Visual Universitätsmedizin Mainz

Information for patients (per GDPR)

OUR OBLIGATION TO PROVIDE YOU WITH INFORMATION RELATING TO THE COLLECTION OF YOUR PERSONAL DATA


DEAR PATIENT,

it is necessary for us to collect and process information on you (personal data), in particular health data, for the purposes of your treatment and care here at University Medical Center Mainz. We have compiled the following information for you so that you know exactly what will happen with your data.

Controller with regard to the processing of personal data

UNIVERSITY MEDICAL CENTER of Johannes Gutenberg University Mainz
Langenbeckstrasse 1
55131 Mainz
Telephone: +49 6131-170
represented by the Chief Medical Officer and the Chairman
Univ.-Prof. Dr. med. Norbert Pfeiffer

Contact details of the data protection officer

UNIVERSITY MEDICAL CENTER of the Johannes Gutenberg University Mainz
Data protection officer
Langenbeckstrasse 1
55131 Mainz
Telephone: +49 6131-170
Email:  datenschutz@unimedizin-mainz.de

WHY DO WE NEED YOUR PERSONAL DATA?

We need to collect your personal data to ensure that your treatment can be appropriately managed. This will not include information in connection with confidential births.


WHO DO WE GET YOUR DATA FROM?

Essentially, we collect the data from you personally. In some cases, however, we may also receive personal data from other hospitals that have carried out your initial treatment, from your general practitioner, specialists, medical care centers, etc. This is combined with your other data held at our hospital in order to ensure that your documentation is consistent.


WHAT DO WE USE YOUR PERSONAL DATA FOR?

Information about you, as well as relevant health data, will be collected, stored and – where necessary – transferred to third parties within the scope of your treatment. In this connection, we refer to the “processing” of your data. For data protection reasons, we can only process your data as a patient at our hospital if this is permitted under law or if you have given your consent to this in your capacity as a patient.

In particular, the processing of your data for your care and treatment is necessary for preventive, diagnostic, therapeutic, curative and aftercare reasons. We also process your data in order to provide the best possible information input at interdisciplinary conferences concerning the analysis and discussion of diagnostic and therapeutic techniques, preliminary, shared and further care with regard to diagnostic and therapeutic methods, prognosis and the status of disorders and vital signs. In addition, this data is also used to produce reports (“doctors’ letters”) and for quality assurance purposes, to detect and combat hospital-acquired infections, and for pastoral and social support and discharge management.

It is also necessary for us to process your personal data for administrative purposes. This is essential so that we can bill for your treatment, for auditing purposes and to enable legal claims to be lodged, exercised and defended.

Furthermore, data is processed for the purposes of the training and continuing training of medical personnel, for research and because of statutory obligations to register information (e.g. with the public health department under legislation designed to control and prevent the spread of infections) and also for the maintenance and upkeep of the IT system and applications.

LEGAL BASIS FOR THE PROCESSING OF YOUR DATA 

University Medical Center Mainz has the legal right to process your data because the hospital is responsible for the care and treatment of patients. There are various laws and regulations that allow the hospital operator to process such data.
 
The EU General Data Protection Regulation (GDPR) is one such; this also applies in Germany - in particular Arts. 6 and 9 GDPR, which regulate the processing of data of patients. Furthermore, basic principles of German law require the processing of your data, such as the Federal Data Protection Act (BDSG), the State Data Protection Act of Rhineland-Palatinate (LDSG), the State Hospital Act of Rhineland-Palatinate (LKG), Volume V of the Social Insurance Code (SGB V), e.g. Article 301 of SGB V and the German Civil Code (BGB), Articles 630 et seq. of the BGB.

The following are examples of the legal bases for processing:

  • Lawful is data processing for the purpose of implementation and documentation of the treatment process for medical and interprofessional communication concerning the patient at the hospital (Article 36(2)(1) LKG in conjunction with Articles 630a et seq., 630f BGB)
  • Lawful is data processing for the implementation of quality assurance measures and for training and continuing training, insofar as this is necessary (Article 36 (2)(2) LKG)
  • Lawful is the transfer of data to “external parties” for the purposes of joint treatment (in a team), including follow-up treatment for the purpose of performance of the therapy contract and consultation with external experts, e.g. laboratory, telemedicine and other external medical professionals (Section 36 (3)(2) LKG)
  • Lawful is the transfer of data to the statutory health insurance companies for the purpose of billing (Article 36(3)(1) LKG in conjunction with Articles 295, 301 SGB V),
  • Lawful is the transfer of data for quality assurance purposes (Article 36(3)(4) LKG in conjunction with Article 299 SGB V, in conjunction with Article 136 SGB V and the Directives of the Federal Joint Committee (G-BA)
  • Lawful is the use of data for own research projects (Article 37 LKG)
  • Lawful is the processing of data on the basis of consent (Section 36 (1)(4) LKG, Article 19(1) LDSG, Art. 6, 1. (a), Art. 9, 2. (a) GDPR)

WHO HAS ACCESS TO YOUR DATA?

The medical professionals involved in your treatment will have access to your data. This also includes doctors from other departments who are involved in interdisciplinary therapy and the administration department responsible for billing your treatment.

Your data will be processed by qualified personnel. These qualified personnel are either subject to what is known as an obligation of professional secrecy or are otherwise obligated to maintain confidentiality.

The handling of your data in confidence is important to us, and is guaranteed throughout.


WHO WILL WE RELEASE YOUR DATA TO? 

Your data will be collected within the scope of the intended purpose, taking into account the relevant data protection regulations and any existing declarations of consent, and transferred to third parties if necessary. Such third parties may include:

  • Statutory health insurance providers, assuming you have statutory health insurance cover
  • Private billing service providers, as well as private health insurance providers, if you are insured privately
  • Accident insurance providers
  • Your general practitioner
  • Doctors providing further treatment, doctors responsible for subsequent care or other attending doctors
  • Other healthcare or treatment institutions
  • Rehabilitation facilities
  • External data processors (so-called “processors”)
  • Providers of pastoral care

 
WHAT DATA WILL BE TRANSMITTED? 

If data is transmitted, which data is actually transmitted will be determined by the recipient in question in each individual case. If data is transmitted to your health insurance company per Article 301 of SGB V, for example, the following data is involved:
 

  1. Your name
  2. Your date of birth
  3. Your address
  4. Your health insurance number
  5. Your insurance status
  6. The date, time and reason for admission, as well as the referral diagnosis, the admission diagnosis, the subsequent diagnoses in the event of a change in the admission diagnosis, the expected duration of your hospital treatment and, if this is exceeded, the medical reasons for this (at the request of the health insurance company), bodyweight on admission (in the case of infants under 12 months of age)
  7. The date and nature of any surgery and other procedures performed at the hospital
  8. The date, time and reason for discharge or transfer, as well as the primary and secondary diagnoses relevant for hospital treatment
  9. Information on the rehabilitation measures implemented at the hospital in question, as well as statements on fitness for work and proposals for the nature of further treatment, with details of suitable institutions.

In the case of further permissible reasons for data transfer, we will only transmit the data necessary for the data processing in question.

HOW DO YOU WITHDRAW YOUR CONSENT?

If the processing of your data is based on consent that you have given to University Medical Center Mainz, you have the right to withdraw this consent at any time. You can submit your declaration of withdrawal of consent in any form or simply speak to us personally. You do not need to state any reasons for withdrawing your consent. Your withdrawal of consent becomes effective only from the time at which we receive your declaration. Withdrawal will not retrospectively invalidate the lawfulness of the processing of your data carried out up to that point in time.

We can process your withdrawal more quickly if you observe the following:

Please address your declaration of your withdrawal of your consent to data processing relating to medical matters directly to the office of the management of the relevant clinic/department to which you gave your consent. Contact our switchboard to be connected by telephone to the department in question: tel: +49 6131 - 170.

If you wish to withdraw your consent to data processing relating to administrative matters (e.g. during the admission process), please contact our patient management team: Service Center 3, patient management division.


WHAT HAPPENS IF ANY BILLS ARE LEFT UNPAID? 

If University Medical Center Mainz has to enforce claims against you or your health insurance company and uses legal or judicial assistance for this, the necessary personal data and data relating to your treatment will need to be disclosed for the purpose of the legal proceedings.


WHAT RIGHTS DO YOU HAVE? 

You are entitled to what are known as the rights of data subjects, i.e. rights that you can exercise as a data subject. You can assert these rights against University Medical Center Mainz:

THE RIGHT TO ACCESS TO INFORMATION, ART. 15 GDPR
You have the right to be informed about personal data concerning you that we hold.

THE RIGHT TO RECTIFICATION, ART. 16 GDPR
If you discover that incorrect data concerning you is being processed, you have the right to require its correction. Incomplete data must be completed, taking into account the purpose of the processing operation.

THE RIGHT TO ERASURE, ART. 17 GDPR
You have the right to demand the erasure of your data if certain grounds apply. This is particularly the case if the data is no longer required for the purpose(s) for which it was originally collected or processed.

THE RIGHT TO RESTRICTION OF PROCESSING, ART. 18 GDPR
You have the right to require the restriction of the processing of your data. This means that your data will not be deleted, but it will be suitably identified to indicate that it may no longer be processed or used.

THE RIGHT TO OBJECT, ART. 21 GDPR
In principle and for grounds relating to your particular situation, you have a general right to object even to lawful data processing which is in the public interest, is required for official purposes or is in the legitimate interest of an organization.

THE RIGHT TO DATA PORTABILITY, ART. 20 OF GDPR
You have the right to receive the personal data concerning you in a common and machine-readable file format.

WILL YOUR DATA BE SUBJECT TO AUTOMATED DECISION-MAKING?

Your personal data will not be used for decision-making based solely on automated processing (e.g. profiling).


HOW LONG WILL YOUR DATA BE STORED?

In accordance with Article 630f of the German Civil Code (BGB), University Medical Center Mainz is obligated to retain records of your treatment. This obligation is met by the retention of records in the form of a patient file in paper or electronic form. This documentation must be retained for 10 years after completion of your treatment.
 
Many legal regulations deal specifically with the matter of how long documents are to be retained by hospitals. In Germany, these include the X-ray Ordinance (RöV), the Radiation Protection Ordinance (StrlSchV), the Ordinance on the Operation of Pharmacies (ApBetrO) and the Transfusion Act (TFG). These legal regulations prescribe different retention periods.
 
In addition, it is necessary to take into account the fact that claims for damages that may be asserted by patients against a hospital only become statute-barred after 30 years at the latest per Article 199(2) German Civil Code (BGB). Therefore, liability proceedings against the hospital operator might only be initiated decades after the end of treatment. With this in view, University Medical Center Mainz retains patient files for 30 years in order to preserve the necessary evidence

 

WHERE CAN YOU FILE A COMPLAINT?  Regardless of the fact that you are also free to seek judicial assistance, you have the right to complain to a supervisory authority of your choice if you believe that your data is being processing in a form that is not consistent with data protection legislation. You have the right to lodge complaints under Art. 77 GDPR. The competent supervisory authority for University Medical Center Mainz can be contacted as follows: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate) Postfach 30 40 55020 Mainz Telephone: +49 6131-208 2449 Fax: +49 6131-208 2497 Complaints may be submitted in any form to the supervisory authority.

Our data protection declaration can be found here.