Data Protection
1 In a nutshell
With the Mavie health portal (“Portal”), we offer you a platform through which you can book services in the area of mental health or take advantage of other services (e.g. mental health videos). The offer includes targeted health services, such as arranging and providing psychological care for employees and their relatives living in the same household. In this context, your personal data will be processed primarily to make your reservation and to contact you or inform you regarding new offers. Naturally, this also involves processing your health data. As we are aware of the high importance of your personal data (in particular your health data), we want to inform you here in more detail about how we process your personal data (“your data”) in connection with the Mavie health portal.
This privacy policy is regularly adapted based on legal or technical developments. We will inform you about these adjustments via e-mail. If you have any questions in this regard, please address them to the point of contact listed under Point 2.
2 Who is responsible for processing your data?
The company responsible for data processing in connection with the portal is Mavie Work GmbH (FN 248924s), Landstraßer Hauptstraße 95/1/4a, 1030 Vienna. If you have any questions about the data processing described herein or wish to assert your rights as a data subject, please contact our data protection officer at:
kontakt@maviework.care
3 What personal data do we process?
3.1 What are personal data?
Personal data are basically any information relating to an identified or identifiable individual. This includes, in particular, e-mail address, company code (for allocating the company), first name, last name, gender, year of birth, employment relationship, as well as your health data. This includes information about your physical and mental condition. Health-related data belong to the so-called special categories of personal data and are subject to a particularly high level of protection. You can find out which personal data are actually processed in the following points.
The use of information that is not personal is not subject to any restriction under data protection law, because in these cases it is no longer possible to trace the data back to a specific person (so-called anonymous data, such as aggregated data of a group).
3.2 Required data processing when using the portal
3.2.1 Registration:
General: you must register in order to use the functions of the portal, in particular to be able to book the services offered on the portal.
The following data are processed: IP address of the device used, company code, e-mail address, first name and surname (or a pseudonym chosen by you) and password. If you have indicated the following during registration, we also process: salutation (gender), year of birth and employee status. These data are also referred to collectively below as “Your profile data”.
Purpose: The processing of your profile data is required in order for us to provide our services and to enable you to book the services offered on our portal.
Legal basis: The processing of your profile data is necessary to implement the bookings you have made. The processing is therefore carried out within the framework of the fulfilment of a contract in accordance with Article 6 (1) (b) GDPR.
Retention period: we either store this data for as long as you maintain an account with us, our contract with your employer is upheld, or we are legally obliged to store these data. In any case, we will delete your profile data after 10 years of inactivity at the latest.
Recipients / categories of recipients: see point 4.4.
3.2.2 Bookings:
General: processing your health data may be necessary if you book health services via our portal.
The following data are processed: in addition to the profile data described under point 3.2.1, the health data you provide will also be processed.
Please note: in the case of some bookings, the choice of service may allow conclusions to be drawn about the health of the user.
Purpose: the processing of your health data is necessary so that we can provide our services, enable you to book the health services offered on our portal and, if necessary, remind you of any bookings you have made.
Legal basis: the processing of your health data is voluntary and based solely on the data you enter and your usage behaviour. In these cases, data processing takes place on the legal basis of preventive health care, care or treatment in the health or social sector, on the basis of a contract with a healthcare professional (Article 9 (2) (h) GDPR) or in the public interest (in accordance with Article 9 (2) (i) GDPR), whereby the data are processed by specialised personnel who are subject to an obligation of secrecy.
Retention period: we store your data as long as this is necessary to implement your bookings.
Recipients / categories of recipients: see point 4.4.
3.2.3 Processing your enquiries
General: if you have any questions about our company, our services, services from third parties arranged by us, or if you have any suggestions or complaints, you can contact us directly via the contact details listed in point 2.
The following data are processed: e-mail address, date and time of your request, content of your enquiry.
Purpose: we process your data in order to be able to process your enquiry.
Legal basis: the processing of your enquiry is necessary for the fulfilment of our contractual obligations. The processing is therefore carried out in accordance with Article 6 (1) (b) GDPR.
Retention period: we store your data for as long as is necessary to process your enquiry, or for as long as we are legally obliged to store this data.
Recipients / categories of recipients: see point 4.4.
3.2.4 Mental health support
General: you can take a mental health test on our portal. Based on these test results, we suggest videos or even services that you can book on our portal.
The following data are processed: the data (answers) you provide as part of the test.
Purpose: we process your data in order to carry out the test and to be able to suggest suitable mental health videos and services to you.
Legal basis: the processing of your data is for health-related purposes and is therefore based on Article 9 (1) (h) GDPR.
Retention period: we store your data for as long as is necessary to process your tests and to offer videos and services.
Recipients / categories of recipients: see point 4.4.
3.3 Optional data processing when using the portal
3.3.1 Newsletter and electronic applications
General: we also process your data to inform you about other services we offer. We would send you information via the portal for instance when the range of services expands. Likewise, we would send you relevant newsletters with medically relevant information via the portal (including e-mail).
The following data are processed: username, e-mail address.
Purpose: we process your data to send you information about the services offered via the portal and our newsletter.
Legal basis: we request your consent separately in order to be able to send you information about our additional range of services (Article 6 (1) (a) GDPR, Section 174 of the Austrian Telecommunications Act (TKG)). You provide this consent to us voluntarily. This means you can also withdraw your consent at any time and we will then no longer send you any newsletters.
Retention period: we will store your data for the purpose of sending you this information and the newsletter until you withdraw your consent.
Recipients / categories of recipients: see point 4.4. We may use the services of other data processors for technical processing.
4 Processor
We rely on service providers to help us organise and provide our service. These service providers have concluded a data processing contract with us in accordance with Article 28 GDPR and may therefore only process personal data on our behalf. We are supported above all by the following:
InnoCraft/Matomo
Truendo
Ray Sono
Microsoft
4.1. InnoCraft/Matomo:
We use Matomo, a product of InnoCraft Ltd, New Zealand, as a web analytics service to improve the services we offer you. The Matomo Analytics Cloud is used to analyse user behaviour on our website and app and helps to generate statistics. In doing so, Matomo, as our processor with whom we have concluded a data processing contract in accordance with Article 28 GDPR, automatically collects the following personal data: anonymised IP address of the user, optional user ID, date and time of the request, title and URL of the page viewed and the page previously viewed, the screen resolution used, the time in the time zone of the local user, files clicked on and downloaded, links to a third-party domain that were clicked on, page generation time (the time web pages take to be generated by the web server and then downloaded by the user: page speed), approximate location of the user (country, region, city, approximate latitude and longitude), language of the browser used, user agent of the browser used.
There is an adequacy decision between New Zealand and the Commission under Article 45 GDPR that provides an adequate level of protection.
4.2. Truendo:
Truendo is a consent management tool that we also use on the website and our app to request and document users’ consent for certain services. Truendo is an Austrian company and, as a data processor in accordance with Article 28, is also subject to our instructions. A Truendo cookie is therefore set in the browser of the user’s end device when the website is accessed or the app is opened. This cookie communicates only with Truendo and is used to determine whether a user has given consent and for what purpose. This cookie stores the user’s Unique Consent ID (“Privacy ID”) to link the user’s consent to the consents stored by Truendo. In this context, the anonymised IP address, location (at country level), browser properties (type, language, version), device properties (type, operating system, screen resolution), privacy ID, consent register and timestamp are processed.
4.3. Ray Sono:
Ray Sono AG is an IT service provider and provides the portal technically on our behalf and in our name. The development by Ray Sono includes the user registration and login, the Mavie topic areas, the counsellor bookings and “My Topics” as well as the ISR Test (validated questionnaire to classify the characteristics of certain symptoms). In terms of data protection law, they are therefore our data processors and as such Ray Sono is contractually obliged to comply with applicable data protection laws and data security standards in accordance with Article 28 GDPR. Ray Sono may only process your data in accordance with our instructions. As a company based in Germany, Ray Sono is subject to a comparable level of data protection as in Austria.
4.4. Microsoft:
As the portal provider, we use the cloud service of Microsoft Ireland Operations Limited, One Microsoft Place, Dublin, D 18 P 521, Ireland, for the portal, whereby the data are only stored in encrypted form within the European Union, with decryption only possible by us. In rare cases, data are also transferred to countries outside the European Union. Standard contractual clauses in accordance with Article 46 GDPR and additional contractual obligations to ensure a level of data protection comparable to the EU have therefore been secured with Microsoft in order to ensure adequacy with regard to the rights and freedoms of individuals. To comply with global, national, regional and industry-specific regulations, Microsoft Cloud solutions support more than 90 regulatory standards and laws, including ISO 27001, ISO 27018, ISO 27701, SOC 1, 2 and 3, C5, TISAX, KRITIS, BAIT and others.
Microsoft ensures that personal data are only processed on the instructions of the data controller; for us, this also applies with regard to its transmission.
No data are transferred to third parties beyond this.
5 What rights do you have and how can you exercise these?
You can request information at any time regarding your personal data that we process. If we process data about you that are inaccurate or incomplete, you can request for this to be rectified or completed. You can also request the deletion of data processed unlawfully. Please note, however, that this only applies to incorrect, incomplete or unlawfully processed data. We ask you to note that these rights complement each other, meaning that you can only request either the correction or completion of your data or its deletion.
If it is unclear whether the data processed about you are inaccurate, incomplete or processed unlawfully, you can request a restriction on the processing of your data until final clarification of this issue.
Even if the data regarding you are correct and complete and are processed by us lawfully, you may object to the processing of these data in specific individual cases justified by you. If the processing of your personal data is based on a weighing of interests (Article 6 (1) (f) GDPR: legitimate interests), you have the right, based on reasons arising from your particular situation, to object to the processing at any time. When exercising your right to object, we ask you to explain your reasons why we should not process your personal data as we have done. We will review the facts and either stop or adjust the data processing, or demonstrate our compelling legitimate reasons to you and continue the data processing. We will also continue the data processing if it serves the purpose of establishing, exercising or defending against legal claims.
You may object to data processing for the purposes of direct marketing at any time. In this case, we will stop processing the data.
Where we process data on the basis of your (express) consent, you can withdraw that consent at any time, whereby the withdrawal does not affect the lawfulness of the processing until the withdrawal. For details on withdrawing your consent in connection with the processing of your health data, please refer to point 3.2.2.
You may receive the personal data we process about you, if we have received it from you ourselves, in a machine-readable format determined by us, or you may instruct us to transfer these data directly to a third party of your choice, provided that this recipient enables us to do so from a technical point of view and that the transfer of the data is not prevented by unjustifiable expense or by legal or other obligations of secrecy or confidentiality considerations on our part or on the part of third parties (data transmission).
Please contact us with all your concerns using the contact details listed under point 2, whereby we may sometimes ask you for proof of your identity, e.g. by sending an electronic copy of your ID.
Although we make every effort to protect the privacy and integrity of your information, disagreements regarding the manner in which we use your information cannot be ruled out. If you believe that we are using your data in an unauthorised manner, you have the right to raise a complaint with the Austrian Data Protection Authority.
As at February 2022
Your Mavie Work GmbH team