Privacy statement evita

General personal data

We process general personal data about you.

Details: para. 3.

Financial data

We process your financial data.

Details: para. 3.

Healthcare data

We process your healthcare data.

Details: para. 3.

Privacy

We process data about your private and personal life.

Details: para. 3.

Data provided

We process personal data that you provide us.

Details: para. 3.

Data collected

We process personal data that we collect about you.

Details: para. 3.

Data received

We process personal data about you that we receive from third parties.

Details: para. 3.

Marketing

We use your personal data for marketing and advertising purposes.

Details: para. 4.

Europe

We only process your personal data in Switzerland and the EU.

Details: para. 8.

The present privacy statement from Swisscom describes the way in which we process your personal data in connection with the evita health record and when you navigate on evita.ch.

1. What is this privacy statement?

Data privacy is a matter of trust and your trust is important to us. The protection of your personal data and in particular your healthcare data is our top priority. We respect your private and personal life. A responsible and legally compliant handling of personal data is very important to us.

This privacy statement ("statement") describes the way in which we process your personal data when you visit our website or when you use the evita health record ("evita") as a customer.

If you transmit or disclose data about other people, such as family members, work colleagues, etc., we assume that you are authorised to do so and that this data is correct. With the transmission of third party data, you confirm the aforesaid. Please also ensure that these third parties have been informed of the present privacy statement.

2. Who is responsible for processing your data?

Swisscom (Switzerland) Ltd, Alte Tiefenaustrasse 6, Worblaufen, 3050 Bern (“Swisscom” or “we”) is responsible for the data processing in evita described in this privacy statement, unless otherwise communicated in individual cases.

Information about third parties to whom we pass on your data can be found below in para. 7.

If you have any concerns about data protection or would like to exercise your rights according to para. 11. you can contact us using the contact details in the Impressum on evita.ch.

In addition, we have created the following position:

You can contact the data protection officer according to Art. 10 revDPS of Swisscom (Switzerland) Ltd as follows:

  • by email: datenschutz@swisscom.com
  • by post: Swisscom (Switzerland) Ltd, Dr. Nicolas Passadelis, LL.M., data protection officer, Swisscom (Switzerland) Ltd, PO box, CH-3050 Bern

3. Which data do we process?

We process different categories of data about you, with the current and possibly also with the previous information, if details change. The main categories are as follows:

  • Contact and identification data: By contact and identification data, we mean the basic data that we need in addition to the contract data (see below) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, address, telephone number, email address, title and information, for example, about your role and function, as well as payment details such as credit card details. We process your contact and identification data if you are a customer or other business contact or work for such a person (e.g. as a contact person for the business partner). We receive contact and identification data from you (e.g. as part of a registration) or from departments for which you work (e.g. cooperation partners).
  • Personal data: This includes further information related to your person, such as date of birth, gender, AHV number, your health insurance, nationality, language, marital status as well as information about relatives and related persons. We process personal information if you are one of our customers. We can also process personal information about you if you are a business contact or work for one (e.g. as a contact person for cooperation partners). We receive your personal information from you (e.g. as part of a registration) or from places you work for.
  • Technical data: If you visit our website, we collect the IP address of your device and other technical data to ensure functionality and security of these offers. Other data we collect are: information about the operating system of your terminal device, the date, region and time of your visit, the type and other settings of the browser used to access evita, and logs in which the use of our systems is recorded. In order to ensure the functionality of these offers, we can also assign you or your device an individual code (e.g. in the form of a cookie, see para. 12.). In principle, the technical data does not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the fulfilment of a contract, they can be linked to other categories of data (and thus, if applicable, to your person).
  • Registration data: Our services can only be used with a user account or registration, which can be done directly with us. In this process you have to provide us with certain data and we collect data about the use of the service. Registration data includes information you provide when you create an account on our website (e.g. email, password, mobile phone number). You also have to register if you want to subscribe to our newsletter.
  • Communication channel: If you are in contact with us by email, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. If we want or need to determine your identity, e.g. when requesting information, registering as a physician's practice, etc., we collect data to identify you (e.g. a copy of a document of identification).
  • Healthcare data: This includes data about your health, your body and your vital functions, your diagnoses and treatments, your behaviour and your health insurances. This also includes uploaded documents and photo or video files related to your health. Healthcare data can also include data about your private and personal life. You can record your healthcare data in evita and we generally do not process it beyond storage (= fulfilment of contract).
  • Contract data: These are data that arise in connection with the conclusion of a contract or the fulfilment of a contract, e.g. the applicable terms and conditions, start of contract, invoice data, type of subscribed services, as well as further information about contracts, about the services to be provided or provided and about reactions (e.g. complaints or information on satisfaction etc.). We usually collect this data from you or from cooperation partners.
  • Other data: We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data (such as files, evidence, etc.) can be generated that may also relate to you.

4. Where do we get your data from?

You provide us with much of the data mentioned in para. 3. yourself (e.g. when registering, when using your evita health record, when communicating with us, in connection with contracts, when using the website, etc.). If you want to open and use an evita health record, you must provide us with data as part of your contractual obligation in accordance with the “General Terms and Conditions of evita”, in particular contact, identification, contract and registration data. When using our website, the processing of technical data is inevitable.

To the extent this is not inadmissible, we can, in certain cases, also take data from publicly accessible sources (e.g. debt enforcement registers, commercial register, media or the Internet including social media) or receive data from authorities and other third parties (such as credit reference agencies, etc.).

5. For what purposes do we process your data?

We process your data for the purposes that we explain below. These purposes or the underlying goals represent legitimate interests of ours and, if applicable, of third parties. You can find further information on the legal basis of our processing in para. 6.

  • We process your data for contract fulfilment as well as for the establishment and administration of contractual relationships. We conclude contracts with our customers, with suppliers or other contractual partners, such as cooperation partners in evita, or with parties in legal disputes. In particular, we process contact and identification data, contract data and communication data and, depending on the circumstances, also the customer's registration data. For us, the fulfilment of contract also includes saving your healthcare data. Furthermore, within the scope of contract fulfilment, we process data for managing the customer relationship, for providing and requesting contractual services (which also includes the involvement of third parties, such as providers in payment transactions), for advice and for customer care. The enforcement of legal claims from contracts (debt collection, court proceedings, etc.) is also part of contract performance, as is the bookkeeping and termination of contracts.
  • We process your data for the purposes of communicating with you, in particular to answer inquiries and assert your rights (para. 11.) and to contact you if you have any questions. For this purpose, we use in particular communication data and contact, identification and registration data. We can keep this data for inquiries and to document our communication with you.
  • We process data for marketing purposes and for relationship maintenance, such as to send our customers advertisements about products and services from us and from third parties (e.g. from providers of services on evita). This can take the form of newsletters and other regular contacts (electronically, by post). You may at any time refuse (see para. 6.), i.e. withdraw or revoke your consent to be contacted for marketing purposes.
  • We can process your data for further purposes. Further purposes include, for example, security, compliance with laws, instructions and recommendations from authorities and internal regulations (“compliance”), risk management and prudent corporate governance, protection of our rights, administrative purposes (such as the management of contact and identification data, accounting and data storage), safeguarding our rights and evaluating and improving internal processes. The safeguarding of further legitimate interests, which cannot be named conclusively, is also part of this.

6. On what basis do we process your data?

Where we ask for your consent for certain processing (e.g. for marketing mailings), we will inform you separately about the respective purposes of the processing. You can revoke your consent at any time by written notification (by post) or, unless otherwise stated or agreed, by email to us at any time with effect for the future. You can find our contact details in para. 2. As soon as we have received your withdrawal of consent, we will no longer process your data for the purposes to which you originally agreed, unless we have another legal basis to do so. Withdrawing your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of withdrawal.

If we do not ask for your consent for processing your personal data, we base the processing on the fact that processing is necessary for the fulfilment of contract or the initiation of a contract with you (or the body you represent) or that we or third parties have a legitimate interest, in particular, to pursue the purposes described in para. 5. and to be able to take appropriate measures. This also includes compliance with statutory provisions, insofar as compliance is not already recognised as a legal basis by the applicable data protection law.

7. Who do we share your data with?

In connection with our contracts, the website, our services and products, our legal obligations, or otherwise, to safeguard our legitimate interests and other purposes described in para. 5., we also transfer your personal data to third parties, in particular to the following categories of recipient:

  • Service provider: We work with selected service providers in Germany who process data about you on our behalf (e.g. for software development, customer support, IT services or online payment transactions). We only give these service providers data for the required service, which may also affect you. In a few cases, this data can include healthcare data. Netskin GmbH is one of the service providers involved in software development and support for evita. To process online payment transactions, we work together with Datatrans AG. All of our service providers have signed contracts with us that include provisions for data protection and confidentiality.
  • Cooperation partner: Thereby we mean partners who offer their services in evita and who can receive data about you if you have registered for these services. This data can also include healthcare data. These cooperation partners can process data about you as an independent responsible person. Our central cooperation partners include the Insel Gruppe, Pro Senectute and the Swiss Society for Implantology (SGI-SSIO). If you use the services of these cooperation partners, the cooperation partners will also receive selected contact and identification data as well as personal information about you from us and may communicate with you for the purpose of the fulfilment of contract and customer information. If you work for one of our cooperation partners yourself, we can also transmit data about you to them in this context.
  • Other persons: Other recipients are persons expressly authorised by you to access your data (e.g. family members) and medical service providers. The term also refers to other cases in which third parties are involved, for the purposes according to para. 5., such as offices, courts and other authorities (if we are legally obliged or authorised to pass on data or the data transfer appears to be necessary to safeguard our interests), other third parties also in the context of proxy relationships (e.g. if we send your data to your lawyer) or other persons involved in official or court proceedings.

These categories of recipient can in turn involve third parties so that your data can also be accessed by them. We have restricted processing by certain third parties (e.g. software developers) but we cannot restrict those of other third parties (e.g. authorities, etc.).

8. Is your personal data also transferred abroad?

Your data is safely stored in data centres in Switzerland. As explained in para. 7., we also share data with other bodies who are generally located in Switzerland. In certain cases, your data can also be processed by our service providers in Europe (e.g. to process online payment transactions). Please also note that data exchanged over the Internet can be sent via third countries. Your data can therefore be sent abroad even if the sender and recipient are in the same country.

9. For how long do we process your data?

We process your data for as long as our processing purposes, the statutory retention periods and our legitimate interests in processing for documentation and evidence purposes require or storage is technically required. As long as you actively use your evita account, your data will be saved.

In the event of prolonged inactivity, your account will be deactivated after prior notice and, if you do not react, your data in evita will be deleted. You can also delete your data in evita yourself in your evita account under “Delete account”.

As part of our usual processes, if there are no legal or contractual obligations to the contrary, we will delete or anonymise your data after the storage or processing period has expired.

The above-mentioned documentation and evidence purposes include our interest in documenting processes, interactions and other facts in the event of legal claims, discrepancies, purposes of IT and infrastructure security and evidence of good corporate governance and compliance. Storage can be for technical reasons if certain data cannot be separated from other data and we therefore have to keep them together (e.g. in the case of backups).

10. How do we protect your data?

We take appropriate security measures to protect the confidentiality, integrity and availability of your personal data in order to protect this data against unauthorised or unlawful processing and the dangers of loss, unintentional change, unintentional disclosure or to counteract unauthorised access.

The security measures of a technical and organisational nature include measures such as the encryption and pseudonymisation of data, logging, access restrictions, the storage of backup copies, instructions to our employees, confidentiality agreements, controls and security reviews. We use suitable encryption mechanisms to protect your data transmitted via our website during transport, but we can only secure areas that we control. We also oblige our service providers to take appropriate security measures.

11. What are your rights?

The applicable data protection law grants you the right to object to the processing of your data under certain circumstances, in particular for direct marketing purposes. In order to make it easier for you to control the processing of your personal data, you also have other rights in connection with our data processing, such as:

  • the right to request information from us as to whether and which data we are processing about you;
  • the right to have us correct your data if it is inaccurate;
  • the right to request deletion of your data;
  • the right to request us to hand over certain personal data in a common electronic format or to transfer it to another responsible person;
  • the right, upon request, to receive further information that is helpful for the exercise of these rights.

Note: You can view the data processed about you in evita directly in your evita account and download yourself the files you have uploaded to evita. You can also delete your evita account yourself, which will delete your data from evita as well.

If you want to exercise your data protection rights towards us, please contact us by letter or, unless otherwise stated or agreed, by email; our contact details are linked in para. 2. To rule out misuse, we must identify you (e.g. with a copy of a document of identification, if no other option is available).

The above-mentioned rights extend to other bodies who work independently with us (cooperation partners who offer services in evita). Please contact them directly if you want to exercise your rights in connection with their processing. Information on our cooperation partners can be found in para. 7.

Please note that requirements, exceptions or restrictions apply to these rights (e.g. to protect third parties or trade secrets) according to the applicable data protection law. Furthermore, in the case of requests for information, disclosure or deletion of data we may point out to you the possibility of viewing, downloading or deleting your data yourself in evita, and to exclude this data from the implementation of your request. We will inform you accordingly if necessary.

If you do not agree with our handling of your rights or our approach to data protection, please inform us or our data protection officer (para. 2.). You also have the right to complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC). https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html.

12. What cookies do we use?

In the login area of our website we use various techniques with which we can recognise you when you are using the website and possibly also track you over several visits. Essentially, it is about being able to distinguish your accesses (via your system) from accesses by other users so that we can ensure the functionality of the website and personalise it by our server assigning you or your browser a certain identification number (a so-called "cookie").

Cookies are individual codes (e.g. a serial number) that our server transmits to your system when you connect to our website and that your system (browser, mobile) receives and saves until the programmed expiry time. With each subsequent access, your system transmits these codes to our server so that you can be recognised.

We only use cookies in the login area of our website. In this area we only use cookies which are necessary for the functioning of the website as such or for certain functions, for example to ensure that you remain logged in. These cookies are only temporary (“session cookies”). If you block them, the website may not work. Other cookies are necessary so that the server can save decisions you have made beyond a session (i.e. a visit to the website) if you use this function (e.g. the function for an automatic login, etc.).

13. Can we change this statement?

This statement is not part of any contract with you. We reserve the right to change this statement at any time. The version published on our website is the valid version.

Last update: 18.10.2021