Best possible protection for your data

Through its website, Barmer provides articles and information about its services and health topics. Insured persons can access the Meine Barmer personal member area via the website.

Legal Basis

Insofar as personal data is collected on this website, this is done either on the basis of your express consent, Article 6 (1) p. 1 (a) GDPR, to fulfil legal obligations which Barmer is subject to, Article 6 (1) p. 1 c GDPR, to perform tasks in the public interest or in the exercise of official authority vested in Barmer, Article 6 (1) p. 1 (e) GDPR.

Accessing and Informational Use of Our Website

Every time our website is retrieved and used for informative purposes, the browser used on your end device automatically sends data and information to the server of our website. The following data is collected:

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Contents of the request (specific page)
• Access status / HTTP status code
• Amount of data transmitted in each case
• http referrer
• User agent (operating system, browser, etc.)
• Language and version of the browser software
• Action type or type of retrieval
• Other similar data and information that serves to avert danger in the event of attacks on our information technology (IT) systems

This data is also temporarily stored in log files in our system. This data is not stored together with your personal data. The temporary storage of the IP address by the system is necessary to provide you with the website. To this end, the IP address must remain stored for as long as the website is used.

Storage of the Aforementioned Data in Log Files

Storing the aforementioned data in log files is necessary for the following purposes:

• Provision of access to the website
• Analysis and elimination of possible technical problems
• Assessment of system security and stability

The legal basis for data processing is Article 6 (1) (c) and (e) GDPR, Sec. 3 BDSG (German Federal Data Protection Act), in conjunction with Sec. 13 and 14 SGB I (German Social Security Code Vol. I) in conjunction with Sec. 1 SGB V (German Social Security Code Vol. V), Sec. 25(2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act) insofar as data processing is necessary to provide the website.

The data collected for providing the website will be deleted when the session on the website has ended.

The log files are kept for a maximum of 90 days and then deleted.

Use of Cookies and Similar Technologies

We use technologies such as cookies and plugins on our website. Cookies are small text files that are stored on your device when you visit websites. They can store information you enter, as well as settings such as the language or display preferences of a website. If you revisit the website using the same device and browser, the web server recognises by means of the cookie ID that you have visited before and adapts content and functions accordingly. In this way, cookies help to improve user experience on the Internet.

Barmer uses its own cookies (first-party cookies) as well as cookies from third parties (third-party cookies). Depending on their purpose and function, the following types of cookies are distinguished:

Technically Necessary Cookies

Technically necessary cookies are essential for providing our website and its functions and cannot be deactivated. They ensure that users can navigate our web pages or access the members' area Meine Barmer.

Analytics Cookies

Analytics cookies help us to better understand user behaviour. Pseudonymised user profiles are used to record how users interact with our content. It is not possible to directly identify a person. For example, this enables us to find out how often a particular web page is accessed or how long visitors stay on our pages. This allows us to further develop and improve our content in line with user interests.

Marketing Cookies

Marketing cookies support us in placing advertisements on the websites of our advertising partners (remarketing cookies) and in measuring the effectiveness of our campaigns (conversion cookies). It is not possible to directly identify a person. Marketing cookies help us display advertising content that is as relevant to you as possible. If these cookies are not set, you can still see advertising from Barmer, but it may be less relevant.

Services Provided by Other Companies (Independent Third-Party Providers)

On our barmer.de website, we use services provided by third parties such as YouTube and Google Maps. These external contents are not active on our website by default, a fact that we clearly point out. They only appear after you have actively chosen to enable them, either via the slider for external content or within the privacy settings.

Third-party providers may be based outside the European Union. This may also include countries where the level of data protection does not correspond to the GDPR standard in Germany. If your data is transferred to the USA, it may be accessed and used by US authorities for the purposes of monitoring and oversight without you having any legal means of redress. Detailed information about third-party providers and their services can be found in the privacy settings.

You can make your individual choices within the "privacy settings": You decide whether cookies and similar technologies from the categories of Analytics, Marketing, and Third-Party Providers are used. You can withdraw your consent at any time with future effect or adjust the settings to your specific needs.

In the "Services" section, you will find detailed information about all services, including processing purposes, legal bases and technologies used. The consent status for each individual technology, such as cookies or plugins, is documented transparently. You will also find a personal ID (visitor ID) there, which you can use to obtain information about your consent if required.

Reference to Social Media Channels

Use of Plugins

Plugins are generally defined as independent software modules that enable the integration of additional functionalities. Examples include Like and Share buttons from social media providers and advertising networks.

Barmer maintains various channels within social networks to communicate with users active there or to provide information. Furthermore, Barmer can be contacted via these channels and is thus available for all matters related to social security law.

Notes for Visitors to Our Social Media Channels

• Do not publish any data or information on social media that you do not wish to make public. Think about what data you want to put there and with whom you want to share it. Review the privacy preferences on your social media profiles. Your data may be automatically visible to all users.
• Any questions you ask us on the social media channels may only be answered by us in compliance with data protection laws. We are allowed to provide general information about health, our services and insurance law. However, we are not allowed to address specific cases of insured persons or the cases of others. As a statutory health insurance company, we must treat the data of those we insure confidentially. This excludes communication regarding personal matters on public channels.
• Barmer does not store any personal data of individual visitors to its social media presences in its systems. Comments, posts and suggestions are used solely to improve advice and service.
• If data from participants is collected as part of competitions, users will receive further information in the respective Terms of Use and Participation.
• Please observe the generally applicable principles for the use of social media portals and take into account copyright law and the netiquette of Barmer social media channels. Discrimination, bullying and insults are not tolerated by Barmer, either on the Internet or in real life. In the event of any violations of netiquette, Barmer reserves the right to delete the relevant content.

Share Buttons

If you click on a Facebook, Twitter, Instagram, YouTube, Xing or LinkedIn button on www.barmer.de, your browser will establish a direct connection with the respective service provider. In doing so, information is transmitted to the respective service provider indicating that the relevant website of www.barmer.de has been accessed or that a specific service of www.barmer.de has been used. We have no influence over the scope of data that service providers collect with the help of the share buttons.

Facebook and Instagram

Barmer uses the technical platform and services of Facebook Ireland for the information service offered here. Visitors to our page on Facebook or Instagram are statistically analysed (tracking). As page administrators, we can view this statistical data in the "Insights" section. The page statistics to which Barmer has access as the page operator are used to evaluate reach, interactions and posts and do not enable any conclusions to be drawn about individuals or profiles. The joint responsibilities are regulated as follows: Data subject rights may be asserted both with Facebook Ireland and with us. The primary responsibility under the GDPR (General Data Protection Regulation) for the processing of Insights data lies with Facebook, and Facebook fulfils all obligations under the GDPR with regard to processing. Facebook Ireland provides the essence of the Page Insights Addendum to the data subjects. We do not make any decisions regarding the processing of Insights data and all further information arising from Article 13 GDPR, including the legal basis, identity of the controller and the storage duration of cookies on users' end devices. You can find the current Page Insights Addendum Regarding the Controller with Facebook here.

YouTube

Our website uses plugins for the website YouTube. The operator of the YouTube pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. We use YouTube in privacy-enhanced mode. This mode, according to YouTube, results in YouTube not storing any information about the visitors on this website before they watch the video. Privacy-enhanced mode, however, does not necessarily exclude data being shared with YouTube partners. For example, YouTube – irrespective of whether or not you play a video – connects to the Google DoubleClick network. A connection to YouTube's servers is established as soon as you start a YouTube video on our website. The YouTube server is thereby notified about which of our pages you have visited. If you are logged into your YouTube account, you allow YouTube to link your browsing behaviour directly with your account. You prevent this by signing out of your YouTube account. YouTube may, in addition, store various cookies on your end device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used to collect video statistics, improve user-friendliness, prevent attempted fraud, etc. The cookies remain on your end device until you delete them. After starting a YouTube video, further data processing operations may be triggered over which we have no influence. The legal basis for the data processing described in this paragraph is Article 6 1 (a) GDPR (consent of the data subject).

Further information about data protection at YouTube can be found in their privacy policy at https://policies.google.com/privacy?hl=en

Newsletter

At various points, you have the option to subscribe to one or more e-mail newsletters. By doing so, you grant us your consent to use your e-mail address for advertising purposes. The sender of the e-mails is always Barmer. The content of the e-mails consists of information, offers and benefits from Barmer.

Newsletter Registration

For a valid registration, we require a valid e-mail address. To verify that the registration is actually being carried out by the owner of an e-mail address, we use the double opt-in (DOI) procedure. We record the request for the newsletter, the sending of a confirmation email and the receipt of the response requested for this purpose. To document each process, we record the exact time and the IP address of your device.

Topic-Specific Newsletters and Personalised Newsletters

If you choose to subscribe to a newsletter, we will not tailor its content to your interests. Accordingly, we do not require any data from you for profiling purposes but limit ourselves to the data necessary for the immediate provision of the newsletter. Typically, this includes your e-mail address and, if applicable, other individual information such as your name or, in the case of the pregnancy newsletter, your expected due date, due to technical procedures.

In addition, the content of the newsletter may be personalised so that it matches your personal interests. Details regarding this profiling can be found in the section "Personalisation via Interest Profiles".

Subscribers may also be informed by email about circumstances that are relevant to the service or their registration (e.g., changes to the newsletter service or technical conditions).

Retention Periods and Deletion Deadlines

When you register for the newsletter, your data will be stored until you withdraw your consent. Successful registration takes place when you click the confirmation link in the e-mail addressed to you.

If you do not confirm the newsletter registration link in your e-mail, we will store your data for up to 6 months. After that, the link will become invalid, and registration via the link will no longer be possible. New registration is possible at any time.

As soon as you unsubscribe from our newsletter, such as via the unsubscribe link included in every mailing, you will be completely unsubscribed from the respective (topic-specific) newsletter within 24 hours. Your data will be transferred to the unsubscribe list, where it will be stored for up to 6 months for statistical purposes and then automatically deleted.

Revocation of Topic-Specific Newsletters

You can revoke your consent to the storage of your personal data and its use for the newsletter dispatch at any time. There is an unsubscribe link at the end of each newsletter. The revocation of your consent does not affect the lawfulness of the processing conducted on the basis of the consent until the revocation. Technical and organisational processing times mean that, in exceptional cases, you may receive the respective newsletter a second time after you have unsubscribed.

Legal Basis

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Personalisation and Prospect Profiles

If you would prefer to receive content that is relevant to you, you may give your consent to the creation of a profile using a prospect profile. Please note that profiling will only take place after you have given your consent and that a one-time consent to profiling will apply to all newsletter services of Barmer that you have already subscribed to or may subscribe to in the future until you withdraw your consent. You may withdraw your consent at any time by unsubscribing from the newsletter service.

Service Providers Used

As part of personalised marketing campaigns, we use the campaign management services of a service provider based in Germany. Data processing takes place exclusively in Germany.

Prospect Party Profile

We need to understand your interests as best we can in order to show you content that is relevant to you. We therefore create a prospect profile of you for the personalised information.

In this prospect profile, we store identifying characteristics such as salutation, first and last name, e-mail address and date of birth together with your contract and usage data. The contract data only includes the status of your membership, i.e., whether or not you are a Barmer member. In particular, the usage data includes your response to our marketing activities (the newsletters sent to you and opened, clicks on links within a newsletter, etc.). This enables us to personalise our services for you. In this way, for example, the newsletter will provide you with information about services that are relevant to you or special offers that suit you – whichever applies to you.

Data Sources

During our mailing campaigns, we combine data from various Barmer sources in prospect profiles in order to obtain the best possible understanding of your interests. These sources are based on the consent declaration you have voluntarily provided and may include the following data:

E-mail service provider:
Your registration information, such as consents given via the double opt-in procedure or the details you provided in the registration form or clicks within a newsletter. Clicks within the newsletter are measured by the e-mail service provider. Specifically, this includes data such as openings of a mailing, clicks on text and image links and, if applicable, download actions within an e-mail. This information is linked to a unique identifier of the recipient. Based on this identifier, target groups can later be formed, such as for those recipients who have clicked on a specific link. If no consent has been given for profiling, click behaviour is only measured anonymously.

Barmer master data:
In order to provide the best possible content for Barmer prospects and Barmer insured persons, we may check whether you are already insured with us. This enables us to inform prospects in our mailings about the benefits of membership with Barmer.

(Offline) participation cards, such as for competitions:
For example, it is also possible that you give us consent to use your data as part of marketing mailing campaigns after participating in an offline competition (such as via a card). In this case, this information may be used for e-mail marketing campaigns.

Data or Usage Data in the Case of Personalisation

• Start and end time of a usage
• Newsletter opening
• Click on the content of a newsletter
• Title
• First name
• Last name
• Postal code
• Address
• Language
• Country
• Application source
• Email address
• Consent – for example, to receive a newsletter
• Date of birth
• Insured status
• Interests
• Delivery date
• Gender
• Information about children
• Graduation class
• Telephone number
• Information on the use of additional services provided by Barmer, such as apps, digital surveys, online seminars, competitions
• Other information provided as part of a registration form

Retention Period and Deletion Deadlines for Profiling

Barmer uses your data to provide you with tailored, personalised information and offers. You may withdraw your consent to profiling at any time. Your profiling consent no longer applies if you have actively unsubscribed from all subscribed newsletters via the respective unsubscribe link. When you unsubscribe completely from the newsletter service, your profile data is still stored for statistical purposes and automatically deleted within 6 months.

Impact of Unsubscribing from Newsletters and Profiling

You can unsubscribe from a newsletter at any time. To do so, please click on the unsubscribe link located at the end of the respective newsletter. Other newsletters to which you have subscribed will not be affected and will continue to be sent to you.

Your profiling consent no longer applies if you have actively unsubscribed from all subscribed newsletters via the respective unsubscribe link.

Legal Basis

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Digital Information Material

In various places, you have the option to order digital information material. By doing so, you grant us your consent to send a download link to the digital information material to an e-mail address provided by you for this purpose. The sender of the e-mails is always Barmer.

Ordering and Downloading Digital Information Material

To process your order effectively, we require a valid e-mail address. To ensure that the order is genuinely placed by the owner of the e-mail address, we use what is known as the double opt-in (DOI) procedure. To this end, we log the order of the digital information material, the dispatch of a confirmation e-mail and the receipt of the required response. For the logging of each individual step, we record the exact time and the IP address of your device. This is necessary for security reasons, including the prevention of server overloads caused by cyberattacks.

Once your confirmation e-mail has been received as part of the DOI procedure, you will receive the link to download the digital information material.

Retention Periods and Deletion Deadlines

After your confirmation via the DOI procedure, we store your data for up to 150 days for reporting and statistical purposes. After this period, the data is deleted automatically. If the DOI procedure is not confirmed, the e-mail address will be stored in the Inxmail subscription manager log due to our obligation to provide information.

The data protection information in the Newsletter section above on this page applies to newsletters that you subscribe to together with the digital information material or that you have already subscribed to.

Legal Basis

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Communication by E-mail as Part of Online Membership Application

If you wish to become a member of Barmer and use our online membership application for this purpose, we will collect your e-mail address. We can use e-mail to contact you quickly and easily should we have any questions regarding your membership application.

In addition, we will ask for your consent to provide you with a one-time and personalised communication regarding the benefits and advantages of membership with Barmer. This consent applies only in connection with your online membership application and will result in an e-mail being sent to you if you do not complete and submit the online membership application to Barmer. This consent is voluntary and can be revoked at any time with future effect.

Legal Basis

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Information and Advice via E-mail

If you receive a topic-specific customer mailing, we fulfil our role as a health insurance fund by providing information and advice on rights and obligations under the German Social Security Code. We limit the use of your data to what is necessary for the immediate provision of the customer mailing. Typically, this includes your e-mail address, which you have provided to us voluntarily, and any further individual information such as your name.

You may object at any time to the storage and use of your personal data for the delivery of topic-specific customer mailings. Each customer mailing contains a corresponding objection link at the end of the mailing. By clicking on the objection link, you will be unsubscribed from all customer mailings within 24 hours. The lawfulness of processing carried out up to the point of objection remains unaffected by this. Objecting to a topic-specific customer mailing does not mean that you will be unsubscribed from a newsletter you have subscribed to. You will therefore continue to receive any newsletters you have personally subscribed to.

The legal basis for the data processing described in this paragraph is Sec. 13 SGB I (German Social Security Code Vol. I – Information) in conjunction with Sec. 1 (1) SGB I (Support for Self-Help) and Sec. 1 SGB V (German Social Security Code Vol. V). The processing is required for fulfilling the tasks assigned to Barmer as a public law corporation under the German Social Security Code, Article 6 (1) (e) GDPR.

Barmer is the organiser responsible for competitions advertised and accessible through various media.

Contact details for the controller, the Data Protection Officer and our supervisory authorities can be found in the relevant section further below in this privacy notice.

As the organiser, Barmer processes personal data for participation in competitions and stores it within the statutory retention periods insofar as this is necessary for establishing the legal relationship with the participant and for subsequent implementation and handling of the competition (Article 6 (1) (b) GDPR). Any additional declarations of consent for advertising purposes are based on Article 6 (1) (a) GDPR.

From a technical perspective, the collection and processing of personal data is carried out using the double opt-in procedure. When sending the e-mails and handling the double opt-in process, we use Inxmail, an e-mail service provider based in Freiburg, Germany. Data processing is conducted exclusively in Germany and is limited to online competitions only.

In particular, this involves the following personal data:

Depending on the competition, the participant's postal address and/or e-mail address for the purpose of notification of winnings and/or delivery or provision of the prize, their telephone number to help ensure notification of winnings in the event of accidental data entry errors and the date of birth for age verification purposes.

Detailed information on individual competitions, the relevant legal bases and the purposes of data processing can be found in the respective Terms of Use and Participation.

Depending on the competition, the data may be transmitted to service providers such as specialist retailers, travel organisers or other third parties who provide services on behalf of Barmer (order processing, Article 28 GDPR).

Information on data subject rights can be found in the corresponding section further below in this privacy policy.

Chat in Website Public Area

See the section on communicating with insured persons

Response Code Processes (No Barmer User Account Required)

At www.barmer.de/online-antwort, insured persons have the option of submitting selected feedback or requests to Barmer online using a response code provided by Barmer.

Additional personal data is collected for the use of the respective services. The personal data transmitted to Barmer is determined by the respective input form. The corresponding data protection information is also provided for each respective service.

All additional data created in the other services are only used for the respective purpose and not passed on to third parties.

Reporting Barriers

The feedback mechanism is critical to the continuous improvement of accessibility. The feedback mechanism provides us – the operator of the website and/or mobile application – with indispensable information to further reduce barriers. We also receive information on how frequently issues are raised by users. Pursuant to Sec. 12b (2) no. 2 in conjunction with Sec. 1 (2) sentence 1 of the German Federal Act on Equal Opportunities for Persons with Disabilities (BGG), we, as a direct public law corporation, are obliged to provide users of our website and/or mobile application with the opportunity to contact us electronically – for example, in order to report existing barriers. Barmer is required to respond to feedback within one month. For this purpose, we process the data necessary for fulfilling our tasks. The personal data transmitted to Barmer in this context is determined by the feedback mechanism form. We receive the data in order to pursue the aforementioned purposes. Transmission to third parties does not take place. The data is stored for the duration of the task performance in accordance with the legally prescribed retention periods and then deleted. There is no obligation to enter contact data in the feedback form. If you do not provide your contact details, we will not be able to respond to your feedback or inform you of any measures we may have taken as a result of your report.

Barmer-insured persons can use digital services that we develop and provide together with cooperation partners. If you wish to use a specific service, we will ask you for personal data, such as your e-mail address. The data required may vary depending on the service.

We only collect and store personal data for the digital service you have chosen. Information that you voluntarily provide to us for this purpose may be processed and used to contact you. For example, this may be the case if we have information for you during the term of the service or if we contact you after completion to ask about your experiences and satisfaction with the service.

Additionally, you can decide whether we may send you information for marketing purposes beyond the selected digital service. This consent is voluntary. You can also use the service without granting this consent.

Retention Periods and Deletion Deadlines

We process data relating to our digital services from cooperation partnerships for as long as you use the service. This means from the time you actively register or, for example, enter a requested access code until the end of the usage period. You will receive detailed information when you start using the service.

Revocation

Your decision to use a digital service of Barmer from cooperation partnerships is voluntary. You may informally revoke your consent at any time with future effect by telephone or via an e-mail or post to us or also within the service itself.

Information about your rights as a data subject and our contact information can be found below in the sections "Your Data Protection Rights" and "Contact Details of the Controller, the Data Protection Officer and Our Supervisory Authorities".

Thanks to the apps and skills of Barmer, you always have your health insurance with you. You can find an overview of the other digital services offered by Barmer here: Apps and Skills of Barmer

For information on how your personal data is processed when using other digital services, please refer to the privacy policy for the respective app.

The Barmer user account provides insured persons with access and is a prerequisite for using protected online services of Barmer.

Purposes of Processing

When you create a user account, we collect and process personal data for the following purposes:

• Initial set-up of the Barmer user account
• Provision of the Meine Barmer personal member area
• Management of the information stored in the Barmer user account
• Identification and authentication for digital services of Barmer for which a Barmer user account is required. These include the Meine Barmer personal member area in the app and web, the Barmer eCare and eCare app and the Teledoktor app.

Creating the Barmer User Account (Registration)

The following steps are necessary to create the Barmer user account:

• Collecting surname, first name, date of birth, insurance number
• Collecting an e-mail address
• Collecting a phone number
• Consenting to the Terms of Use
• Verifying the e-mail address and telephone number

In addition, the following information is required:

For Registration via Meine Barmer (Internet)

• Setting a password
• Identification and device binding / creating a strongly authenticated telephone number by
  • entering the activation code sent by post (for identification at the standard protection level) or, alternatively,
  • identification via the Barmer-App using procedures other than the activation code for immediate identification at a high protection level. You will need this if you wish to use Barmer eCare, your access to the electronic patient record via the app. More on this in the next paragraph.

For Registration and Authentication via the Barmer-App

• Setting a PIN in the Barmer-App
• Identification, storing a security device and creating a strongly authenticated telephone number via
  • an identity card with a PIN
  • an electronic health card with a PIN
  • entering an activation code sent by post or
  • personal identification at a Barmer branch office

The following personal data is processed as part of the Barmer user account:

• User ID
• Display name (consisting of title, name prefix, name suffix, first name and surname)
• Address (street, number, postcode, city)
• Date of birth
• Place of birth
• Gender
• Username
• Self-chosen password
• Barmer PIN
• Insurance number
• Email address
• Telephone number
• Electronic health card
• Security device (Barmer-App)
• Activation code
• One-time password

For example, you can use the following services with your Barmer user account:

eCare App

In addition, the following data is transferred to and stored by eCare. This is needed to technically check whether you have already agreed to eCare's privacy policy:

• Personal identification number
• Insurance number
• Display name (consisting of title, name prefix, name suffix, first name and surname) – to enable personalised addressing in the eCare app
• E-mail address – for notifications

Teledoktor App

The Teledoktor app is a free service provided by Barmer and is available to all individuals insured with Barmer. The prerequisites for using the Teledoktor app are an activated Barmer user account, the installation of the Teledoktor app and consent to an additional privacy policy.

The Teledoktor app also provides access to further services, such as video consultations or the digital skin check (remote medical treatment). These services involve special health care provisions pursuant to Sec. 140a SGB V, for which a separate declaration of consent for participation and data processing can be given within the Teledoktor app. The declarations and use are voluntary and constitute an optional offer.

Login Using Touch ID and Face ID (iOS) or Fingerprint and Facial Recognition (Android)

See the privacy policy for the Barmer-App below

Logging with Incorrect Entry or Blocking of Password/PIN

To prevent unauthorised use of personal access to the digital services of Barmer – in your interest as well – the following processes are logged:

• Login attempts
• Failed login attempts
• Each triggered processing operation (transaction)

In this context, the user ID, time, date, type of identification and a transaction identifier are logged. The IP address is also stored in the case of failed logins.

The purpose of processing this data is

1. preventing misuse of our services and
2. investigating criminal offences if necessary.

The legal basis for processing this data is Article 6 (1) (e) GDPR in conjunction with Sec. 3 BDSG (German Federal Data Protection Act) and Sec. 25 (2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act). The data will be deleted when it is no longer required for processing purposes.

Logging and Analysing User Behaviour

The last time you logged in to your Barmer user account is recorded. To verify whether you have agreed to the most current version of the Terms of Use and Participation, this timestamp is compared with the consents stored. If there have been any changes to the Terms of Use or the Privacy Policy since your last login, we will inform you during the login process.

Furthermore: See the privacy policy for the Barmer website.

Legal Basis

This data is processed based on your consent in accordance with Article 6 (1) (a) GDPR. You may withdraw your consent at any time with future effect. To do so, simply go to your user account in the Meine Barmer personal member area via the app or on the Internet.

Measures to Protect Your Data

Barmer and its processors are obliged to implement technical and organisational measures that are suitable for adequately protecting your data against possible risks. In doing so, we take into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing. We also consider the likelihood of various risks occurring and the potential severity of their impact on the rights and freedoms of natural persons. These measures also include the consistent encryption of resources such as databases, virtual machines and data storage systems.

Disclosure to Third Parties

Data is not disclosed by Barmer to third parties, i.e., natural persons or legal entities, government authorities, institutions or other entities. The only exceptions are processors who, on behalf of Barmer, perform specific tasks in connection with the user account. To this end, Barmer has concluded a data processing agreement with each of its processors in accordance with Article 28 GDPR.

As the data controller, Barmer ensures that its processors are "suitable". This means that the processors also implement suitable technical and organisational measures to meet the requirements of the GDPR and to protect the rights of the data subjects. For this reason, before awarding any contract, we check whether a processor is "suitable" in this sense.

Retention Periods and Deletion Deadlines

The data is stored for as long as the Barmer user account is active or blocked. When the Barmer user account is deleted by the user, the data relating to the Barmer user account is also deleted.

If your Barmer user account is not activated within 63 days, it is automatically deleted by Barmer. The user account is also deleted once the insurance relationship has ended. Insured persons receive a notification 10 days prior to and immediately after the deletion.

If the insurance relationship ends due to the death of the insured person, the user account is blocked and a notification sent 10 days before deletion.

Deleting the User Account

Users can delete the Barmer user account at any time in the Meine Barmer personal member area (website or app) under "Benutzerkonto verwalten" (Manage Barmer User Account). At the request of the user or insured person, Barmer can also delete the Barmer user account via Support. Upon deletion, consent to data processing is considered revoked for the future.

You have the option to use the Meine Barmer personal member area. On the one hand, this is available via the website www.barmer.de/meine-barmer (Privacy Policy for the Barmer website) and, on the other, via the Barmer-App (Privacy Policy for the Barmer-App). Registering and creating a Barmer user account are required for this. Whenever a Barmer user account is created, personal data is collected and processed. You can find more information on this above in the section on the Barmer user account.

Through Meine Barmer, we offer services, applications and content exclusively for persons insured by Barmer. In addition, it is also possible to communicate with each other so that, in particular, messages and posts can be directed to Barmer electronically.

The user's consent to the processing of this data is already obtained at the time of registration and the creation of a Barmer user account. The purpose of processing is to provide the services and content in Meine Barmer.

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This applies to data processed while using Meine Barmer once the data is no longer required for contract fulfilment and there are no longer any statutory retention obligations preventing its deletion. This principle also applies when the Barmer user account is deleted (Privacy Policy for the Barmer user account).

If you use the Meine Barmer personal member area, your data is processed for the following purposes:

• Identification or verification of your membership with us or of the family insurance with a relative who is a Barmer member
• Provision of services and content exclusively for persons insured by Barmer in the Meine Barmer personal member area

The legal basis for processing this data based on your consent is Article 6 (1) sentence (1) (a) GDPR. The provision of certain services serves to fulfil statutory obligations in accordance with Article 6 (1) (c) and (e) GDPR, Sec. 3 BDSG, in conjunction with Sec. 13, 14 SGB I, in conjunction with Sec. 1 SGB V and Sec. 25 (2) no. 2 TDDDG.

The Barmer user account is used for logging in to the personal member area. Information on data collection and processing within the framework of the Barmer user account can be found above in the section on the Barmer user account.

Scope of Services in Meine Barmer

In the Meine Barmer personal member area, you have the opportunity to use services such as the submission of benefit applications. You can also initiate changes to your personal data or manage this data.

A few services require additional information and data from the user. If necessary, this information will be requested when the user accesses the respective extended service. This data is required by Barmer solely to provide the respective service.

Further personal data will be accessed and processed for the use of the respective services. The personal data transmitted to Barmer in this context is determined by the respective input form of the corresponding service. If necessary, additional data protection information is provided for the respective service as well.
All additional data created in the other services are only used for the respective purpose and not passed on to third parties.

If users make enquiries, it may be necessary for Barmer employees to access the user's data for the respective service in order to respond to the enquiry, provided this is permissible under data protection law. All employees involved in the administration of the services are subject to confidentiality obligations and are required to comply with social data protection regulations.

Individual services can be deactivated or logged off. If you deactivate or unsubscribe from a service, the data you have stored for this purpose is deleted in compliance with the legal deletion requirements.

Mailbox

The mailbox is an integral part of the Barmer user account and cannot be deactivated. The mailbox is used for secure and data protection-compliant communication between insured persons and Barmer. Insured persons can use the mailbox to transmit or submit documents or information to Barmer. In cases where Barmer is unable to process a submission, the mailbox will be used as a feedback channel for such information. Barmer provides information from various services in the mailbox.

Messages posted to the mailbox by Barmer and messages sent by insured persons to Barmer will be retained in the mailbox for a maximum of 6 years. If insured persons save their message as a draft or move a message to the recycle bin, these messages will be retained for a period of 90 days. The individual retention period is displayed in each mailbox message. Once the individual retention period has been reached, the messages will be deleted. In addition, insured persons have the option to delete messages in the mailbox at any time on their own initiative. If the user account is terminated by the insured person, the mailbox messages will also be deleted at the end of the user account.

Notification of Mailbox Receipt

Insured persons are notified by Barmer of incoming messages in their mailbox. Notification is sent via e-mail and/or SMS, linked to the information (e-mail address) from the Barmer user account or a telephone number, which can be specifically stored by the insured person for these notifications.
For mailbox use via the Barmer-App, insured persons also have the option of being notified of mailbox entries by push notification on their mobile device. Further information on push notifications can be found in the Privacy Policy for the Barmer-App.

Notification of Digital Letter Delivery in the Mailbox

You will be notified by e-mail or SMS of every letter delivered to the mailbox. The e-mail address or telephone number stored in the user account is used for this purpose.

Health Manager

With the Barmer Health Manager, you receive individual preventive care and vaccination recommendations as well as an overview of your dental bonus. For full transparency, you can also view all billing statements from doctors or pharmacies, for example. Your customer and billing data are used to provide you with these personalised services within the context of the Health Manager. All additional data entered in the Health Manager will not be used for any purpose other than health management and will not be disclosed to third parties.

Notification from the Health Manager

Insured persons are notified of important events in connection with the Health Manager. The notification is sent to the e-mail address stored in the Barmer user account.

Bonusprogramm

The Barmer Bonusprogramm is part of Meine Barmer and is a free supplementary offer. In principle, all Barmer insured persons are eligible to participate in the Barmer Bonusprogramm. Participation requires consent to an additional privacy policy.

Kompass

The Kompass is part of Meine Barmer. Here you can find selected benefit applications submitted over the past ten years, including their respective processing status. For example, you can see when a sickness notification, prescription, or birth certificate was received and processed by Barmer. In addition, you can receive information on how your benefits (e.g., sickness benefit, injury benefit) are calculated and when and in what amount they were paid out.

The basis for the data displayed in Kompass is the data stored at Barmer. All additional data entered in the Kompass is used solely for the optional extension of Kompass functions (e.g., calculation of the anticipated co-payment amount for approved follow-up rehabilitation) and is not disclosed to third parties.

Submission of Documents via Upload in Meine Barmer and the Barmer-App

If you use the file upload function to transmit documents (e.g., as part of an application process) to Barmer digitally, please retain the original documents for one year for legal reasons.

Service Chat within Meine Barmer

Barmer offers a chat service within Meine Barmer. This service is only available via Meine Barmer on the website and not via the Barmer-App.

The Barmer service chat is an electronic communication service within the personal membership area Meine Barmer that allows you to communicate in real time over the Internet with a Barmer advisor. You can use it to clarify questions that you would otherwise have asked by telephone or in person at one of our branch offices.

The Barmer service chat is provided in a separate window, which opens when you click on the corresponding button.

To use the service chat, you must agree to the Terms of Use and the declaration of consent.

When you use the Barmer service chat from within the personal member area Meine Barmer, your name and insurance number are displayed to our advisor.

If you have provided us with personal data, we will use it only to respond to your enquiries, to process contracts we have entered into with you and for technical administration.

If the personal information collected is no longer required for fulfilling a purpose pursuant to the provisions of the German Social Security Code (e.g., granting a benefit or calculating a contribution), this chat data will be deleted after 12 months. If this data is required in accordance with the provisions of the German Security Social Code, the retention period will be determined by the respective processing purpose. Different retention periods apply here, which are regulated in Sec. 110a SGB IV, Sec. 304 SGB V, Sec. 107 SGB XI and in the General Administrative Regulation on Accounting in Social Insurance (SRVwV) for statutory health insurance funds. Personal information is not passed on to third parties.

Declarations of consent in connection with customer satisfaction surveys are voluntary and do not affect the benefits you receive as an insured person. The purpose of the surveys is to further improve the Barmer service and to align it with our customers' desires and needs. Your consent will remain valid and stored until you revoke it with future effect by notifying Barmer. The data will then be deleted without delay. For further information, please refer to the sections "Your Data Protection Rights" and "Contact Details of the Controller, the Data Protection Officer and our Supervisory Authorities". The satisfaction survey assesses your impressions and your level of satisfaction with Barmer during your contact with a Barmer advisor. The feedback you provide is anonymous. Direct and indirect references to you or third parties are rendered unrecognisable when stored.

After the chat has ended, the chat transcript is placed in the user's online mailbox under Meine Barmer.

We want you to feel safe when using the Barmer-App. For this reason, the protection of your personal data is very important to us. We will inform you of which data we store and the purpose for which we use it.

Personal data is only collected via the Barmer-App to the extent that is technically necessary. Under no circumstances will the data collected be sold or passed on to third parties for other reasons without your consent. Barmer strictly complies with data protection regulations.

The provisions of the EU General Data Protection Regulation (GDPR), which became effective on 25 May 2018, strengthen your rights and are intended to give you greater control over your personal data. With our information on data processing, you can quickly and easily gain an overview of which personal data and social data we collect from you and how we use it. We will also inform you about your rights under applicable data protection law and tell you whom to contact if you have any questions.

What is the Barmer-App?

The Barmer-App provides the personal member area for insured persons in the form of an app. The range of services is therefore almost identical to the "Meine Barmer" function provided on the website.

To use the Barmer-App, you need a Barmer user account for the Barmer digital services. You can easily register for this via the app. All information about the Barmer user account can be found above in the User Account section.

Who provides you with the Barmer-App?

The controller for the processing of personal data in connection with the Barmer-App is Barmer, Axel-Springer-Str. 44, 10969 Berlin.

Contact Details of the Data Protection Officer
Barmer, Data Protection Officer (Datenschutzbeauftragte), Lichtscheider Straße 89, 42285 Wuppertal
Postal address: Barmer, Data Protection Officer (Datenschutzbeauftragte), 42266 Wuppertal, e-mail: datenschutz@barmer.de

Is the Use of the Barmer-App Voluntary?

The use of the Barmer-App is voluntary for every Barmer insured person. It is therefore entirely your own decision whether and how you use the Barmer-App. A Barmer user account is only opened for you at your explicit request. If you decide to create a Barmer user account, you may also voluntarily use the Barmer-App.

Even though the use of the Barmer-App is voluntary, it requires you to agree to the terms of use and to consent to the transmission of personal data.

Your agreement is requested by the Barmer-App as soon as this becomes necessary. For example, this occurs during registration or when activating additional services.

Who Is the Target Audience of the Barmer-App?

The Barmer-App is available to all insured persons with an existing insurance relationship with Barmer.

The prerequisites for using the Barmer-App are an activated Barmer user account for Barmer's digital services and installation of the Barmer-App.

What Steps are Required for the Successful Initial Use of the Barmer-App?

Download from App Stores

The Barmer-App is available via distribution platforms operated by third parties called app stores (Google Play Store and iOS App Store). Downloading may require prior registration with the respective app store and installation of the app store software. When you download the app, the required information is transmitted to the app stores, in particular your username, e-mail address and customer number of your account, the time of download, payment information and the unique device identifier. Barmer has no influence over the collection, processing and use of personal data in connection with your registration and the provision of downloads in the respective app store and app store software. The sole responsible party for this is the operator of the respective app store. Please check directly with the respective app store provider if needed.

Registration Procedure

To use the Barmer-App, you need a Barmer user account for Barmer digital services (see above).

Which Permissions and Functions Does the Barmer-App Require on Your Device?

The Barmer-App requires access to various functions and interfaces of your smartphone. To this end, it is necessary for you to grant certain permissions to the Barmer-App.

The Barmer-App requires access to the Internet connection. You do not have to explicitly grant this permission.

Moreover, to provide additional features, the Barmer-App also requires the following permissions, which you can grant manually:

Access to your camera

• Access is required for uploading documents.

Access to the gallery or to files stored on the device

• In order to upload and save images or documents from your device storage, the Barmer-App requires access to your device storage.

Technical Requirements

The minimum technical requirements necessary for using the Barmer-App can be found in the respective app store:

• iOS App Store: https://apps.apple.com/us/app/barmer-app/id956752981
• Google Play Store: https://play.google.com/store/apps/details?id=de.barmergek.serviceapp

Login Using Touch ID and Face ID (iOS) or Fingerprint and Facial Recognition (Android)

Login with Touch ID or Face ID (iOS) or fingerprint and facial recognition (Android) can be used as an alternative to logging in with an e-mail address and Barmer PIN or password.

• The prerequisite is that your smartphone must require at least the entry of a code to unlock the device and must support Touch ID or Face ID (iOS) or facial recognition or a fingerprint (Android). Only Android versions that provide the required security level for a fingerprint or facial recognition are supported.
• Only the security mechanisms of the device itself have access to the biometric data used (fingerprint, facial recognition). At no time does Barmer have access to this data.
• For your security, you should only use your own fingerprints and your own face on this device, and, should you lose the device, you should immediately have your user account blocked. To do this, you can call us free of charge on 0800 333 10 10 or use our online form to block your user account. Please also ensure that the SIM card of your device is blocked and make sure that your e-mails can no longer be accessed from the device.
• You can change this function at any time in the app settings. Changes to the biometric settings must be confirmed by entering the Barmer PIN.

Notifications

The Barmer-App notifies you via push notifications about new events, such as a new message in your inbox. You will also receive a push notification if approval via the security device is required to log in on another mobile phone or tablet. This presupposes that you have allowed the app to send you push notifications and to establish a direct connection to the servers of Google and Apple for this purpose.

You can allow or decline push notifications – and thus also the connection to the aforementioned servers – before logging into the app. If you allow push notifications, only generated identifiers for the app installation are transmitted; no additional features are transferred for analysis purposes. If you decline, a one-time connection to the above-mentioned servers is established for the purpose of deleting the data that was necessary for the delivery of push notifications.

You can adjust your decision at any time: For push notifications in the device settings and for connecting to the above-mentioned servers in the app settings.

Push notifications are delivered

• on Android via Firebase Cloud Messaging
• on iOS via Firebase Cloud Messaging and the Apple Push Notification Service

Push notifications may contain detailed information and are displayed on the lock screen. Please protect your smartphone against unauthorised access.

What Types of Data are Automatically Processed by the Barmer-App?

To use the Barmer-App, the data from your Barmer user account is used.

What Data Is Stored in the Local Device Memory of the End Device?

What Data Is Stored Locally on the Internal Memory of the Mobile Phone?

The Barmer-App stores configuration information encrypted on the device for devices with iOS and Android operating systems.

If you download documents from your Barmer-App to your device, they are stored locally on your device.

Is It Possible to Store Data on External Storage Media (SD Cards) of the Mobile Phone?

You can save the documents in your Barmer-App on your device. On devices with the Android operating system, expanding the memory via external storage media is partially supported. In these cases, you may choose to save documents to your memory card.

Is Personal Data Only Stored to the Extent and for as Long as Necessary for Operating the App?

On devices with:

• the Android operating system, the encrypted configuration data are also deleted when the Barmer-App is uninstalled.
• the iOS operating system, the configuration data stored and encrypted in the Keychain remain even after the Barmer-App is uninstalled.

Is Usage Behaviour Analysed in the Barmer-App?

Web Tracking

In order to optimise the Barmer-App, Barmer regularly analyses usage behaviour. For example, we use web tracking to analyse how often our online services are accessed and which content is particularly valuable for users. To do this, anonymised data is collected and stored, and usage profiles are created using pseudonyms. Technically, we use cookies that enable an Internet browser to be recognised.

For implementing web tracking, we use the technologies of econda GmbH, which holds the TÜV certificate "Geprüfter Datenschutz" (Certified Data Protection) from TÜV Saarland for the area of web controlling.

We ask whether you consent to or reject the analysis of your usage behaviour the first time you start the app after installation. You can change your decision at any time in the app settings under "Analyses for Improvements".

Tag Management

The Tealium iQ tag management system is used to load pixels from the providers named in the Privacy Policy to the Barmer websites. Tealium uses cookies to collect certain non-personal data. This cookie becomes invalid after 12 months. The following information is stored in the Tealium cookie:

• Timestamp of the website visit
• ID for the page view
• ID for the visitor
• ID for the session

You can disable the transmission of usage data (usage statistics) at any time in the app settings.

Error Report

We use the Sentry error tracking tool to analyse application errors and resolve issues. We ask whether you consent to or reject error tracking the first time you start the app after installation. You can change your decision at any time in the app settings under "Analyses for Improvements".

If you have given your consent, the tool automatically collects data and information from the requesting device whenever there are technical irregularities in the following areas:

• Mobile device
• Operating system
• App version
• Device ID (created when the app is installed)
• Network status
• Connectivity type
• Storage space (total and available)
• RAM (total and available)
• Number of CPU cores
• CPU frequency
• Battery level
• Time zone
• Language and other location parameters such as character set or date and time format
• Date and time
• Boot time (the time the device was last started)
• Screen resolution
• Screen orientation
• Accessed content and functions

This data is sent to us by the tool in real-time crash reports and error reports and subsequently analysed.

Legal Basis for Processing Personal Data

• This data is processed based on your consent in accordance with Article 6 (1) (a) GDPR. You may withdraw your consent at any time with future effect. The purpose of providing certain services is to fulfil legal obligations pursuant to Article 6 (1) (c) and (e) GDPR, Sec. 3 BDSG (German Federal Data Protection Act), in conjunction with sections 13, 14 SGB I (German Social Security Code Vol. I), in conjunction with Sec. 1 SGB V (German Social Security Code Vol. V), Sec. 25 (2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act).

Purpose of Data Processing

• The purpose of logging is to maintain the compatibility and stability of the app for as many users as possible and to prevent misuse and resolve disruptions. To do this, it is necessary to log the technical data of the accessing device in order to respond as quickly as possible to display errors, attacks on our IT systems and/or malfunctions in the functionality of our app. In addition, the data is used to optimise the app and to generally ensure the security of our IT systems.

Duration of Storage

• The deletion of the aforementioned technical data takes place as soon as it is no longer needed to ensure the compatibility of this app for all visitors – at the latest 90 days after the app is used.

Feedback on the App (Reporting a Problem with the App)

Another function that contributes to the error-free and user-oriented further development of the Barmer-App is the feedback function. Under "Profile" and "Report a Problem with the App", you can individually submit problems to Barmer using the app. In order to understand the context of your feedback, the following data is sent along with the technical information:

• First name and surname
• Insurance number

Which Cookies Are Set by the App?

Cookies are small text files that are stored both in the device memory of your mobile device and in the mobile app you use. Through cookies, certain information can be transmitted to the entity that sets the cookie (in this case: us). Cookies cannot execute programs or transfer viruses to your mobile device. They serve to make mobile apps more user-friendly and effective overall.

We use cookies to realise important user functions. Whenever you use an online service, you simply receive an identification number that is logged in a cookie. The stored cookies therefore do not contain any personal data. They are deleted after your visit. The cookies are not stored on your local hard drive or on our server.

For more information on cookies, please refer to the Privacy Policy for the Barmer Website section.

IP Addresses

Barmer automatically collects and stores log file information on its servers, which your browser transmits to us.

In connection with your access to our servers, your IP address is stored for a short period of time. This storage is used to identify or subsequently track IT risks such as spam, viruses or attacks on our servers.

The requirements of German Telecommunications and Digital Services Data Protection Act (TDDDG) are fulfilled.

Scope of Services

See the Privacy Policy for the Meine Barmer personal member area.

How Is Your Data Protected?

Whenever you are asked to enter data about yourself, your data is protected by TLS encryption during online transmission so that it cannot be read by unauthorised persons. We use TLS encryption with a 256-bit key.

All personal data you enter is stored on a specially protected server. Access to this data is granted only to a few authorised employees and agents of Barmer, who are responsible for the technical and editorial maintenance of the Barmer websites.

Security is the highest priority at Barmer. For this reason, our online services have been thoroughly tested by an independent body. Experts have confirmed to us that the IT systems of Barmer guarantee the highest possible level of security.

For example, our data centre is certified pursuant to ISO/IEC 27001, undergoes regular security checks and is protected from external access by various measures such as firewalls.

Is Data Passed on to Third Parties?

Your data is treated with strict confidentiality. Your data is be passed on to third parties. The data generated when using the Barmer-App is processed exclusively on servers located in Germany or in another EU or EEA member state within the European Economic Area (EEA).

You can read the Privacy Policy for the Barmer eCare and eCare App here.

You can read the Privacy Policy for the Barmer Teledoktor App here.

The directive of the GKV-Spitzenverband (National Association of Statutory Health Insurance Funds in Germany) entitled "Contact with Insured Persons" sets out minimum requirements for the measures that are to be taken to ensure secure identification.

Against this backdrop, Barmer has developed customer-friendly solutions that also ensure an appropriate level of protection for communications. See below for an overview of this.

Chat in Website Public Area

Barmer offers a chat service on its website. User identification does not need to be verified.

The Barmer chat is an electronic communication service that allows you to converse in real time online with a Barmer advisor.

Please understand that, within the framework of this anonymous online service, we can provide only general information and no legally binding statements. The Barmer chat is a purely text-based chat where text characters are exchanged.

The Barmer chat is provided in a separate window, which opens when you click on the corresponding button.

If you use the chat without having previously logged in to Meine Barmer, no data will be transmitted.

If you have provided us with personal data, we will use it only to respond to your enquiries, to process contracts we have entered into with you and for technical administration.

If the personal information collected is no longer required for fulfilling a purpose pursuant to the provisions of the German Social Security Code (e.g., granting a benefit or calculating a contribution), this chat data will be deleted after 12 months. If this data is required in accordance with the provisions of the German Security Social Code, the retention period will be determined by the respective processing purpose. Different retention periods apply here, which are regulated in Sec. 110a SGB IV, Sec. 304 SGB V, Sec. 107 SGB XI and in the General Administrative Regulation on Accounting in Social Insurance (SRVwV) for statutory health insurance funds. Personal information is not passed on to third parties.

Service Chat in the Meine Barmer Personal Member Area

See the Privacy Policy for the Meine Barmer personal member area.

E-mail

Unencrypted e-mails can be read by bystanders. If you send us an e-mail, your e-mail address is only used for general correspondence with you. We are not permitted to send data protection-relevant content to you by unencrypted e-mail. For this reason, in your own interest, we answer personal service enquiries containing sensitive social data by post or via the digital mailbox in the Meine Barmer member area.

Please note that, when sending e-mails to Barmer, certain attachments (e.g., password-protected ZIP files or signature files) cannot be delivered due to our system security requirements.

In addition to communication via e-mail, you have the option to use the digital mailbox in the Meine Barmer member area or the contact form on our website for secure communication with Barmer.

Customer Advice

When soliciting customer advice, please have an official identification document (e.g., your electronic health card or identity card) ready for identification purposes.

Telephone

We ask you to provide various data on your phone to ensure your identity.

Fax

Fax transmission is unencrypted and involves risks. For this reason, Barmer never transmits sensitive personal data by fax.

Encryption

Whenever you are asked to enter data about yourself, your data is protected by TLS encryption during online transmission so that it cannot be read by unauthorised persons. We use TLS encryption in the current version.

Information on Data Processing in Accordance with Article 13 and 14 GDPR

Responsible Body:

Barmer, Axel-Springer-Str. 44, 10969 Berlin
Telephone: 0800 333 10 10
E-mail: service@barmer.de

Contact Details of the Data Protection Officer:

Barmer, Data Protection Officer (Datenschutzbeauftragte), Lichtscheider Straße 89, 42285 Wuppertal
Postal address: Barmer, Data Protection Officer (Datenschutzbeauftragte), 42266 Wuppertal
E-mail: datenschutz@barmer.de

Purposes of Processing

We use your data to fulfil our legal mandate. See below for information about the individual processing purposes in health and long-term care insurance:

Health Insurance (Sec. 284 SGB V):

• Determination of the insurance relationship and membership, including the data required for initiating an insurance relationship
• Issuance of entitlement certificates and the electronic health card
• Determination of the obligation to contribute and the contributions, their bearing and payment
• Examination of the obligation to provide benefits and the provision of benefits to insured persons, including the conditions of benefit limitations, determination of co-payment status and implementation of procedures for reimbursement of costs, repayment of contributions and determination of the burden limit
• Support for insured persons in the event of treatment errors
• Assumption of treatment costs in cases covered by Sec. 264 of the German Social Security Code Vol. V (SGB V)
• Involvement of the medical service or expert opinion procedure pursuant to Sec. 87 (1c) SGB V
• Billing with the service providers, including checking the legality and plausibility of billing
• Monitoring the efficiency of service provision
• Billing with other service providers
• Implementation of reimbursement and replacement claims
• Preparation, agreement and implementation of compensation contracts
• Preparation and implementation of model projects, implementation of care management pursuant to Sec. 11 (4) SGB V, implementation of contracts for family doctor-centred care, special forms of care and outpatient provision of highly specialised services, including performance and quality audits
• Implementation of risk structure compensation pursuant to Sec. 266 and 267 SGB V, for recruiting insured persons for the programs pursuant to Sec. 137g SGB V and for preparing and implementing these programs
• Implementation of discharge management pursuant to Sec. 39 (1a) SGB V
• Selection of insured persons for measures pursuant to Sec. 44 (4) sentence 1 SGB V and Sec. 39b SGB V and the implementation of these measures
• Monitoring compliance with the contractual and statutory obligations of providers of medical aids pursuant to Sec. 127 (7) SGB V
• Fulfilling the tasks of the health insurance funds as rehabilitation providers pursuant to SGB IX
• Preparing care innovations, informing the insured and submitting offers pursuant to Sec. 68b (1) and (2) SGB V
• Administrative provision of the electronic patient file and for the offer of additional applications within the meaning of Sec. 345 (1) sentence 1 SGB V
• Recruitment of members
• Compensation of employer expenses for continued remuneration pursuant to the Continued Remuneration Act (AAG), the Continued Remuneration Act (EntgFG) and the Maternity Protection Act (MuSchG)

Long-Term Care Insurance (Sec. 94 SGB XI):

• Determination of the insurance relationship and membership
• Determination of the obligation to contribute and the contributions, their bearing and payment
• Review of the obligation to pay benefits and the provision of benefits to insured persons, along with the implementation of reimbursement and compensation claims
• Involvement of the medical service
• Billing with service providers and reimbursement of costs
• Monitoring the efficiency, billing and quality of service provision
• Conclusion and implementation of care rate agreements, remuneration agreements and contracts for integrated care
• Clarification and information
• Coordination of nursing care assistance, nursing care consultation, issuance of consultation vouchers and performance of tasks in the nursing care support centres
• Billing with other service providers
• Statistical purposes
• Support for insured persons in pursuing claims for damages

Information and advice with regard to the maintenance, restoration and improvement of the insured person's state of health. This also includes promoting the insured persons' health literacy and personal responsibility (Sec. 1 SGB V in conjunction with Sec. 13 and 14 SGB I).

Furthermore, data processing by Barmer may also occur on the basis of explicit declarations of consent pursuant to Article 6 (1) (a) GDPR in conjunction with Sec. 67b (2) of German Social Security Code Vol. X (SGB X). Consent is given voluntarily and may be revoked at any time with future effect.

We are only allowed to process your data for other purposes if

1. the data is required for fulfilling tasks under other legal provisions of the German Social Security Code than those for which it was collected.
2. it is required to conduct a specific project of scientific research or planning in the field of social services and the requirements of Sec. 75 (1), (2) or (4a) sentence 1 SGB V are met.

Obligation to Provide Data and Consequences of Non-Provision

In the context our fulfilment of our tasks, you are required – on the basis of your obligations to cooperate in accordance with Sec. 60 et seqq. of German Social Security Code Vol. I (SGB I) – to provide the necessary personal data in the individual case or which we are legally obliged to collect. Without this data, we are generally unable to fully or properly carry out our tasks, which may result in disadvantages for you, such as with regard to the paying out of benefits.

Voluntary information, such as your telephone number or e-mail address, is expressly excluded from this data. Should you not provide this data, there is no breach of a duty to cooperate, and you will not suffer any disadvantage as a result. If submitted documents contain data that is not required, it may be redacted.

Your social data processed by Barmer is subject to the data protection requirements of SGB I, SGB X, the Bundesdatenschutzgesetz (BDSG, German Federal Data Protection Act) and also the General Data Protection Regulation (GDPR). Barmer will ensure that social secrecy as provided for in Sec. 35 SGB I is maintained.

Automated Individual Decisions, Including Profiling

In certain business processes, we make decisions that are based exclusively on automated processing. In doing so, we comply with Article 22 of the General Data Protection Regulation (GDPR).

With regard to simple administrative procedures that can be examined and decided by machine according to a specific scheme, we are permitted to make decisions (administrative acts) fully automatically (Sec. 31a of German Social Security Code Vol. X (SGB X). We take into account all information that is relevant to the decision, i.e., that may influence the outcome. If the information provided by the party involved requires it, we will review the decision personally.

Following the fully automated examination of the legal requirements, we will decide on the application. In the process, we will state the main reasons that led to the decision. If you do not agree with the decision, you may have it reviewed by Barmer employees. You are entitled to present your own point of view to us and to challenge the decision.

We also process data automatically in some cases for the purpose of assessing certain personal aspects to the extent permitted by law (profiling). For example, we use profiling in order to provide you with information and advice on products tailored to your needs. You may object to the processing of your data for advertising purposes. We do not use profiling for the implementation of membership, the granting of benefits or the assessment of contributions in accordance with the provisions of the SGB.

Categories of Recipients

Within Barmer, only those departments or individuals who require access to your data in order to fulfil our contractual and legal obligations will receive such access.

Where necessary, Barmer transmits social data on the basis of legal provisions of the German Social Security Code (SGB) or other legal regulations to the following recipients:

• Deutsche Rentenversicherung (German Statutory Pension Insurance Scheme)
• Federal Employment Office
• Statutory accident insurance
• Financial institutions in the context of payment transactions
• Federal Insurance Office for the Health Fund
• Employers and paying agencies
• Social benefits administration
• Defence Area Administration
• Tax office
• Service providers
• Medical service of the health insurance
• Transmission in individual cases pursuant to Sec. 67d et seqq. SGB X
• Commissioned service providers pursuant to Article 28 GDPR in conjunction with Sec. 80 SGB X

Whenever your data is transferred to commissioned service providers of Barmer, we have ensured by means of technical and organisational measures that data protection regulations are observed.

If a transfer is made to a recipient within a category, you will be informed about the recipient unless one of the exemptions under Sec. 82 (1) and (2) SGB X applies or the requirements of Article 13 (4) GDPR are met. This means that the obligation to provide information does not apply if the data subject already possesses the information, if the storage or disclosure of personal data is expressly regulated by statutory provisions or if informing the data subject proves to be impossible or would involve a disproportionate effort.

Data Transfer to a Third Country

Barmer generally does not transfer personal data to entities in third countries (outside the EU or the EEA) or to international organisations.

Duration of Data Storage

The data provided by a data subject is usually deleted in the following cases:

1. If they are not required for contract fulfilment or if there are other retention obligations or legal reasons
2. When the consent granted is revoked
3. If the data storage is inadmissible for other legal reasons
4. If deletion is necessary to fulfil a legal obligation, statutory retention obligations or other legal reasons

There are different retention periods for social data depending on the purpose of processing, which are regulated in Sec. 110a SGB IV, Sec. 304 SGB V, Sec. 107 SGB XI and in the General Administrative Regulation on Accounting in Social Insurance (SRVwV). If your personal data is no longer required for the above-mentioned purposes and is also not required to be retained on the basis of legal provisions, it is deleted on a regular basis.

We process your personal data exclusively within the framework of statutory provisions. This includes the following categories of personal data / social data:

Social Data of Members and Insured Persons

Personal Data:

• Identification features (e.g., insurance number)
• Surname, first name
• Address
• Photo
• Date of birth
• Place of birth
• Telephone number
• Email address
• Family member indicator
• Bank information
• Marital status
• Gender
• Nationality
• Membership in bodies of the insurance fund
• Pension insurance number

Membership Data:

• Pre-insurance periods
• Start and end
• Supervising authorities
• Indicators for benefit provision (e.g., reimbursement of costs, participation in special forms of care)
• Indicators for supplementary insurance policies

Insurance Relationship Data:

• Type of insurance
• Start and end
• Reasons for reporting
• Activity data
• Contribution groups
• Compensation for work / income / pension payments
• Data on exemption from contributions/insurance
• Data on pension application / retirement
• Employer / paying agency

Contribution Data (Direct Payer):

• Contribution target
• Contribution actual
• Payer
• Data for the collection of contributions
• Dunning procedure data
• Tax identification number

Performance Data:

• Type of service
• Diagnostics
• Service prescriber
• Service provider
• Period / benefit receipt
• Expected/actual date of delivery
• Costs
• Data on suspension, interruption, failure, discontinuation of benefits
• Data about other service providers
• Data on contract services
• Data on compensation claims
• Data on pension entitlements
• Co-payments/deductibles
• Data on structured treatment programs, integrated care, model projects, care management
• Data on bonus programs
• Data on elective tariffs
• Tax identification number
• Data on/about calculation, amount and payment of wage replacement benefits
• Data on processing status

Caregiver Data:

• Master data as under "Personal Data"
• Start and end of care activity
• Reasons for reporting, time periods
• Information on verification of the pension insurance obligation
• Information on collection and payment of contributions to the pension insurance institution
• Qualification details
• Data for statistical reporting

Data on Authorised Persons / Legal Representatives:

• Surname, first name
• Address
• Telephone number
• Email address

Social Data of Corporate Clients

• Identification features (e.g., employer number, company number)
• Name
• Address
• Telephone number
• Email address
• Bank information
• Contribution target
• Contribution actual
• Payer
• Data for the collection of contributions
• Dunning procedure data
• Supervising authorities
• Data for company audits
• Data for settlement types
• Data for implementation of the Expenditure Compensation Act (AAG)

Data of Service Providers

• Identification features (e.g., physician number)
• Name
• Address
• Telephone number
• E-mail address
• Data on professional qualification

Data of Contractual Partners and Suppliers

• Identification features (e.g., institutional identification number)
• Name
• Address
• Telephone number
• Email address
• Bank information
• Data on clearing and settlement operations

Data of Recipients of Publications

• Identification features (e.g., type, scope of publications and serial number)
• Surname, first name
• Address
• Email address

Data of Interested Parties

• Allocation details
• Surname, first name
• Address
• Telephone number
• Email address

IT Service Providers

• Provision of IT infrastructure (hardware and software)
• Provision of IT and telecommunications services, including cloud applications, telecommunications, consulting and support, maintenance and support
• Identification services: Identification of individuals for substantial or higher protection levels

Billing Service Providers

• Review of invoices from service providers

File and Data Carrier Destruction Companies

• Disposal of files and data carriers

Service Providers for Customer Satisfaction Surveys, Market Research, Marketing Activities

Service Providers for Translation Services

Print and Mailing Service Providers

• Creation and dispatch of information materials
• Printing services
• Newsletter (e-mail)

Providers of Digital Products

• Provision of digital health services for Barmer, including Barmer-Apps and the electronic health card

Archiving Services

• File archiving

Insofar as Barmer processes your personal data, you may exercise the following rights via the contact details provided in the section "Contact Details of the Controller, the Data Protection Officer and Our Supervisory Authorities", provided the legal requirements are met:

1. If data processing is based on your consent, you have the right to revoke this consent at any time with future effect.
2. The rights arising from Articles 15, 16, 17, 18, 20 and 21 GDPR (right of access, right to rectification of inaccurate data, right to deletion of data, right to restriction of processing, right to data portability, right to object).
3. The right to contact the Barmer Data Protection Officer to raise your concerns (Article 38(4) GDPR).
4. The right to lodge a complaint with a competent data protection supervisory authority. To this end, you may contact the competent supervisory authority for Barmer.

The aforementioned rights can only be fulfilled by Barmer to the extent that the data to which the asserted claims relate can be clearly attributed to your person.

If you have technical questions or questions regarding the use of your personal data by Barmer, it is best to contact us first – either by e-mail at service@barmer.de or by telephone at 0800 333 1010 (calls from the German landline and mobile network are free of charge for you). You can reach us by post at Barmer, 42266 Wuppertal.

Furthermore, you can also contact our Data Protection Officer by e-mail at datenschutz@barmer.de. You can reach our Data Protection Officer by post at Barmer, Data Protection Officer (Datenschutzbeauftragte), 42266 Wuppertal.

The contact details of our supervisory authorities are:

• Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information – Germany)Graurheindorfer Str. 153, 53117 Bonn, e-mail: zast@bfdi.bund.de.
• Bundesamt für Soziale Sicherung (Federal Office for Social Security – Germany), Friedrich-Ebert-Allee 38, 53113 Bonn, e-mail: poststelle@bas.bund.de.