Your data
in safe hands

In the following document, we would like to provide you with all the information necessary for transparent data processing and to give you information about your rights in the field of data protection.

1 Name and contact details of the controller and its representatives:

ghg good healthcare GmbH
represented by Managing Directors: Daniel Schaller, Sebastian Schröter and Thomas Marco Steinle
Headquarter: Europaplatz 2, 10557 Berlin, Germany, Tel.: +49 30 338 49 47 77,
email: info@goodhealthcare.com

intouch hcc GmbH
represented by Managing Directors: Wolfgang Höfers and Thomas Marco Steinle
Location: Europaplatz 2, 10557 Berlin, Germany, Tel.: +49 30 338 49 48 88,
email: info@stay-intouch.com

+49 med GmbH
represented by Managing Director: Thomas Marco Steinle
Headquarter: Europaplatz 2, 10557 Berlin, Germany, Tel.: +49 30 338 49 49 49,
email: info@plus49.de

patient+ GmbH
represented by Managing Director: Thomas Marco Steinle
Headquarter: Europaplatz 2, 10557 Berlin, Germany, Tel.: +49 30 338 49 49 40,
email: info@patient-plus.com

2 Contact details of the Privacy Team

If you have any questions on how your personal data are processed within the good healthcare group, please contact our Privacy Team:

Data Protection Officer of ghg good healthcare GmbH, intouch hcc GmbH, +49 med GmbH and patient+ GmbH:

Vivien Müller
email: ds@goodhealthcare.com

External Data Protection Officer:

intersoft consulting services AG
Headquarter: Beim Strohhause 17, 20097 Hamburg, Germany,
Tel: +49 30 790 235 0,
email: ds@goodhealthcare.com

3 How is data processed on this website?

3.1 For what purposes and on what legal basis does the good healthcare group process personal data?

When you visit our websites, we may collect personal data from you. We process personal data on our website, in particular, for the reasons presented below and on the following legal bases:

3.2.1 Usage data

When using the website for purely informative purposes, i.e. if you do not register or otherwise send data to us (e.g. via a contact form), we collect the following technical information (logfiles):

  • the operating system of the end device you use to visit our website
  • the browser (type, version and language settings)
  • the volume of data accessed
  • the current IP address of the end device you use to visit our website
  • the data and time of access
  • the URL of the previous website visited (referrer)
  • the URL of the (sub) page accessed on our website
  • the internet service provider for the accessing system

We need to obtain this data for technical purposes, in order to display our website to you and ensure stability and security. We (and our suppliers) generally do not know who is behind an IP address. We do not merge the above data with other data.

The legal basis is article 6 para. 1 p. 1 lit. f of the GDPR. As it is absolutely necessary to gather this data in order to present the website and to store logfiles for operating the webpages and preventing misuse, we have a significant legitimate interest in data processing.

3.2.2 Contact and scheduling appointments

You have the option to contact us using our email address, the various contact forms, our appointment scheduler or by telephone.  Of course, we will only use the personal data communicated to us in this way for the specific purpose for which you have provided the data to us. Information that is required for use of the website is marked with as a mandatory field with an asterisk (*), all other information is provided on a voluntary basis.

The legal basis is article 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest lies in the creation and maintenance of a customer relationship.

3.2.3 Newsletter

We only send newsletters, emails and other electronic notifications with commercial information (hereinafter “newsletters”) with your explicit consent, art. 6 para. 1 lit. a GDPR. Our newsletters contain information regarding invitations to events, insights & figures on pharma-marketing, information on new marketing channels and healthcare start-ups, as well as videos, interviews and surveys.

If you want to order the newsletter from the good healthcare group and its members (ghg good healthcare GmbH, intouch hcc GmbH, +49 med GmbH, patient+ GmbH), in addition to your email address, we also need a confirmation that you agree to receive the newsletter (Double opt-in procedure). This information is used in order to send you the newsletters. Subscriptions to our newsletters are logged as evidence that we are entitled to send you the newsletters in accordance with the legal requirements.

If you provide us with voluntary additional address data (e.g. telephone number or mobile phone number), we will only use this data for the purposes of telephone marketing/market research or marketing via SMS/MMS with your express consent.

The good healthcare group and its members, as well as their legal successors, have set themselves the objective of limiting the amount of promotional contact you receive and only contacting you in accordance with your communication preferences. To do so, the good healthcare group will save the communication channel preferences obtained from you (email, telephone, etc.), in order to optimise communication processes and contact you using your preferred channel of communication. The legal basis is our legitimate interest, art. 6 para. 1 p. 1 lit. f of the GDPR.

In order to improve the customisation of our newsletter for you and to measure the success of our campaigns, we assess user behaviour. For these assessments, the emails sent contain so-called web-beacons or tracking pixels. These are stored on our server and inform us about when and how you access them. For the assessments, we join the aforementioned data and the web-beacons together with your e‑mail address.

The data gathered through this allows us to tailor the newsletter to your individual interests. As part of this, we gather fundamental information such as opening rates, information about when you read our newsletter and which links you access through these. Your personal interests are based on this information. The legal basis for such data processing is your consent, art. 6 para. 1, p.1, lit. a GDPR. You may revoke your consent with future effect by clicking on the “unsubscribe” button on our newsletter.

Moreover, this form of tracking is not possible if you have deactivated the standard display of images in your email programme. In this case, the newsletter will not be displayed to you in full and you may not be able to use all of its functions. If you manually allow the display of images, the abovementioned tracking will take place.

You can revoke your subscription to the newsletter and your consent to the storage of your data at any via telephone, by mail or email. Address your request to the office you wish to contact. (+49 30 338 49 47 77, ghg good healthcare GmbH, Europaplatz 2, 10557 Berlin, Germany, info@goodhealthcare.com or +49 30 338 49 48 88, intouch hcc GmbH, Europaplatz 2, 10557 Berlin, Germany, info@stay-intouch.com or +49 30 338 49 49 49, +49 med GmbH, Europaplatz 2, 10557 Berlin, Germany, info@plus49.de or +49 30 338 49 49 40, patient+ GmbH, Europaplatz 2, 10557 Berlin, Germany, info@patient-plus.com). You can find a link to unsubscribe at the end of every newsletter.

3.2.4 Existing customer mailings

If you have concluded a contract with us, you become part of our existing customer base. In such cases, you will receive our newsletter without having provided explicit consent, insofar as you have not made use of your right to object. The legal basis in such cases is our legitimate interest, art. 6 para. 1 lit. f of the GDPR.

You can object to the processing of your data with future effect free of charge and at any time. To do so, simply send an email to the contact details in section 1.

3.2.5 Careers

When you use the application portal on our careers page, (https://job.goodhealthcare.com/), we will process your data in order to carry out the application process § 26 para.1 BDSG (German Federal Data Protection Act).

In the mandatory fields, we only collect information that is absolutely needed for the application process. Additional important information can be entered voluntarily in the voluntary fields. This means that we only store data that you have entered in the form yourself.

By sending the form, you confirm that your details are accurate. In the event that we wish to accept you into our pool of applicants upon completion of an application, we will obtain your explicit consent.

For the organization and execution of the application process, it can be necessary for us to pass your data on to companies affiliated with us within the good healthcare group as part of contract work.

Your data is hosted by rexx systems GmbH, Süderstraße 75-79, 20097 Hamburg, Germany, by way of commissioned data processing in accordance with Art. 28 GDPR. Both we and rexx systems GmbH use technical and organizational security measures to protect your collected data against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are continuously improved in line with technological developments. Once your data has been entered and transmitted, it is sent directly to the rexx systems GmbH server via an encrypted connection. All data is encrypted on the basis of the TLS procedure.

If you send your application via WhatsApp and wish to carry out the application process via WhatsApp, by clicking the button “Apply with WhatsApp” you consent to participation in messenger communication and the use of the WhatsApp service in accordance with Art. 6 para. 1 lit. a GDPR. We would like to point out that the good healthcare group cannot influence the handling of user data and its processing by the WhatsApp service.

Details on data processing by WhatsApp can be found in WhatsApp’s privacy policy at the following link: https://www.whatsapp.com/legal/privacy-policy-eea?lang=en.

Applications must be submitted exclusively via the applicant portal. Should you nevertheless apply to us by e-mail, we expressly point out that sending unencrypted e-mails or e-mail attachments is not secure.

Your data will be used to process your application and to decide on the establishment of an employment relationship. The legal basis is § 26 para. 1 i.V.m. para. 8 sentence 2 BDSG. Furthermore, your personal data may be processed if this is necessary to defend against legal claims asserted against us in the application process. The legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest in the processing also lies in the stated purposes.

If an employment relationship is established between you and us, we may process the personal data already received from you for the purposes of the employment relationship in accordance with Section 26 (1) BDSG if this is necessary for the performance or termination of the employment relationship or for the exercise or fulfillment of the rights and obligations of the representation of employees’ interests arising from a law or a collective agreement, a works or service agreement (collective agreement).

Your application data will not be processed beyond the use described above.

Your personal data will be deleted after completion of the application process after 6 months at the latest, unless deletion conflicts with any other legitimate interests on our part or you have not given us your consent for longer storage. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Act on Equal Treatment.

3.2.6 Cookies

We use so-called cookies on our website. They are used to make our internet presence more user-friendly, more effective and more secure as a whole. Cookies are datasets that are sent from the web server to a user’s web browser and stored there for future access. The user is informed about the use of cookies when they access the website and their consent is obtained for the processing of the personal data used.

In most cases, so-called “session cookies” are used. The distinguishing feature of “session cookies” is that they are automatically deleted from your hard drive at the end of a browser session. Other cookies remain on your computer system and enable us to recognize your computer on your next visit (so-called persistent cookies).

Here you will find an overview of all the cookies used.

Cookies that are not directly necessary will only be placed with the explicit consent of the user, in accordance with Art. 6 para. 1 lit. a GDPR. Of course, you can decline cookies at any time, provided that your browser permits this. Please note that certain features on this website may not work or may be restricted if your browser is configured not to accept any cookies (on our website).

 3.2.7 Web analysis by Matomo

This website uses Matomo (formerly known as Piwik), a software for website operators. Matomo uses cookies. Cookies are small text files that are stored on your computer and enable analysis of the way you are using the website. The information generated by the respective cookies about your use of this website is transmitted to the website operator server in Germany and is stored there. The IP address is anonymized immediately after processing and before storage.

The website operator will use this information in order to assess user behaviour and to generate reports about website activity.
The website operator will not pass this data onto third parties, unless legally required to do so. Cookies will only be installed following your explicit consent, in accordance with Art. 6 para. 1 lit. a GDPR. You can prevent the installation of cookies by adjusting the settings on your browser software. Please note that in this case, you may not be able to use all functions of the website in full. If you have given your consent, you can revoke it at any time.

If your Internet browser supports “Do-Not-Track” technology and you have activated it, your visit will be automatically ignored. You can disable data collection by Matomo here.

3.2.8. Google reCaptcha

We use reCaptcha v3 on our website. reCaptcha is a service from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and is designed to prevent the misuse of automatic details in web forms, thereby protecting the hoster’s technical systems. The protection of our system is our legitimate interest, Art. 6 para. 1 lit. d of the GDPR.

When you access one of our webpages that contains reCaptcha, this will establish a connection with Google’s servers. reCaptcha-cookie will then place a cookie. Your IP address is then sent to Google.

Moreover, reCaptcha uses “fingerprinting” to obtain the following data:

  • browser-plugins used
  • the cookies placed by Google in the last six months
  • the number of mouse clicks and movements conducted on the screen
  • CSS information for the pages accessed
  • Javascript objects
  • the date
  • the browser language

You can prevent the storage of cookies and fingerprinting by adjusting the technical settings on your browser software. Please note that in this case, you may not be able to use all functions of the website in full.

You can find Google’s data privacy policy and user terms at: https://www.google.com/policies/privacy/ and here: https://policies.google.com/terms.

3.2.9 Adobe Typekit

This website uses Adobe Typekit. This is a service provided by Adobe Systems Software Ireland Limited (“Adobe”), headquartered in 4-6 Riverwalk, Citywest Business Campus Dublin 24, Republic of Ireland.

When accessing the page, the necessary web fonts are loaded in your browser cache. This is to display texts and fonts correctly. In order to fulfill this purpose, your browser connection must be connected to the Adobe Typekit servers. As part of this, information is sent to Adobe, which the website obtains through your IP address.

3.2.10 Participation in our events

On our website, you can sign up for our (digital) events and presentations. To do so, we will require your contact details and email address. When you sign up for our events, you thereby declare that you agree to the collection, storage and use of your personal data gathered during registration, in the sense of article 4, no.1 of the GDPR.

By sending the registration form, you explicitly agree that we can use your personal data may be used to prepare, conduct and post-process the event.

We use your email to provide you with information relating to the event (e.g general event information, a link to the livestream, the livestream recording and follow-up emails). The legal basis is article 6 para. 1 lit. a and lit. b of the GDPR.

For digital events, we provide the opportunity to ask questions live (in writing) and to participate in live surveys. You can provide your name on a voluntary basis. Questions and survey results are stored. Statistical data is also collected, e.g. the number of livestream participants. The legal basis for this processing is our significant legitimate interest in the optimisation, assessment and analysis of the event, in accordance with article 6 para. 1 lit. f of the GDPR.

The livestreams of digital events (image & sound) are recorded and then sent to participants, published on our website or used on social media. The legal basis for this processing is our significant legitimate interest in the documentation of the event and the use of photographic and cinematographic recordings for PR purposes. 6 para. 1 lit. f of the GDPR.

For presentations, photo and video content is also produced and used for marketing purposes.

3.2.11 Social media platforms

The good healthcare group and its members, +49 med, patient+ and in//touch maintains social media platforms on Instagram, Facebook, Xing, LinkedIn and Kununu to inform the public about the companies. All data processing operations in this context are not carried out by us but by the respective social media providers. For the purpose and scope of data collection by the social media provider as well as the further processing and use of your data and your related privacy protection rights and settings options, please refer to the privacy policy of the respective provider. We have no influence on these privacy policies.

Instagram Privacy Policy: www.facebook.com/help/instagram/155833707900388
Facebook Privacy Policy: www.facebook.com/policy.php
Xing Privacy Policy: www.xing.com/privacy
LinkedIn Privacy Policy: www.linkedin.com/legal/privacy-policy
Kununu Privacy Policy: www.kununu.com/info/datenschutz

3.2.12. Embedding of services and contents from third parties

It can be the case that contents from third parties, such as videos from YouTube, map material from Google Maps, RSS feeds or graphics from other websites, are embedded in this website. This always requires that the providers of this content (hereinafter referred to as “third-party providers”) view the IP address of the user. Without the IP address, the third-party providers cannot send the contents to the browser of the relevant user. This means that the IP address is required to display this content. We strive to only use content from providers who only use the IP address to deliver the content. However, we do not have any influence on this if the third-party providers require the IP address for statistical purposes, for example. If this is known to us, we will make users aware of this.

3.2.13. Vimeo

This website uses plugins from the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.

When you visit a page with a Vimeo video, a connection is made with Vimeo’s servers. In doing so, the Vimeo server is informed about which of our pages you have visited. Vimeo will also obtain your IP address. This also occurs if you are not logged into Vimeo or if you do not have a Vimeo account. The information obtained by Vimeo is sent to Vimeo’s servers in the USA.

If you are logged into your Vimeo account, you allow Vimeo to assign your browsing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account.

To recognise website users, Vimeo uses cookies or similar recognition technologies (e.g. device fingerprinting).

The legal basis is our legitimate interest. Processing takes place on the basis of art. 6 para. 1 lit. f of the GDPR.

For more information about how user data is handled, see Vimeo’s privacy policy at: https://vimeo.com/privacy.

3.2.14. med.room

We use the “Zreality Grids” service for our “med.room”. This is a simple to use 3D-, virtual- and augmented reality platform belonging to ZREALITY GmbH, Zollamtstraße 11, 67663 Kaiserslautern.

In order to use the Zreality Grids functions, information including the IP address can be transmitted to the provider’s server. In order to use the tools it is necessary for you to register with your email address. Using this information, a user ID will be created, with the help of which you can be assigned within the software.

We will continue to track your user behaviour within Zreality Grids via the “Matomo” service. You will find further information on this in Section 3.2.7 “Web analysis by Matomo” or at https://matomo.org/privacy.

The software is used in the interest of providing an appealing and convenient communications platform.

For more information about how user data is handled, see Zreality’s privacy policy at: https://www.zreality.com/datenschutz/.

The collection and storage of data in the context of the use of the tool, including the email address and the user ID, is carried out for the provision of the digital space. The legal basis is our legitimate interest, according to Art. 6 para. 1 p. 1 lit. f of the GDPR. This is due to our ability to provide you with our “med.-room”. The data are deleted as soon as they are no longer required for the cited purposes.

Data collection and storage with the help of the Matomo service only takes place with express consent pursuant to Art. 6 para. 1, p.1, lit. a) GDPR. This consent can be withdrawn with future effect at any time.

4 Customers, potential customers and business partners

For the purpose of creating and carrying out contracts, we also process personal data, art. 6 para. 1 lit b and f of the GDPR. We use this data in order to make contact with you, to process payments and for contractual purposes.

5 Is data passed on to third parties?

In order for the good healthcare group to be able to process your data for the previously mentioned purposes, it can be necessary for other recipients (other companies within the good healthcare group, service providers or authorities) to be able to view and process your data.

5.1. Recipients within the good healthcare group

The good healthcare group is a network of independent companies which creates synergy effects. In certain cases, it can be necessary for us to process your data throughout the group. However, data is only processed within the good healthcare group when we are legally permitted to do so, for example, as part of contract work.

5.2 External service providers (processors)

Your data is passed on to service provider partners, if these providers are commissioned by us and support the good healthcare group with their services. When you subscribe to our newsletter, for example, we have commissioned a service provider to send the mail.
Processing of your personal data by a commissioned service provider is performed as part of contract work in accordance with Art. 28 GDPR.
These service providers also receive access to personal information that is required to carry out the relevant service. These service providers are prohibited from passing on your personal information or using it for other purposes, in particular for their own advertising purposes.
If external providers should come into contact with your personal data, we have ensured through legal, technical and organizational measures, as well as regular checks, that these external providers also comply with the applicable data protection regulations.
Your personal data is not passed on to other companies for commercial purposes.

5.3 Other service providers, partners or third parties

The good healthcare group can work together with additional partners when this is required to carry out our range of services or when we are legally obligated to pass on data.

6 Will data be processed outside of the EU or the EEA and how will data protection be ensured?

We also work partly with service providers outside the EU or EEA, e.g. Salesforce. In such cases, we have agreed EU standard contract clauses with these service providers in order to attain the right level of data protection.

7 How long is data stored for?

The personal data of the relevant person is deleted or blocked as soon as there is no longer a purpose for the data to be stored. In addition to this, data can be stored when this is stipulated by the European or national lawmaker in Union ordinances, laws or other provisions, which the responsible party is subject to. Data is also blocked or deleted when a data retention period prescribed by the specified standards expires – unless the data needs to be stored for longer for the purposes of concluding or fulfilling a contract.

The following data storage provisions apply for the use of data on our website:

  • Applicant data is deleted after six months if no consent has been obtained for extended storage of the data; in such as case, the data is deleted after a maximum of one year.
  • Contact inquiries are deleted after they are processed, provided that these are not subject to legal data retention periods and no consent for extended storage has been obtained.

8 What are your rights?

  • The consent to process personal data can be revoked at any time with effect for the future. This does not affect the lawfulness of the data processing that took place based on this consent until the time of revocation. A revocation can be informally submitted to the controller (see contact details under 1)) via telephone, email or letter.
  • If your personal data are processed, you have the right to receive information on the stored personal data concerning you (Art. 15 GDPR).
  • If incorrect personal data are processed, you are entitled to demand that controller rectify these data (Art. 16 GDPR).
  • If the legal conditions are in place, you may demand that the controller erases or restricts the processing and also object to the processing (Art. 17, 18, 21 GDPR).
  • If you have consented to the data processing or a contract for data processing is in place and automated means are used to carry out the data processing, you may have a right to data portability in relation to the controller (Art. 20 GDPR).

If you exercise the aforementioned rights, the controller will check whether the associated legal conditions are in place.

  • Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this Regulation (Art. 77 GDPR).

You can enforce your rights at any time via telephone, mail or email. Address your request to the office you wish to contact. (+49 30 338 49 47 77, ghg good healthcare GmbH, Europaplatz 2, 10557 Berlin, Germany, info@goodhealthcare.com or +49 30 338 49 48 88, intouch hcc GmbH, Europaplatz 2, 10557 Berlin, Germany, info@stay-intouch.com or +49 30 338 49 49 49, +49 med GmbH, Europaplatz 2, 10557 Berlin, Germany, info@plus49.de or +49 30 338 49 49 40, patient+ GmbH, Europaplatz 2, 10557 Berlin, Germany, info@patient-plus.com). You can find a link to unsubscribe at the end of every newsletter.

Questions, suggestions, wishes?
Please feel free to contact us.

Contact us