Insel Gruppe AG Privacy Notice

nsel Gruppe AG, Bern, with its range of medical facilities (hereinafter also "we", "us"), procures and processes personal data, in particular personal data about our patients, their relatives and affiliates, other customers, contracting parties, visitors to our website, event participants, subscribers to newsletters, other healthcare providers and other entities or their relevant contact persons and colleagues (hereinafter also "you"). We describe these data processing operations in this privacy notice. In addition to this privacy notice, we may explain separately how your data are processed (e.g. in the case of forms or terms and conditions of contract).

If you let us have data about other persons (such as your relatives, other affiliated persons or other [healthcare] service providers), we assume you are entitled to do so and that the data are accurate; you must also have made these persons aware of such notification if that is a legal obligation (e.g. by bringing this privacy notice to their prior attention). 

When processing your personal data, we are primarily governed by the Data Protection Act of the Canton of Bern (KDSG-BE).

Who is responsible for processing your data?
The responsibility under data protection law for the processing operations described in this
privacy notice is vested in:

Insel Gruppe AG
Freiburgstrasse 18
3010 Bern

Tel.: 031 632 21 11
Contact form: https://www.inselgruppe.ch/de/kontakt 

If you use our services (especially in connection with the provision of healthcare, together
with hotel and other services) or procure products (especially medicines and medicinal prod-
ucts), use our webpages or our apps (hereinafter jointly "website") or have other contacts
with us, we procure and process several categories of personal data about you. In general,
we may procure and otherwise process such data in particular for the following purposes:

• Provision of healthcare: we process your personal data in order to enable us to  provide, document and bill our services professionally in connection with the provision of healthcare. For that purpose, we process in particular your name and contact details as well as your healthcare data (e.g. details of present and past diagnoses, treatments, prescribed medicines, visual recordings such as Xray, tomographic or other images, laboratory and other analyses, reports and treatment notes as well as further information about your state of health which become available in connection with your case history, investigations, treatment and advice). For healthcare provision, you are also reminded of forthcoming appointments by email or SMS sent by certain Insel Group units.
• Information and conclusion of contracts: With regard to the conclusion of a contract (not only to justify a treatment relationship, but also if you procure hotel or other services or products from us or if we obtain products or services from your principal or employer), we may in particular procure and otherwise process your name, contact data, healthcare data, photos, powers of attorney, declarations of consent, information about third parties (e.g. contact persons, details of relatives or other affiliates), contract contents, conclusion date, credit checks and all other data that you make available to us or that we obtain from public sources or from third parties (e.g. references).
• Administration and performance of contracts: We procure and process personal data to enable us to discharge our statutory and contractual obligations to our patients, authorities, insurance schemes and other contracting parties (e.g. other healthcare providers, referring doctors, suppliers, service providers, project partners) and in particular to provide and request the contractual services. This likewise includes data processing to serve our other customers, in other words those who are not patients, and also to implement contracts (billing our services to insurance companies, debt collection, legal proceedings etc.), bookkeeping and public communication. For this purpose, we process in particular the data that we receive or have gathered on the occasion of the initiation, conclusion and performance of the contract, e.g. data about contractual services and the provision of services, details of reactions and financial and payment information.
• Communication: To communicate with you and with third parties by email, telephone, fax, digital communication channels, letter or by other means (e.g. to answer enquiries, on the occasion of a treatment or consultation and to initiate or perform contracts), we process in particular the contents of the communication, your contact data as well as the marginal data of such communication. This likewise includes video and audio recordings of (video) telephone calls. If we need or wish to ascertain your identity, we gather additional data (such as a copy of an identity document).
• Research: We may also process your personal data for research purposes in compliance with the statutory requirements (such as the Human Research Act – HFG - etc.). To that end, we may in particular process your health and genetic data. Whenever this is compatible with the purpose of the research or required by law, we process the data in such a way that your person can either no longer be identified or can only be so identified with disproportionate expenditure. If anonymization is not possible, we process your data under a pseudonym. All research outcomes are anonymized before publication.
• Relationship management, information and marketing purposes: we also process your personal data for relationship management and marketing purposes, so as in particular to send our customers, other contracting parties and other persons personalized advertising (e.g. on our website, as printed matter, by email or via other channels) about our products, services and other news items as well as those of third parties (e.g. from product partners) (e.g. about events, competitions, general information, media releases or marketing campaigns). For this purpose, we process in particular the names, email addresses, telephone numbers and other contact details (e.g. political information in the case of politicians or specialisms of specialist personnel) which we obtain from public sources, on the occasion of the conclusion or performance of a contract or from any form of registration (e.g. to receive a newsletter). You may at any time decline these notifications or withhold or withdraw consent to contact being made for promotional purposes by notifying us.
• Improvement of our services, website, apps and of our business and product development: In order to constantly improve our products and services (including our website and other electronic resources), we gather data about your conduct and preferences, for example by analysing the way in which you navigate our website, how you interact with our social media profiles or which products of which groups of persons are used in which particular way. If appropriate, we may add details obtained from third parties (including from sources accessible to the public) to this information. You will also be contacted by certain Insel Group units by email or SMS and invited to take part in surveys that are conducted for quality assurance purposes.
• Operation of our website: To enable us to operate our website securely and in a stable manner, we gather technical data such as IP address, details of the operating system and settings of your terminal device, the region and time and nature of use. We also use cookies and similar technologies.
• Registration: In order to use certain offers and services (such as login zones, WLAN, newsletters, apps), you must first register (either directly with us or via our external login service providers). To that end we process the data notified whenever you register. While the offer or service is being used, we may likewise gather personal data about you; if necessary, we will tell you more about the way in which such data are processed.
• Security purposes and access controls: We procure and process personal data in order to assure and constantly improve the appropriate security of our IT and other infrastructure (such as buildings). This includes e.g. surveillance and control of electronic access to our IT systems and of physical access to our premises, analyses and tests of our IT infrastructures, system and fault tests and making backup copies. For documentation and security purposes (both preventive and to investigate incidents) we also record access to our premises, compile visitors lists and use surveillance systems (such as security cameras). We call your attention to surveillance systems by suitable signage at the relevant locations.
• Employee administration and personnel management: We process personal data of employees (employee data) that we collect from the employees themselves or third parties as part of the recruitment or employment relationship. Data is processed to establish, implement or terminate the employment relationship. If additional benefits are claimed (e.g. childcare subsidy/allowances), data is processed to fulfill these additional benefits. Personal data is processed in articular for: recruitment, personnel administration, maintaining a personnel dossier, payroll accounting, training management, planning measures for personnel and career development, performance evaluation, evaluating and improving work processes and for employee monitoring if this appears necessary or useful for safety, quality or performance assessment. The data is also used to carry out internal and external audits and for general information and invitations (e.g. newsletters, invitations to events, gifts, etc.).
• Compliance with laws, instructions and recommendations of authorities and internal regulations ("Compliance"): We procure and process personal data in order to comply with applicable laws (such as health formalities, child and adult protection duties, obligations under social insurance law and tax law, professional and occupational duties in respect of healthcare services), self-regulation, certifications, branch standards, our corporate governance and also for internal and external investigations (e.g. by a prosecuting or supervisory authority or a retained private entity).
• Risk management and corporate governance: We procure and process personal data for risk management purposes (e.g. for protection against unlawful activities) and also for corporate governance. This concerns e.g. our business organisation (such as resource planning) and business development (e.g. buying and selling parts of businesses or enterprises).
• Job applications: If you apply for a job with us, we procure and process the relevant data for the purpose of verification of your application, implementation of the application procedure and, if the application is successful, for the preparation and conclusion of a suitable contract. For this purpose we process your contact data and details obtained from the relevant communication and, in particular, the data contained in your application documents, as well as such further data as we may be able to obtain about you, e.g. from professional social media, the Internet, the media and from references which you allow us to consult.
• Other purposes: Other purposes include e.g. education and training, administrative tasks (e.g. bookkeeping) or holding events (e.g. professional events for healthcare or other specialists, for patients and other customers and for the general public). Your data, especially your healthcare data, may be used by us for basic and further training purposes in an anonymized form, for your own protection and security and that of other patients, employees, third parties or the general public and for quality assurance. We may also use personal data for the organization, holding and debriefing of events, including more specifically attendance lists, contents of presentations and discussions, as well as video and audio recordings made during these events. Protection of other justified interests is another of these purposes which are too many to list here in full.

• You yourself: Most of the data processed by us are made known to us by you (or your terminal device) personally (e.g. in connection with the provision of healthcare and of our other services, use of our website and apps or communication with us). You are not obliged to disclose your data, except in specific cases (e.g. when required to do so by law). However, if you do for instance conclude contracts with us or wish to make use of our services (including our website and other services) you must let us have certain data.
• Third parties: The data that we process for healthcare purposes and in order to initiate and perform contracts may be gathered from other healthcare providers, social or private insurance schemes, authorities, (former) employer and also from your relatives or other third parties. However, we may take further data from sources that are accessible to the public (e.g. debt collection registers, land registers, registers of commerce, media or the Internet, including social media) or obtain the data from (i) authorities, (ii) your employer or principal who is either in a business relationship or has other dealings with us and (iii) from other third parties (such as credit rating agencies, address dealers, associations, contracting parties, Internet analysis services). This includes in particular the data that we process in connection with the initiation, conclusion and performance of contracts and data taken from correspondence and discussions with third parties, together with all other data categories for the purposes described above.

In connection with the purposes listed above, we may in particular transfer your personal data to the following categories of recipients:

• Other healthcare providers: In particular for the preparation and follow-up of patients, we work with other healthcare providers (e.g. referring doctors or after-carers, these being in particular general practitioners, medical practices, other clinics and hospitals, rehabilitation centres etc.). Otherwise, and in particular during the treatment relationship, we are also dependent upon cooperation with other service providers (such as laboratories, manufacturers of medicines and medicinal products, ambulance and rescue services, attending doctors etc.). These healthcare providers may (i) acting on our instructions, (ii) in joint responsibility with us or (iii) under their own responsibility, process data that they obtain from us or have gathered for us.
• Service providers: We work with other service providers both at home and abroad who acting (i) on our instructions (e.g. IT providers), (ii) in joint responsibility with us or (iii) under their own responsibility, process data that they have received from or gathered for us. These service providers include e.g. IT providers, IT service providers, advertising service providers, banks, insurance companies, debt collection companies, address checkers, consultancy companies, auditing companies or law offices. As a rule, we agree contracts with these third parties for the use and protection of personal data.
• Patients, customers and other contracting parties: In the first instance, this means our patients, customers and other contracting parties to whom your data are transferred under the terms of the contract (e.g. because you are active for a contracting party or the latter provides services for you). This category of data recipients likewise includes contracting parties with whom we cooperate or who advertise on our behalf. The recipients in principle process the data under their own responsibility.
• Authorities and law courts: We may transfer personal data to organisations, law courts and other authorities (including social insurance schemes) at home and abroad if we are required or entitled to do so by law or if that appears necessary to protect our interests. These recipients process the data under their own responsibility.
• Other persons: this refers to cases in which third parties are involved for the purposes referred to above and concerns, e.g. delivery addressees or payees indicated by you, third parties acting as representatives (such as your attorney-at-law or your bank, as well as assistants or relatives or other third parties who are empowered to represent you) or persons involved in proceedings with the authorities or courts of law. For corporate development purposes, we may sell or acquire businesses, parts of businesses, assets or enterprises or enter into partnerships which may also require the disclosure of data (including e.g. as a patient, customer or supplier or as their representative) to the persons participating in such transactions. Data about you may likewise be exchanged. when we communicate with our competitors, branch organisations, associations and other bodies.

All these categories of recipients may in turn make use of third parties to whom your data may also be made available. We may limit processing by certain third parties (such as IT providers, but not that done by some other third parties (such as authorities, banks etc.). We likewise enable certain third parties to gather your personal data under their own responsibility from our website and at events held by us (e.g. media photographers, suppliers of tools that we have incorporated into our website). In so far as we do not play a determining role in such data gathering, these third parties have sole responsibility for doing so.

We process and store personal data primarily in Switzerland and in the European Economic Area (EEA), but in exceptional cases also potentially in any country of the world.
If a recipient is located in a country that does not have appropriate data protection, we require him by the terms of a contract to respect an adequate standard of data protection (for this purpose we use the European Commission’s standard contract clauses, including the supplements necessary for Switzerland), unless the recipient is already governed by recognized regulatory provisions on privacy and we cannot invoke an exceptional disposition. An exception may in particular apply to legal proceedings in another country and also in cases of overriding public interest, if the performance of a contract which is in your interest requires such disclosure, if you have granted your consent or your consent cannot be obtained reasonably soon and the notification is necessary to protect your life or your physical integrity or that of a third party or if data that have been made generally available by you are involved and you have not objected to their processing.

You have certain rights in connection with our data processing. Under the terms of the applicable law, you may in particular seek information about the processing of your personal data, arrange for incorrect personal data to be rectified, ask for certain personal data to be erased, lodge an objection to data processing, seek the release of certain personal data in a current electronic format or ask for the data to be transferred to other responsible parties.
In cases where cantonal provisions on the use of information and data protection apply, you may under certain circumstances enforce further rights under cantonal law, e.g. by asking for a stop to be placed on your personal data.
If you wish to exercise your rights in relation to us, please contact us. To enable us to exclude malpractice, we must identify you (e.g. by seeing a copy of an identity document, if necessary).
Please note that criteria, exceptions or limitations apply to these rights (e.g. in order to protect third parties or professional and business secrecy). We reserve the right to redact copies for reasons of data protection law or secrecy or to provide extracts only.

When our website is used (including newsletters and other digital resources), data (in particular technical data) are generated and stored in protocols. In addition, we may use cookies and similar techniques (such as pixel tags or fingerprints) in order to recognize website visitors when they return, evaluate their conduct and ascertain preferences. A cookie is a small data file that is transferred between the server and your system and enables a particular device or browser to be recognized again.
You may set your browser in such a way that it automatically declines, accepts or erases cookies. You may also deactivate or erase cookies in specific cases. Your browser’s help menu explains how to manage cookies in your browser.
The technical data gathered by us and the cookies do not as a rule contain any personal data. However, personal data that we or third-party providers retained by us store about you (e.g. if you have a user account with us or with these providers), may be linked to the technical data or to information stored in the cookies and obtained from you; in that case you may become identifiable.
We also use social media plug-ins, i.e. small software modules that establish a link between your visit to our website and a third-party provider. The social media plug-in informs the third-party provider that you have visited our website and may transfer to that third-party provider cookies which he has previously placed on your web browser. Further information about the way in which these third-party providers use your personal data collected via your social media plug-ins can be found in their individual privacy notices.
We also use our own tools and the services of third-party providers (who may place their own cookies) on our website, in particular to improve the functionality or content of our website (e.g. integration of videos or maps) and to compile statistics. This includes in particular Google Analytics, Google Maps, Youtube and iFrame.
Some of the third-party providers used by us may be located outside Switzerland. In terms of data protection law, they are sometimes “only” order processors acting on our behalf and sometimes also responsible entities. Further information on this matter will be found in the privacy notices.

We run pages and other forms of online presence on social media and other platforms operated by third parties; when doing so, we process data about you. We receive data from you (e.g. if you communicate with us or comment on our contents) and also from the platforms (e.g. statistics). The platform providers may analyse your use and process these data, together with other data that they hold about you. They also process such data for their own purposes (e.g. for marketing and market research and to administer their platforms); to that end they act under their own responsibility. Further information about processing by the platform operators can be found in the privacy notices of the platforms concerned.
We are entitled, but not obliged, to verify third-party contents before or after their publication on our various types of online presence, to erase contents without prior notice and, as appropriate, to report them to the provider of the platform concerned.
Some platform operators may be located outside Switzerland. See above for information about the disclosure of data abroad.

a. Use of the meta pixel (Facebook pixel)

Our website uses the meta pixel from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Meta’). This pixel enables us to track the behaviour of visitors to our website and to display targeted advertisements on Facebook and Instagram (so-called ‘retargeting’).

b. What data is collected?

By using the meta pixel, meta can collect and process the following data:

1. Visiting our website and sub-pages visited
2. Your user behaviour (e.g. links clicked on, time spent on the site)
3. Your IP address and technical information about your device (e.g. browser, operating system)
4. Whether you came to our website via a Facebook or Instagram ad
5. hashed (encrypted) Facebook ID if you are logged in

c. Purpose of processing

This data is processed for the following purposes:

1. Conversion tracking: We can track what actions users take on our website after they have seen or clicked on a Facebook or Instagram ad.
2. Personalised advertising: Users who have visited our website can be targeted with relevant advertising on Facebook and Instagram (retargeting).
3. Optimisation of our advertising measures: We use the collected data to analyse and improve the effectiveness of our Facebook and Instagram advertising.

d. Legal basis for the processing

The use of the meta pixel is based on your consent in accordance with Art. 6 (1) point a GDPR. You can give your consent via our cookie banner or withdraw it at any time.

e. Data transfer and storage

The data collected by the pixel is transmitted to Meta and stored there. A transfer to the USA cannot be excluded. Meta processes the data in accordance with the data policy of Meta.

f. Objection and opt-out options

You can disable the collection by the Meta pixel by:

1. Adjusting your cookie settings on our website.
2. Disabling personalised advertising in your Facebook settings at https://www.facebook.com/settings?tab=ads.
3. Installing the ‘Facebook-Pixel Blocker’ browser add-on (available for Chrome).

If you do not want Meta to link the collected data to your Facebook or Instagram account, you should log out of Facebook/Instagram before visiting our website.

g. Further information

Further information on data processing by Meta can be found in the Meta data policy.

We do not assume that the EU General Data Protection Regulation (GDPR) is applicable in our case. However, should that exceptionally be the case for certain data processing operations, this section shall apply solely for purposes of the GDPR and the data processing operations governed by it.
We base the processing of your personal data in particular on the fact that it is necessary for the initiation and conclusion of contracts and for their administration and enforcement (Art. 6 para. 1 letter b GDPR); to safeguard our own legitimate interests or those of third parties; in particular, for communication with you or with third parties; in order to operate our website; for the improvement of our electronic resources and registration for certain offers and services; for security purposes; for compliance with Swiss law and internal regulations; for our own risk management and corporate governance (Art. 6 para. 1 letter f GDPR) and for other purposes such as training and further training, administration, to provide evidence and
for quality assurance, organisation, holding and debriefing of events and for other legitimate interests; where prescribed or permitted by law of the EEA or of a Member State; when necessary to protect your own vital interests or those of other natural persons; if required to perform a task that is in the public interest or done in the exercise of public authority that has been entrusted to us; if you have consented to such processing separately or by making a relevant enquiry on our website (Art. 6 para. 1 letter a and Art. 9 para. 2 letter a GDPR).
We call your attention to the fact that, as a matter of principle, we process your data only as long as our processing purposes, statutory retention periods and our legitimate interests, in particular for documentation and evidential purposes, so require or storage is necessary for technical reasons (e.g. in the case of backups or document management systems). If no legal or contractual obligations or technical reasons prevent this, we erase or anonymize your data in principle upon the expiry of the retention or processing period using our habitual procedures and in compliance with our retention guideline.
If you do not supply particular personal data, this may create a situation in which provision of the associated services or the conclusion of a contract are impossible. In principle, we indicate the cases in which personal data requested by us are imperative. 
The right established above to object to the processing of your data likewise applies in particular to data processing operations for direct marketing purposes.
If you do not agree to our handling of your rights or to this data protection, please let us know. If you are located in the EEA you likewise have the right to appeal to the data protection supervisory authority in your country.

Purposes for which data are processed and legal bases Surveillance cameras process all personal data generated when an individual is present in the area covered by such surveillance.
This includes in particular body movements, behaviour, all visible parts of the body etc.
Video surveillance on the Insel site takes place for the following purposes:

• Prevention and investigation of criminal acts and other forms of misconduct (e.g. acts of violence or aggressive behaviour, performance of internal investigations, data analyses to prevent fraud);
• Assurance of patient safety;
• Enforcement of legal claims and defence in connection with legal disputes and official procedures;
• Safeguarding our operations.

We process and store your personal data as long as that is necessary to perform our contractual and legal obligations or otherwise required for the purposes pursued by such processing. The video recordings made by surveillance cameras that are accessible to the public are retained in principle for between 7 and 14 days. Video surveillance by cameras that are not accessible to the public is normally effected in real time only. Longer retention must comply with statutory retention and documentation requirements. Personal data may possibly be retained for the time during which claims may be enforced against our enterprise and to the extent that we are otherwise required to do so by law or that our legitimate interests so
require (e.g. to provide evidence).
Your personal data will be erased as soon as they are no longer needed for the above purposes.

Recipients of the video recordings are in the first instance selected employees of Insel Gruppe AG, who need such recordings to achieve the processing purpose. We only disclose your personal data to third parties in order to make use of technical or organisational services that we require for the attainment of the above purposes or for our other business activity. When support assistance is provided by an outside enterprise, the surveillance cameras or video recordings may be briefly accessed from other countries anywhere in the world.
If necessary, the recordings will be handed over to the authorities for criminal, civil law or administrative proceedings.
Where data are transferred to a country which does not respect an appropriate data protection standard, we ensure as required by law by means of suitable contracts (in particular on the basis of standard contract clauses) or binding corporate rules that an appropriate standard of data protection is respected; alternatively, we work on the basis of the exceptional circumstances stipulated by law for consent, contract performance, determination, exercise or enforcement of legal claims or overriding public interests.

The MyInsel app is the digital gateway to your administrative and medical data that are stored at Insel. This tool enables you to interact with your sensitive data. You may for example read your patient documents, share them, download them, communicate with medical personnel at Insel and input data. Further functions such as video appointments or making an appointment by mobile are also offered. For treatment purposes the app may be used to provide assistance. The information that you share with us via the app will become part of your patient records. If you attempt to use one of these functions for the first time, we will ask for your consent within the app and only allow you to use a particular function if you have given your consent. You must not grant your consent if you do not wish the app to interact with your data. The app has been developed by Epic Systems Corporation; please read the Epic privacy guidance for mobile applications for patients to obtain more detailed information about the limited interaction with your data: (https://www.epic.com/privacypolicies/?privacy-policy=mobile-policy-patient).
The application also provides a location-based check-in for personal appointments and enables you to find healthcare service providers in your vicinity. If you attempt to use a function that employs your location for the first time, we will ask for your consent via the app. Access to your location will only be permitted if you have given your consent for that to be done. 
Thiis is of course voluntary. We do not store your location data.
For further information, in particular about the processing purposes, disclosure of data to third parties and about your rights, please read the above general privacy notice.

This privacy notice is not part of a contract with you. We may amend this privacy notice at any time. The text published on this website in the latest version in every case.

Status April 2024