data from other sources (information pursuant to Art. 14 GDPR)
For the purpose of initiating, maintaining and processing a treatment contract, we collect the following data about our (potential) patients from other sources:
| Data resp. | Source | Public | Purpose |
| Health data | ELGA | No | Recording the medical history |
| Insurance data | ÖGK and other insurance companies | No | Verification of insurance cover and identity check |
6.1.3. Storage period, duration of processing
Medical professional law obliges the doctors treating patients to keep records and other documentation on every person accepted for consultation or treatment for at least ten years (Section 51 (3) ÄrzteG). This data includes, in particular, data on the person’s condition at the time the consultation or treatment is accepted, the history of an illness, the diagnosis, the course of the illness and the type and scope of the consultation, diagnostic or therapeutic services, including data on the use of medicinal specialties and the data required to identify these medicinal specialties and the respective batches. Documents relating to further examinations, such as laboratory findings, findings from other doctors and x-rays, are also covered by the documentation obligation.
We store data other than the data subject to the medical documentation obligation for three years from the last contact in order to safeguard our legitimate interest in a possible new contract initiation (Art. 6 para. 1 lit. f GDPR).
We store data from (potential) interested parties in our services with whom we have not concluded a contract for three years from the last contact for the purpose of keeping records. This storage of your data is carried out to protect our legitimate interest in a possible future contract initiation (Art 6 para 1 lit f GDPR).
For the possibility of a longer duration of processing for the purpose of asserting, exercising or defending legal claims and for conducting proceedings before authorities (including courts), please see point 7.
6.1.4. Recipients of data
In order to initiate, maintain and process treatment contracts, it is necessary for us to disclose your data to the following recipients for the following purposes. This disclosure can also be made by another form of provision. Medical professional law obliges us to transmit your data to the social insurance carriers and health care institutions to the extent that it is essential for the recipient to perform the tasks assigned to it, as well as, with your consent, to other doctors or medical institutions whose treatment you are undergoing or will undergo (Section 51 (2) ÄrzteG).
| Receiver | Data categories | Purpose | Legal basis | Location of the recipient | Basis for transfer to a third country |
| Social insurance institutions, health care institutions, doctors, medical facilities | Health care | Fulfillment of a legal obligation | Section 51 (2) ÄrzteG | Austria | No transfer to a third country |
| ELGA | Health data | Fulfillment of a legal obligation | Section 13 (3) GTelG | Austria | No transfer to a third country |
| mobimed Software GmbH | Master data, health data, billing data, appointment data, bank data | Fulfillment of the treatment contract, sending e-mail newsletters, connection to third-party interfaces | No legal basis required, as data processing relationship exists | Austria | No transfer to a third country |
| Exoscale | Master data, health data, billing data, appointment data, bank data | Server hosting | No legal basis required, as data processing relationship exists | Switzerland | For this third country, an adequacy decision of the EU Commission exists |
| Netzwerk Handels- und IT-Dienstleistungs GmbH | Master data, health data, billing data, appointment data, bank data | Server hosting | No legal basis required, as data processing relationship exists | Austria | No transfer to a third country |
| Brevo GmbH | Title, first and last name, e-mail address | E-mail dispatch | No legal basis required, as data processing relationship exists | Germany | Not required as recipient is located within the EEA |
| iBASIS Austria GmbH | Title, first and last name, telephone number | SMS dispatch | No legal basis required, as data processing relationship exists | Austria | No transfer to a third country |
| Esendex | Title, first and last name, telephone number | SMS dispatch | No legal basis required, as data processing relationship exists | Germany | Not required as recipient is located within the EEA |
| MessageBird B.V. | Title, first and last name, telephone number | SMS dispatch | No legal basis required, as data processing relationship exists | Netherlands | Not required as recipient is located within the EEA |
| eyeson GmbH | First and last name of participants, text messages, log files | Video telephony | No legal basis required, as data processing relationship exists | Austria | No transfer to a third country |
| Hobex AG | Billing data | Processing of card payments | Legitimate interest (Art 6 para 1 lit f GDPR) | Austria | No transfer to a third country |
| Lawyers and tax consultants | Master data, billing data | Evaluation and compliance with legal obligations | Legitimate interest (Art 6 para 1 lit f GDPR) | Austria | No transfer to a third country |
| Auditor | Master data, billing data | Annual audit | Legitimate interest (Art 6 para 1 lit f GDPR) | Austria | Within the EEA |
| Collection service provider, if applicable [will be added when commissioned] | Master data, billing data | Collection of outstanding receivables | Legitimate interest (Art 6 para 1 lit f GDPR) | [will be added] | [will be added] |
| If applicable, credit agencies [will be added if necessary] | Master data, creditworthiness data | Registration of outstanding receivables | Legitimate interest (Art 6 para 1 lit f GDPR) | [will be added] | [will be added] |
6.2. Online appointment booking and appointment reminder
6.2.1. Data categories, purposes and legal bases
We process data of interested parties and patients for the purpose of processing online appointment requests, which we offer for the initiation of treatment contracts, via our website on a pre-contractual basis (Art 6 para 1 lit b GDPR). These categories of data are processed as part of the online appointment booking for the purposes listed above: Gender, first and last name, date of birth, e-mail address, telephone number, optional message, booked appointment, practitioner.
The provision of the above data is not required by law. However, it is required for an appointment booking. Please understand that you will not be able to book an appointment if we do not have the above-mentioned personal data required for this purpose.
If you provide us with further data (e.g. via the notes field), we process this to protect our legitimate interests (Art. 6 para. 1 lit. f GDPR) in improving the quality of our contractual relationship and our service provision.
If you would like us to remind you in good time of the appointment you have booked by SMS and/or e-mail, we ask you to activate the respective checkbox and thereby give us your consent to use your telephone number and/or e-mail address for this purpose. If the checkbox is not activated, we will not be able to remind you of the appointments you have booked and you may incur cancellation fees in accordance with our General Terms and Conditions. You can revoke your consent at any time, preferably by e-mail to datenschutz@medino.at or by post to ST Healthcare GmbH, Doblhoffgasse 9/6, 1010 Vienna, with effect for the future.
The provision of such data is neither legally nor contractually required and is also not necessary for the appointment booking. You are not obliged to provide this data.
6.2.2. Storage period, duration of processing
We store this data for three years from the last contact in order to safeguard our legitimate interest in the possible initiation of a new contract (Art. 6 para. 1 lit. f GDPR).
6.2.3. Recipients of data
| Receiver | Data categories | Purpose | Legal basis | Location of the recipient | Basis for transfer to a third country |
| mobimed Software GmbH | Master data, health data, billing data, appointment data, bank data | Fulfillment of the treatment contract, sending e-mail newsletters, connection to third-party interfaces | No legal basis required, as data processing relationship exists | Austria | Not required as recipient is located within the EEA |
| Exoscale | Master data, health data, billing data, appointment data, bank data | Server hosting | No legal basis required, as data processing relationship exists | Switzerland | For this third country, an adequacy decision of the EU Commission exists |
| Netzwerk Handels- und IT-Dienstleistungs GmbH | Master data, health data, billing data, appointment data, bank data | Server hosting | No legal basis required, as data processing relationship exists | Austria | Not required as recipient is located within the EEA |
| Brevo GmbH | Title, first and last name, e-mail address | E-mail dispatch | No legal basis required, as data processing relationship exists | Germany | Not required as recipient is located within the EEA |
| iBASIS Austria GmbH | Title, first and last name, telephone number | SMS dispatch | No legal basis required, as data processing relationship exists | Austria | Not required as recipient is located within the EEA |
| Esendex | Title, first and last name, telephone number | SMS dispatch | No legal basis required, as data processing relationship exists | Germany | Not required as recipient is located within the EEA |
| MessageBird B.V. | Title, first and last name, telephone number | SMS dispatch | No legal basis required, as data processing relationship exists | Netherlands | Not required as recipient is located within the EEA |
6.3. Electronic direct mail
6.3.1. Data categories, purposes and legal bases
We process our patients’ data for the purpose of electronic direct advertising in the form of e-mails (sending our newsletter, satisfaction surveys, congratulatory letters). Electronic direct advertising to our patients is carried out on the basis of Section 174 (4) TKG 2021 or your express consent.
The following data is processed for direct advertising by e-mail:
- Salutation
- First name, last name
- E-mail address
- Data on services already used with us
We would like to expressly inform you that you can object to the processing of your data for the purpose of electronic direct advertising when the electronic contact information is collected and for each transmission also by e-mail to datenschutz@medino.at or by post to ST Healthcare GmbH, Doblhoffgasse 9/6, 1010 Vienna.
6.3.2. Storage period, duration of processing
We process your data for the purpose of direct advertising in accordance with Section 174 (4) TKG only until you object to this data processing. If you do not object, we will process your data for this purpose for three years from the last contact. This storage of your data for the purpose of future direct advertising is carried out to safeguard our legitimate interest in keeping records of contacts for sending electronic direct advertising (Art. 6 para. 1 lit. f GDPR).
For the possibility of a longer duration of processing for the purpose of asserting, exercising or defending legal claims and for conducting proceedings before authorities (including courts), please see Point 7.
6.3.3. Recipients of data
For direct advertising in accordance with Section 174 (4) TKG, it is necessary for us to disclose your data to the following recipients for the following purposes. This disclosure may be made by transmission, dissemination or any other form of provision.
| Receiver | Data categories | Purpose | Legal basis | Location of the recipient | Basis for transfer to a third country |
| mobimed Software GmbH | Master data, health data, billing data, appointment data, bank data | Fulfillment of the treatment contract, sending e-mail newsletters, connection to third-party interfaces | No legal basis required, as data processing relationship exists | Austria | Not required as recipient is located within the EEA |
| Brevo GmbH | Title, first and last name, e-mail address | E-mail dispatch | No legal basis required, as data processing relationship exists | Germany | Not required as recipient is located within the EEA |
6.4. Evaluations in connection with services offered
6.4.1. Data categories, purposes and legal bases
We process your data after it has been anonymized for the purpose of further developing our services and for scientific purposes. We carry out the anonymization on the basis of our legitimate interest in the improvement and further development of our services (Art 6 para 1 lit f GDPR). We carry out the anonymization of health data as a special category of personal data on the basis of the permission (=exception from the processing prohibition in this regard) of Art 9 para 2 lit j in conjunction with Art 89 GDPR in conjunction with § 7 para 1 Z 2 DSG.
After anonymization, the data no longer has any personal reference and can therefore no longer be assigned to you and you yourself can no longer be identified even if this data is known. We process the following categories of data for the above-mentioned purposes:
- Master data
- Health data
- Appointment dates
- Type of treatment or service selected
6.4.2. Storage period, duration of processing
Since the anonymized data no longer has any personal reference, it is no longer subject to any storage limitation. We process the anonymized data for as long as is necessary to achieve the above-mentioned purposes.
7. Data processing for the assertion, exercise or defense of legal claims, conduct of proceedings before authorities (including courts)
7.1. Data categories, purposes and legal bases
We also process your data for the purpose of asserting, exercising or defending legal claims and for the handling of proceedings before authorities (including courts) to protect our legitimate interests (Art 6 para 1 lit f GDPR). Our legitimate interest lies in the enforcement of existing and defense against non-existing claims and in the handling of official (including judicial) proceedings to protect our legal position.
We process all categories of data required for the assertion, exercise or defense of legal claims and for the handling of proceedings before authorities (including courts). This potentially includes all categories of data that we already process from you for other purposes and also data that we do not collect from you (see point 7.2).
7.2. Collection of data from other sources (information pursuant to Art. 14 GDPR)
We also collect your data from other sources for the purpose of asserting, exercising or defending legal claims and conducting proceedings before authorities (including courts):
| Data resp. | Source | Publicly accessible | Purpose |
| Data from public registers (in particular names, contact details, addresses, roles in legal entities, data on current and past proceedings) | Central register of residents, company register, land register, central register of associations, edict file (https://edikte.justiz.gv.at/edikte/edikthome.nsf), execution register | Yes | Assertion, exercise, defense of legal claims; conduct of proceedings before authorities (including courts) |
| Creditworthiness data, data on past payment defaults and insolvencies | Credit agencies, in particular Österreichischer Kreditschutzverband 1870; Ediktsdatei (https://edikte.justiz.gv.at/edikte/edikthome.nsf) | Partly | Information from and data exchange with credit agencies (e.g. Österreichischer Kreditschutzverband 1870) to determine creditworthiness and default risks |
7.3. Storage period, duration of processing
We also process data required for the assertion, exercise or defense of legal claims for this purpose for up to 30 years after termination of the contractual relationship.
In the event of the assertion of data subject rights under the GDPR (for details see point 10), we store the associated data for three years from the last contact in connection with the assertion of a data subject right.
In the event of official or court proceedings, we store your data for the duration of these proceedings and, depending on the subject matter and outcome of the proceedings, for up to a further 30 years from the legally binding conclusion of the proceedings.
7.4. Recipients of data
For the assertion, exercise or defense of legal claims and the handling of official (including judicial) proceedings, it is necessary for us to disclose your data to the following recipients for the following purposes. This disclosure may be made by transmission, dissemination or any other form of provision.
| Receiver | Data categories | Purpose | Legal basis | Location of the recipient | Basis for transfer to a third country |
| Lawyers and tax consultants | Master data, contact data, billing data, contract data, health data if applicable (if required for legal advice) | Evaluating and ensuring compliance with legal obligations | Legitimate interests (Art 6 para 1 lit f GDPR): Compliance with the legal obligations to which we are subject | Austria | Not required as recipient is located within the EEA. |
| Insurances | Master data, contact data, billing data, claims data | Settlement of claims | Legitimate interests (Art 6 para 1 lit f GDPR): Compliance with our contractual obligations arising from insurance contracts and assertion of claims against insurance companies arising from our insurance contracts | Austria | Not required as recipient is located within the EEA. |
| Credit agencies | Title, first name, surname, address, creditworthiness data, data on outstanding receivables | Reporting of outstanding receivables and payment history data to credit agencies | Legitimate interests (Art. 6 para. 1 lit. f GDPR) of the companies that request creditworthiness data in the avoidance of payment defaults | Austria | Not required as recipient is located within the EEA. |
| Auditor | Master data, contact data, billing data, accounting documents | Participation in the audit of the annual financial statements | Legitimate interests (Art 6 para 1 lit f GDPR): in compliance with our obligation to audit the financial statements | Austria | Not required as recipient is located within the EEA. |
| Public authorities (including courts) | All data categories required for the respective procedure | Handling of proceedings and legal disputes | Legal obligations (Art 6 para 1 lit c GDPR) | Austria | Not required as recipient is located within the EEA. |
8. Fulfillment of corporate, tax and social security obligations
8.1. Data categories, purposes and legal bases
As part of our accounting, we process your data to protect our legitimate interest in fulfilling various legal obligations (Art 6 para 1 lit f GDPR). Our legitimate interest lies in the fulfillment of our legal obligations.
These obligations include correct accounting in accordance with § 190 UGB, the fulfillment of our obligation to file VAT returns in accordance with § 21 UStG and income tax returns in accordance with (§ 24 KStG in conjunction with) § 42 EStG and – if you consent to this – cooperation in the reimbursement of costs, cost reimbursement or cost subsidy by the health insurance providers (§ 32b para. 2 ASVG).
These data categories are processed as part of our accounting for the above-mentioned purposes:
– Master data (first and last name, date of birth, address)
– Contact details (telephone number, e-mail address)
– Appointment dates
– Insurance and billing data (social security number)
– Type of treatment or service selected
8.2. Storage period, duration of processing
For reasons of company law (Section 212 of the Austrian Commercial Code (UGB)), we keep our accounting records and other documents that we are required to keep due to the retention period stipulated in Section 212 UGB for seven years (for the start of the retention period, see Section 212 (2) UGB). We therefore process your data from these documents in accordance with Section 212 UGB for a period of seven years.
For tax law reasons (Section 132 of the Federal Fiscal Code, hereinafter: BAO), we retain receipts relating to treatment contracts for a period of seven years from the end of the year in which the business transaction relating to the receipt took place. We therefore process your data from our receipts for a period of seven years from the end of the year in which the business transaction relating to the receipt took place.
For the possibility of a longer duration of processing for the purpose of asserting, exercising or defending legal claims and for conducting proceedings before authorities (including courts), please see point 7.
8.3. Recipients of data
In order to fulfill our corporate, financial and tax obligations, it is necessary for us to disclose your data to the following recipients for the following purposes. This disclosure may be made by transmission, dissemination or any other form of provision.
| Receiver | Data categories | Purpose | Legal basis | Location of the recipient | Basis for transfer to a third country |
| ÖGK and other insurance companies | Insurance and billing data | Simplification of cash refunds | § 32b ASVG | Austria | No transfer to a third country |
| Auditor | Master data, contact data, billing data, accounting documents | Participation in the audit of the annual financial statements | Legitimate interests (Art 6 para 1 lit f GDPR): in compliance with our obligation to audit the financial statements | Austria | Not required as recipient is located within the EEA. |
| Authorities (including courts) | All data categories required for the respective procedure | Handling of proceedings and legal disputes in connection with corporate, financial and tax obligations | Legal obligations (Art 6 para 1 lit c GDPR); Legitimate interests: Assertion, exercise or defense of legal claims (Art 6 para 1 lit f GDPR) and compliance with legal obligations (in particular procedural law) | Austria | Not required as recipient is located within the EEA. |
9. automation-supported decision-making
We would like to inform you that no data processing within the meaning of Art. 22 GDPR takes place. This means that we do not make any decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you; any decision with a similar effect is made by a natural person.
However, we would like to point out that on our website – if you have given your consent via our cookie consent banner – profiling for advertising purposes by third-party providers (in particular Google, Meta and LinkedIn) may take place. This profiling serves exclusively to display interest-based advertising and does not result in an automated decision that has legal effect against you or significantly affects you in a similar way.
10. what rights do you have with regard to data processing?
We would like to inform you that you have the right:
- to request confirmation as to whether or not we are processing personal data concerning you; if this is the case, you have a right of access to this personal data and the information listed in Art 15 (1) and (2) GDPR; for the right to receive a copy of the personal data concerning you that is the subject of processing, see Art 15 (3) and (4) GDPR;
- to request the rectification or completion of inaccurate or incomplete data concerning you (see Art. 16 GDPR for details);
- to demand the deletion of your data, unless there is a legal basis for the further processing of your data (see Art. 17 GDPR in detail); in this context, we cannot comply with a deletion if the processing (storage) is necessary to fulfill a legal obligation (legal storage obligations) or if we are entitled to do so due to overriding interests (e.g. assertion, exercise or defense of specific legal claims);
- to demand the restriction of the processing of your data if certain conditions are met (see Art. 18 GDPR for details);
- to object to the processing of your data which is necessary for the purposes of the legitimate interests pursued by us or by a third party (Article 6(1)(f) GDPR). In the event of an objection, we will no longer process your data unless the processing serves the assertion, exercise or defense of legal claims or we can demonstrate compelling legitimate grounds for the processing that outweigh your interests (taking into account your particular situation, if applicable). If you object to processing for direct marketing purposes (including profiling to the extent that it is related to such direct marketing), we will no longer process your personal data for these purposes (see Art. 21 GDPR for details);
- to receive the transfer of the data provided by you in a structured, commonly used and machine-readable format. However, the right to data portability only exists if the processing is based on your consent or on a contract (see Art. 20 GDPR for details).
To assert one of the above-mentioned rights, you can either send an e-mail to datenschutz@medino.at or write to ST Healthcare GmbH, Doblhoffgasse 9/6, 1010 Vienna.
If we process your data on the basis of your consent (see above, points 6.1. and 6.3.), you have the right to withdraw this consent at any time by sending an e-mail to datenschutz@medino.at or by post to ST Healthcare GmbH, Doblhoffgasse 9/6, 1010 Vienna. This does not affect the lawfulness of the data processing carried out up to this point in time (Art. 7 para. 3 GDPR).
If, despite our commitment to process your data lawfully, you believe, contrary to expectations, that your personal data is not being processed lawfully, please contact us by post or email (see contact details below) so that we can learn of your concerns and address them. However, you also have the right to lodge a complaint with the Austrian Data Protection Authority or with another data protection supervisory authority in the EU, in particular at your place of residence or work.
We hope that this information has provided you with clarity as to how and for what purposes we process your data. If you still have questions about the processing of your personal data, you can contact us by e-mail at datenschutz@medino.at or by post at ST Healthcare GmbH, Doblhoffgasse 9/6, 1010 Vienna.
ST Healthcare GmbH
Untere Weißgerberstraße 43/6, 1030 Vienna, FN 501447y, HG Vienna
datenschutz@medino.at
ATU73944869
Member of the Austrian Federal Economic Chamber
The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (dsb@dsb.gv.at, www.dsb.gv.at)
Status: April 20, 2026
