for the use of the web portal "MedYouCate" by MedYouCate GmbH, FN 560961 v
which personal data is processed / not processed by MedYouCate;
the purposes for which MedYouCate processes personal data;
the legal bases MedYouCate relies on when processing personal data;
to which recipients or categories of recipients MedYouCate transfers personal data;
how long personal data is stored by MedYouCate;
which external tools and plugins MedYouCate uses;
what rights data subjects have in relation to their personal data;
how MedYouCate can be reached in connection with data protection issues as well as the exercise of data subject rights.
With this data protection declaration, MedYouCate fulfils its information obligations under data protection law pursuant to Articles 12 to 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation" or "GDPR").
Masculine forms used in this data protection declaration refer equally to men and women. This is not intended to express gender discrimination or a violation of the principle of equality.
·MedYouCate shall mean MedYouCate GmbH, FN 560961 v (Regional Court Linz).
MedYouCate portal shall mean the Internet platform operated by MedYouCate under the web address https://www.medyoucate.com.
User shall mean any natural person (i.e. healthcare professional, student) using the MedYouCate portal. A User who has concluded an individual contract with MedYouCate is an "Individual User". A User who derives his right of use via an organiser is a "Derived User".
Content Creator shall mean any User who has been granted permission by MedYouCate to create individual content using the "Creator Studio" tool on the MedYouCate portal.
Organiser shall mean any natural or legal person who, as administrative body, concludes a contract with MedYouCate. The organiser of MedYouCate is only given permission to grant the role of a Derived User to persons from the sphere of the organiser. For the avoidance of doubt, the Organiser is deemed to be an independent controller within the meaning of Article 4 (7) of the GDPR; joint controllership of the Organiser and MedYouCate under Article 26 of the GDPR is excluded.
3. Data protection officers
Sole controller pursuant to Article 4 (7) GDPR for the processing of personal data relating to the MedYouCate portal is MedYouCate GmbH, commercial register number 560961 v, Promenade 25b, 4020 Linz.
4. MedYouCate collects the following categories of data
Data that MedYouCate collects from the User as well as the organiser:
Basic information of the User as well as organiser: MedYouCate processes personal data / data categories of Users as well as Organisers. MedYouCate collects this data from the respective Individual User or Organiser itself. Data of Derived Users are imparted to MedYouCate by an Organiser. This includes:
Sign-in data: This includes the first and last name, the username, the e-mail address, the password, and the date/time as well as the IP address of the last login.
Master data: This includes personal data that is necessary for generating a user account and billing. Depending on the occasion, this includes the name (including academic titles), the professional title, the employer or the university, the address (street, postal code, city, country), the location at the time of registration, account data, other payment data or information, the tax number, evidence of the user being a medical professional or student, the profile picture, as well as the connection between an Organiser and a Derived User.
If the Organiser imparts personal data of any Derived User to MedYouCate, he must first ensure within his organisation that such transfer is based on a valid consent of the User or another permissible legal basis under data protection law within the Organiser's area of responsibility.
Correspondence Data: in case of direct contact between the User/Organiser and MedYouCate (e.g. support requests), MedYouCate collects and processes the personal data that the User/Organiser discloses to MedYouCate.
Data imparted to MedYouCate by the Content Creator ("Content Data"): MedYouCate processes personal data that the Content Creator uploads to the MedYouCate portal by using the "Creator Studio" tool in accordance with Section 6.
Data automatically generated by the MedYouCate portal:
Session data: This includes the session ID.
Log data: This includes, for example, the URL accessed by the User or Organiser, the timestamp (date/time), browser type/browser version, the operating system used, the referrer URL and the IP address.
Usage data: This includes data related to the User's use of the MedYouCate portal, in particular which courses the User has enrolled for and which media content has been viewed.
In general, there is no obligation to provide the aforementioned data. However, this could result in MedYouCate not being able to provide all services of the MedYouCate portal. For example, the non-disclosure of Master Data could prevent MedYouCate from the formation of a contractual relationship with the Individual User or Organiser. Likewise, the non-disclosure of Correspondence Data could prevent MedYouCate from responding to inquiries.
5. Purposes and legal bases of processing
MedYouCate processes the personal data mentioned in Section 4 in order to be able to offer, operate and provide the MedYouCate portal. In doing so, MedYouCate respects the principle of data minimization in accordance with Article 5 (1) (c) GDPR. This means, in particular, that MedYouCate only processes personal data necessary to achieve the respective purposes. The purposes of the processing include:
Registration, creation of a user account: MedYouCate processes Master Data of the User or Organiser in order to enable the initial registration to the MedYouCate portal and to set up a user account. With regard to Individual Users and Organisers, the legal basis for the processing is the performance of the contract; with regard to Derived Users, the legal basis is the overriding legitimate interest of MedYouCate (enabling the Derived User to register or set up a user account).
User verification: MedYouCate processes Master Data of the User or Organiser in order to verify whether the User or Organiser is a medical professional, a student or a Content Creator. The legal basis for the processing is the overriding legitimate interest of MedYouCate, (making the content of the MedYouCate portal available only to those Users or Organisers who can demonstrate a professional usage interest for educational or training purposes).
Sign-in and provision of the content of the MedYouCate portal: MedYouCate processes Sign-In Data of the User or Organiser as well as session data in order to enable the User or Organiser to log in to the MedYouCate portal and subsequently use it as intended. With regard to Individual Users and Organisers, the legal basis for the processing is the performance of the contract; with regard to Derived Users, the legal basis is the overriding legitimate interest of MedYouCate (enabling the User or Organiser to log in and use the MedYouCate portal).
Personalisation of the MedYouCate portal: MedYouCate processes Usage Data in order to personalise the MedYouCate portal for the respective User. Such personalisation includes, in particular, the storage of the courses subscribed to by the User or assigned to the User by the organiser as well as the course history (e.g. content that has already been viewed), the management of the watch list as well as the computation of the User's preferences in order to be able to derive and present a course or content selection tailored to the respective User. The legal basis for the processing is the overriding legitimate interest of MedYouCate (enabling such personalisation for the User).
Communication: MedYouCate processes Master Data of the User or Organiser as well as Correspondence Data in order to be able to contact and correspond with the User or Organiser in relation to the MedYouCate portal and its range of services, in particular by means of the contact form provided on the MedYouCate portal or by e-mail. The legal basis for the processing is - depending on the reason for this contact and in compliance with § 174 TKG 2021 (Unsolicited Messages) - consent, contract performance or initiation or the overriding legitimate interest of MedYouCate (handling the communication).
Newsletter: MedYouCate processes Master Data of the User or Organiser (name, e-mail address, if necessary group attribution to medical professionals, students or content creators) in order to send him – in case the User/Organiser has registered to the service beforehand – a newsletter by e-mail. MedYouCate only processes such personal data for this purpose if the User or Organiser has given his prior consent. This consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Ordering services, billing including debt collection: MedYouCate processes Master Data of the User or organiser as well as Usage Data in order to be able to bill for its services on the MedYouCate portal, and, if necessary, to collect the claims (including court actions). The legal basis for processing personal data of Individual Users or Organisers is the performance of the contract. As far as personal data of Derived Users have to be included in this billing, the legal basis for processing is the overriding legitimate interest of MedYouCate (ensure proper billing towards the contractual partner). In case of (judicial) enforcement of the claim, the legal basis is the overriding legitimate interest of MedYouCate (being able to enforce the claim).
Creation of certificates : MedYouCate processes data of the Content Creator, Content Data as well as Master Data of a User who has successfully completed a course in order to be able to issue a certificate of participation to this User. The legal basis for the processing is the overriding legitimate interest of both MedYouCate and the participating User (enable the documentation for the User). If the Content Creator has uploaded a signature scan, this signature will also be attached to the certificate of participation. The legal basis for the processing of this personal data is the consent of the Content Creator. This consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
IT security: MedYouCate processes all information (including data of Users and Organisers as well as automatically generated data) to ensure the security and operability of the MedYouCate portal. This includes, in particular, processing activities related to technical and organisational measures to detect, prevent and pursue attacks against the MedYouCate portal. The legal basis for the processing is the overriding legitimate interest of MedYouCate (being able to achieve the aforementioned objective).
Prevention of fraud and abuse: MedYouCate processes all information (including data of Users and organisers as well as automatically generated data) to be able to detect, prevent and prosecute abuse of the MedYouCate portal as well as abuse of the data of Users and organisers (in particular uses of the MedYouCate portal contrary to the General Terms and Conditions, usage by several persons, recording content, data and credit card fraud). The legal basis for the processing is the overriding legitimate interest of MedYouCate (being able to achieve the aforementioned objective).
Fulfilment of legal obligations: MedYouCate processes Master Data of Users and organisers in order to comply with statutory disclosure, record-keeping and storage obligations (in particular those pursuant to § 132 of the Austrian Federal Tax Code [“Bundesabgabenordnung” – BAO] and § 212 of the Austrian Commercial Code [“Unternehmensgesetzbuch” – UGB]) and to comply with the rights of data subjects (in particular those pursuant to Art 15 et seq GDPR).
Other purposes: MedYouCate may also process personal data for purposes and on the basis of legal grounds mentioned as such in Section 6 (use of the Creator Studio), Section 7 (transfer of personal data to third parties) and Section 8 (cookies and web tools).
6. Use of the Creator Studio
MedYouCate enables the Content Creator – provided that he has been activated for this function – to create his own courses on the MedYouCate portal by using the "Creator Studio" tool. MedYouCate processes the data that the Content Creator enters or uploads in the course creation process. The purpose pursued by MedYouCate lies in the provision of these courses to create a high-quality educational or information offer for Users. The following applies:
Personal data of the Content Creator: This includes - depending on the data entered - for example the name, academic title, job title and place of work of the Content Creator. The legal basis for the processing is the consent of the Content Creator.
This consent can be withdrawn by the Content Creator without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Personal data of patients:
MedYouCate expressly does not process any direct or indirect personal (also pseudonymised) data (in particular health data, genetic data or biometric data) of patients, but only completely and irreversibly anonymised data. The Content Creator shall ensure and guarantee to MedYouCate - in particular by applying suitable, state-of-the-art anonymization measures - that the data entered or uploaded by him exclusively represent irreversibly anonymized data, so that a (re-)identification of the patient by MedYouCate or third parties is impossible.
The Content Creator shall also guarantee to MedYouCate that patients have – in accordance with the relevant data protection or professional regulations – demonstrably given their consent or approval that their personal data (in particular image and video material) will – exclusively in the area of responsibility of the Content Creator – be recorded and irreversibly anonymised for the purpose of publication for educational and training purposes (including the publication in the MedYouCate portal). The Content Creator shall be considered sole controller within the meaning of Article 4 (7) of the GDPR with regard to such processing until the stage of complete, irreversible anonymisation of the data.
MedYouCate may provide the Content Creator with an information sheet with recommendations on secure, state-of-the-art anonymisation.
Should MedYouCate determine that the Content Creator has not exclusively irreversibly anonymised patient data, but rather entered or uploaded direct or indirect personal or pseudonymised data of patients, MedYouCate is entitled and obliged to immediately delete this data from the MedYouCate portal and to destroy any backup copies thereof. In such a case MedYouCate is also entitled to temporarily or permanently revoke the right of the Content Creator to create own courses, without the Content Creator being entitled to any claims against MedYouCate in this regard.
The Content Creator must upon MedYouCate's request provide MedYouCate with all information and disclosures that the provisions of this Section are complied with.
7. Transmission of personal data to third parties
Personal data will only be disclosed to third parties or transferred to third parties in accordance with the following provisions:
MedYouCate assigns data processors to perform its business activities. In doing so, MedYouCate ensures that prior to the start of the respective processing operations, processing agreements pursuant to Article 28 GDPR with these processors have been concluded. These processors are:
Kaleido AI GmbH, Ungargasse 37/BT1/3.3, 1030 Wien, Austria (Operator of the service „Remove.bg“): MedYouCate uses this service to be able to remove the background of signatures uploaded by Content Creators. The privacy statement of Kaleido AI GmbH is available here: https://www.remove.bg/de/privacy.
Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (Operator of the service “Cloudflare”): MedYouCate uses this service to ensure the security of the MedYouCate portal, in particular to protect it against DDoS attacks. The privacy statement of Cloudflare, Inc. is available here: https://www.cloudflare.com/de-de/gdpr/introduction/.
Objectis Ltd., Laisves st. 60, LT-05120 Vilnius, Lithuania (Operator of the service “Cookie-Script.com“): MedYouCate uses this service to manage cookies and obtain consent from Users or Organisers to set cookies. The privacy statement of Objectis Ldt. is available here: https://cookie-script.com/privacy-policy.html
Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland (Operator of the services "Google Tag Manager" and "Google Analytics"). Further information on these services can be found in Section 8.
For the purposes stated in Section 5, personal data is transferred to banks (e.g. to make transfers to the Content Creator), tax advisors (e.g. to carry out proper accounting), lawyers and collection agencies (e.g. to collect outstanding debts), courts and authorities (e.g. to report and clarify legally relevant facts or to enforce claims). The data is also transmitted whenever MedYouCate is legally obliged to do so.
Some of the recipients mentioned above are located outside the European Economic Area or process personal data there. The level of data protection in other countries may not be the same as in the European Economic Area. In particular, in case of data recipients located in the United States of America, it cannot be ruled out that US authorities will request access to the data and a recipient will grant such access.
However, MedYouCate only transfers personal data to countries for which the EU Commission has decided that they have an adequate level of data protection, or MedYouCate takes measures to ensure that all recipients have an adequate level of data protection. For example, standard contractual clauses (pursuant to Commission Implementing Decision (EU) 2021/914) are concluded for this purpose. MedYouCate will make these Standard Contractual Clauses available upon request (cf. Section 12).
8. Cookies and Web Tools
8.1. Essential cookies
MedYouCate uses the following essential cookies, which are necessary for the proper functioning of the MedYouCate portal:
Consent to the setting of cookies granted or not granted
End of session
8.2. Google Analytics
MedYouCate uses Google Analytics on the MedYouCate portal, which is offered by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The purpose of the use is to analyze the use of the MedYouCate portal by Users or Organisers.
Cookies are used for the proper functioning of this service. The usage information collected by means of these cookies is generally transferred to a Google server in the USA and stored there.
IP anonymization has been activated for the MedYouCate portal. This means that the IP address of Users or Organisers within the European Economic Area is shortened in such a way that any personal reference to a User or an Organiser is omitted. Based on such anonymized data, MedYouCate creates, via the data processor Google Ireland Limited, an analysis of the use and activity of the MedYouCate portal. This analysis is used to evaluate the performance of the MedYouCate portal.
Usage data includes, inter alia, page views, the first visit to the website, the start of the session, interactions made with the MedYouCate portal, scrolls, clicks on external links, internal search queries, interactions with videos, downloads of files, interactions with ads and language settings. In addition, the approximate location, the shortened IP address, technical information about the browser and terminal device used, the Internet provider, and the referrer URL are recorded.
This data is automatically deleted after two months. Data whose retention period has been reached is automatically deleted once a month.
The legal basis for processing is the consent given by the User or Organiser in accordance with Article 6 (1) (a) GDPR and Article 49 (1) (a) GDPR. This consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn here:
Alternatively, the storage of cookies can also be prevented in the first place by preconfiguring the browser software used. However, if the browser software is configured in such a way that all cookies are rejected, the functionality of the MedYouCate portal may be restricted. Furthermore, the User or Organiser can prevent the collection of data generated by the cookie by (i) not consenting to the setting of the cookie, or (ii) downloading and installing the browser add-on to disable Google Analytics under this link: https://tools.google.com/dlpage/gaoptout?hl=de.
Possible data recipients are:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (as processor pursuant to Article 28 GDPR)
Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
It cannot be ruled out that data stored by Google may be transferred to the USA and accessed by US authorities. The USA is, from a data protection perspective, currently considered a third country. Users or Organisers do not have the same rights there as within the EU or EEA. They may not be entitled to legal remedies against such access. For the appropriate safeguards taken by MedYouCate, cf. Section 7
8.3. Google Tag Manager
9. Storage period
Sign-in data of Users and Organisers as well as Usage Data are stored for the duration of the usage relationship with MedYouCate and deleted after its expiration.
Session data is stored for the access duration of the MedYouCate portal and deleted after logout , but no longer than after one month. Log data is stored for a period of 24 hours as personal data; after expiry, the IP address is anonymised. If this data is required for IT security and fraud prevention purposes, the data will continue to be stored as personal data until the end of the respective purpose.
Content Data will be stored - depending on which case occurs first - (i) until deletion by the Content Creator or (ii) until MedYouCate receives a withdrawal of consent by the Content Creator or a person involved, at the longest, however, (iii) until termination of the usage relationship with the Content Creator and thereafter deleted, unless there is a legal obligation to store such data.
10. Automated decision making including profiling
MedYouCate does not process personal data for the purpose of automated decision making including profiling.
11. Rights of data subjects in relation to personal data
Persons whose data is processed by MedYouCate (“data subjects”) are, depending on the conditions of the applicable law, entitled
to request information as to whether and which personal data of the data subject MedYouCate is processing and to receive further information on such processing, as well as to receive copies of such data;
to request the rectification or completion of personal data;
to request the deletion of personal data that are inaccurate or processed in a way that does not comply with the law;
to request MedYouCate to restrict the processing of personal data;
to object to the processing of personal data under certain circumstances, whereby an objection to the processing for purposes of direct marketing is possible at any time without stating reasons;
to request data portability, provided that the processing is based on the legal grounds of consent or the performance or initiation of a contract and is carried out by means of automated procedures;
to know the identity of third parties to whom the personal data are transmitted;
if the processing is based on the legal basis of consent, to withdraw the consent; such withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
to lodge a complaint with the competent authority (Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, [email protected]).
12. Contact details of the responsible person
For inquiries regarding data protection or the exercise of data subject rights, please contact exclusively:
Company registration number (FN) 560961 v
Promenade 25b, 4020 Linz
Tel: +43 664 4003834
Email: [email protected]
Valid from: 30.03.20