Privacy policy of Bad Schinznach AG, Brugg

1. What is this privacy policy about?

This privacy policy provides information about the personal data we process in connection with our activities and operations, including our website. In particular, we provide information about why, how and where we process personal data and about the rights of persons whose data we process.

If you provide us with data about other persons (e.g. relatives, other associated persons or other (healthcare) service providers), we assume that you are authorized to do so and that this data is correct and that you have ensured that these persons are informed about this disclosure, insofar as there is a legal obligation to provide information (e.g. by bringing this data protection declaration to their attention in advance).

When processing your personal data, we are primarily subject to the Federal Act on Data Protection (FADP); as part of the cantonal performance mandate, we are also subject to the cantonal provisions on the handling of information and data protection. We may also be subject to the EU General Data Protection Regulation (GDPR). However, whether and to what extent these laws are applicable depends on the individual case.

2. Who is responsible for processing your data?

The following data controller is responsible for the processing described in this privacy policy:

Carlo Pirola
Bad Schinznach AG
Badstrasse 50
5116 Schinznach-Bad
Phone: +41 56 463 77 77
E-mail: carlo.pirola@bad-schinznach.ch
Website: https://www.bad-schinznach.ch

3. For what purposes do we process which of your data?

If you make use of our services, in particular in connection with healthcare, or purchase products, use our website (hereinafter collectively referred to as the “Website”) or otherwise have dealings with us, we obtain and process various categories of your personal data. In principle, we may obtain and otherwise process this data for the following purposes in particular:

  • Healthcare: We process your personal data in order to provide, document and invoice our healthcare services in a professional manner. In particular, we process your name and contact details and your health data.
  • Initiation and conclusion of contracts: With regard to the conclusion of a contract (not only to establish a treatment relationship, but also if you purchase other services or products from us or if we purchase products or services from you or your contractor or employer), we may in particular obtain and otherwise process your name, contact details, health data, photos, powers of attorney, declarations of consent, information about third parties (e.g. contact persons, details of relatives or other associated persons), contract contents, date of conclusion, creditworthiness data and all other data which you provide to us or which we collect from public sources or third parties (e.g. references).
  • Administration and processing of contracts: We obtain and process personal data so that we can comply with our legal and contractual obligations towards our patients, authorities, insurance companies and other contractual partners (e.g. other healthcare providers, referring physicians, suppliers, service providers, project partners) and, in particular, provide and claim contractual services. This also includes data processing for the support of our other customers, as well as the enforcement of contracts (billing of services to insurance companies, debt collection, legal proceedings, etc.), accounting and public communication. For this purpose, we process in particular the data that we receive or have collected as part of the initiation, conclusion and execution of the contract, as well as e.g. data on contractual services and the provision of services, details of reactions and financial and payment information.
  • Communication: In order to communicate with you and third parties via email, telephone, fax, digital communication channels, by letter or otherwise (e.g. to answer inquiries, as part of treatment or advice and to initiate or process contracts), we process in particular the content of the communication, your contact details and the marginal data of the communication.
  • Relationship management and marketing purposes: We also process your personal data for relationship management and marketing purposes, in particular to send our customers, other contractual partners and other interested parties personalized advertising about products, services and other news. For this purpose, we process in particular the names, e-mail addresses, telephone numbers and other contact details that we receive in the course of concluding or processing a contract or during any registration. You can reject these mailings at any time or refuse or revoke your consent to being contacted for advertising purposes by notifying us (see contact details in section 2).
  • Improving our services and operations and product development: In order to continuously improve our products and services (including our website), we collect data about your behavior and preferences, for example by analyzing how you navigate through our website. If necessary, we may supplement this information with data from third parties (including from publicly accessible sources).
  • Operation of our website: In order to operate our website securely and stably, we collect technical data, such as IP address, information about the operating system and settings of your end device, the region and the time and type of use. We also use cookies and similar technologies. For further information, see section 8.
  • Registration: In order to use certain offers and services (e.g. newsletters), you must register. For this purpose, we process the data provided during the registration process. We may also collect personal data about you while you are using the offer or service; if necessary, we will provide you with further information about the processing of this data.
  • Security purposes and access controls: We obtain and process personal data in order to ensure and continuously improve the appropriate security of our IT and other infrastructure (e.g. buildings). This includes, for example, monitoring and controlling electronic access to our IT systems and physical access to our premises, analyzing and testing our IT infrastructures, system and error checks and creating backup copies. We also keep access logs and visitor lists in relation to our premises for documentation and security purposes (preventive and to investigate incidents).
  • Compliance with laws, directives and recommendations from authorities and internal regulations (“compliance”): We obtain and process personal data to comply with applicable laws (e.g. health police obligations, child and adult protection obligations, social security or tax obligations, professional and ethical obligations in healthcare), self-regulation, certifications, industry standards, our corporate governance, as well as for internal and external investigations (e.g. by a law enforcement or supervisory authority or a commissioned private body).
  • Risk management and corporate governance: We obtain and process personal data as part of risk management and corporate governance. This includes, among other things, our business organization and corporate development.
  • Job application: If you apply for a job with us, we obtain and process the relevant data for the purpose of reviewing the application, carrying out the application process and, in the case of successful applications, for the preparation and conclusion of a corresponding contract. In addition to your contact details and the information from the corresponding communication, we also process the data contained in your application documents and the data that we can additionally obtain about you, e.g. from job-related social networks, the Internet, the media and from references, if you consent to us obtaining references.
  • Communication: In order to communicate with you and third parties via email, telephone, fax, digital communication channels, by letter or otherwise (e.g. to answer inquiries, in the context of treatment or advice and to initiate or process contracts, or in the context of training / webinars), we process in particular the content of the communication, your contact details and the marginal data of the communication. This also includes image and audio recordings of (video) telephone calls / conferences. In the event of an audio or video recording, we will inform you separately and you are free to inform us if you do not wish to be recorded or to end the communication. For audio and video conferences, we only use services that guarantee adequate data protection (in addition to this privacy policy, any terms and conditions of the services used, such as terms of use or privacy policies, also apply).

4. Where does the data come from?

  • From you: You (or your device) provide us with the majority of the data we process (e.g. in connection with healthcare and our other services, the use of our website, or communication with us).
  • From third parties: We may collect the data that we process for healthcare and for the initiation and execution of contracts from other healthcare providers, social or private insurers, authorities or from your relatives or other third parties. However, we may also obtain further data from publicly accessible sources or receive such data from (i) authorities, (ii) your employer or client, and (iii) other third parties (e.g. contractual partners). This includes in particular the data that we process in the context of the initiation, conclusion and execution of contracts as well as data from correspondence and discussions with third parties, but also all other categories of data in accordance with Section 3.

5. To whom do we disclose your data?

In connection with the purposes listed in Section 3, we may transfer your personal data to the following categories of recipients in particular:

  • Other healthcare providers: We work with other healthcare providers (e.g. referring physicians or aftercare providers, in particular general practitioners, medical practices, other clinics and hospitals, rehabilitation facilities, etc.), in particular for the pre- and aftercare of patients. We also rely on the cooperation of other service providers (e.g. laboratories, drug and medical product manufacturers, ambulance and rescue services, attending physicians, etc.), particularly during the care relationship. These healthcare providers may process data that they have received from us or collected for us (i) on our behalf, (ii) in joint responsibility with us or (iii) on their own responsibility.
  • Service providers: We work with other service providers in Switzerland and abroad who (i) process data on our behalf (e.g. IT providers), (ii) process data that they have received from us or collected for us on their own responsibility or (iii) process data on their own responsibility.
  • Patients, customers and other contractual partners: This initially refers to patients, customers and other contractual partners of ours for whom a transfer of your data results from the contract (e.g. because you work for a contractual partner or they provide services for you). This category of recipients also includes contractual partners with whom we cooperate. The recipients generally process the data on their own responsibility.
  • Authorities and courts: We may pass on personal data to offices, courts and other authorities (incl. social insurance companies) if we are legally obliged or entitled to do so or if this appears necessary to protect our interests. These recipients process the data under their own responsibility.
  • Other persons: This refers to other cases where the inclusion of third parties arises from the purposes set out in section 3. This applies, for example, to delivery recipients or payment recipients specified by you, third parties in the context of representation relationships (e.g. your lawyer or your bank as well as legal advisors or relatives authorized to represent you or other third parties) or persons involved in official or court proceedings. As part of our corporate development, we may sell or acquire businesses, parts of businesses, assets or companies or enter into partnerships, which may also result in the disclosure of data to the persons involved in these transactions. In the course of communication with our competitors, industry organizations, associations and other bodies, data relating to you may also be exchanged.

All these categories of recipients may in turn involve third parties, so that your data may also become accessible to them. We can restrict the processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).

6. Will your personal data also be sent abroad?

We process and store personal data mainly in Switzerland and the European Economic Area (EEA), but in exceptional cases – for example via sub-processors of our service providers – potentially in any country in the world.

If a recipient is located in a country without adequate data protection, we contractually oblige the recipient to comply with an adequate level of data protection (we use the revised standard contractual clauses of the European Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?; including the supplements necessary for Switzerland), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exception. An exception may apply in particular to legal proceedings abroad, but also in cases of overriding public interests, if the performance of a contract that is in your interest requires such disclosure, if you have given your consent, or if it is not possible to obtain your consent within a reasonable period of time and the disclosure is necessary to protect your life or physical integrity or that of a third party, or if the data in question has been made generally accessible by you and you have not objected to its processing.

7. What rights do you have?

You have certain rights in connection with our data processing. In accordance with applicable law, you may in particular request information about the processing of your personal data, have incorrect personal data corrected, request the deletion of personal data, object to data processing, request the disclosure of certain personal data in a common electronic format or its transfer to others.

If you wish to exercise your rights against us, please contact us; our contact details can be found in section 2. In order for us to rule out misuse, we must identify you (e.g. with a copy of your ID, if necessary).

Please note that conditions, exceptions or restrictions apply to these rights (e.g. to protect third parties or professional and business secrets). We reserve the right to black out copies for reasons of data protection or confidentiality or to supply only excerpts.

8. How are cookies, similar technologies and social media plug-ins used on our website?

When using our website (including newsletters and other digital offers), data is collected that is stored in logs (in particular technical data). We may also use cookies and similar technologies to recognize website visitors, evaluate their behavior and identify preferences. A cookie is a small file that is transmitted between the server and your system and makes it possible to recognize a specific device or browser.

You can set your browser so that it automatically rejects, accepts or deletes cookies. You can also deactivate or delete cookies in individual cases. You can find out how to manage cookies in your browser in the help menu of your browser.

Neither the technical data we collect nor cookies generally contain any personal data. However, personal data that we or third-party providers commissioned by us store may be linked to the technical data or to the information stored in and obtained from cookies and thus possibly to your person.

We also use social media plug-ins, which are small pieces of software that establish a connection between your visit to our website and a third-party provider. The social media plug-in informs the third-party provider that you have visited our website and may send the third-party provider cookies that it has previously placed on your web browser. For more information on how these third-party providers use your personal data collected via their social media plug-ins, please refer to their respective privacy policies.

We also use our own tools and third-party services (which in turn may use cookies) on our website, in particular to improve the functionality or content of our website (e.g. integration of videos or maps) and to compile statistics.

We sometimes use Google Analytics or similar services on our website. Data about the use of a website is transmitted to the server used for this purpose. Depending on the provider, these servers may be located abroad. For the most frequently used web analysis tool, Google Analytics, this data is transmitted including shortened IP addresses, which prevents the identification of individual devices. Google complies with the data protection provisions of the “Swiss-U.S. Privacy Shield” agreement and has registered with the U.S. Department of Commerce for the “Swiss-U.S. Privacy Shield”. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. A transfer of data by Google to third parties only takes place on the basis of legal regulations or as part of order data processing. You can prevent the collection of data generated by cookies and related to your use of the website (including IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available from Google.

Some of the third-party providers we use may be located outside Switzerland. Information on the disclosure of data abroad can be found in section 6. In terms of data protection law, some of them are “only” processors on our behalf and some are controllers. Further information on this can be found in the data protection declarations.

9. How do we process personal data on our pages in social networks?

We operate pages and other online presences on social networks and other platforms operated by third parties and process data about you in this context. In doing so, we receive data from you (e.g. when you communicate with us or comment on our content) and from the platforms (e.g. statistics). The providers of the platforms can analyze your use and process this data together with other data that they have about you. They also process this data for their own purposes (e.g. marketing and market research purposes and to manage their platforms) and act as their own data controllers for this purpose. For further information on processing by the platform operators, please refer to the privacy policies of the respective platforms.

We currently use the following platforms, whereby the identity and contact details of the platform operator can be found in the privacy policy:

We are entitled, but not obliged, to check third-party content before or after its publication on our online presences, to delete content without notice and, if necessary, to report it to the provider of the platform in question.

Some of the platform operators may be located outside Switzerland. Information on data disclosure abroad can be found in section 6.

10. What else needs to be considered?

We do not assume that the EU General Data Protection Regulation (“GDPR”) is applicable. However, should this be the case in exceptional cases for certain data processing, this Section 10 applies exclusively for the purposes of the GDPR and the data processing subject to it. We base the processing of your personal data in particular on the fact that

  • it is necessary for the initiation and conclusion of contracts and their administration and enforcement (Art. 6 para. 1 lit. b GDPR; see section 3),
  • it is necessary for the legitimate interests of us or third parties, namely for communication with you or third parties, to operate our website, to improve our electronic offers and registration for certain offers and services, for security purposes, for compliance with Swiss law and internal regulations, for our risk management and corporate governance (Art. 6 para. 1 lit. f GDPR; see section 3) and for other purposes such as training and education, administration, evidence and quality assurance, organization, organization of events and other legitimate interests (section 3),
  • it is required or permitted by the law of the EEA or a member state,
  • it is necessary to protect your vital interests or those of other natural persons,
  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us,
  • you have separately consented to the processing, e.g. via a corresponding query on our website (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR).

Please note that we generally process your data for as long as required by our processing purposes (see section 3), the statutory retention periods and our legitimate interests, in particular for documentation and evidence purposes, or if storage is technically necessary (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations or technical reasons to the contrary, we will generally delete or anonymize your data after the storage or processing period has expired as part of our normal processes and in accordance with our retention policy.

If you do not provide certain personal data, this may mean that it is not possible to provide the associated services or conclude a contract. As a matter of principle, we indicate where personal data requested by us is mandatory.

The right to object to the processing of your data set out in Section 7 also applies in particular to data processing for the purpose of direct marketing.

If you do not agree with our handling of your rights or data protection, please let us know (see contact details in section 2). If you are in the EEA, you also have the right to lodge a complaint with the data protection supervisory authority in your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de.

Our representative according to Art. 27 GDPR (if required) is: Carlo Pirola, Bad Schinznach AG, 5116 Schinznach-Bad, Switzerland, E-Mail: carlo.pirola@bad-schinznach.ch

11. Data security / SSL or TLS encryption

As far as possible and feasible, we take appropriate technical and organizational security precautions to protect your personal data from unauthorized access and misuse.

This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the site operator.

12. Can this privacy policy be amended?

This privacy policy is not part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.