Privacy Policy
The privacy policy describes how and for what purpose we collect, process and use personal data. The responsible handling of customer and patient data has always been an important concern for Medbase. We are continuously making adjustments in order to protect the personal data of our customers and patients even better.
Personal Data

We process general personal data relating to you, such as name and contact data.
More information: 4. What personal data do we process?
Example: You register for a medical examination.
Financial Data

We process your financial data.
More information: 4. What personal data do we process?
Example: You pay for a medical massage using your credit card.
Location Data

We process your location data.
More information: 4. What personal data do we process?
Example: You use the Medbase physio.coach app to display therapists located close to you.
Health Data

We process data concerning your health.
More information: 4. What personal data do we process?
Example: You arrange for a medical examination to be carried out by us.
Transferred data

You fill in the patient registration form during a doctor’s examination, also providing us amongst other things with your contact data.
More information: 5. Where are personal data obtained from?
Example: You fill in the patient registration form during a doctor’s examination, also providing us amongst other things with your contact data.
Data collected

We process personal data that we collect in relation to you.
More information: 5. Where are personal data obtained from?
Example: We collect information concerning your purchases that you make using your Medbase pharmacies club card.
Received data

We process personal data concerning you that we receive from third parties.
More information: 5. Where are personal data obtained from?
Example: If requested by you, we obtain your patient file from your general practitioner.
Marketing

We use your personal data for marketing and advertising purposes.
More information: 6.3. Quality improvement, product development and market research
Example: If you have signed up, we send you the Medbase newsletter containing the latest offers.
Product development

We use your personal data to develop and improve products and services.
More information: 6.3. Quality improvement, product development and market research
Example: We carry out anonymized assessments in order to establish which of our offers in pharmacies are taken up and to optimize our offers.
Other purposes

We use your personal data for other purposes not related to our core services.
More information: 6. For what purposes do we process personal data?
Example: We assess online behavior in order to detect potential fraudulent activity.
Profiling

We analyze your behavior and make assumptions concerning your interests and preferences.
More information:
Example: We assess which of our offers you take up in pharmacies in order to present a personal selection of special offer vouchers to you.
Data transfer

We share your personal data with other companies, which decide themselves how to use your data.
More information: 8. With whom do we share personal data?
Example: We transfer an outstanding claim to a debt collection company.
Worldwide

We also process your personal data outside Switzerland and the EU.
More information: 9. How do we share your personal data outside the country?
Example: As a general rule, we store data in Switzerland and in Europe, although we use common IT services, in relation to which some data transfers outside Europe are unavoidable.
The current version of the Privacy Policy takes account of current legal requirements and makes it even easier for you to find out how the Medbase Group processes data. The changes concern in particular the following areas:
- Data processing within the ambit of video monitoring is now explained in a separate section (section 11).
- There is a new section explaining how we use new technologies such as artificial intelligence (section 14).
- We have specified the circumstances under which we may transfer personal data to companies outside the Medbase Group (section 8).
- Thanks to privacy icons, you can establish at a glance how and for what purpose we process personal data;
- The Swiss Data Protection Act has been updated. We have amended the Privacy Policy in line with the new statutory disclosure requirements;
- We have simplified the Privacy Policy, making it clearer which categories of personal data we process for which purposes.
Who is Medbase?
The Medbase Group («we» or «us») is comprised of Medbase AG and its subsidiaries. The Medbase Group belongs to the Migros Group and its aim is to cater comprehensively to your health by offering medical, therapeutic, pharmaceutical and dental products and services. The Medbase Corporate Health Department supports companies with comprehensive health management.
What is Medbase doing to ensure data protection?
Data protection and data security are central concerns for Medbase. As we understand it, dealing responsibly with personal data is a key aspect of an ethically responsible approach. We use privacy icons in order to make it clearer for customers how Medbase uses data.
Which data concerning me are processed?
We process personal data in various contexts and for various purposes. Personal data are processed almost every time you interact with us, or when we interact with you, for instance if you contact a medical center or one of our pharmacies using the contact form or by telephone. We frequently process data concerning your health also within the ambit of treatment and in order to support you in health-related prevention or rehabilitation. It is also important for us to be able to tailor our offers to your individual needs. Whenever you visit our website, install a Medbase app or participate in the Medbase pharmacies club card program, we also process data relating to your behavior and transactions and make assumptions concerning your preference on the basis of these data. This enables us for instance to provide you with special offer vouchers, which are anticipated to be of interest for you, and also provide you with your loyalty coupons under the Medbase pharmacies club card program.
How do I benefit from data processing by Medbase?
Our data processing is largely indispensable and has a number of benefits for you. First of all, it enables us to provide you with comprehensive medical treatment and support. It also makes it easier for you to find the products and services on our website and in our apps that you most frequently use or that are likely to be more relevant for you than others. Thanks to our data processing, you also benefit from the dispatch of information that is specifically tailored to your needs and interests. By processing personal data, we are also able to constantly improve our products and services.
With whom are my personal data shared?
Your personal data may be shared with other companies from the Medbase Group and used by them. Outside the Medbase Group, personal data are generally only shared with selected service providers that process personal data on our behalf and in accordance with our instructions. For data concerning health, this only applies to a limited extent and naturally subject to compliance with applicable professional duties of confidentiality.
Are my data secure?
We ensure that your data are protected in a manner commensurate with the risks and put in place comprehensive security measures to protect your personal data against unauthorized access. We constantly improve our security measures and adapt them in line with the state of the art.
Whom can I contact with any questions?
If you have any questions concerning the processing of your personal data by us, please contact the Medbase contact center: datenschutz@medbase.ch, 052 260 29 29. The Privacy Policy contains further contact information as well as details about how you can exercise your rights in relation to your personal data.
Privacy Policy
1. What does this Privacy Policy deal with?
2. Who is responsible for data processing?
3. For whom is this Privacy Policy intended and what is its purpose?
4. What personal data do we process?
5. Where are personal data obtained from?
6. For what purposes do we process personal data?
7. What are the legal bases for our processing of personal data?
8. With whom do we share personal data?
9. How do we share your personal data outside the country?
10. How do we process particularly sensitive personal data?
11. How do we use video monitoring?
12. How do we use profiling?
13. Do we make individual decisions on an automated basis?
14. How do we use artificial intelligence?
15. How do we protect personal data?
16. For how long do we process your personal data?
17. What rights do you have in connection with the processing of your personal data?
18. How can you contact us?
19. Changes to this Privacy Policy
1. What does this Privacy Policy deal with?
Data protection can in some cases be a matter of trust, and your trust is important for us. In this Privacy Policy we therefore provide you with information about how and for what purposes we collect, process and use your personal data. We use the term «data» here in a manner synonymous with «personal data».
You can find out in this Privacy Policy amongst other things:
- which personal data we collect and process;
- the purposes for which we use your personal data;
- who has access to your personal data;
- the benefits for you of data processing by us;
- how long we process your personal data;
- the rights that you have in relation to your personal data; and
- how you can contact us.
We would like to provide you with comprehensive information concerning the processing of your personal data, whilst at the same time making it easier for you to navigate your way around this topic. Accordingly, at various points in this Privacy Policy we have provided the option of displaying additional information.
We have drawn up this Privacy Policy with reference both to the Swiss Data Protection Act as well as the European General Data Protection Regulation (GDPR). The GDPR has established itself throughout the world as a benchmark for strong data protection. However, whether and to what extent the GDPR is applicable depends upon the specific circumstances of the individual case.
2. Who is responsible for data processing?
The person responsible under data protection law for any specific data processing (controller) is the enterprise that establishes whether the processing should take place, the purposes for which it is to occur and how it is structured. As a general rule, a company from the Medbase Group («we» or «us») is responsible under data protection law for any data processing falling under this Privacy Policy. Generally speaking, this is the company that has referred you to this Privacy Policy (e.g. on its website or if you use its services). A company may be responsible for more than one unit within the Medbase Group for data protection purposes. This is the case in particular for Medbase locations and Medbase Group pharmacies.
The following list shows which company from the Medbase Group is responsible in each specific individual case for data protection within the business area at the respective locations.
Medical Center | |
Location | Responsible company |
Medbase Kriens Mattenhof | Medbase Zentralschweiz AG |
Medbase Thun Strättligen, Medbase Zweisimmen | Medbase Berner Oberland AG |
All other Medbase medical centers | Medbase AG |
Pharmacies | |
Location | Responsible company |
Medbase Pharmacy Kriens Mattenhof | Medbase Zentralschweiz AG |
Medbase Pharmacy St. Gallen Am Vadianplatz | Medbase AG |
All other pharmacies | Medbase pharmacies AG |
Other units | |
Business area / location | Responsible company |
fit im job AG | fit im job AG |
Radiologisches Zentrum Baden AG | Radiologisches Zentrum Baden AG |
Radiologie Win AG | Radiologie Win AG |
Radiologie Luzern AG | Radiologie Luzern AG |
Centre d'Imagerie Médicale | Centre d'Imagerie Médicale de Cornavin SA |
Zahnarztzentrum.ch practices, WePractice locations | zahnarztzentrum.ch AG |
*HIN = Health Information Network (in response you will receive an encrypted email from us, which you can read through the HIN portal and answer securely where appropriate)
It is also possible that multiple companies from the Medbase Group may be jointly responsible for specific forms of data processing if they jointly decide concerning the arrangements for or purpose of the data processing concerned. You can approach any of these companies if it is not clear to you which one of them is responsible.
3. For whom is this Privacy Policy intended and what is its purpose?
This Privacy Policy is intended for all persons whose data we process (in each instance «you»), irrespective of the manner in which you contact us, e.g. at a practice or pharmacy, by telephone, via an online appointment booking tool, on a website, in an app, through a social network, at an event etc. It is applicable to the processing of both personal data that have already been collected as well as personal data collected in future.
Our data processing may in particular affect the following categories of people, where we process personal data:
- customers at our shops;
- patients at our practices;
- persons who receive services from us or who contact us concerning products and services;
- users of our online content and apps;
- participants in the Medbase pharmacies club card program;
- visitors to our websites;
- visitors to our premises;
- persons who write to us or who otherwise contact us;
- recipients of information and marketing communications;
- participants in competitions and prize draws;
- participants in customer initiatives and public events;
- participants in market research, opinion surveys and customer questionnaires;
- contact persons at our suppliers, buyers or any other business partner as well as organizations and authorities;
- shareholders of Medbase (subsidiary) companies; and
- job applicants.
Please also consult the contractual terms and conditions applicable to individual services (e.g. General Terms and Conditions, Terms of Use or Terms of Participation). These may contain additional information concerning data processing by us.
This Privacy Policy applies to the processing of personal data throughout all of our business areas, including Medbase medical centers, pharmacies, checkup centers, dental practices, radiology centers, WePractice locations and the Medbase pharmacies club card program.
This Privacy Policy also applies to the activities of Medbase Group subsidiaries, including Zahnarztzentrum.ch companies. However, the companies concerned may supplement this Privacy Policy with further information. Please therefore also consult any supplementary privacy information provided by the company concerned, which you will generally be able to find on its website.
For information concerning the collection and processing of personal data in relation to usage of our websites, mobile apps and social media pages, and in particular in relation to cookies and other similar technologies, please also consult our Cookie Notice.
4. What personal data do we process?
“Personal data” means any information relating to an identified or identifiable person. On the other hand, information that does not enable any inferences to be made concerning particular people, such as aggregated data or statistical assessments, does not constitute personal data.
We process various categories of personal data. The most important categories are provided below for your information. However, we may also process further personal data in specific individual cases.
You can find more information concerning the origin of the personal data processed by us in section 5, and details of the purposes for which we use these personal data in section 6.
4.1. Master data
Master data are comprised of basic information relating to you, such as form of address, name, contact data or date of birth. We collect master data in particular if you sign up for one of our products or services (e.g. medical examination or treatment, Medbase pharmacies club card program), if you register for any of our products and services (e.g. the Medbase pharmacies club card program) or if you set up a customer account. However, we also collect master data for instance if you participate in a competition or prize draw or sign up for a newsletter. We also collect master data in order to carry out access controls at our events (e.g. courses) or on office premises. In addition, we collect master data concerning contact persons and representatives of contractual partners, organizations and authorities. We may also process data concerning health as well as information relating to third parties (e.g. family members) as master data.
Master data include e.g.:
- form of address, first name, surname, gender, date of birth, nationality, religious affiliation (information concerning religious affiliation constitutes particularly sensitive personal data; you can find further information concerning processing of such data in section 10 below);
- postal address, email address, telephone number and other contact data;
- customer and booking numbers (e.g. Medbase pharmacies club card program, online appointment reservations etc.);
- health insurance scheme number and insurance model chosen;
- portrait photograph for customer file;
- payment information (e.g. means of payment lodged, bank details, invoicing address);
- user name and profile picture for accounts used for online products and services;
- information concerning the usage of online products and services (e.g. health report, myChange, myRelax, Oviva - online nutritional coaching), apps (e.g. Medbase physio.coach app) and subscriptions (e.g. Medbase magazine);
- information concerning related websites, social media profiles etc.;
- information concerning preferences and interests, preferred Medbase locations, language preferences etc.;
- information concerning your relationship with us (customer, patient, visitor, supplier etc.);
- information concerning related third parties (e.g. contact persons, recipients of services or representatives, family members);
- settings relating to the receipt of advertising, newsletters subscribed to etc.;
- information concerning your status with us (e.g. facility ban);
- information concerning participation in competitions and prize draws;
- information concerning participation in advertising events, sponsorship initiatives or cultural or sporting events;
- official documents in which you appear (e.g. identification documents, vaccination certificate, Commercial Register extracts, licenses etc.);
- information concerning the titles and functions of contact persons at our business partners;
- date and time of registrations.
4.2. Contractual data
Contractual data means personal data relating to the conclusion or implementation of a contract, e.g. the nature and duration of a treatment contract entered into between you and us or the purchase date, product description and quantity of medications purchased at one of our pharmacies. These data may also include data concerning health and information relating to third parties, e.g. details of illnesses within the family. We conclude contracts primarily with customers, patients, business partners and job applicants, although also with other contractual partners such as sponsorship applicants. If you use our products and services under the terms of a contract, e.g. if you purchase goods or receive services, in many cases we also collect data relating to behavior and transaction data (see section 4.5).
Contractual data include e.g. information:
- relating to the conclusion of a contract and steps taken prior to entering into a contract, e.g. the nature and duration of the treatment contract, the date on which the contract was concluded (e.g. purchase date), information from the application process and details concerning the corresponding contract (e.g. nature and duration);
- relating to the performance and management of contracts (e.g. contact information, delivery addresses, successful or unsuccessful deliveries as well as information relating to the means of payment, tariff items generated and other bills);
- relating to enquiries concerning our products or services or requesting technical support;
- relating to our interactions with you (along with any history and corresponding entries);
- relating to claims as well as entitlements or benefits acquired (e.g. Medbase pharmacies club card points level or a win in one of our competitions);
- relating to products and services purchased;
- relating to defects and complaints as well as amendments to a contract;
- relating to customer satisfaction, that we may collect via surveys;
- relating to financial matters, e.g. in order to determine creditworthiness (i.e. information enabling inferences to be made concerning the likelihood that claims will be settled), concerning reminders or debt collection and in order to enforce claims;
- in relation to a job application, e.g. CV, references, qualifications, certificates, interview notes etc. (which may also contain the personal data of third parties);
- in relation to a sponsorship application, e.g. information concerning the project and other participants;
- in relation to interactions with you as a contact person or representative of a business partner;
- in relation to security checks and other checks with a view to establishing a business relationship.
4.3. Data concerning health
We regularly process data concerning health in relation to our medical, therapeutic, medicinal and dental products and services. This includes all information that enables inferences to be made concerning a person’s physical or psychological state of health. Protecting these data is a particularly important concern for us. You can find information in section 10 about how we process particularly sensitive data such as data concerning health.
Data concerning health include e.g.:
- health history and patient file;
- vaccination certificate;
- laboratory test results;
- information from DNA analyses or concerning hereditary diseases;
- x-ray images;
- ECG results;
- medical prescriptions;
- discharge report from a hospital.
4.4. Communication data
If you contact us or if we contact you, e.g. if you contact a practice or pharmacy or if you write to or call us, we shall process the contents of the communication as well as information relating to the nature, type and location of the communication. In particular situations, we may ask you to provide an identification document or health insurance scheme number in order to identify yourself.
Communication data include e.g.:
- name and contact details such as postal address, email address and telephone number;
- the contents of emails, written correspondence, chat messages, social media posts, comments left on a website, telephone conversations, video conferences etc.;
- answers to customer and satisfaction surveys;
- information concerning the nature, time and, under certain circumstances, the location of the communication;
- proof of identity such as copies of official identity documents;
- metadata relating to the communication (e.g. date and time of a call or when an email was sent).
Conversations by telephone and video conference with us may be recorded; we shall inform you concerning this at the start of each discussion. If you do not want it to be recorded, you have the option at any time of ending the conversation and contacting us in another manner (e.g. by email).
4.5. Data relating to behavior and transaction data
If you use our services, make a purchase with us or use our infrastructure, we often collect data concerning that usage as well as your behavior. This occurs e.g. if you register on one of our apps or book an appointment online. It also occurs if you make a purchase with us, providing the number of your Medbase pharmacies club card. If you participate in the Medbase pharmacies club card program, these personal data may concern not only you but also other Medbase pharmacies club card participants, e.g. your family members.
Data relating to behavior and transaction data include e.g. the following information, where we hold it as personal data:
- concerning your behavior on websites;
- concerning your behavior when shopping (where we process orders in your name or you use the Medbase pharmacies club card);
- concerning attendance at events or the usage of test offers (e.g. date, location and type of event or usage);
- concerning participation in competitions, prize draws and similar initiatives;
- concerning the installation and usage of mobile apps;
- concerning your usage of electronic messages (e.g. whether and when you opened an email or clicked on a link).
You can also use many of our products and services in anonymized form. For example, you can make purchases in our pharmacies without providing your Medbase pharmacies club card number. It is also possible, to some extent, to purchase products and services online (including in our apps) without using an account. However, if you have an account, data relating to behavior and transaction data may under certain circumstances also be allocated to your profile, unless you logged off before visiting the website or using the app.
4.6. Data relating to preferences
We aim to tailor our products and services as far as possible to our customers’ needs. We therefore process data concerning your interests and preferences. For this purpose, we may cross-reference data relating to behavior and transaction data with other data and assess the resulting data, both in anonymized form and with reference to specific individuals (however, we do not do this with patient files). This enables us to make inferences concerning characteristics, preferences and anticipated behavior, e.g. your preferences and affinities for particular products and services. You can find further information in section 11 concerning profiling in this regard.
We may cross-reference data relating to behavior and transaction data with other information, for instance with master data, contractual data and technical data as well as non-personal statistical information, and assess them in order to obtain information concerning your characteristics, preferences and anticipated behavior. We can in particular create segments (either permanent or case-specific), which are groups of people who are similar in terms of particular characteristics. Data relating to preferences may be used as personal data (e.g. in order to display advertising of interest to you or to provide you with relevant special offer vouchers), and also as non-personal data (e.g. for market research or product development).
4.7. Technical data
If you use our websites, our apps, our WiFi networks or any other electronic products or services, we collect certain technical data such as your IP address or device ID. Technical data also include log files in which we record usage of our systems. In some cases, we may also allocate a unique identifier to your end device (tablet, PC, smart phone etc.), e.g. using cookies or similar technologies so that we can recognize you in future. Further details relating to this can be found in our Cookie Notice.
We may also use technical data in particular to collect data relating to behavior, i.e. information concerning your usage of websites and mobile apps (see further section 4.5). However, we cannot generally establish from technical data who you are unless you e.g. set up a customer account or register. In such cases, we can cross-reference technical data with master data – and thus with you as an individual.
Technical data include inter alia:
- the IP address of your device and other device IDs (e.g. MAC address);
- identifiers allocated to your device by cookies and similar technologies (e.g. pixel tags);
- information concerning your device and how it is configured, e.g. operating system or language settings;
- information concerning the browser that you use to access content as well as how it is configured;
- information concerning your behavior and actions on our websites and in our apps;
- information concerning your internet provider;
- your approximate location and the time of usage;
- system-generated logs of accesses and other processes (log files).
In most cases, these technical data do not in themselves enable us to make any inferences concerning your identity. However, they may be cross-referenced with other categories of data – and thus potentially associated with you as an individual – within the ambit of user accounts, registrations, the performance of contracts or the assessment of data relating to preferences.
Please also refer to our Cookie Notice for information concerning the processing of technical data.
4.8. Other data
We also collect data relating to you under other circumstances. For instance, data that may relate to you are generated within the ambit of administrative or judicial procedures (such as case documents, evidence etc.). We may also collect data for the purpose of protecting health (e.g. in accordance with protection concepts). Finally, we collect and process data relating to our shareholders and other investors; in addition to master data these include inter alia information for the respective register, concerning the exercise of your rights and in relation to the holding of events (e.g. general meetings).
4.9. Visual and sound recordings
We may take photographs or make video or sound recordings in which you may appear, e.g. if you contact a medical center by telephone or visit one of our pharmacies, request a remote medical consultation by video conference or participate in an event. Recordings may also be made during medical examinations, for instance in order to enable the healthcare professional to assess symptoms more effectively or to better monitor stages of treatment. We also record footage within the ambit of video monitoring at our shops and on our premises (see further section 11).
Visual and sound recordings include e.g.:
- recordings made within the ambit of a medical examination (photographs, x-ray images) and therapeutic treatments (videos);
- recording of conversations by telephone or video conference (e.g. during remote medical consultation);
- photographs, videos and sound recordings at customer events and public events (e.g. advertising events, sponsorship events etc.);
- photographs, videos and sound recordings of courses, seminars, training sessions etc.;
- footage recorded by video cameras and image sensors at our shops and on our premises.
5. Where are personal data obtained from?
In most cases, personal data are provided to us by you, e.g. if you transmit or communicate data to us. In particular master data, contractual data and communication data are normally provided to us by you. Data relating to preferences are also largely provided to us by you.
You will share personal data with us yourself e.g. in the following cases:
- you sign up for a medical appointment or one of our courses;
- you undergo a medical examination with one of our specialists;
- you make a purchase in one of our pharmacies;
- you register on one of our apps and enter your medical information or results of training;
- you register for the Medbase pharmacies club card program;
- you participate in a prize draw or a competition;
- you contact the Medbase contact center.
The provision of personal data is generally voluntary, i.e. you are not normally obliged to share personal data with us. However, we must collect and process any personal data that are necessary for the performance of a contract (e.g. medical examination) and for compliance with related duties or that are prescribed by law, e.g. mandatory master and contractual data. Otherwise, we shall be unable to conclude or perform under the respective contract.
If you provide us with data concerning other persons (e.g. family members), we shall presume that you are authorized to do so and that the data are accurate. Please also ensure that these other people have been informed concerning this Privacy Policy.
We may also collect personal data relating to you ourselves or according to automated mechanisms, e.g. if you use our services, use our content or make a purchase with us. In most cases, such data are comprised of data relating to behavior and transaction data as well as technical data.
We collect data relating to you on our own initiative e.g. in the following cases:
- you make a purchase in one of our pharmacies and when doing so use your Medbase pharmacies club card or the related code;
- you sign up online for one of our products or services (e.g. blood pressure measurement);
- you visit one of our websites (e.g. Medbase.ch) or use one of our apps (e.g. the Medbase physio.coach app);
- you click on a link in one of our newsletters or otherwise interact with one of our electronic advertising messages.
We can also infer personal data from personal data that we already hold, e.g. by assessing data relating to behavior and transaction data. Such inferred personal data is in most cases comprised of data relating to preferences or, with regard to medical examinations, master data.
We may analyze data relating to behavior and transaction data obtained for instance in relation to purchases made in our pharmacies and, on this basis, make assumptions concerning your personal interests, preferences, affinities and habits. This enables us for instance to tailor our products and services as well as our information to your individual needs and interests. This means that we may provide you with an individual selection of special offer vouchers relevant for you, e.g. within the ambit of the Medbase pharmacies club card program. Further information concerning data relating to behavior and transaction data can be found in section 4.5 and, concerning profiling in this regard, in section 11.
Specialists may also infer additional personal data by analyzing your examination data (e.g. laboratory test results, diagnoses).
We may also receive personal data from other companies from the Medbase Group. Further information concerning this can be found in section 8. However, we may also obtain data relating to you from other third parties, e.g. from companies with which we cooperate, from persons who communicate with us or from public sources.
We may obtain information relating to you e.g. from the following third parties:
- from other medical practices;
- from cooperation partners;
- from service providers (e.g. medical laboratories that assess tests);
- from your employer and colleagues in relation to a job application and your professional functions (e.g. references from previous employers);
- from third parties, where correspondence and discussions concern you;
- from persons associated with you (family members, legal representatives etc.), e.g. your address for deliveries, references, powers of attorney or illnesses within the family;
- from credit information agencies, e.g. if we obtain credit check information;
- from Swiss Post and address management services, e.g. for updating addresses;
- from bankers, insurers, sales partners and other contractual partners in relation to purchases and payments;
- from providers of online services, e.g. providers of internet analysis services;
- from authorities, parties and other third parties in relation to administrative and judicial proceedings;
- from media monitoring companies in relation to articles and reports that mention you;
- from public registers, such as e.g. the Debt Enforcement Register or the Commercial Register, from public bodies such as e.g. the Federal Office of Statistics, from the media or from the internet.
6. For what purposes do we process personal data?
6.1. Communication
We would like to remain in contact with you and to address your individual concerns. We therefore process personal data to communicate with you, e.g. to answer enquiries and to provide customer support. For this purpose we use in particular communication and master data and, where the communication relates to a contract, also contractual data. We may also personalize the content of messages and the time when they are dispatched on the basis of data relating to behavior, transaction data and data relating to preferences as well as other data.
Communication occurs in particular for the following purposes:
- making appointments;
- answering enquiries;
- contacting you in relation to any questions;
- communication in relation to product recalls (e.g. we may contact you directly if we know that you have purchased a product that is affected by a recall);
- authentication, e.g. when using our online products and services;
- all other purposes of processing, where we are communicating with you for the respective purpose (e.g. performance of a contract, providing information and direct marketing).
6.2. Performance of a contract
We would like to offer you the best possible service in order to ensure that you remain healthy or return to health. We therefore process personal data in relation to steps taken prior to entering into a contract as well as the contractual management and the performance of contracts, e.g. in order to provide medical and pharmaceutical services, to operate a loyalty or bonus program or to arrange a prize draw. Performance of a contract may also include any personalization of services where agreed upon. For this purpose, we use in particular master data, contractual data, communication data, data relating to behavior and transaction data as well as data relating to preferences.
The purpose of performance of a contract covers in general terms anything that is necessary or expedient for the conclusion, performance and where appropriate enforcement of a contract. This may also entail the involvement of other companies from the Medbase Group as well as third parties (e.g. delivery service, medical laboratories, medical practice).
This includes e.g. processing:
- in order to plan and prepare for the provision of our services, e.g. planning the deployment of our staff;
- in order to provide services agreed upon under contract, e.g. medical and pharmaceutical services, the delivery of goods and the provision of functions (including personalized service elements);
- in order to decide whether and how (e.g. with which payment options) we enter into a contract with you (including the credit check);
- in order to obtain commitments concerning the payment of costs;
- in order to bill our services (and where applicable to generate cost recovery documentation for the health insurance scheme) as well as generally for accounting purposes;
- in order to provide customer services and increase customer satisfaction;
- in order to manage the loyalty and bonus program (e.g. the Medbase pharmacies club card program) and, e.g. to account for and credit entitlements and benefits accruing (e.g. loyalty points);
- in order to identify, notify and where appropriate publicly announce the winners of competitions and prize draws;
- in order to examine and where applicable act upon sponsorship orders;
- in order to examine the suitability of job applicants and where applicable in order to prepare for and conclude the employment contract;
- in order to examine whether we are willing and able to cooperate with a company and to monitor and assess its services;
- in order to prepare for and implement corporate transactions, e.g. company purchases, sales and mergers;
- in order to enforce legal claims under contracts (debt collection, judicial proceedings etc.);
- in order to manage and administer our IT and other resources;
- in order to store data under the terms of data retention requirements;
- in order to terminate and cancel contracts.
6.3. Quality improvement, product development and market research
We are constantly seeking to improve the quality of our products and services and to make them more attractive for you. We thus process personal data in relation to scientific studies and for the purpose of improving medical quality. In this regard we process in particular master data, data concerning health, data relating to behavior, transaction data, data relating to preferences as well as visual and sound recordings, in addition to communication data and information obtained from customer questionnaires, surveys and studies and further information e.g. from the media and the internet as well as from other public sources. Where possible, we use pseudonymized or anonymized information for these purposes.
Quality improvement, product development and market research include in particular:
- the assessment of pseudonymized or anonymized data concerning health (i.e. where it is not possible to make any inferences concerning you);
- the implementation of customer questionnaires, surveys and studies;
- the further development of our products and services (e.g. design of products and services, choice of location, pricing and planning of special offers etc.);
- the assessment and improvement of uptake of our products and services and communication by us in relation to products and services;
- the optimization and improvement of user-friendliness for websites and apps;
- the development and testing of new products and services;
- the testing and improvement of our internal processes;
- core and advanced training as well as staff instruction;
- statistical assessments, e.g. in order to assess information concerning interaction between customers and us on a non-personal basis;
- the assessment of the position concerning products and services on a particular market and the behavior of our competitors;
- market monitoring, e.g. in order to understand and respond to current developments and trends.
6.4. Compliance with legal requirements
We aim to put in place the necessary framework for complying with legal requirements. We therefore process personal data in order to comply with legal requirements and to prevent and detect breaches. This includes e.g. the receipt and processing of complaints and other reports, compliance with orders issued by a court of law or an authority as well as action to identify and clarify abuses. This may concern all categories of personal data referred to in section 4.
Compliance with legal requirements includes in particular:
- the administration and retention of patient files;
- personal clarification concerning risks and side effects associated with medications and healthcare procedures;
- filing reports with authorities that are required by law (e.g. concerning particular illnesses);
- implementing health and protection concepts;
- clarifications via business partners;
- receiving and processing complaints and other reports;
- carrying out internal examinations;
- ensuring compliance and risk management;
- disclosing information and documents to authorities, where we are entitled or obliged to do so by law;
- cooperating with external investigations e.g. by criminal prosecution or supervisory authorities;
- ensuring the level of data security prescribed by law;
- supporting our shareholders and other investors in complying with these obligations;
- complying with obligations to grant access, to provide information or to file reports e.g. in relation to duties under supervisory or tax law, e.g. with regard to archival duties and for the purpose of preventing, detecting and clarifying criminal offences and other breaches.
In all instances we may be subject not only to Swiss law but also to the provisions of foreign laws, as well as self-regulatory, sectoral and other standards, internal corporate governance rules or official instructions.
6.5. Security and prevention
We endeavor to guarantee both your and our own security and to prevent abuses. We therefore process personal data also for security purposes, in order to guarantee IT security, to prevent theft, fraud and abuse and for evidentiary purposes. This may occur in relation to all categories of personal data referred to in section 4, including in particular also data relating to behavior and transaction data as well as visual and sound recordings (see further section 11). We may collect, assess and store these data for the purposes indicated.
The purpose of security and prevention includes e.g.:
- the recording and assessment (manually and automatically) of video footage for detecting and prosecuting criminal offences;
- the imposition of facility bans and the management of facility ban lists;
- the analysis of data relating to behavior and transaction data for the purpose of identifying suspicious types of behavior and fraudulent activities;
- the assessment of system-generated logs concerning usage of our systems (log files);
- preventing, defending against and investigating cyber and malware attacks;
- analysis and testing of our networks and IT infrastructure as well as system and error tests;
- controlling access to electronic systems (e.g. log-ins to user accounts);
- physical access controls (e.g. access to office premises);
- documentation purposes and the lodging of backup copies.
6.6. Enforcement of rights
We want to be able to enforce our own legal claims and to defend legal claims brought by others. We therefore process personal data also for the purposes of enforcing rights, e.g. in order to enforce legal claims in, before or out of court and before authorities in Switzerland and abroad or to defend any similar legal claims. In this regard, depending upon the circumstances we process different personal data, e.g. contact data and information relating to processes that constitute or may constitute grounds for a dispute, which under certain specific circumstances also involves the processing of data concerning health (subject to the maintenance of professional confidentiality, where applicable, see also section 8).
The purpose of enforcing rights includes in particular:
- the investigation and enforcement of our legal claims, which may also include claims of companies associated with us and of our contractual or business partners;
- the defense of claims brought against us, our employees, companies associated with us and against our contractual or business partners;
- clarification of the prospects within litigation along with other legal, economic or other questions;
- participation in proceedings before courts and authorities in Switzerland and abroad. For example, we may secure evidence, arrange for prospects within litigation to be clarified or file documentation with an authority. It is also possible that authorities may instruct us to file documentation and data carriers that contain personal data.
6.7. Information and marketing
We would like to offer you attractive products and services. We therefore process personal data for the purpose of maintaining customer relations and for marketing purposes, e.g. in order to provide you with written and electronic messages and offers and to implement marketing initiatives. These may relate to our own products and services as well as the products and services of other companies from the Medbase Group or those of advertising partners. Messages and offers may also be personalized with the aim, where possible, of providing you only with information that is anticipated to be of interest for you. For this purpose, we use in particular master data, contractual data, communication data, data relating to behavior and transaction data as well as data relating to preferences.
These messages and offers may include e.g. the following:
- newsletters, advertising emails, in-app messages and other electronic messages;
- banners and other forms of online advertising;
- the provision of vouchers and loyalty coupons;
- notifications concerning specialist items that are likely to be relevant;
- invitations to participate in events, prize draws and competitions.
Where we do not ask for your consent separately in order to contact you for marketing purposes, you can object to any such contact at any time (see section 15). For newsletters and other electronic messages, you will normally be able to unsubscribe from the service concerned via the unsubscribe link incorporated into the message.
By personalizing our messages, we are able to target information to your specific individual needs and interests and to offer you, where possible, only products and services that are relevant for you. For example, under the Medbase pharmacies club card program we provide you with an individual selection of special offer vouchers that are relevant for you or display you online content that is specifically tailored to you. You can find further information in section 11 concerning profiling in this regard.
6.8. Intragroup administration and support
We aim to structure our internal processes as efficiently as possible. We therefore process personal data only for intragroup administration. In this regard we process in particular master data, contractual data and technical data, although also data concerning health (subject to the maintenance of professional confidentiality, where applicable, see also section 8), data relating to behavior and transaction data along with communication data.
Intragroup administration and support includes in particular:
- the management of IT and real estate;
- accounting;
- the archival of data and the management of our archive;
- training and instruction, e.g. where we assess recordings of telephone, video or other forms of communication;
- centralized data storage and management, which is used by various companies from the Medbase Group;
- the review or execution of corporate transactions such as e.g. company purchases, sales and mergers;
- the forwarding of enquiries to the competent bodies, e.g. if you submit an enquiry to a Medbase company concerning another company;
- the sale of receivables, where we for instance transmit information to the buyer concerning the reason for and the amount of the claim and, where applicable, the creditworthiness and behavior of the debtor;
- in general, the testing and improvement of internal processes;
- support in relation to legal matters (see also sections 6.4 and 6.6).
We may also share personal data with other companies from the Medbase Group in order to support their own respective purposes for processing according to this Privacy Policy in the overall interest of the Medbase Group. Further information concerning this matter can be found in section 8.
7. What are the legal bases for our processing of personal data?
Depending upon the purpose for which data are processed, there are various legal bases for the processing of personal data by us. We may process personal data in particular where the processing:
- is necessary for the performance of a contract with the data subject or to take steps prior to entering into a contract (e.g. examination of a proposed contract);
- is necessary in order to uphold legitimate interests;
We have a legitimate interest in particular in processing for the purposes referred to in section 6 above as well as the disclosure of data according to section 8 and the respective aims related with such disclosure. Legitimate interests include both our own interests as well as the interests of third parties.
These legitimate interests comprise e.g. the interest in:
- improving existing products and services and developing new products and services;
- delivering products and services to third parties (e.g. to recipients of gifts);
- good customer relations, maintaining contact and communications with customers, also separately from any contracts;
- advertising and marketing activities;
- intragroup management and intragroup dealings, insofar as required where group entities cooperate on the basis of a division of responsibilities;
- mutual support among Group companies with reference to their respective activities and goals;
- combatting fraud and preventing and investigating crime;
- protecting customers, employees and other persons, data, secrets and assets of the Medbase Group;
- ensuring IT security, particularly in relation to the usage of websites, apps and other IT infrastructure;
- ensuring and organizing business operations, including the operation and development of websites and other systems;
- corporate management and development;
- the sale or purchase of companies, company units or other assets;
- the exercise or defense of legal claims;
- compliance with Swiss and foreign law as well as internal rules.
- is based on consent;
consent may be withdrawn at any time with future effect. However, this will not affect the lawfulness of any data processing occurring prior to the withdrawal of consent.
- is necessary in order to comply with the provisions of Swiss or foreign law.
8. With whom do we share personal data?
We only allow our employees to access your personal data where this is necessary for the activities of the employee concerned. This may also include employees in other departments and in support areas such as e.g. IT or Legal. They are bound by our instructions and subject to a duty of confidentiality when handling your personal data.
We may share personal data that we obtain from you or from a third party source with other companies from the Medbase Group. Such disclosure may occur for the purpose of intragroup administration and support or the provision of support to the Medbase company concerned, including the fulfilment of its own purposes of processing, for instance if an existing customer relationship is extended to further companies from the Medbase Group. This means that it is possible for instance for your medical history, as recorded at one of our medical centers, to be made available immediately in relation to your treatment if you are treated by a doctor at another medical center. This naturally requires your express consent. Your data may also be shared within the Group in order to support the development and improvement of products and services, the personalization of marketing activities, the conduct of credit checks as well as measures to prevent theft, fraud and misuse.
As is the case for any association of companies, the Medbase Group also has an overall interest in the successful business operations of Group companies, and our Group companies for their part have an interest in their own operations and their own purposes of processing (section 6). In order to support these activities and purposes, the personal data necessary for this purpose may be shared with Group companies and, where appropriate, supplemented by them or compared and linked with other available personal data.
This may involve e.g. the following forms of data disclosure:
- all categories of personal data referred to in section 4 for the management and performance of contractual relationships, in particular in relation to products and services involving performance by more than one Group company (e.g. with regard to the supplementation of centrally managed medical history with relevant information obtained from other medical centers or pharmacies);
- master data, contractual data, data concerning health, communication data, data relating to behavior and transaction data as well as data relating to preferences, information obtained from customer questionnaires, surveys and studies as well as visual and sound recordings for product development and market research, where such information must contain personal data;
- master data, contractual data, communication data, technical data, data relating to behavior, transaction data, data relating to preferences as well as visual and sound recordings for the provision and personalization of products and services, communication and marketing activities;
- master data, contractual data, communication data, technical data, data relating to behavior and transaction data, in addition to data relating to preferences for the purpose of preventing fraud and misuse as well as for credit checks (e.g. in relation to the provision of services on account);
- master data, contractual data, communication data, technical data, data relating to behavior and transaction data, as well as visual and sound recordings for the purpose of preventing fraud and for evidentiary purposes;
- information of security relevance for security purposes and compliance with legal requirements;
- information concerning support in relation to the enforcement of rights.
If you contact us for instance with a concern relating to a service, we may pass this information on to the Medbase company that provided the service for the purpose of service and quality improvement. Also where you participate in the Medbase pharmacies club card program, we share for instance data relating to behavior, transaction data and data relating to preferences with regard to purchases made in pharmacies with Medbase companies, for instance in order to enable them to offer you services that may be of interest for you in the light of the products purchased by you.
We may also share your personal data with companies both within and outside the Medbase Group where we receive services from them. As a general rule, these service providers process personal data on our behalf as “processors”. Our processors are obliged to process personal data exclusively in accordance with our instructions and to take appropriate action to ensure data security. Some service providers are also joint controllers alongside us, or independently in their own right (e.g. debt collection companies, credit reference agencies, consultancy firms). We ensure by carefully selecting the service providers and through suitable contractual agreements that data protection is guaranteed for the full duration of any processing of your personal data.
The services concerned relate e.g. to the following areas:
- medical services, e.g. laboratory analyses;
- advertising and marketing services, e.g. for dispatching messages and information;
- corporate management, e.g. accounting or the management of assets;
- payment services;
- shipping and logistics, e.g. for shipping goods ordered;
- credit information services, e.g. when deciding whether we would like to offer purchase on account;
- debt collection services, e.g. in order to issue a formal reminder concerning outstanding payments, and to enforce the related claims;
- IT services, e.g. services in the fields of data storage (hosting), cloud services, the dispatch of email newsletters, data analysis and refinement etc.;
- advisory services, e.g. services provided by tax advisors, lawyers, corporate consultants or staff recruitment or intermediation advisors.
In specific individual cases, it is also possible that we may share personal data with other third parties to be used for their own purposes, e.g. if you have granted us your consent, if we are obliged or entitled by law to disclose data or if we have overriding interests in disclosure. In such cases, the recipient of the data will have the status of controller for data protection law purposes.
These include e.g. the following scenarios:
- transfer to hospitals or other specialists;
- provision of information concerning the state of your health to relatives, subject to professional secrecy;
- notifications to health insurance schemes for the purpose of assessing commitments concerning the payment of costs;
- the assignment of receivables to other companies such as e.g. debt collection companies;
- the disclosure of information concerning payment history to credit reference agencies that e.g. carry out credit checks or provide credit information for us or other customers;
- the usage of personal data for the purpose of product development and for the training of models and algorithms by the technology providers whose IT solutions we use;
- the disclosure of personal data for scientific research, for study-related purposes and within the ambit of hackathons and similar events for developing ideas;
- the review or execution of corporate transactions such as e.g. company purchases, sales and mergers;
- the disclosure of personal data to courts and authorities in Switzerland and abroad, e.g. to criminal prosecution authorities in the event of any suspicion of criminal activity or within the ambit of health protection concepts;
- the processing of personal data in order to comply with an order of a court of law or to exercise or defend legal claims, or where we consider it to be necessary due to other legal reasons. In such cases, we may also share personal data with other parties to the proceedings.
We may also outsource statistical assessments to third parties. These will involve information that cannot be associated with any particular person and that does not enable any inferences to be made concerning any particular person. We may for instance use transaction data to assess the customer segments amongst which a product is particularly popular, and make this assessment available to the supplier of the product concerned.
Please also note our Cookie Notice concerning the independent collection of data by third party providers whose tools we have incorporated into our websites and apps.
We naturally comply with the requirements applicable to special professional confidentiality (e.g. doctor-patient confidentiality, pharmacist’s confidentiality) to which we are subject in specific individual cases. In such cases, we only share the data in question (e.g. your data concerning health) within the Medbase Group in accordance with the requirements of professional confidentiality (e.g. where necessary for your treatment). The requirements laid down by the Swiss Human Research Act are also complied with in the event of the secondary usage of data concerning health. In addition, we reserve the right to share your data as provided for in this section (8). If you entrust any information with us concerning yourself or another person within the ambit of our professional activities that we should treat in a manner different from that specified in section 8 or that should be subject to a particular requirement of confidentiality and does not automatically fall under doctor-patient confidentiality or pharmacist’s confidentiality, please tell us about this in advance in order to enable us to examine the concern and, where appropriate, adopt the necessary security measures.
9. How do we share your personal data outside the country?
The recipients of your personal data referred to in section 8 may under certain circumstances be situated abroad, including outside the European Economic Area (EEA), and in exceptional cases in any country in the world. The countries concerned may potentially not have enacted legislation that protects your personal data to the same extent as in Switzerland or in the EEA. Where we transfer your personal data to such a country, we take steps to ensure that your personal data benefit from adequate protection.
One way of ensuring adequate data protection is e.g. to conclude data sharing agreements with the recipients of your personal data situated in third countries, which guarantee the necessary data protection. These include the contracts that have been approved, drafted or recognized by the European Commission and the Federal Data Protection and Information Commissioner, which are known as standard contractual clauses. An example of the data sharing agreements that are generally used by us can be found here. Please note that any such contractual precautions may in part make up for weaker or absent statutory protection, although they cannot fully exclude all risks (e.g. of state interference abroad). In exceptional cases, transmission to countries without adequate protection may also be permitted in other cases, specifically on the basis of consent, in relation to legal proceedings abroad, if transmission is necessary for the performance of a contract, in cases involving an overriding public interest or if the data has been made generally accessible by you and you have not objected to the processing thereof.
10. How do we process particularly sensitive personal data?
Particular types of personal data qualify as being “particularly sensitive” for data protection law purposes, e.g. data concerning health falling under section 4.3 and biometric information. Depending upon the circumstances, other categories of personal data referred to in section 4 may include particularly sensitive personal data (e.g. information relating to religious affiliation contained in master data, which may be of significance within the context of blood transfusions). As a general rule, we only process particularly sensitive personal data if this is necessary in order to provide a service, if you have provided us with this data on your own initiative or if you have consented to processing. We may also process particularly sensitive personal data if this is necessary in relation to the enforcement of rights or compliance with national or foreign legal requirements, if it is clear that the data concerned have been made publicly available by the data subject or if the applicable law otherwise allows them to be processed.
We may process particularly sensitive personal data e.g. in the following cases:
- you log in to a Medbase app and provide information concerning physical complaints or enter your training data;
- you notify us concerning health-related complaints after taking, using or applying a product;
- you purchase from us a medical device covered by health insurance or receive a service and request documentation for the purpose of obtaining reimbursement;
- you receive one of our services and provide information on the patient form concerning medical history, intolerances, allergies etc.;
- you apply for an open position and provide information concerning your health, trade union membership or previous criminal convictions and measures of criminal enforcement;
- you contact us with a complaint or enquiry relating to medical treatment or advice.
Personal data relating to children also qualifies for particular protection. As a general rule, we ask the parents or legal representatives to provide their consent if we knowingly process personal data relating to children without capacity of judgment, where the basis for processing is consent. If consent has been provided for a child by his/her parents or legal representatives, once the child has become capable of appreciating the consequences of consent or has reached the age of majority, he/she is free to withdraw this consent with future effect. As regards specifically children without capacity of judgment, we generally let you decide how their data should be dealt with, as provided for by law.
We may process e.g. personal data relating to children under the following circumstances:
- you sign up your child for a therapy session or another service and fill in the patient form for your child;
- a young person registers for a medical service, concerning the provision of which he/she is free to decide himself/herself (e.g. measuring blood pressure, vaccination, contraception);
- your child completes a competition slip in his/her own name.
11. How do we use video monitoring?
We may use video monitoring at our shops and on our other premises in certain physically delineated, duly marked areas. This involves the processing by us of the recordings made by the video cameras and image sensors used, including in particular recorded images and video footage (section 4.9), which may in some cases result in us obtaining information about your behavior in these areas. Video monitoring is used primarily for security and prevention purposes, such as securing the products on sale, protecting our customers, complying with legal requirements and enforcing rights.
As a general rule, the recordings made by video cameras and image sensors cannot be associated with any specific individual, i.e. we do not know who the people recorded are. However, if it is necessary for the relevant purpose, we may associate the data with a specific individual, for instance if we would like to identify a particular person who has committed an unlawful act such as theft or who has damaged property on our premises. When doing so we may also assess recordings automatically and cross-reference or compare them with other data, e.g. data obtained from cash register systems.
The type of video monitoring, the technologies used and the purposes pursued differ from location to location. We may use video cameras and image sensors for instance as follows:
- in order to ascertain breaches of site rules and unlawful acts (such as theft, damage to property or personal injury), to identify the perpetrator and for the purpose of securing evidence and enforcing facility bans, and when doing so we may also assess recordings automatically and cross-reference or compare them with other data;
- in order to search automatically within existing video recordings covering a particular period of time for a specific combination of features (such as clothing or body size), enabling us to assess recordings more effectively in the event of any concrete suspicion and therefore increase the likelihood of identifying unlawful acts;
- in order to recognize dangerous situations and incidents and to raise the alarm automatically in such cases (e.g. if a person does not move for an extended period of time or is lying on the ground).
12. How do we use profiling?
«Profiling» means the automated processing of personal data in order to analyze personal aspects or to make predictions, e.g. the analysis of personal interests, preferences, affinities and habits or the predicting of anticipated behavior. Profiling can be used in particular to infer data relating to preferences (further details may be found in section 4.6).
Profiling is a commonplace process, e.g. in the event of the automated processing
- of data relating to behavior and transaction data as well as technical data in relation to our websites and apps;
- of information relating to attendance at events, participation in competitions, prize draws and similar initiatives;
- of communication data, e.g. your response to advertising and other messages;
- of other data relating to behavior and transaction data.
Profiling helps us for instance:
- to constantly improve our products and services and to better tailor them to individual needs;
- to make a more reliable medical diagnosis using computer technology;
- to present content and offers that are relevant to your needs;
- to present you, if possible, only with advertising and offers that are actually relevant for you;
- to provide you with better customer services;
- to decide on the basis of a credit check which payment options are available.
We conduct profiling e.g. within the ambit of the Medbase pharmacies club card program by assessing your purchasing history and allocating you to specific customer segments on the basis of it. These are groups of people that have similarities in terms of particular characteristics. These customer segments may be established on either a long-term or an ad hoc basis and may relate e.g. to the phase of life or reason for purchasing. This profiling enables us e.g. to provide you with special offer vouchers that are relevant for you. For instance, if you frequently purchase herbal remedies from us, you will often receive special offer vouchers and offers relating to other plant-based products. Similarly, we may inform you concerning products and services where you live, if we are aware of your preferred location. Alternatively, we can prevent you from receiving special offer vouchers for baby products if we have reason to believe that you do not have any children.
Profiling occurs for instance also in relation to your account if we assess your behavior when using our apps, for instance by offering you an individual training plan and presenting you with offers tailored to your interests and preferences.
In order to improve the quality of analyses and predictions, we may also base profiling on a combination of personal data from various sources, e.g. data collected offline and online as well as data collected through various services of ours or that we have received from other Medbase Group companies (however, we do not do this with patient files).
If you do not want us to analyze personal aspects or to make predictions in relation to the Medbase pharmacies club card program, you can and should refrain from joining the Medbase pharmacies club card program or should purchase items without using the Medbase pharmacies club card and refrain from registering for Medbase apps and other services. You can also object to profiling in particular cases, as described in section 17.
13. Do we make individual decisions on an automated basis?
An “automated individual decision” is a decision taken fully automatically, i.e. without any human input, that has legal consequences for the data subject or that significantly affects him/her in another way. We do not generally do this, although we will inform you specifically should we take any automated individual decisions in specific individual cases. You will then have the opportunity to ensure that the decision is reviewed by a human being if you do not agree with it.
14. How do we use artificial intelligence?
New technologies such as artificial intelligence and machine learning have major potential, for instance by supporting our specialist staff in diagnostic activities or improving your experience when using our products and services. However, due to their novel nature they also entail challenges. We make sure that we always use new technologies in a manner that is consistent with our values, and carefully weigh up opportunities and risks in each specific individual case. We accept responsibility for any content generated or decisions made by artificial intelligence for us, and if the decision will have significant implications for the data subject we ensure that it can be checked by a human (see section 13). In addition, we shall inform you if any artificial intelligence used by us is interacting directly with you, in case this is not already readily apparent.
We may use artificial intelligence for instance in order to improve our products and services, to structure our internal processes more efficiently, to increase security and to prevent abuse, or for any of the other purposes described in section 6. Such artificial intelligence applications may process personal data, although in most cases no personal data are processed.
Areas in which artificial intelligence may potentially be used include e.g.:
- supporting our specialist staff in diagnostic activities;
- creating and facilitating access to information concerning our products and services;
- supporting the creation of versatile images (known as “stock images”), simple product captions, product packaging and similar, non-personalized content;
- needs-based processing of customer concerns and automatically assessing customer feedback;
- in general, improving the customer experience when using our products and services, for instance by offering targeted advice and providing information relevant to the addressee;
- supporting the creation of program code.
15. How do we protect personal data?
We take adequate technical and organizational security measures to ensure the security of your personal data and to protect you against unauthorized or unlawful processing as well as to counter the danger of the loss, inadvertent alteration, unintended disclosure or unauthorized access. However, as is the case for all companies, we are unable to prevent privacy breaches with absolute certainty; certain residual risks are unavoidable.
Technical security measures include e.g. data encryption and pseudonymization, the creation of log files, access restrictions and the storage of backup copies. Organizational security measures include e.g. the issue of instructions to our staff, the conclusion of non-disclosure agreements and the conduct of checks. We also oblige our controllers to adopt adequate technical and organizational security measures.
16. For how long do we process your personal data?
We process and store your personal data:
- for as long as is necessary for the purpose of processing or related purposes, for contracts as a general rule at least for the duration of the contractual relationship;
- for as long as we have a legitimate interest in storage. This may be the case in particular if we require personal data in order to exercise or defend legal claims, for archival purposes or to ensure IT security;
- for as long as they are subject to a statutory retention requirement. Retention periods of ten years or longer apply to particular types of data. Shorter retention periods may apply to other types of data, e.g. footage from video monitoring or records of particular processes online (log files).
In some cases, we will also ask for your consent if we wish to store personal data for longer periods of time (e.g. for job applications that we wish to keep under consideration).
After the periods specified have expired, as a general rule we shall erase or anonymize your personal data.
17. What rights do you have?
Under the applicable data protection law, you have the right to object to the processing of your data under certain circumstances, including in particular for the purposes of direct marketing (e.g. email advertising), profiling for the purpose of direct advertising and other legitimate interests in processing.
Provided that the applicable prerequisites are met and no statutory exemptions are applicable, you also have the following rights:
- the right to obtain from us confirmation as to whether any of your data are being processed, and if so which data;
- the right to obtain the rectification of inaccurate personal data;
- the right to obtain the erasure of your personal data;
- the right to obtain the surrender by us of particular personal data in a commonly used, electronic format or to obtain their transfer to another controller;
- the right to withdraw consent with future effect, where processing is based on consent;
- the right to state your views in relation to any automated individual decision-making (section 13) and to require that the decision be reviewed by a natural person;
- the right upon request to obtain further information that may be useful in exercising these rights.
Please note that these rights may potentially be limited or excluded in specific individual cases, e.g. if there is any doubt as to your identity or if this is necessary in order to protect other persons, to uphold legitimate interests or to comply with statutory requirements.
You can use our online form to exercise the most important rights mentioned above in relation to specific instances of data processing. In addition, you can unsubscribe from the newsletter and other advertising emails by clicking on the respective link at the end of the email. You can also contact us in accordance with section 18 if you wish to exercise any of your rights or if you have any questions concerning the processing of your personal data.
- The competent supervisory authority for Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).
- The competent supervisory authority in the Principality of Liechtenstein is the Data Protection Authority of the Principality of Liechtenstein (Datenschutzstelle).
18. How can you contact us?
If you have any questions about this Privacy Policy or about how your personal data are being processed, please contact the respective controller company using the contact information provided on its website.
You can also contact us at:
Medbase AG
Schützenstrasse 3
CH-8400 Winterthur
datenschutz@medbase.ch
052 260 29 29
You can also contact our representative in the European Union or in the European Economic Area:
VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Deutschland
19. Changes to this Privacy Policy
This Privacy Policy may be amended over time, in particular if we change the way in which we process data or if new legal provisions come into force. If any significant changes are made, we shall actively inform people whose contact information is registered with us concerning those changes, provided that this is possible without disproportionate cost. In general, the version of the Privacy Policy that was in force when the relevant processing began applies to data processing.
Version 3.2