Best possible protection for your data


The protection of your personal data is extremely important to us. That is why we see the development of effective protective measures as an important task. We want you to be able to trust us.

The German version is the authoritative version. The English version is provided for comprehension and translation purposes only.

This privacy policy explains how we handle personal data and what we do to protect your data in the following areas:

  • Offers and services for all interested parties and insured persons of Barmer: Barmer website, social media, newsletters and mailings, online competitions, and other services on our website
  • Online services that are only accessible to insured persons with a Barmer user account: the member area Meine Barmer in the app and on the web, Barmer eCare, and Barmer Teledoktor
  • Communication with insured persons: how you can contact us via chat, email, phone, and more
  • Details regarding data processing, categories of data and data processors and your rights – including contact information should you have specific questions about data protection

This Privacy Notice is currently valid and was last updated on 11 December 2025. As Barmer services evolve, it may become necessary to amend this notice. Insured persons with a Barmer user account will be informed by Barmer if we make changes or additions to this Privacy Notice. You can access and print the current notice at barmer.de/datenschutz at any time.

Through its website, Barmer provides articles and information about its services and health topics. Insured persons can access the Meine Barmer member area via the website.

Insofar as personal data are collected on this website, this is done either on the basis of your express consent (Article 6 (1) p. 1 (a) GDPR), to fulfil legal obligations to which Barmer is subject (Article 6 (1) p. 1 (c) GDPR), or to perform tasks in the public interest or in the exercise of official authority vested in Barmer (Article 6 (1) p. 1 (e) GDPR).

Accessing and purely informational use of our website

Every time our website is retrieved and used for informative purposes, the browser used on your end device automatically sends data and information to the server of our website. The following data are collected:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Contents of the request (specific page)
  • Access status / HTTP status code
  • Amount of data transmitted in each case
  • HTTP referrer
  • User agent (operating system, browser, etc.)
  • Language and version of the browser software
  • Action type or type of retrieval
  • Other similar data and information used for security purposes in the event of attacks on our information technology (IT) systems

These data are also temporarily stored in log files in our system. These data are not stored together with your personal data. The temporary storage of the IP address by the system is necessary to provide you with the website. To this end, the IP address must remain stored for as long as the website is used.

Storage of the aforementioned data in log files

Storing the aforementioned data in log files is necessary for the following purposes:

  • Provision of access to the website
  • Analysis and elimination of possible technical problems
  • Assessment of system security and stability

The legal basis for data processing is Article 6 (1) (c) and (e) GDPR, Sec. 3 BDSG (German Federal Data Protection Act), in conjunction with Sec. 13 and 14 SGB I (German Social Security Code Vol. I) in conjunction with Sec. 1 SGB V (German Social Security Code Vol. V), Sec. 25(2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act) insofar as data processing is necessary to provide the website.

The data collected for providing the website will be deleted when the session on the website has ended.

The log files are kept for a maximum of 90 days and then deleted.

Use of cookies and similar technologies

We use technologies such as cookies and plugins on our website. Cookies are small text files that are stored on your device when you visit websites. They can store information you enter, as well as settings such as the language or display preferences of a website. If you revisit the website using the same device and browser, the web server recognises by means of the cookie ID that you have visited before and adapts content and functions accordingly. This is how cookies help to improve user experience on the internet.

Barmer uses its own cookies (first-party cookies) as well as cookies from third parties (third-party cookies). Depending on their purpose and function, cookies can be divided into the following types:

Technically necessary cookies

Technically necessary cookies are essential for providing our website and its functions and cannot be deactivated. They ensure that users can navigate our web pages or access the Meine Barmer members' area.

Analytics cookies

Analytics cookies help us to better understand user behaviour. Pseudonymised user profiles are used to record how users interact with our content. It is not possible to directly identify a person. For example, this enables us to find out how often a particular web page is accessed or how long visitors stay on our pages. This allows us to further develop and improve our content in line with user interests.

Marketing cookies

Marketing cookies support us in placing advertisements on the websites of our advertising partners (remarketing cookies) and in measuring the effectiveness of our campaigns (conversion cookies). It is not possible to directly identify a person. Marketing cookies help us display advertising content that is as relevant to you as possible. If these cookies are not set, you can still see advertising from Barmer, but it may be less relevant.

Services provided by other companies (independent third-party providers)

On our barmer.de website, we use services provided by third parties such as YouTube and Google Maps. These external contents are not active on our website by default, a fact that we clearly point out. They only appear after you have actively chosen to enable them, either via the slider for external content or within the privacy settings.

Third-party providers may be based outside the European Union. This may also include countries where the level of data protection does not correspond to the GDPR standard in Germany. If your data are transferred to the USA, it may be accessed and used by US authorities for the purposes of monitoring and oversight without you having any legal means of redress. Detailed information about third-party providers and their services can be found in the privacy settings.

You can make your individual choices within the "privacy settings": you decide whether cookies and similar technologies from the categories of analytics, marketing, and third-party providers are used. You can revoke your consent at any time with future effect or adjust the settings to your specific needs.

In the "Services" section, you will find detailed information about all services, including processing purposes, legal bases and technologies used. The consent status for each individual technology, such as cookies or plugins, is documented transparently. You will also find a personal ID (visitor ID) there, which you can use to obtain information about your consent if required.

Reference to social media channels

Use of plugins

Plugins are generally defined as independent software modules that enable the integration of additional functionalities. Examples include Like and Share buttons from social media providers and advertising networks.

Barmer maintains various channels within social networks to communicate with users active there or to provide information. Furthermore, Barmer can be contacted via these channels and is thus available for all matters related to social security law.

Information for visitors to our social media channels

  • Do not publish any data or information on social media that you do not wish to make public. Think about what data you want to put there and with whom you want to share it. Review the privacy preferences on your social media profiles. Your data may be automatically visible to all users.
  • Any questions you ask us on the social media channels may only be answered by us in compliance with data protection laws. We are allowed to provide general information about health, our healthcare services and insurance law. However, we are not allowed to address specific cases of insured persons or the cases of others. As a public health insurance fund, we must treat the data of those we insure confidentially. This precludes communication about personal matters via public channels.
  • Barmer does not store any personal data of individual visitors to its social media presences in its systems. Comments, posts and suggestions are used solely to improve advice and service.
  • If participant data are collected in the context of competitions, users will receive further information in the respective terms and conditions of participation.
  • Please observe the generally applicable principles for the use of social media portals and take into account copyright law and the netiquette of Barmer social media channels. Discrimination, bullying and insults are not tolerated by Barmer, either on the Internet or in real life. In the event of any violations of netiquette, Barmer reserves the right to delete the relevant content.

Share buttons

When you click a Facebook, Twitter, Instagram, YouTube, XING, or LinkedIn button on barmer.de, your browser establishes a direct connection to the respective service provider. In doing so, information is transmitted to the respective service provider that the corresponding web page on barmer.de was accessed or that a specific service on barmer.de was used. We have no control over the scope of the data that service providers collect using the share buttons.

Barmer Chat is a chatbot and knowledge assistant based on artificial intelligence (AI). As part of text-based communication, it prepares content from the public area of our website barmer.de and provides it as answers to users' questions. Using Barmer Chat is voluntary. You do not need to register or be insured with Barmer.

Purpose of data processing

The chatbot uses large language models (LLMs) and neural networks to analyze user input and generate responses:

  • You ask your questions in natural language and receive tailored, relevant answers without having to spend a long time searching the website.
  • Information from multiple subject areas is consolidated and presented in line with your query.
  • Where appropriate, you receive links and references to additional information and services.

At the end of a conversation, you can provide feedback on Barmer Chat. Providing feedback is voluntary. It is used solely to improve the chatbot.

Please also read our Terms of Use.

The processing of your data by the chatbot is based on Article 6 para. 1 point c and e GDPR, Section 3 of the Federal Data Protection Act (BDSG), in conjunction with Sections 13 and 14 of Book I of the German Social Code (SGB I) together with Section 1 of Book V of the German Social Code (SGB V), as well as Section 25 para. 2 no. 2 of the Telecommunications-Digital Services Data Protection Act (TDDDG), as the chatbot is used in the context of using the services on the website.

Collection and processing of data

As part of the interaction, the chatbot processes all information you enter, as well as data and information about the web page from which you open Barmer Chat.
The chatbot also processes technical information:

  • Your IP address
  • Log data such as timestamp, browser type, and device
  • Metadata such as language settings and the source web page

These data are used to ensure the chatbot's functionality. The data are not shared with third parties. Your questions and inputs are not used to train language models.

Personal data such as name, email address, or health insurance number are not systematically collected or stored. Please do not enter such data.

Retention and deletion periods

The contents of the conversation, that is, your questions, the answers generated by the chatbot, and any optional feedback, are deleted after 12 months. The log and metadata required for the technical implementation of the chatbot are deleted as soon as the purposes for which they were collected no longer apply, but no later than after 4 weeks.

Facebook and Instagram

Barmer uses the technical platform and services of Facebook Ireland for the information service offered here. Visitors to our page on Facebook or Instagram are statistically analyzed (tracking). As the page operator, we can view these statistics in "Insights." The page statistics to which Barmer has access as the page operator are used to evaluate reach, interactions and posts and do not enable any conclusions to be drawn about individuals or profiles. Joint controllership is regulated as follows: Data subject rights may be asserted both with Facebook Ireland and with us. The primary responsibility under the GDPR (General Data Protection Regulation) for the processing of Insights data lies with Facebook, and Facebook fulfils all obligations under the GDPR with regard to processing. Facebook Ireland provides the essence of the Page Insights Addendum to the data subjects. We do not make any decisions regarding the processing of Insights data and all further information arising from Article 13 GDPR, including the legal basis, identity of the controller and the storage duration of cookies on users' end devices. You can find the current Page Insights Addendum Regarding the Controller with Facebook here.

YouTube

Our website uses plugins for the website YouTube. The operator of the YouTube pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. We use YouTube in privacy-enhanced mode. This mode, according to YouTube, results in YouTube not storing any information about the visitors on this website before they watch the video. Privacy-enhanced mode, however, does not necessarily exclude data being shared with YouTube partners. For example, YouTube – irrespective of whether or not you play a video – connects to the Google DoubleClick network. A connection to YouTube's servers is established as soon as you start a YouTube video on our website. The YouTube server is thereby notified about which of our pages you have visited. If you are logged into your YouTube account, you allow YouTube to link your browsing behaviour directly with your account. You prevent this by signing out of your YouTube account. YouTube may, in addition, store various cookies on your end device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to our website. This information is used to collect video statistics, improve user-friendliness, prevent attempted fraud, etc. The cookies remain on your end device until you delete them. After starting a YouTube video, further data processing operations may be triggered over which we have no influence. The legal basis for the data processing described in this paragraph is Article 6 (1) (a) GDPR (consent of the data subject).

Further information about data protection at YouTube can be found in their privacy policy at https://policies.google.com/privacy?hl=en

Newsletter

At various points, you have the option to subscribe to one or more email newsletters. By doing so, you give us consent to use your email address for promotional purposes. The sender of the emails is always Barmer. The content of the emails consists of information, offers and benefits from Barmer.

Registering for a newsletter

For a valid registration, we require a valid email address. To verify that the registration is actually being carried out by the owner of an email address, we use the double opt-in (DOI) procedure. We record the request for the newsletter, the sending of a confirmation email and the receipt of the response requested for this purpose. To document each process, we record the exact time and the IP address of your device.

Content-specific newsletters and personalised newsletters

If you choose to subscribe to a newsletter, we will not tailor its content to your interests. Accordingly, we do not require any data from you for profiling purposes but limit ourselves to the data necessary for the immediate provision of the newsletter. Typically, this includes your email address and, if applicable, other individual information such as your name or, in the case of the pregnancy newsletter, your expected due date, due to technical procedures.

In addition, the contents of the newsletter can be personalised so that they match your personal interests. Details of this profiling can be found below in the section "Personalisation and prospect profiles".

Subscribers may also be informed by email about circumstances that are relevant to the service or their registration (e.g. changes to the newsletter service or technical conditions).

Retention and deletion periods

When you register for the newsletter, your data will be stored until you withdraw your consent. Successful registration takes place when you click the confirmation link in the email addressed to you.

If you do not confirm the newsletter registration link in your email, we will store your data for up to 6 months. After that, the link will become invalid, and registration via the link will no longer be possible. You can, of course, re-register by signing up again.

As soon as you unsubscribe from our newsletter, such as via the unsubscribe link included in every mailing, you will be completely unsubscribed from the respective (topic-specific) newsletter within 24 hours. Your data will be transferred to the unsubscribe list, where it will be stored for up to 6 months for statistical purposes and then automatically deleted.

Revocation of content-specific newsletters

You can revoke your consent to the storage of your personal data and its use for the newsletter dispatch at any time. There is an unsubscribe link at the end of each newsletter. The revocation of your consent does not affect the lawfulness of the processing conducted on the basis of the consent until the revocation. Technical and organisational processing times mean that, in exceptional cases, you may receive the respective newsletter a second time after you have unsubscribed.

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Personalisation and prospect profiles

If you mainly want to receive content that is relevant to you, you can give consent to profiling using a prospect profile. Please note that profiling will only take place after you have given your consent and that a one-time consent to profiling will apply to all newsletter services of Barmer that you have already subscribed to or may subscribe to in the future until you withdraw your consent. You can withdraw your consent at any time by unsubscribing from the newsletter.

Service providers used

As part of personalised marketing campaigns, we use the campaign management services of a service provider based in Germany. Data processing takes place exclusively in Germany.

Prospective customer profile

We need to understand your interests as best we can in order to show you content that is relevant to you. We therefore create a prospective customer profile of you for the personalised information.

In this prospect profile, we store identifying characteristics such as salutation, first and last name or email address, and date of birth, together with your contract and usage data. The contract data comprise only the status of your membership, that is, whether you are a Barmer member. In particular, the usage data includes your response to our marketing activities (the newsletters sent to you and opened, clicks on links within a newsletter, etc.). This enables us to personalise our services for you. In this way, for example, the newsletter will provide you with information about healthcare services that are relevant to you or special offers that suit you – whichever applies to you.

Data sources

During our mailing campaigns, we combine data from various Barmer sources in prospect profiles in order to obtain the best possible understanding of your interests. These sources depend on the declaration of consent you voluntarily provide and may include the following data:

Email service provider:
Your registration information, such as consents given via the double opt-in procedure or the details you provided in the registration form or clicks within a newsletter. Clicks within the newsletter are measured by the email service provider. Specifically, this includes data such as openings of a mailing, clicks on text and image links and, if applicable, download actions within an email. This information is linked to a unique identifier of the recipient. Based on this identifier, target groups can later be formed, such as for those recipients who have clicked on a specific link. If no consent for profiling is present, click behavior is measured only anonymously.

Barmer master data:
To provide the best possible content for Barmer prospects and Barmer insured persons, we may check whether you are already insured with us. This allows us to inform prospects in our mailings about the advantages of membership with Barmer.

(Offline) participation cards, e.g. for competitions:
For example, it is also possible that you give us consent to use your data as part of marketing mailing campaigns after participating in an offline competition (such as via a card). In this case, this information may be used for email marketing campaigns.

Data or usage data in the case of personalisation

  • Start and end time of a usage
  • Newsletter opening
  • Click on the content of a newsletter
  • Title
  • First name
  • Last name
  • Postcode
  • Address
  • Language
  • Country
  • Application source
  • Email address
  • Consent – for example, to receive a newsletter
  • Date of birth
  • Insured status
  • Interests
  • Delivery date
  • Gender
  • Information about children
  • Graduation class
  • Telephone number
  • Information on the use of additional services provided by Barmer, such as apps, digital surveys, online seminars, competitions
  • Other information provided in a registration form

Retention and deletion periods for profiling

Barmer uses your data to provide you with tailored, personalised information and offers. You can revoke this consent to profiling at any time. Your profiling consent no longer applies if you have actively unsubscribed from all subscribed newsletters via the respective unsubscribe link. When you unsubscribe completely from the newsletter service, your profile data are still stored for statistical purposes and automatically deleted within 6 months.

Impact of unsubscribing from newsletters and profiling

You can unsubscribe from a newsletter at any time. To do so, please click on the unsubscribe link located at the end of the respective newsletter. Other newsletters to which you have subscribed will not be affected and will continue to be sent to you.
Your profiling consent no longer applies if you have actively unsubscribed from all subscribed newsletters via the respective unsubscribe link.

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Digital information material

You can order digital information material through various channels. By doing so, you grant us your consent to send a download link to the digital information material to an email address provided by you for this purpose. The sender of the emails is always Barmer.

Ordering and downloading digital information material

We require a valid email address for your order to be processed. To ensure that the order is genuinely placed by the owner of the email address, we use what is known as the double opt-in (DOI) procedure. To this end, we log the order of the digital information material, the dispatch of a confirmation email and the receipt of the required response. To log the individual steps, we record the exact time and the IP address of your device. This is necessary for security reasons, including the prevention of server overloads caused by cyberattacks.

Once your confirmation email has been received as part of the DOI procedure, you will receive the link to download the digital information material.

Retention and deletion periods

After your confirmation via the DOI procedure, we store your data for up to 150 days for reporting and statistical purposes. After this period, the data are deleted automatically. If the DOI procedure is not confirmed, the email address will be stored in the Inxmail subscription manager log due to our obligation to provide information.

For newsletters that you subscribe to together with ordering the digital information material, or that you have already subscribed to, the information in the "Newsletter" section above applies.

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Communication by email in the context of the online membership application

If you wish to become a member of Barmer and use our online membership application for this purpose, we will collect your email address. We can use email to contact you quickly and easily should we have any questions regarding your membership application.

In addition, we will ask for your consent to provide you with a one-time and personalised communication regarding the services and advantages of membership with Barmer. This consent applies only in connection with your online membership application and will result in an email being sent to you if you do not complete and submit the online membership application to Barmer. It is voluntary and can be withdrawn at any time with effect for the future.

The legal basis for the data processing described in this section is Article 6 (1) (a) GDPR (Consent of the Data Subject).

Information and advice via email

If you receive a topic-specific customer mailing, we fulfil our role as a health insurance fund by providing information and advice on rights and obligations under the German Social Security Code. We limit the use of your data to what is necessary for the immediate provision of the customer mailing. Typically, this includes your email address, which you have provided to us voluntarily, and any further individual information such as your name.

You may object at any time to the storage and use of your personal data for the delivery of topic-specific customer mailings. Each customer mailing contains a corresponding unsubscribe link at the end of the mailing. By clicking on the unsubscribe link, you will be unsubscribed from all customer mailings within 24 hours. The lawfulness of processing carried out up to the point of objection remains unaffected by this. Unsubscribing from a topic-specific customer mailing does not mean that you will be unsubscribed from a newsletter you have subscribed to. You will therefore continue to receive the newsletters you have personally subscribed to.

The legal basis for the data processing described in this paragraph is Sec. 13 SGB I (German Social Security Code Vol. I – Information) in conjunction with Sec. 1 (1) SGB I (Support for Self-Help) and Sec. 1 SGB V (German Social Security Code Vol. V). The processing is required for fulfilling the tasks assigned to Barmer as a public law corporation under the German Social Security Code, Article 6 (1) (e) GDPR.

Barmer is the organiser responsible for competitions advertised and accessible through various media.

Contact details for the controller, the Data Protection Officer and our supervisory authorities can be found in the relevant section further below in this privacy policy.

As the organiser, Barmer processes personal data for participation in competitions and stores it within the statutory retention periods insofar as this is necessary for establishing the legal relationship with the participant and for subsequent implementation and handling of the competition (Article 6 (1) (b) GDPR). Any additional declarations of consent for advertising purposes are based on Article 6 (1) (a) GDPR.

From a technical perspective, the collection and processing of personal data is carried out using the double opt-in procedure. When sending the emails and handling the double opt-in process, we use Inxmail, an email service provider based in Freiburg, Germany. Data processing is conducted exclusively in Germany and is limited to online competitions only.

In particular, this involves the following personal data:

depending on the competition, the participant's postal address and/or email address for the purpose of notification of winnings and/or delivery or provision of the prize, their telephone number to help ensure notification of winnings in the event of accidental data entry errors and the date of birth for age verification purposes.

Detailed information on individual competitions, the relevant legal bases and the purposes of data processing can be found in the respective Terms of Use and Participation.

Depending on the competition, the data may be transmitted to service providers such as specialist retailers, tour operators, or other third parties that provide services on behalf of Barmer (processing on behalf, Article 28 GDPR).

Information on data subject rights can be found in the corresponding section further below in this privacy policy.

Response code processes (no Barmer user account required)

At barmer.de/online-antwort, insured persons can use a response code provided by Barmer to submit selected feedback or applications to Barmer online.

Additional personal data are used for the use of the respective services. The personal data transmitted to Barmer is determined by the respective input form. The respective data protection information is also provided with the relevant service.
All additional data created in the other services are only used for the respective purpose and not passed on to third parties.

Reporting barriers

The feedback mechanism is critical to the continuous improvement of accessibility. The feedback mechanism provides us – the operator of the website and/or mobile application – with indispensable information to further reduce barriers. We also receive information on how frequently issues are raised by users. Pursuant to Sec. 12b (2) no. 2 in conjunction with Sec. 1 (2) sentence 1 of the German Federal Act on Equal Opportunities for Persons with Disabilities (BGG), we, as a direct public law corporation, are obliged to provide users of our website and/or mobile application with the opportunity to contact us electronically – for example, in order to report existing barriers. Barmer is required to respond to feedback within one month. For this purpose, we process the data necessary to perform our tasks. The personal data transmitted to Barmer in this context is determined by the feedback mechanism form. We receive the data to pursue the purposes stated above. Transmission to third parties does not take place. The data are stored for the duration of the task performance in accordance with the legally prescribed retention periods and then deleted. There is no obligation to enter contact data in the feedback form. If you do not provide your contact details, we cannot respond to your feedback or inform you of any measures we may have taken as a result of your report.

Barmer insured persons can use digital offerings that we develop and provide together with cooperation partners. Barmer bonus programs are also provided as a digital offering. If you wish to use a specific service, we will ask you for personal data, such as your email address. The data required may vary depending on the service.

We only collect and store personal data for the digital service you have chosen. Information that you voluntarily provide to us for this purpose may be processed and used to contact you. For example, this may be the case if we have information for you during the term of the service or if we contact you after completion to ask about your experiences and satisfaction with the service.

Additionally, you can decide whether we may send you information for marketing purposes beyond the selected digital service. This consent is voluntary. You can also use the service without granting this consent.

Retention and deletion periods

We process data relating to our digital offerings from cooperation partnerships and bonus programs for as long as you use the offering. This means from the time you actively register or, for example, enter a requested access code until the end of the usage period. You will receive detailed information when you start using the service.

Revocation

Your decision to use a Barmer digital offering from cooperation partnerships and bonus programs is voluntary. You can revoke it informally at any time with effect for the future, by phone, email, or post to us, or within the offering itself.
Information on your data subject rights and our contact details can be found below in the sections "Your data protection rights" and "Contact details of the controller, the data protection officer, and our supervisory authorities".

Thanks to the apps and skills of Barmer, you always have your health insurance with you. You can find an overview of other digital offerings from Barmer here: The apps and skills of Barmer

For information on how your personal data are processed when using other digital services, please refer to the privacy policy for the respective app.

The Barmer user account provides insured persons with access and is a prerequisite for using protected online services of Barmer.

Purposes of processing

When you create a user account, we collect and process personal data for the following purposes:

  • Initial set-up of the Barmer user account
  • Provision of the Meine Barmer member area
  • Management of the information stored in the Barmer user account
  • Identification and authentication for digital services of Barmer for which a Barmer user account is required. These are the member area Meine Barmer in the app and on the web, Barmer eCare, and Barmer Teledoktor

Creating the Barmer user account (registration)

The following steps are necessary to create the Barmer user account:

  • Collection of last name, first name, date of birth, insurance number
  • Collecting an email address
  • Collecting a phone number
  • Consenting to the Terms of Use
  • Verifying the email address and telephone number

In addition, the following information is required:

For registration via Meine Barmer (online)

  • Creating a password
  • Identification and device binding / creation of a strongly authenticated phone number via
    • entering the activation code sent by post (for identification at the standard protection level) or, alternatively,
    • identification via the Barmer-App using procedures other than the activation code for immediate identification at a high protection level. You need this if you want to use Barmer eCare. More on this in the next section.

For registration and authentication via the Barmer-App

  • Setting a PIN in the Barmer-App
  • Identification, registering a security device, and creation of a strongly authenticated phone number via
    • an identity card with a PIN
    • an electronic health card with a PIN
    • entering an activation code sent by post or
    • personal identification at a Barmer branch office

The following personal data are processed as part of the Barmer user account:

  • User ID
  • Display name (consisting of title, name prefix, name suffix, first name and surname)
  • Address (street, number, postcode, city)
  • Date of birth
  • Place of birth
  • Gender
  • Username
  • Password chosen by the user
  • Barmer PIN
  • Insurance number
  • Email address
  • Telephone number
  • Electronic health card
  • Security device (Barmer-App)
  • Activation code
  • One-time password

For example, you can use the following services with your Barmer user account:

Barmer eCare

In addition, the following data are transmitted to and stored in Barmer eCare. These are needed to technically verify whether you have already agreed to the Barmer eCare privacy policy:

  • Personal identification number
  • Insurance number
  • Display name (consisting of title, name prefix, name suffix, first name and last name) - to enable your personal salutation in Barmer eCare
  • Email address – for notifications

Barmer Teledoktor

Barmer Teledoktor is a free offering from the Barmer-App that, in principle, all insured persons of Barmer can use. To use it, you need an activated Barmer user account, the app installed and consent to an additional privacy policy.

Barmer Teledoktor is also the access point to additional healthcare services such as video consultations or the digital skin check (remote medical treatment). These services constitute special care under Section 140a of Book V of the German Social Code (SGB V), for which separate consent to participation and data processing can be given within Teledoktor. The declarations and use are voluntary and constitute an optional offering.

Login using Touch ID and Face ID (iOS) or fingerprint and facial recognition (Android)

See the privacy policy for the Barmer-App below.

Logging in the event of incorrect entry or blocking of the password / PIN

To prevent unauthorised use of personal access to the digital services of Barmer – in your interest as well – the following processes are logged:

  • Login attempts
  • Failed login attempts
  • Each triggered processing operation (transaction)

In this context, the user ID, time, date, type of identification and a transaction identifier are logged. The IP address is also stored in the case of failed logins.
The purposes of processing these data are

  1. preventing misuse of our services and
  2. investigating criminal offences if necessary.

The legal basis for processing these data is Article 6 (1) (e) GDPR in conjunction with Sec. 3 BDSG (German Federal Data Protection Act) and Sec. 25 (2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act). The data will be deleted when it is no longer required for processing purposes.

Logging and analysing user behaviour

The last time you logged in to your Barmer user account is recorded. To verify whether you have agreed to the most current version of the Terms of Use and Participation, this timestamp is compared with the consents stored. If there have been any changes to the Terms of Use or the Privacy Policy since your last login, we will inform you during the login process.
Please also refer to the privacy policy for the Barmer website.

These data are processed based on your consent in accordance with Article 6 (1) (a) GDPR. You may withdraw your consent at any time with future effect. To do so, simply go to your user account in the Meine Barmer member area via the app or on the Internet.

Measures to protect your data

Barmer and its processors are obliged to implement technical and organisational measures that are suitable for adequately protecting your data against possible risks. In doing so, we take into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing. We also consider the likelihood of various risks occurring and the potential severity of their impact on the rights and freedoms of natural persons. These measures also include the consistent encryption of resources such as databases, virtual machines and data storage systems.

Disclosure to third parties

Data are not disclosed by Barmer to third parties, i.e., natural persons or legal entities, government authorities, institutions or other entities. The only exceptions are processors who, on behalf of Barmer, perform specific tasks in connection with the user account. To this end, Barmer has concluded a data processing agreement with each of its processors in accordance with Article 28 GDPR.

As the data controller, Barmer ensures that its processors are "suitable". This means that the processors also implement suitable technical and organisational measures to meet the requirements of the GDPR and to protect the rights of the data subjects. For this reason, before awarding any contract, we check whether a processor is "suitable" in this sense.

Retention and deletion periods

The data are stored for as long as the Barmer user account is active or blocked. When the Barmer user account is deleted by the user, the data relating to the Barmer user account is also deleted.

If your Barmer user account is not activated within 63 days, it is automatically deleted by Barmer. The user account is also deleted once the insurance relationship has ended. Insured persons receive a notification 10 days prior to and immediately after the deletion.

If the insurance relationship ends due to the death of the insured person, the user account is blocked and a notification is sent 10 days before deletion.

Deleting a user account

Users can delete the Barmer user account at any time in the Meine Barmer member area (website or app) under "Manage Barmer User Account". At the request of the user or insured person, Barmer can also delete the Barmer user account via Support. Upon deletion, consent to data processing is considered revoked for the future.

You have the option to use the Meine Barmer member area. This is available via our website barmer.de/meine-barmer (see information above) and the Barmer-App (see information below). Registering and creating a Barmer user account are required for this. Whenever a Barmer user account is created, personal data are collected and processed. You can find more information on this above in the section on the Barmer user account.

Through Meine Barmer, we offer services, applications and content exclusively for persons insured by Barmer. You can also communicate directly with us, e.g. via Barmer Live Chat, Barmer email, or the inbox.

The user's consent to the processing of these data is already obtained at the time of registration and the creation of a Barmer user account. The purpose of processing is to provide the services and content in Meine Barmer.

The data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. This applies to data processed while using Meine Barmer once the data are no longer required for contract fulfilment and there are no longer any statutory retention obligations preventing its deletion. This principle also applies when deleting the Barmer user account (see information on the Barmer user account above).

If you use the Meine Barmer member area, your data are processed for the following purposes:

  • Identification or verification of your membership with us or of the family insurance with a relative who is a Barmer member
  • Provision of services and content exclusively for Barmer insured persons in the member area Meine Barmer

The legal basis for processing these data based on your consent is Article 6 (1) sentence (1) (a) GDPR. The provision of certain services serves to fulfil statutory obligations in accordance with Article 6 (1) (c) and (e) GDPR, Sec. 3 BDSG, in conjunction with Sec. 13, 14 SGB I, in conjunction with Sec. 1 SGB V and Sec. 25 (2) no. 2 TDDDG.

The Barmer user account is used for logging in to the member area. Information on data collection and processing within the framework of the Barmer user account can be found above in the section on the Barmer user account.

Scope of services in Meine Barmer

In Meine Barmer, you have the option to use services such as submitting applications for healthcare services. You can also request changes be made to your personal data or manage them.

A few services require additional information and data from the user. These are requested when accessing the respective extended service, where necessary. These data are required by Barmer solely to provide the respective service.

For the use of the respective services, additional personal data are used and processed. The personal data transmitted to Barmer in this context is determined by the respective input form of the corresponding service. Similarly, where necessary, additional data protection information is provided with the respective service.

All additional data created in the other services are only used for the respective purpose and not passed on to third parties.
If users make enquiries, it may be necessary for Barmer employees to access the user's data for the respective service in order to respond to the enquiry, provided this is permissible under data protection law. All employees involved in supporting the services are bound by confidentiality and are obliged to comply with social data protection requirements.

Individual services can be deactivated or logged off. If you deactivate or unsubscribe from a service, the data you have stored for this purpose is deleted in compliance with the legal deletion requirements.

Mailbox

The mailbox is an integral part of the Barmer user account and cannot be deactivated. The mailbox is used for secure and data protection-compliant communication between insured persons and Barmer. Insured persons can use the mailbox to transmit or submit documents or information to Barmer. In cases where Barmer is unable to process a submission, the mailbox will be used as a feedback channel for such information. Barmer provides information from various services in the mailbox.

Messages posted to the mailbox by Barmer and messages sent by insured persons to Barmer will be retained in the mailbox for a maximum of 6 years. If insured persons save their message as a draft or move a message to the recycle bin, these messages will be retained for a period of 90 days. The individual retention period is displayed in each mailbox message. Once the individual retention period has been reached, the messages will be deleted. In addition, insured persons have the option to delete messages in the mailbox at any time on their own initiative. If the user account is terminated by the insured person, the mailbox messages will also be deleted at the end of the user account.

Notification of new message

Insured persons are notified by Barmer of incoming messages in their mailbox. Notification is sent via email and/or SMS, linked to the information (email address) from the Barmer user account or a telephone number, which can be specifically stored by the insured person for these notifications.

For mailbox use via the Barmer-App, insured persons also have the option of being notified of mailbox entries by push notification on their mobile device. Further information on push notifications can be found in the Privacy Policy for the Barmer-App.

Notification of digital letter delivery in the mailbox

You will be notified by email or SMS of every letter delivered to the mailbox. The email address or telephone number stored in the user account is used for this purpose.

Health Manager

With the Health Manager, you receive individual preventative care and vaccination recommendations, as well as an overview of your dental bonus. For full transparency, you can also view all billing statements from doctors or pharmacies, for example. Your customer and billing data will be used to provide you with these personalised services as part of the Health Manager. Any additional data entered in the Health Manager will not be used for any purpose other than health management and will not be disclosed to third parties.

Notification from the Health Manager

Insured persons are notified of important events related to the Health Manager. The notification is sent to the email address stored in the Barmer user account.

Barmer bonus offers

Our bonus offers – Barmer Bonus, Barmer Erfolgsbonus, and Barmer Extrabonus – are part of Meine Barmer and a free additional offering. In principle, all Barmer insured persons are eligible to participate. The separate privacy policies of the respective offer apply to their use.

Kompass

The Kompass is part of Meine Barmer. Here you can find selected applications for healthcare services submitted over the past ten years, including their respective processing status. For example, you can see when a sickness notification, prescription, or birth certificate was received and processed by Barmer. You also receive information on how your income replacement benefit (e.g. sickness benefit, injury benefit) is calculated and when and in what amount it was paid.

The data displayed in the Kompass are based on the data stored by Barmer. All additional data entered in the Kompass are used solely for the optional extension of Kompass functions (e.g. calculation of the anticipated co-payment amount for approved follow-up rehabilitation) and is not disclosed to third parties.

Submitting documents via upload in Meine Barmer in the app or on the web

If you use the file upload function to transmit documents (e.g. as part of an application process) to Barmer digitally, please retain the original documents for one year for legal reasons.

Barmer Live Chat in Meine Barmer (web)

Barmer offers its insured persons a web chat in the member area Meine Barmer.

Barmer Live Chat is an electronic communication service that allows you to converse in real time over the internet with a Barmer advisor. You can use it to get answers to questions that you would otherwise ask by phone or in person at one of our branch offices.

Barmer Live Chat is offered in a separate window that opens when you click the corresponding button.

Before using Barmer Live Chat, you must agree to the terms of use and the consent declaration.

If you use Barmer Live Chat from the member area Meine Barmer, your name and insurance number are shown to our advisor.

If you have provided us with personal data, we use it only to answer your inquiries, to perform contracts concluded with you and for technical administration.

If the personal information collected is no longer required for fulfilling a purpose pursuant to the provisions of the German Social Security Code (e.g. granting a benefit or calculating a contribution), this chat data will be deleted after 12 months. If these data are required in accordance with the provisions of the German Social Security Code, the retention period will be determined by the respective processing purpose. Different retention periods apply here, which are regulated in Sec. 110a SGB IV, Sec. 304 SGB V, Sec. 107 SGB XI and in the General Administrative Regulation on Accounting in Social Insurance (SRVwV) for statutory health insurance funds. No personal information is passed on to third parties.

Declarations of consent in connection with customer satisfaction surveys are voluntary and do not affect the healthcare services you receive as an insured person. The purpose of the surveys is to further improve the service Barmer provides and to align it with our customers' desires and needs. Your consent will remain valid and stored until you revoke it with future effect by notifying Barmer. The data are then deleted without delay. For more information, see the sections "Your data protection rights" and "Contact details of the controller, the data protection officer, and our supervisory authorities." The satisfaction survey assesses your impressions and your level of satisfaction with Barmer during your interaction with a Barmer advisor. The feedback you provide is anonymous. Direct and indirect references to you or third parties are redacted when stored.

After the chat has ended, the chat transcript is placed in the user's online mailbox under Meine Barmer.

We want you to feel safe when using the Barmer-App. Protecting your personal data is therefore very important to us. We tell you when we store which data and for what purpose we use it.

Personal data are only collected via the Barmer-App to the extent that is technically necessary. Under no circumstances are the data collected sold or disclosed to third parties for other reasons without your consent. Barmer strictly complies with data protection regulations.

The provisions of the EU General Data Protection Regulation (GDPR), which became effective on 25 May 2018, strengthen your rights and are intended to give you greater control over your personal data. With our information on data processing, you can quickly and easily gain an overview of which personal data and social data we collect from you and how we use them. We also inform you about your rights under applicable data protection law and tell you whom to contact if you have questions.

What is the Barmer-App?

The Barmer-App provides the member area for insured persons in the form of an app. The scope of services is therefore largely identical to the Meine Barmer offering on the web.

To use Barmer digital services in the Barmer-App, you need a Barmer user account. You can simply register via the app. All the information about the Barmer user account can be found above in the "Barmer user account" section.

Who is the provider of the Barmer-App?

The controller for the processing of personal data in connection with the Barmer-App is Barmer, Axel-Springer-Str. 44, 10969 Berlin.

Contact details of the Data Protection Officer: Barmer, Data Protection Officer, Lichtscheider Straße 89, 42285 Wuppertal. Postal address: Barmer, Data Protection Officer, 42266 Wuppertal. Email: datenschutz@barmer.de

Is using the Barmer-App voluntary?

Use of the Barmer-App is voluntary for every Barmer insured person. It is therefore entirely your own decision whether and how you use the Barmer-App. A Barmer user account is only opened for you if you specifically request it. If you decide to create a Barmer user account, you may also choose to use the Barmer-App.

Even though the use of the Barmer-App is voluntary, it requires you to agree to the terms of use and to consent to the transmission of personal data.

Your agreement is requested by the Barmer-App as soon as this becomes necessary. This happens, for example, during registration or when activating additional services.

Who is the target audience of the Barmer-App?

The Barmer-App is available to all insured persons with an existing insurance relationship with Barmer.

The prerequisites for using the Barmer-App are an activated Barmer user account for Barmer digital services and installation of the Barmer-App.

What steps are required before the Barmer-App can be used for the first time?

Download from an app store

The Barmer-App is available via third-party distribution platforms, known as app stores (Google Play and iOS App Store). Your download may require prior registration with the respective app store and installation of the app store software. When you download the app, the required information is transmitted to the app stores, in particular your username, email address and customer number of your account, the time of download, payment information and the unique device identifier. Barmer has no influence over the collection, processing and use of personal data in connection with your registration and the provision of downloads in the respective app store and app store software. In this respect, the sole controller is the operator of the respective app store. Please check directly with the respective app store provider if needed.

Registration procedure

To use the Barmer-App, you need a Barmer user account for Barmer digital services (see above).

Which permissions and functions does the Barmer-App require on your device?

The Barmer-App requires access to various functions and interfaces of your phone. To this end, it is necessary for you to grant certain permissions to the Barmer-App.

The Barmer-App requires access to the internet. You do not need to explicitly grant this permission.

Moreover, to provide additional features, the Barmer-App also requires the following permissions, which you can grant manually:

Access to your camera

  • Access is required for uploading documents.

Access to the gallery or to files in the device storage

  • In order to upload and save images or documents from your device storage, the Barmer-App requires access to your device storage.

Technical requirements

The minimum technical requirements necessary for using the Barmer-App can be found in the respective app store.

Login using Touch ID and Face ID (iOS) or fingerprint and facial recognition (Android)

Login with Touch ID or Face ID (iOS) or fingerprint and facial recognition (Android) can be used as an alternative to logging in with an email address and Barmer PIN or password.

  • A prerequisite is that your phone at least requires a passcode to unlock and supports Touch ID or Face ID (iOS) or facial recognition or fingerprint (Android). Only Android versions that provide the required security level for a fingerprint or facial recognition are supported.
  • Only the device's security mechanisms can access the biometric data used (fingerprint, facial recognition). At no time does Barmer have access to these data.
  • For your security, you should only use your own fingerprints and your own face on this device, and, should you lose the device, you should immediately have your user account blocked. To do so, call us at 0202 568 333 1010 or write to us via our Online form: block user account. Please also ensure that the SIM card of your device is blocked and make sure that your emails can no longer be accessed from the device.
  • You can change this function at any time in the app settings. Changes to the biometric settings must be confirmed by entering your Barmer PIN.

Notifications

The Barmer-App notifies you via push notifications about new events, such as a new message in your inbox. You will also receive a push notification if approval via the security device is required to log in on another mobile phone or tablet. This presupposes that you have allowed the app to send you push notifications and to establish a direct connection to Google and Apple servers for this purpose.

You can allow or decline push notifications – and thus also the connection to the aforementioned servers – before logging into the app. If you allow push notifications, only generated identifiers for the app installation are transmitted; no additional features are transferred for analysis purposes. If you decline, a one-time connection to the above-mentioned servers is established for the purpose of deleting the data that was necessary for the delivery of push notifications.

You can alter your decision at any time – for push notifications in the device settings and for connecting to the above-mentioned servers in the app settings.

Push notifications are delivered

  • on Android via Firebase Cloud Messaging
  • on iOS via Firebase Cloud Messaging and the Apple Push Notification Service

Push notifications may contain detailed information and are displayed on the lock screen. Please protect your mobile phone against unauthorized access.

What types of data are automatically processed by the Barmer-App?

Data from the Barmer user account are transferred for use in the Barmer-App.

Which data are stored in the device's local storage?

Which data are stored locally on the phone's internal storage?

The Barmer-App stores configuration information encrypted on the device for devices with iOS and Android operating systems.

If you download documents from your Barmer-App to your device, they are stored locally on your device.

Is it possible to store data on the phone's external storage media (SD cards)?

You can save the documents in your Barmer-App on your device. On devices with the Android operating system, expanding the memory via external storage media is partially supported. In these cases, you can choose to save documents to your memory card.

Are personal data only stored to the extent and for as long as necessary for operating the app?

  • On devices with the Android operating system, the encrypted configuration data are also deleted when the Barmer-App is uninstalled.
  • On devices with the iOS operating system, the configuration data stored and encrypted in the Keychain remain even after the Barmer-App is uninstalled.

Is usage behaviour analysed in the Barmer-App?

Web tracking

In order to optimise the Barmer-App, Barmer regularly analyses usage behaviour. For example, we use web tracking to analyse how often our online services are accessed and which content is particularly valuable for users. To do this, anonymised data are collected and stored, and usage profiles are created using pseudonyms. From a technical viewpoint, we use cookies that enable the recognition of an internet browser.

We use technologies from econda GmbH to implement web tracking. econda GmbH holds the TÜV Saarland 'Certified Data Protection' certificate for web controlling.

We ask whether you consent to or reject the analysis of your usage behaviour the first time you start the app after installation. You can change your decision at any time in the app settings under "Analyses for Improvements".

Tag management

The Tealium iQ tag management system is used to load pixels from the providers named in the Privacy Policy to the Barmer websites. Tealium collects some non-personal data via a cookie for this purpose. This cookie expires after 12 months. The following information is stored in the Tealium cookie:

  • Timestamp of the visit to the website
  • ID for the page view
  • ID for the visitor
  • ID for the session

You can disable the sending of usage data (usage statistics) at any time in the app settings.

Error report

We use the Sentry error tracking tool to analyse application errors and resolve issues. We ask whether you consent to or reject error tracking the first time you start the app after installation. You can change your decision at any time in the app settings under "Analyses for Improvements".

If you have given your consent, the tool automatically collects data and information from the requesting device whenever there are technical irregularities in the following areas:

  • Mobile device
  • Operating system
  • App version
  • Device ID (created when the app is installed)
  • Network status
  • Connectivity type
  • Storage space (total and available)
  • RAM (total and available)
  • Number of CPU cores
  • CPU frequency
  • Battery level
  • Time zone
  • Language and other location parameters such as character set or date and time format
  • Date and time
  • Boot time (the time the device was last started)
  • Screen resolution
  • Screen orientation
  • Accessed content and functions

These data are sent to us by the tool in real-time crash reports and error reports and subsequently analysed.

Processing of these data is based on your consent under Article 6(1) sentence 1 point a GDPR and Section 25(1) TDDDG. You may withdraw your consent at any time with future effect. The purpose of providing certain services is to fulfil legal obligations pursuant to Article 6 (1) (c) and (e) GDPR, Sec. 3 BDSG (German Federal Data Protection Act), in conjunction with sections 13, 14 SGB I (German Social Security Code Vol. I), in conjunction with Sec. 1 SGB V (German Social Security Code Vol. V), Sec. 25 (2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act).

Purpose of data processing

The purpose of logging is to maintain the compatibility and stability of the app for as many users as possible and to prevent misuse and resolve disruptions. To do this, it is necessary to log the technical data of the accessing device in order to respond as quickly as possible to display errors, attacks on our IT systems and/or malfunctions in the functionality of our app. In addition, the data are used to optimise the app and to generally ensure the security of our IT systems.

Duration of storage

The deletion of the aforementioned technical data takes place as soon as it is no longer needed to ensure the compatibility of this app for all visitors – at the latest 90 days after the app is used.

Feedback on the app (reporting a problem with the app)

Another feature that contributes to the accuracy and user-oriented development of the Barmer-App is the feedback function. You can submit problems individually to Barmer in the "Profile" and "Report a Problem with the App" sections of the app. In order to understand the context of your feedback, the following data are sent along with the technical information:

  • First name and surname
  • Insurance number

Which cookies are set by the app?

Cookies are small text files that are stored both in the internal memory of your mobile device and in the mobile app you use. Certain information can be transmitted through cookies to the entity that sets the cookie (in this case: us). Cookies cannot execute programs or transfer viruses to your mobile device. They serve to make mobile apps more user-friendly and effective overall.

We use cookies to implement important user functions. Whenever you use an online service, you simply receive an identification number that is logged in a cookie. The stored cookies therefore do not contain any personal data. They are deleted after your visit. The cookies are not stored on your local hard drive or on our server.

You can find more on cookies above in the "Barmer website" section.

IP addresses

Barmer automatically collects and stores log file information on its servers, which your browser transmits to us.

Your IP address is stored for a short period of time in connection with your access to our servers. This storage is used to identify or subsequently track IT risks such as spam, viruses or attacks on our servers.

The requirements of the German Telecommunications and Digital Services Data Protection Act (TDDDG) are fulfilled.

Scope of services

See above in the "Meine Barmer member area" section.

How are the data protected?

Whenever you are asked to enter data about yourself, your data are protected by TLS encryption during online transmission so that they cannot be read by unauthorised persons. We use TLS encryption with a 256-bit key.

All personal data you enter are stored on a specially protected server. Access is permitted only to a small number of authorized employees and agents of Barmer who are entrusted with the technical and editorial administration of the Barmer websites.

Security is the highest priority at Barmer. This is why we have had our online offering thoroughly examined by an independent body. Experts have confirmed to us that the IT systems of Barmer guarantee the highest possible level of security.

For example, our data centre is certified pursuant to ISO/IEC 27001, undergoes regular security checks and is protected from external access by various measures such as firewalls.

Are data passed on to third parties?

Your data are treated with strict confidentiality. Your data are not disclosed to third parties. The data generated when using the Barmer-App are processed exclusively on servers located in Germany or in another member state of the EU or the European Economic Area (EEA).

You can read the privacy policy for Barmer eCare here.
You can read the privacy policy for the Barmer Teledoktor here.

The National Association of Statutory Health Insurance Funds (GKV-Spitzenverband) directive "Contact with insured persons" defines minimum requirements for measures to ensure secure identification.

Against this backdrop, Barmer has developed customer-friendly solutions that also ensure an appropriate level of protection for communications. The following provides an overview.

Barmer Live Chat in Meine Barmer

See above in the section for the Meine Barmer member area.

Information on Barmer Chat in the public area of the website barmer.de can be found above in the "Barmer website" section.

Email

Unencrypted emails can be read by unauthorised persons. If you send us an email, your email address is only used for general correspondence with you. We are not permitted to send privacy-sensitive content to you by unencrypted email. For this reason, in your own interest, we answer personal service enquiries containing sensitive social data by post or via the digital mailbox in the Meine Barmer member area.

Please note that, when sending emails to Barmer, certain attachments (e.g. password-protected ZIP files or signature files) cannot be delivered due to our system security requirements.

In addition to communication via email, you have the option to use the digital mailbox in the Meine Barmer member area or the contact form on our website for secure communication with Barmer.

Customer service

When contacting customer service, please have an official form of identification ready (e.g. your electronic health card or identity card) for identification purposes.

Telephone

We ask you to provide various data over the phone to verify your identity.

Fax

Fax transmission is unencrypted and involves risks. For this reason, Barmer never transmits sensitive personal data by fax.

Encryption

Whenever you are asked to enter data about yourself, your data are protected by TLS encryption during online transmission so that they cannot be read by unauthorised persons. We use the latest version of TLS encryption.

Information on data processing in accordance with Articles 13 and 14 GDPR

Controller:

Barmer, Axel-Springer-Str. 44, 10969 Berlin
Tel: 0202 568 333 1010
Email: service@barmer.de

Contact details of the data protection officer:

Barmer, Data Protection Officer, Lichtscheider Straße 89, 42285 Wuppertal
Postal address: Barmer, Data Protection Officer, 42266 Wuppertal
Email: datenschutz@barmer.de

Purposes of processing

We use your data to fulfil our legal obligations. See below for information about the individual processing purposes in health and long-term care insurance:

Health Insurance (Sec. 284 SGB V):

  • Determination of the insurance relationship and membership, including the data required for initiating an insurance relationship
  • Issuance of entitlement certificates and the electronic health card
  • Determination of the obligation to contribute and the contributions, their bearing and payment
  • Examination of the obligation to provide healthcare services and the provision of services to insured persons, including the conditions of healthcare service limitations, determination of co-payment status and implementation of procedures for reimbursement of costs, repayment of contributions and determination of the burden limit
  • Support for insured persons in the event of errors in treatment
  • Assumption of treatment costs in cases covered by Sec. 264 of the German Social Security Code Vol. V (SGB V)
  • Involvement of the medical service or expert opinion procedure pursuant to Sec. 87 (1c) SGB V
  • Billing with the service providers, including checking the legality and plausibility of billing
  • Monitoring the efficiency of service provision
  • Billing with other service providers
  • Implementation of reimbursement and replacement claims
  • Preparation, agreement and implementation of compensation contracts
  • Preparation and implementation of model projects, implementation of care management pursuant to Sec. 11 (4) SGB V, implementation of contracts for family doctor-centred care, special forms of care and outpatient provision of highly specialised services, including performance and quality audits
  • Implementation of risk structure compensation pursuant to Sec. 266 and 267 SGB V, for recruiting insured persons for the programs pursuant to Sec. 137g SGB V and for preparing and implementing these programs
  • Implementation of discharge management pursuant to Sec. 39 (1a) SGB V
  • Selection of insured persons for measures pursuant to Sec. 44 (4) sentence 1 SGB V and Sec. 39b SGB V and the implementation of these measures
  • Monitoring compliance with the contractual and statutory obligations of providers of medical aids pursuant to Sec. 127 (7) SGB V
  • Fulfilling the tasks of the health insurance funds as rehabilitation providers pursuant to SGB IX
  • Preparing care innovations, informing the insured and submitting offers pursuant to Sec. 68b (1) and (2) SGB V
  • Administrative provision of the electronic patient file and for the offer of additional applications within the meaning of Sec. 345 (1) sentence 1 SGB V
  • Recruitment of members
  • Compensation of employer expenses for continued remuneration pursuant to the Expenditure Compensation Act (AAG), the Continued Remuneration Act (EntgFG) and the Maternity Protection Act (MuSchG)

Long-Term Care Insurance (Sec. 94 SGB XI):

  • Determination of the insurance relationship and membership
  • Determination of the obligation to contribute and the contributions, their bearing and payment
  • Review of the obligation to provide healthcare services and the provision of services to insured persons, along with the implementation of reimbursement and compensation claims
  • Involvement of the medical service
  • Billing with service providers and reimbursement of costs
  • Monitoring the efficiency, billing and quality of service provision
  • Conclusion and implementation of care rate agreements, remuneration agreements and contracts for integrated care
  • Clarification and information
  • Coordination of nursing care assistance, nursing care consultation, issuance of consultation vouchers and performance of tasks in the nursing care support centres
  • Billing with other service providers
  • Statistical purposes
  • Support for insured persons in pursuing claims for damages

Information and advice with regard to the maintenance, restoration and improvement of the insured person's state of health. This also includes promoting the insured persons' health literacy and personal responsibility (Sec. 1 SGB V in conjunction with Sec. 13 and 14 SGB I).

Furthermore, data processing by Barmer may also occur on the basis of explicit declarations of consent pursuant to Article 6 (1) (a) GDPR in conjunction with Sec. 67b (2) of German Social Security Code Vol. X (SGB X). Consent is voluntary and can be withdrawn at any time with effect for the future.

We are only allowed to process your data for other purposes if

  1. The data are required for fulfilling tasks under other legal provisions of the German Social Security Code than those for which they were collected.
  2. They are required to conduct a specific project of scientific research or planning in the field of social services and the requirements of Sec. 75 (1), (2) or (4a) sentence 1 SGB V are met.

Obligation to provide data and consequences of non-provision

In order for us to fulfil our obligations, you are required – on the basis of your obligations to cooperate in accordance with Sec. 60 et seqq. of German Social Security Code Vol. I (SGB I) – to provide the personal data that are necessary in the individual case or that we are legally obliged to collect. Without these data, we are generally unable to fully or properly carry out our tasks, which may result in disadvantages for you, such as with regard to the provision of healthcare services.

Voluntary information, such as your telephone number or email address, is expressly excluded from these data. Should you not provide these data, there is no breach of a duty to cooperate, and you will not suffer any disadvantage as a result. If submitted documents contain data that are not required, these can be redacted.

Your social data processed by Barmer are subject to the data protection requirements of SGB I, SGB X, the Bundesdatenschutzgesetz (BDSG, German Federal Data Protection Act) and also the General Data Protection Regulation (GDPR). Barmer will ensure that social secrecy as provided for in Sec. 35 SGB I is maintained.

Automated individual decision-making, including profiling

In certain business processes, we make decisions that are based exclusively on automated processing. In doing so, we comply with Article 22 of the General Data Protection Regulation (GDPR).

With regard to simple administrative procedures that can be examined and decided by machine according to a specific scheme, we are permitted to make decisions (administrative acts) fully automatically (Sec. 31a of German Social Security Code Vol. X (SGB X)). We take into account all information that is relevant to the decision, i.e. that may influence the outcome. If the information provided by the party involved requires it, we will conduct an in-person review of the decision.

Following the fully automated examination of the legal requirements, we will decide on the application. We will state the key reasons that led to the decision. If you do not agree with the decision, you may have it reviewed by Barmer employees. You may present your own position, and you may challenge the decision.

We also process data automatically in some cases for the purpose of assessing certain personal aspects to the extent permitted by law (profiling). For example, we use profiling in order to provide you with information and advice on products tailored to your needs. You may object to the processing of your data for advertising purposes. We do not use profiling for the implementation of membership, the provision of healthcare services or the assessment of contributions in accordance with the provisions of the SGB.

Categories of recipients

Within Barmer, only those departments or individuals who require access to your data in order to fulfil our contractual and legal obligations will receive such access.
Where necessary, Barmer transmits social data on the basis of legal provisions of the German Social Security Code (SGB) or other legal regulations to the following recipients:

  • German Pension Insurance
  • Federal Employment Office
  • Statutory accident insurance
  • Financial institutions in the context of payment transactions
  • Federal Insurance Office for the Health Fund
  • Employers and paying agencies
  • Social benefits administration
  • Defence Area Administration
  • Tax office
  • Service providers
  • Medical service of the health insurance
  • Transmission in individual cases pursuant to Sections 67d et seq. of Book X of the Social Code (SGB X)
  • Commissioned service providers pursuant to Article 28 GDPR in conjunction with Sec. 80 SGB X

Whenever your data are transferred to commissioned service providers of Barmer, we have used technical and organisational measures to ensure that data protection regulations are observed.

If data are transferred to a recipient within a category, you will be informed about the recipient unless one of the exemptions under Sec. 82 (1) and (2) SGB X applies or the requirements of Article 13 (4) GDPR are met. This means that the obligation to provide information does not apply if the data subject already possesses the information, if the storage or disclosure of personal data is expressly regulated by statutory provisions or if informing the data subject proves to be impossible or would involve a disproportionate effort.

Transfer of data to a third country

Barmer generally does not transfer personal data to entities in third countries (outside the EU or the EEA) or to international organisations.

Duration of data storage

The data provided by a data subject are usually deleted in the following cases:

  1. If they are not required for contract fulfilment or if there are other retention obligations or statutory reasons
  2. When previously granted consent is revoked
  3. If the data storage is inadmissible for other statutory reasons
  4. If deletion is necessary to fulfil a legal obligation, statutory retention obligations or other statutory reasons

There are different retention periods for social data depending on the purpose of processing, which are regulated in Sec. 110a SGB IV, Sec. 304 SGB V, Sec. 107 SGB XI and in the General Administrative Regulation on Accounting in Social Insurance (SRVwV). If your personal data are no longer required for the above-mentioned purposes and are also not required to be retained due to statutory provisions, they are deleted on a regular basis.

We process your personal data exclusively within the framework of statutory provisions. This includes the following categories of personal data / social data:

Social data of members and insured persons

Personal data:

  • Identification features (e.g. health insurance number (Versichertennummer))
  • Surname, first name
  • Postal address
  • Photo
  • Date of birth
  • Place of birth
  • Telephone number
  • Email address
  • Information about dependent family members
  • Bank account details
  • Marital status
  • Gender
  • Nationality
  • Membership in bodies of the insurance fund
  • Pension insurance number

Membership data:

  • Previous insurance periods
  • Start and end
  • Supervising authorities
  • Indicators for benefit provision (e.g. reimbursement of costs, participation in special forms of care)
  • Indicators for additional insurance cover

Data pertaining to insurance status:

  • Type of insurance
  • Start and end
  • Reasons for reporting
  • Activity data
  • Contribution groups
  • Income from work / income / pension payments
  • Data on exemption from contributions/insurance
  • Data on pension application/pension benefit payment
  • Employer / paying agency

Contribution data (direct payer):

  • Contribution target
  • Contribution actual
  • Payer
  • Data for the collection of contributions
  • Dunning procedure data
  • Tax identification number

Performance data:

  • Type of healthcare service
  • Diagnostics
  • Service prescriber
  • Service provider
  • Time period/benefit receipt
  • Expected/actual date of delivery
  • Costs
  • Data on suspension, interruption, failure, discontinuation of healthcare services
  • Data about other service providers
  • Data on contract services
  • Data on compensation claims
  • Data on pension entitlements
  • Own share of costs/co-payments
  • Data on structured treatment programs, integrated care, model projects, care management
  • Data on bonus programs
  • Data on optional tariffs
  • Tax identification number
  • Data on calculation, amount and payment of replacement income
  • Data on processing status

Caregiver data:

  • Master data as under "Personal Data"
  • Start and end of care activity
  • Reasons for reporting, time periods
  • Details of verification of the mandatory obligation to pay pension insurance contributions
  • Details of collection and payment of contributions to the pension insurance institution
  • Qualification details
  • Data for statistical reporting
  • Surname, first name
  • Postal address
  • Telephone number
  • Email address

Social data of corporate clients

  • Identification features (e.g. employer number, company number)
  • Name
  • Postal address
  • Telephone number
  • Email address
  • Bank account details
  • Contribution target
  • Contribution actual
  • Payer
  • Data for the collection of contributions
  • Dunning procedure data
  • Supervising authorities
  • Data for company audits
  • Data for settlement types
  • Data for implementation of the Expenditure Compensation Act (AAG)

Data of service providers

  • Identification features (e.g. physician number)
  • Name
  • Postal address
  • Telephone number
  • Email address
  • Data on professional qualifications

Data of approved partners and suppliers

  • Identification features (e.g. institutional identification number)
  • Name
  • Postal address
  • Telephone number
  • Email address
  • Bank account details
  • Data on clearing and settlement operations

Data of recipients of publications

  • Identification features (e.g. type, scope of publications and serial number)
  • Surname, first name
  • Postal address
  • Email address

Data of interested parties

  • Allocation details
  • Surname, first name
  • Postal address
  • Telephone number
  • Email address

IT service providers

  • Provision of IT infrastructure (hardware and software)
  • Provision of IT and telecommunications services, including cloud applications, telecommunications, consulting and support, maintenance and support
  • Identification services: Identification of individuals for substantial or higher protection levels

Billing service providers

  • Review of invoices from service providers

File and data carrier destruction companies

  • Disposal of files and data carriers

Service providers for customer satisfaction surveys, market research, marketing activities

Service providers for translation services

  • Creation and dispatch of information materials
  • Printing services
  • Newsletter (email)

Providers of digital products

  • Provision of digital health services for Barmer, including Barmer-Apps and the electronic health insurance card

Archiving services

  • File archiving

Where Barmer processes your personal data, you may exercise the following rights via the contact details listed in the section "Contact details of the controller, the data protection officer, and our supervisory authorities," provided the legal requirements are met:

  1. Where data processing is based on consent, you have the right to revoke it at any time with effect for the future.
  2. The rights arising from Articles 15, 16, 17, 18, 20 and 21 GDPR (right of access, right to rectification of inaccurate data, right to deletion of data, right to restriction of processing, right to data portability, right to object).
  3. The right to contact the Barmer Data Protection Officer to raise your concerns (Article 38(4) GDPR).
  4. The right to lodge a complaint with a competent data protection supervisory authority. To this end, you may contact the competent supervisory authority for Barmer.

The aforementioned rights can only be fulfilled by Barmer to the extent that the data to which the asserted claims relate can be clearly attributed to your person.

For technical questions and questions about the use of your personal data by Barmer, please contact us first, either by email at service@barmer.de or by phone at 0202 568 333 1010. You can reach us by post at Barmer, 42266 Wuppertal.

You can also contact our data protection officer by email at datenschutz@barmer.de. You can reach our Data Protection Officer by post at Barmer, Data Protection Officer (Datenschutzbeauftragte), 42266 Wuppertal.

The contact details of our supervisory authorities are:

  • Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information – Germany), Graurheindorfer Str. 153, 53117 Bonn, email: poststelle@bfdi.bund.de.
  • Bundesamt für Soziale Sicherung (Federal Office for Social Security – Germany), Friedrich-Ebert-Allee 38, 53113 Bonn, email: poststelle@bas.bund.de.