Date: 01.01.2024

Introduction

Data protection is a matter of trust and your trust is important to us. We respect your privacy and personal sphere. Responsible and legally compliant handling of personal data is of great concern to us, derma competence center AG, Bodmerstrasse 4, 8002 Zurich, Switzerland (“dcc”, “we”, “us” and the like). We process personal data at all times in compliance with applicable law, in particular Swiss data protection law and, where applicable, the General Data Protection Regulation of the European Union (EU GDPR).

This Privacy Policy (“Policy”) describes the way in which we process your personal data (i) when we provide you with services or you use our services (in particular medical services in the field of dermatology incl. app, see Part A, General Privacy Policy) and (ii) when you visit our website (dermacompetencecenter.com) or purchase services as a customer via our webshop (dermacompetencecare.com) (together “Online Services”) (see Part B, Online Privacy Policy).

This Policy forms an integral part of the contract between you and us if it is listed in the relevant contract as an integral part of the contract. If this is the case and there are any contradictions between the contents of this Policy and the provisions of the relevant contract or any General Terms and Conditions (GTC), the provisions of the latter documents shall take precedence over the contents of this Policy.

This Policy also serves as a list of processing activities within the meaning of Art. 12 FADP and Art. 30 para. 2 EU GDPR.

In addition to this Policy, further terms of use, general terms and conditions (GTC) and data protection declarations may apply (in particular in connection with the use of the web shop and the app).

A. General privacy policy

1. Responsibility

dcc is responsible for the data processing described in this privacy policy.

2. Categories of data subjects and categories of personal data

Personal data are all details and information relating to an identified or identifiable natural person.

In connection with the provision of our services and your use of the services, we process personal data of the following categories of data subjects:

  • Patients in relation to our medical and aesthetic services (also in connection with the use of the app)
  • Customers in relation to our aesthetic and cosmetic services
  • Visitors and customers of our webshop
  • Visitors to our website

We process different categories of personal data, such as

  • Treatment data, health data and biometric data such as medical histories, diagnoses, therapy suggestions and findings
  • Contact and identification data such as first name, surname, address, date of birth, gender, e-mail address, telephone number, country and customer number
  • Personal details such as language
  • Insurance-related data such as the name and type of your insurance (e.g. health insurance, accident insurance, disability insurance) and insurance number
  • Contract and financial data such as contract type, contract content, type of services, applicable terms and conditions (web shop), remuneration claims as well as invoice and payment data.
  • Interaction and usage data such as correspondence, customer preferences, type and scope of use of services, customer service information such as complaints and information from the assertion of rights as well as feedback
  • Webshop user account information such as user name and password
  • Information regarding the use of the website and webshop such as frequency of visits, date, time and duration of visits, pages visited, search terms, clicks on content, website of origin, information in forms (e.g. contact and feedback forms), social media profiles, ratings and comments submitted, IP address; information about the end devices used (end device type, device ID, manufacturer, operating system, language, device settings, MAC address, etc.), cookie information and browser settings

As a rule, there is no legal or contractual obligation to disclose personal data. However, we will need to collect and process personal data that is necessary for the establishment and fulfilment of a contractual relationship and the services to be provided. Otherwise, we will not be able to conclude or continue the contract in question. The processing of certain data is also unavoidable when you use our online services. The logging of certain data (but generally not personal data) cannot be prevented for technical reasons.

Under certain circumstances, you may wish or be required to transfer or grant us access to the personal data of third parties. We would like to point out that in this case you are obliged to inform the persons concerned about this Policy and its contents, to obtain the consent of the persons concerned if necessary and to ensure the accuracy of the personal data concerned.

3. Processing activities incl. purposes of processing and retention period

Our various processing activities and the associated purposes of processing are listed below. In addition, the respective categories of personal data processed as well as their retention period and the criteria for their retention are listed:

Processing activity: Provision of our medical services including management and administration of patient files and patient data
Processing purpose: Handling day-to-day business (service provision), in particular documentation of treatments
Categories of personal data: Treatment data, health data and biometric data; contact and identification data; personal details; insurance-related data; contract and financial data
Retention period * / retention criteria: 20 years (in accordance with the FMH Code of Ethics)

Processing activity: Carrying out laboratory analyses
Processing purpose: Screening purposes, follow-up, determination of laboratory values; handling day-to-day business (service provision)
Categories of personal data: Treatment data, health data and biometric data; contact and identification data; personal details; insurance-related data
Retention period * / retention criteria: 5 years (according to the guideline for internal quality control, appendix to the concept for quality assurance in the medical laboratory, QUALAB)

Processing activity: Processing and administration of medication and material orders
Processing purpose: Handling day-to-day business (service provision)
Categories of personal data: Treatment data, health data and biometric data; contact and identification data; personal details; insurance-related data
Retention period * / retention criteria: 10 – 20 years (CO)

Processing activity: Processing of other orders and contracts (in particular those via web shop)
Processing purpose: Handling day-to-day business (service provision)
Categories of personal data: Contact and identification data; personal details; contract and financial data; interaction and usage data; user account information of the webshop
Retention period * / retention criteria: 5 – 10 years (CO)

Processing activity: Bookkeeping, debt collection, credit checks and billing with health insurance companies
Processing purpose: Handling day-to-day business (service provision)
Categories of personal data: Contact and identification data; personal details; insurance-related data; contract and financial data
Retention period * / retention criteria: 10 years (CO)

Processing activity: Marketing activities
Processing purpose: Marketing
Categories of personal data: Contact and identification data; personal details; interaction and usage data; information on the use of the website and web shop
Retention period * / retention criteria: Assessment in individual cases

Processing activity: Analysis and further development activities
Processing purpose: Improving service quality and the range of services offered; further development of our services and products
Categories of personal data: Treatment data, health data and biometric data; interaction and usage data; information on the use of the website and web shop
Retention period * / retention criteria: Assessment in individual cases

Processing activity: Combating abuse
Processing purpose: Detection, prevention and elimination of misuse of our services or infrastructure
Categories of personal data: Contact and identification data; personal details; contract and financial data; interaction and usage data
Retention period * / retention criteria: Assessment in individual cases

Processing activity: Activities in connection with compliance with legal requirements
Processing purpose: Compliance with applicable laws and regulations; responding to enquiries from the competent courts and authorities; assertion, exercise or defence of legal claims
Categories of personal data: Contact and identification data; personal details; contract and financial data; insurance-related data; interaction and usage data; information on the use of the website and web shop
Retention period * / retention criteria: Assessment in individual cases

* We generally store and process your personal data for as long as is necessary to fulfil the purpose for which it was collected or for as long as is required or permitted by law/authorities. For example, we have a legitimate interest in storing your personal data as long as it is subject to a retention obligation or storage is necessary for reasons of evidence or security. Your personal data will then be deleted from our systems or anonymised so that you can no longer be identified.

4. Legal basis for processing

The processing of personal data requires a legal basis. dcc bases the processing of your personal data on the legal grounds of consent, contract fulfilment, legal obligation and/or the pursuit of a legitimate interest. In detail, this is as follows:

Processing activity: Provision of our services including the management and administration of patient dossiers and patient data for medical services
Legal basis: Consent and contract fulfilment

Processing activity: Carrying out laboratory analyses
Legal basis: Consent and contract fulfilment

Processing activity: Processing and administration of medication and material orders
Legal basis: Contract fulfilment

Processing activity: Processing of other orders and contracts (in particular those via web shop)
Legal basis: Contract fulfilment

Processing activity: Bookkeeping, debt collection, credit checks and billing with health insurance companies
Legal basis: Contract fulfilment, legal obligation and legitimate interest in the enforcement of remuneration owed, in compliance with legal provisions and in the reduction of losses due to unpaid invoices

Processing activity: Marketing activities
Legal basis: Legitimate interest in the implementation of marketing measures

Processing activity: Analysis and further development activities
Legal basis: Legitimate interest in customer satisfaction and competitiveness and in compliance with legal requirements

Processing activity: Combating abuse
Legal basis: Legitimate interest in preventing damage and complying with legal regulations

Processing activity: Activities in connection with compliance with legal requirements
Legal basis: Legal obligation and legitimate interest in compliance with legal provisions

5. Disclosure of personal data and categories of data recipients

We may disclose your personal data to recipients such as service providers and other third parties such as business partners or authorities in compliance with legal requirements. This includes:

  • Third parties as part of the fulfilment of legal obligations: We may disclose your personal data to third parties if this is necessary or appropriate, or appears necessary or appropriate, in order to comply with or verify compliance with applicable laws and regulations and to respond to requests from competent authorities to whom we are required to provide information about you and your personal data in accordance with applicable laws and regulations.
  • Third parties in the context of medical activities: In the context of our medical activities, we may pass on your personal data (e.g. contact and identification data, treatment data, health data) to other doctors or laboratories with your express consent. We may also pass on your personal data to insurance companies (e.g. health insurance companies, accident insurance companies, disability insurance companies) for the purpose of invoicing services.
  • Service providers: We may disclose your personal data to service providers, or grant them access to your personal data, which we use in the course of our business activities to perform customer-related or IT-related tasks on a contractual basis, such as trustees, maintenance and support service providers and marketing service providers (e.g. for sending newsletters). Such disclosure or access is generally limited to the personal data required for the provision of services by these service providers and does not include health data.
  • Debt collection service providers: We may process your personal data for the purpose of commissioning debt collection service providers and make it accessible to these service providers.
  • Third parties in the context of combating abuse: We may pass on your personal data to third parties in connection with indications of unauthorised use of services, or obtain it from third parties, if this is suitable for detecting, preventing or eliminating fraudulent or abusive use of services of dcc or of third parties.

6. Cross-border processing of personal data in countries outside the EU/EEA (third countries)

In the course of providing its services, dcc may also rely on products and services from foreign manufacturers, suppliers and subcontractors who access personal data on our systems from abroad in the course of fulfilling their orders or who process such data at their foreign location.

Accordingly, the recipients of your personal data listed in section 5 may be located abroad, including outside the EU/EEA. The countries concerned may not have laws that protect your personal data to the same extent as in Switzerland or in the EU/EEA (so-called third countries). If we transfer your personal data to such a country, we will ensure its protection in an appropriate manner, for example by concluding data transfer agreements on the basis of contracts approved, issued or recognised by the European Commission (so-called standard contractual clauses). Please contact us via the contact options listed in Part C, Section 1, if you would like a copy of our data transfer agreements.

In exceptional cases, the transfer to countries without adequate protection is permitted, for example within the scope of the EU GDPR based on express consent, for the performance of a contract with the data subject or for the processing of your contract application, for the conclusion or performance of a contract with someone else in the interest of the data subject, or for the assertion, exercise or defence of legal claims.

7. Technical and organisational measures

We have taken appropriate technical and organisational measures to protect your personal data (in particular against access and misuse by unauthorised third parties) and to ensure data security appropriate to the risk, and have also agreed such measures with the third parties we have engaged (see section 5 above).

8. Note on the app (dcc – detect collect compare)

Personal data entered by you as a user of the app (including pictures taken) will only be stored locally on the mobile device on which the app is installed. dcc therefore does not process this data within the meaning of applicable law.

B. Online privacy policy

1. General

When you use our online services (website and web shop), we process personal data that you provide to us, for example when placing an order or using a contact form (e.g. your contact details such as name, telephone number, address or email address).

We also use cookies in our online services in accordance with the explanations in section 3 of this statement (see below) so that you can use our online services properly. In addition, we only use cookies if you have given your consent via the cookie pop-up that is displayed when you visit our online services.

2. Webshop (dermacompetencecare.com)

You have the option of registering in our webshop and using your login to manage personal data and view information. If you have registered with our online shop, we can link your online usage data (such as the way in which you use the online shop and the services provided via it, or the data that you disclose to us via the online shop) with other customer data that we collect and process in connection with your use of our services, and process it for the provision of services and functions in the online shop, for marketing purposes and for the evaluation, improvement and new development of services and functions. This is also possible after you have logged out of the web shop.

3. External Hosting

We host the content of our website with the following provider:

This website is hosted externally. The personal data collected on this website is stored on the host’s servers. This may include, among other things, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access data and other data generated via a website.

The external hosting takes place for the purpose of fulfilling the contract with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6(1)(f) GDPR). If a corresponding consent was requested, the processing takes place exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

Our host(s) will only process your data to the extent necessary to fulfil their performance obligations and will follow our instructions in relation to this data.

We use the following host(s):

Swiss IT Security AG
Etzelmatt 3
5430 Wettingen
Switzerland

Order Processing

We have entered into a Data Processing Agreement (DPA) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR (General Data Protection Regulation).

4. Cookies

Cookies are used on our online services. Cookies are small files that are stored on your computer or mobile device when you visit or use our online services. Cookies store certain settings about your browser and data about the exchange with the relevant online service via your browser. When a cookie is activated, it is assigned an identification number (cookie ID) that identifies your browser and allows the information contained in the cookie to be used.

Most of the cookies used are temporary session cookies that are automatically deleted from your computer or mobile device at the end of the browser session. Permanent cookies are also used. Depending on the type of cookie, permanent cookies remain stored on your computer or mobile device for between one month and ten years after the end of the browser session and are automatically deactivated after the programmed time has elapsed.

Cookies record usage information such as the date and time of access to our online services, pages accessed, the IP address of your computer or mobile device, browser type and version and the operating system used. Cookies also provide information, for example, about which of our online services you visit and from which website you came to our online services. We can also use cookies to track the topics you research on our online services.

The cookies or corresponding technologies stored on your computer or mobile device may also originate from independent third-party providers. The cookies from such third-party providers also remain stored on your computer or mobile device for between one month and ten years and are automatically deactivated after the programmed time has expired. The third-party providers only receive access to data on the basis of an identification number (cookie ID). This is online usage information such as which of our online services you have visited and which content you have used.

We use Borlabs Cookie’s cookie consent technology on our online services to obtain your legally required consent for the use of certain cookies in your browser and to document this in compliance with data protection regulations. The provider of this technology is Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany (“Borlabs”). When you visit our online services, a Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. This data is not passed on to Borlabs. The data collected will be stored until you ask us to delete it or delete the Borlabs cookie yourself, or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected.

The list of cookies used on our online services can be found in the Borlabs cookie pop-up via the “Individual data protection settings” button.

5. Web analysis tools

We use web analysis tools to obtain information about the use of our online services and to improve our offering. These tools are usually provided by a third-party provider. As a rule, the information collected for this purpose about the use of our online services is transmitted to the third-party provider’s server through the use of cookies. Depending on the third-party provider, these servers may be located abroad.

6. Prevention of cookies and web analysis tools

Most Internet browsers accept cookies by default. However, you can set your browser so that it does not accept cookies or only accepts certain cookies, or so that you are notified before a cookie from an online service you visit is accepted. You can also delete cookies on your computer or mobile device by using the corresponding function of your browser. Instructions on how to prevent cookies through browser settings can be found at the following link: allaboutcookies.org/ge

You also have the option of customising your consent to the use of cookies in the Borlabs cookie pop-up on our online services.

If you decide not to accept our cookies or the cookies and tools of our partner companies, you will not see certain information on our online services and will not be able to use some functions that are intended to improve your visit.

7. Social plugins

We also use social plugins from social networks on our online services. The plugins can be recognised by the logo of the respective social network.

All plugins used are set up using the 2-click method. This means that the respective plugins are only activated when you click on the logo of the respective social network.

When you access a page of our online services that contains an activated plugin, your browser establishes a direct connection to the servers of the respective provider. The content of the plugin is transmitted directly to your browser by the respective provider and integrated into the page. By integrating the plugins, certain information is transmitted to the third-party provider and stored by them.

If you are not a member of the relevant social networks, it is still possible for them to find out and save your IP address via the social plugin. If you are logged in to one of the social networks, the third-party providers can directly associate your visit to our online services with your personal profile on the social network. If you interact with the plugins, for example by clicking on a corresponding button, the corresponding information is also transmitted directly to a server of the third-party provider and stored there. The information is also published in the relevant social network in your respective profile and displayed there to your contacts. The purpose and scope of the data collection and the further processing and use of the data by the third-party providers, as well as your rights in this regard and setting options to protect your privacy, can be found in the data protection information of the third-party providers.

If you wish to prevent the relevant social network providers from assigning the data collected via our online services to your personal profile on the respective social network, you must log out of the relevant social network before visiting our online services. You can also completely prevent the plugins from loading with specialised add-ons for your browser, such as “NoScript” (http://noscript.net/) or “Ghostery” (https://www.ghostery.com/).

8. Newsletter

You have the option of subscribing to our newsletter on our online services. Personal data that you provide to us for this purpose, in particular your e-mail address and your name, may be used for the regular dispatch of our newsletter. The newsletter is sent either directly by us or by a specialised third-party provider. You can unsubscribe from the newsletter at any time (via the link in the newsletter). You can also inform us via the contact options listed in Part C, Section 1 that you no longer wish to receive newsletters.

9. Third-party services used by us in detail

On request, we will provide you with a list of the third-party services used on our online services (including services such as Google Maps). Please contact us via the contact options listed in Part C, Section 1.

C. General

1. Contact us

If you have any questions or concerns, you can contact us as follows:

By contact form: dermacompetencecenter.com/bahnhof-enge
By e-mail: info@dermacompetencecenter.com
By telephone: +41 (0)44 242 43 63
By post: derma competence center ag, Bodmerstrasse 4, 8002 Zurich, Switzerland

You can contact dcc’s data protection officer or data protection consultant as follows:

By e-mail: info@dermacompetencecenter.com
By post: derma competence center ag, Dr Hero Schnitzler, Bodmerstrasse 4, 8002 Zurich, Switzerland

You can contact dcc’s data protection representative in the European Union with questions relating to EU data protection law as follows:

By contact form: datenschutzpartner.eu/kontakt/
By e-mail: info@datenschutzpartner.eu
By post: VGS Datenschutzpartner GmbH, Am Kaiserkai 69, 20457 Hamburg, Germany

2. Your rights

You have the following rights in relation to the processing of your personal data, to the extent provided for by the applicable law (including the EU GDPR) and under the conditions set out in the applicable law:

  • Right to information: You have the right to obtain confirmation from us as to whether we are processing personal data about you and, if this is the case, to request information about the processing of your personal data. This information includes, in particular, details of the purpose of the processing, the categories of personal data and the recipients or categories of recipients to whom the personal data has been or will be disclosed.
  • Right to rectification: You have the right to rectification and/or completion of your personal data processed by us.
  • Right to erasure: You have the right to have your personal data erased, unless we are obliged by applicable laws and regulations to continue to store your personal data (in whole or in part) or have an overriding interest in continuing to store it, if
    ◦ the personal data are no longer required for the purposes pursued;
    ◦ you have withdrawn your consent (if given) and there is no other legal basis for the processing;
    ◦ you have effectively objected to the processing;
    ◦ the personal data was processed unlawfully.
  • Right to restriction of processing: You can request that we restrict processing in the following cases:
    ◦ if you dispute the accuracy of the personal data, for the duration of our review and the subsequent correction or rejection of the correction;
    ◦ if you object to erasure in the event of unlawful processing and wish to restrict processing instead;
    ◦ if, after fulfilment of the purpose, you request that the personal data should not be deleted, but should continue to be stored for the assertion of rights.

    The personal data concerned will be segregated or marked for the duration of the restriction. In addition to storage, any further processing of this personal data will only take place with your consent.

  • Right to data portability: Under certain conditions, you have the right to receive the personal data you have provided in a structured, commonly used and machine-readable format. You are entitled to have this personal data transmitted to a third party without hindrance, insofar as this is technically possible.
  • Right to object: You have the right to object to the processing of your personal data by us at any time for reasons relating to your particular situation and to request that we no longer process your personal data. If you have a right to object and exercise this right, your personal data will no longer be processed by us for such purposes.

    In particular, there is no right to object if we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims or is necessary for the conclusion and performance of a contract.

    If we process your personal data for the purpose of direct marketing, you have the right to object to this processing at any time. After your objection, your personal data will no longer be processed for this purpose.

  • Right to withdraw consent: If you have given us your consent to process your personal data for one or more specific purposes, you have the right to withdraw your consent for one or more of these purposes. Withdrawal of consent does not affect the lawfulness of the processing carried out up to the time of withdrawal.

You can assert your rights in connection with the processing of your personal data in writing via the contact options listed above by sending us your request by post or e-mail. Please enclose a copy of your identity document (ID card or passport) with your request.

We reserve the right to assert the restrictions provided for by law, for example if we are legally obliged to store or process certain personal data or have an overriding interest in doing so, e.g. because we need it for the assertion, exercise or defence of legal claims. Please note that the exercise of the aforementioned rights may conflict with contractual agreements between you and us (e.g. regarding the provision of services) and this may lead to consequences such as the premature cancellation of the contract or costs. In such cases, we will inform you in advance.

You also have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of your habitual residence or the place of the alleged infringement, if you consider that the processing of your personal data infringes applicable data protection law. The competent supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

3. Changes

We reserve the right to amend and supplement all parts of this Policy at any time and at our own discretion. The version published on our online services (dermacompetencecenter.com and dermacompetencecare.com) shall apply in each case. We will inform you of these changes appropriately and in accordance with the requirements of applicable law.

If this Policy forms part of a contract between you and us, we will inform you appropriately in advance and obtain your consent if we amend or supplement the Policy to your disadvantage. Your consent is voluntary. If you do not agree with the relevant amendment or addition, you may object to it. If you do not object within the previously announced period, you will be deemed to have consented to the relevant amendment or addition. There is no right to extraordinary cancellation of a contract due to a change or addition to this Policy.