Data Protection Policy
Data Protection Policy developed with the support of the Swiss Association of Medical Massage (vdms-asmm)
The responsible handling of our patients’ and clients’ data has always been a priority for us. We are gradually implementing changes to protect the personal data of our patients and clients. The completely revised Data Protection Act (nDSG) will come into force on 1 September 2023, and to mark this occasion, we are publishing our data protection guidelines.
About me - Who am I?
Nicolas Hamdy is a sole trader offering services such as medical massage and osteothai. We are committed to quality and effectiveness in order to tailor each therapy to the individual.
What are we doing to protect data?
The responsible handling of personal data is part of ethically responsible conduct. Data protection and security are therefore central concerns for our practice.
What patient/client data is processed?
Personal data is processed almost every time you interact with us or we interact with you, for example when you contact us via our website or by telephone. As part of our treatment services and in order to support you with prevention or rehabilitation, we also regularly process your health data. It is also important for us to be able to tailor our services to your individual needs.
To whom is personal data disclosed?
Your personal data may be passed on to other therapists in our practice and used by them. Outside our practice, personal data is generally only processed by selected service providers acting on our behalf and in accordance with our instructions. For health data, this applies only to a limited extent and, of course, in compliance with the applicable professional confidentiality obligations.
Is personal data secure?
As a general rule, we endeavour to limit personal data to the strict minimum necessary for the intended purpose. To protect data against unauthorised access, we ensure protection appropriate to the risks and implement comprehensive security measures. Where possible, we adapt these measures to the current state of the art.
Who should I contact if I have any questions?
If you have any questions regarding data protection, please contact us by telephone on our main number or via our general email address. You will find further information on data protection within our firm in general, and on our website in particular, in the privacy policy below.
General Privacy Policy
1. What is the purpose of this privacy policy?
In this privacy policy, we inform you about how we collect, process and use your personal data, as well as the purposes of these activities. Data protection is always a matter of trust. Our aim is to provide you with comprehensive information about the processing of your personal data and to help you understand it better. We have drawn up this privacy policy in accordance with Swiss data protection law.
2. Who does this privacy policy apply to?
This privacy policy applies to all individuals whose data we process, regardless of the means used to contact us. It applies to the processing of personal data across all our areas of activity. The data protection provisions are available on our website.
3. How do we protect personal data?
We take appropriate security measures (both organisational and technical) to ensure the security of your personal data. We thus protect it as far as possible against unauthorised or unlawful processing and take steps to prevent any risk of loss, accidental disclosure, unauthorised access or accidental alteration. However, we cannot completely rule out the possibility of a data security breach. Certain residual risks are unavoidable.
4. Who is responsible for data processing?
Within our firm, the management is generally responsible for data protection and ensures that data is processed correctly.
5. Scope of personal data
As part of our business activities, we process a large volume of data. This mainly comprises master data, contractual data, health data (including sensitive data), communication data and other data.
Master data
Master data comprises the fundamental information relating to our patients/clients. This includes first name, surname, contact details, date of birth and health insurance details. We collect master data when you opt for one of our services (e.g. medical massage, participation in classes, etc.). We may also collect master data to control access to our events (e.g. classes) or to our practice premises. We also collect master data via contact persons, contractual partners and authorities. As part of master data, we may also process health data as well as information concerning third parties (e.g. family members).
Contractual data
Contractual data is personal data generated in connection with the conclusion or performance of a contract (e.g. participation in courses, purchase of equipment). It may also include health data and information concerning third parties, for example information on cases of illness within the family. We primarily enter into contracts with patients, clients, job applicants, business partners or, generally speaking, contractual partners.
Health-related data – Sensitive data
We process health-related data as part of our therapeutic and medical services. We must and wish to attach particular importance to the protection of this data. As a general rule, we process sensitive personal data only if this is necessary for the provision of a service, if you have provided us with this data of your own accord, or if you have consented to it. We may also process sensitive personal data if this is justified and necessary from a legal perspective and if applicable law permits such processing. In addition to health data, children’s personal data is also subject to special protection. We therefore seek the consent of parents or legal guardians when we knowingly process the personal data of children who lack the capacity to consent. If consent has been given for a child by their parents or legal guardians, the child is free, as soon as they reach the age of discernment regarding the consequences of the consent or as soon as they reach the age of majority, to revoke this consent for the future. In the specific case of children capable of discernment, we generally allow them to decide for themselves on matters relating to the processing of their data; this is what the law provides for.
Communication data / Other data
When our firm is in contact with you or you are in contact with us, we process the content exchanged; in particular, we may request identification documents (ID card, health insurance card). A great deal of data is thus exchanged during communication. We also collect data about you in other situations. In the context of administrative or legal proceedings, for example, data is generated (such as files, evidence, etc.) which may also relate to our patients/clients. For health protection reasons, we may also collect data (for example, in the event of a pandemic, as part of protection plans). We may also take photographs or make audio and/or video recordings in which our patients/clients may appear (e.g. telephone consultations, participation in an event) and thereby obtain information about your behaviour in the relevant situations. During medical examinations, recordings may also be made to enable the healthcare professional, for example, to better assess symptoms or to better support the stages of treatment.
Use of CCTV systems
For security and evidence-gathering purposes, we also make video recordings in our shops and other premises. In doing so, we may obtain information about your behaviour in the relevant areas. The use of CCTV systems is limited to certain locations and is clearly signposted.
Use of our website (log data and cookies)
Each time you use our website, certain data is automatically generated for technical reasons and temporarily stored in log files, known as ‘log data’ (including the IP address, information about the internet service provider, information about the operating system, browser and URL, date/time, and the content viewed during your visit to our website). The processing of this data serves to enable the use of our website (establishing the connection), to ensure its functionality, to guarantee system security and stability, to enable the optimisation of our online offering, and for statistical purposes. The IP address is analysed together with other log files in the event of attacks on the IT infrastructure or other potentially unauthorised/abusive use of our website for the purposes of investigation and defence, and may be used for identification purposes in the context of criminal proceedings.
Cookies are files that your browser automatically stores on your device when you visit our website. Cookies contain a unique identification number (an ID) that allows different visitors to be distinguished from one another. With regard to cookies, we distinguish between necessary cookies (essential for the website to function properly), performance cookies (which collect information on the use of our website to enable analysis), functional cookies (which enable advanced features and the display of personalised content) and marketing cookies (which enable us to show you adverts on our website and on third-party websites).
5. Where does personal data come from?
Often, it is the patients and clients themselves who provide us with their personal data. In most cases, they supply us directly with their master, contractual and contact data. They also frequently provide us with their preference data themselves. However, we may also collect personal data about them manually or automatically, for example when they use our services, view our offers or use our website. This often involves behavioural data. We may also derive personal data from existing personal data. This derived personal data often relates to preferences or, in the case of medical examinations, master data.
6. What is the purpose of processing personal data?
The processing of personal data enables all parties involved to operate more efficiently and generally forms the basis and prerequisite for any contractual relationship.
Efficient processing of orders and contracts
In order to provide you with the best possible service to help you stay healthy or recover, we require accurate data in connection with our medical services. We wish to optimise the efficiency of our internal processes and therefore also process personal data for administrative purposes within our practice. To this end, we process, in particular, master data, contractual data and technical data, as well as behavioural and communication data.
Communication
We wish to stay in touch with you, as this is the only way to respond to your individual enquiries. We therefore process your personal data as part of our communication with you, for example to respond to your enquiries and manage customer relations. To this end, we use, in particular, communication data and master data and, where the communication relates to a contract, also contractual data. We are particularly committed to managing our resources sustainably. It is therefore also in our customers’ interests that we avoid paper correspondence as far as possible (particularly for booking appointments and invoices), and we assume that there is general consent for the sending of unencrypted emails, with the exception, of course, of particularly sensitive health data.
Compliance with legal requirements regarding security and prevention (regulatory compliance)
We create the necessary conditions to comply with legal requirements. We are therefore obliged to process personal data in order to fulfil our legal obligations and to detect and/or prevent infringements. As healthcare professionals, we wish to be able to assert our rights and defend ourselves against claims made by others. We therefore also process personal data for the purposes of legal defence, for example to assert our rights in court, in the context of judicial or extrajudicial proceedings, as well as before authorities in Switzerland and abroad, or to defend ourselves against claims. In doing so, we process various personal data depending on the situation.
Quality Improvement / Marketing
We wish to provide you with interesting offers and therefore process personal data as part of customer relationship management and for marketing purposes. We aim to continuously improve the quality of our offers and make them more attractive. We therefore process personal data as part of surveys and for quality improvement purposes. Where possible, we use pseudonymised or anonymised data for these purposes.
7. What is the legal basis for the processing of personal data?
The processing of personal data that we carry out is based on various legal grounds, depending on the purpose of such processing. In particular, we may process personal data where such processing:
• is necessary for the performance of a contract or the provision of services to the data subject
• is necessary for pre-contractual measures
• is necessary for the pursuit of legitimate interests
• is necessary to comply with national or foreign legislation
• is based on consent
8. To whom do we disclose personal data?
We only grant our staff and therapists access to your personal data if this is necessary for the performance of their duties. This may also apply to staff in other departments (e.g. administration or IT). These staff members are required to comply with our guidelines and are bound by a duty of confidentiality when processing your personal data. In certain specific cases, we may also pass on personal data to other third parties (e.g. health insurers) for their own purposes, for example if you have given us your consent or if we are legally obliged or authorised to do so. In such cases, the recipient of the data is considered a separate data controller within the meaning of data protection legislation. When we engage third-party service providers, we pass on personal data to these external companies. As a general rule, these service providers process personal data on our behalf as ‘data processors’. Our ‘data processors’ are obliged to process personal data exclusively in accordance with our instructions and to take appropriate measures to ensure data security. Certain service providers are also jointly responsible with us or act independently (for example, debt collection agencies). Through our choice of service providers and appropriate contractual agreements, we ensure that data protection is guaranteed throughout the processing of your personal data. Naturally, we comply with the rules on professional confidentiality (healthcare professionals) to which we are subject in certain cases. In such cases, we only pass on the relevant data (e.g. your health data) within our practice in accordance with the requirements of professional confidentiality (e.g. when necessary for your treatment).
9. How long do we process and retain personal data?
We process and retain personal data for as long as
• we have a legitimate interest in retaining it
• it is necessary for that purpose
• it is subject to a legal retention obligation (for certain data, retention periods are ten years or more)
In some cases, we also ask for your consent when we wish to retain your personal data for longer (for example, for applications we wish to keep on hold). Once the specified periods have expired, we systematically delete or anonymise your personal data.
10. What rights do we take into account when processing your personal data?
In certain circumstances, applicable data protection legislation grants you the right to object to the processing of your data, particularly with regard to marketing emails and other legitimate interests justifying such processing. Provided that the applicable conditions are met and no legal exceptions apply, you also have the following rights:
• to correct inaccurate personal data
• to request the deletion of your personal data
• to ask us whether we are processing data concerning you and, if so, which data
• to request that certain personal data be provided to you in a commonly used electronic format or transferred to another data controller
• to withdraw your consent with effect for the future, insofar as the processing is based on consent
You may exercise the aforementioned rights by contacting us via email, and you may also unsubscribe from the newsletter and other promotional emails. It should be noted that these rights may be restricted or excluded in certain specific cases, for example where this is necessary to protect other individuals or to comply with legal obligations. If you have any doubts regarding the legal compliance of the processing of your personal data, you may lodge a complaint with a competent supervisory authority.
11. How to contact us
If you have any questions regarding this privacy policy or the processing of your personal data, please do not hesitate to contact our firm using the following details:
Nicolas Hamdy
Ekkehardstrasse 9
8006 Zurich
079/686 80 46
12. Changes to the privacy policy
If we change our data processing practices or if new legal provisions come into force, this privacy policy may be updated from time to time. The current version is available on our website. However, it is generally the version in force at the time data processing began that applies.
Website Privacy Policy
What does it cover? In addition to our firm’s privacy policy, we provide the following details regarding data protection on our website.
Disclaimer
The author accepts no liability for the accuracy, correctness, timeliness, reliability or completeness of the information. Any liability on the part of the author for material or immaterial damage resulting from access to, use of or failure to use the published information, misuse of the connection or technical faults is excluded. All offers are non-binding. The author expressly reserves the right to amend, supplement or delete parts of the pages or the entire offer without prior notice, or to suspend publication temporarily or permanently.
Liability regarding links
We accept no liability for references and links to third-party websites. We accept no liability for these websites. Access to and use of these websites is at the user’s own risk.
Copyright
Copyright and all other rights to the content, images, photographs or other files on the website belong exclusively to our firm or to the rights holders specifically mentioned. Reproduction of any element requires the prior written consent of the copyright holders. The rights to our publications and our firm’s logo belong exclusively to us or to the specifically named rights holders and may only be used after obtaining prior written consent.
Data protection
Third parties are expressly prohibited from reusing our data in any way; please refer to the Data Protection Act. In close cooperation with our hosting providers, we endeavour to protect our databases as effectively as possible against unauthorised access, loss, misuse or falsification. When accessing our websites, the following data is recorded in log files: IP address, date, time, browser request and general information transmitted regarding the operating system or browser. This usage data forms the basis for anonymous statistical analyses to identify trends, from which we can improve our services accordingly.
1. Website Hosting
The content of our website is hosted by the following provider:
Squarespace
The provider is Squarespace Ireland Ltd., Le Pole House, Ship Street Great, Dublin 8, Ireland (hereinafter ‘Squarespace’).
Squarespace is a tool for creating and hosting websites. When you visit our website, your data is processed on Squarespace’s servers. In this context, personal data may also be transmitted to Squarespace’s parent company, Squarespace Inc., 8 Clarkson St, New York, NY 10014, USA. Squarespace also stores cookies that are necessary for displaying the website and ensuring security (necessary cookies).
The use of Squarespace is based on Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring that our website is displayed as reliably as possible. If corresponding consent has been requested, processing takes place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG, insofar as the consent relates to the storage of cookies or access to information on the user’s device (e.g. device fingerprint) within the meaning of the TTDSG. Consent may be withdrawn at any time.
Data transfers to the United States are based on the European Commission’s standard contractual clauses. Further details can be found here: https://support.squarespace.com/hc/de/articles/360000851908-DSGVO-und-Squarespace.
The company is certified under the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards when processing data in the United States. Any company certified under the DPF undertakes to comply with these data protection standards. For further information on this subject, please visit the provider’s website via the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnjcAAC&status=Active
2. General Information and Legal Requirements
Data Protection Policy
The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially, in accordance with the relevant data protection legislation and this privacy policy.
When you use this website, various types of personal data are collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and for what purposes we use it. It also explains how and for what purpose this is done.
Please note that data transmission over the internet (for example, when communicating by email) may be subject to security vulnerabilities. It is not possible to provide complete protection of data against access by third parties.
Data encrypted using SSL or TLS
For security reasons and to protect the transmission of confidential information, such as orders or enquiries that you send to us as the website operator, this page uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address in your browser’s address bar changes from ‘http://’ to ‘https://’ and by the presence of the padlock symbol in your browser’s address bar.
While SSL or TLS encryption is active, the data you transmit to us cannot be read by third parties while in transit.
Unsubscribe from Promotional Emails
The use of contact details published in the legal notice to send unsolicited advertising and promotional material is hereby prohibited. The website operators expressly reserve the right to take legal action in the event of unsolicited advertising being sent, for example via spam emails.
3. Collection of Data on This Website
Server Logs
The provider of these pages automatically collects and stores information in server log files, which your browser automatically transmits to us. This includes the following:
Browser type and version
Operating system used
Referrer URL
Host name of the accessing computer
Time of the server request
IP address
This data is not merged with other data sources.
The collection of this data is based on Article 6(1)(f) of the GDPR. The website operator has a legitimate interest in ensuring the technical functionality of the website and in optimising it; for this purpose, the collection of server log files is necessary.
Contact Us Form
When you send us an enquiry via the contact form, we store the information you have entered in the form, including your contact details, in order to process your enquiry and to be able to respond to you should we have any further questions. We do not pass on this data without your consent.
The processing of this data is carried out on the basis of Article 6(1)(b) of the GDPR, insofar as your enquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in efficiently handling enquiries addressed to us (Article 6(1)(f) of the GDPR) or on your consent (Article 6(1)(a) of the GDPR) where such consent has been sought; this consent may be withdrawn at any time.
The data you have entered in the contact form will remain in our possession until you ask us to delete it, withdraw your consent to its storage, or the purpose for storing the data no longer applies (for example, once your enquiry has been processed). Mandatory legal provisions – in particular retention periods – remain unaffected.
4. Social Networks – Instagram
This website incorporates features from the Instagram service. These features are provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. When the social media feature is active, a direct connection is established between your device and the Instagram server. Instagram thereby receives information indicating that you have visited this website. If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to this website with your user account. Please note that, as the provider of these pages, we have no knowledge of the content of the data transmitted or how it is used by Instagram. Where consent has been obtained, the use of the aforementioned service is based on Article 6(1)(a) of the GDPR and Section 25 of the TTDSG. Consent may be withdrawn at any time. Where no consent has been obtained, the use of the service is based on our legitimate interest in achieving the widest possible visibility on social media. Where personal data is collected on our website using the tool described here and transmitted to Facebook or Instagram, we are jointly responsible for this data processing with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Article 26 of the GDPR). This joint responsibility is limited exclusively to the collection of data and its transmission to Facebook or Instagram. The processing carried out by Facebook or Instagram after transmission does not fall within the scope of this joint responsibility. Our joint obligations have been set out in a joint processing agreement. You can find the text of this agreement at the following address: https://www.facebook.com/legal/controller_addendum. 
In accordance with this agreement, we are responsible for providing information on data protection when using Facebook or Instagram tools and for implementing these tools on our website in compliance with data protection legislation. Facebook is responsible for the data security of Facebook or Instagram products. You may exercise your rights as a data subject (e.g. requests for access) regarding data processed by Facebook or Instagram directly with Facebook. If you exercise your rights as a data subject with us, we are obliged to forward them to Facebook. The transfer of data to the United States is based on the European Commission’s standard contractual clauses. You can find further details here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/ and https://de-de.facebook.com/help/566994660333381. You can find further information on this subject in Instagram’s privacy policy: https://privacycenter.instagram.com/policy/. The company is certified under the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the United States aimed at ensuring compliance with European data protection standards when processing data in the United States. Any company certified under the DPF undertakes to comply with these data protection standards. You can find further information on this from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnywAAC&status=Active
5. Website Plugins and Tools
Google Maps
This website uses the Google Maps mapping service. The provider is Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland.
In order to use the features of Google Maps, it is necessary to record your IP address. This information is generally transmitted to a Google server in the United States and stored there. The operator of this website has no influence over this data transfer. When Google Maps is activated, Google may use Google Fonts to ensure a uniform display of fonts. When you access Google Maps, your browser loads the necessary web fonts into its cache to display text and fonts correctly.
The use of Google Maps is intended to present our online offerings in an attractive manner and to make it easier to locate the places we indicate on the website. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR. If the relevant consent has been requested, processing is carried out exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG, insofar as the consent relates to the storage of cookies or access to information on the user’s device (e.g. the device fingerprint) within the meaning of the TTDSG. Consent may be withdrawn at any time.
Data transfers to the United States are based on the European Commission’s standard contractual clauses. Further details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/
For further information on the processing of user data, please refer to Google’s privacy policy: https://policies.google.com/privacy?hl=de. The company is certified under the ‘EU-US Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the United States designed to ensure compliance with European data protection standards when processing data in the United States. Any company certified under the DPF undertakes to comply with these data protection standards. You can find further information on this subject from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active