Data protection

The data controller in accordance with the General Data Protection Regulation (GDPR) is:

RoX Health GmbH
Schlesische Str. 29/30
10997 Berlin
hello@roxhealth.com

Rox Health GmbH (“RoX”) recognises that the protection of privacy, and therefore the protection of our customers’ personal data, is very important. RoX has therefore taken the necessary steps to comply with global data protection requirements and observes the laws of the EU, Germany and other applicable norms. Your personal data is processed exclusively to the extent permitted by law and in consideration of valid laws, especially the transparency obligation.

Rights of the data subject

If your personal data is processed, you are a data subject in accordance with GDPR and you have the following rights with regard to the data controller:

1. Right to restriction of processing

Subject to the following requirements, you can request restriction of processing of personal data concerning you:

  1. if you dispute the accuracy of the personal data concerning you for a duration that makes it possible for the controller to verify the accuracy of the personal data;
  2. processing is unlawful and you reject the erasure of personal data and instead request a restriction of the use of the personal data;
  3. the controller no longer needs the personal data for the purposes of the processing, but it is required for the establishment, exercise or defence of legal claims, or
  4. if you have lodged an objection to processing in accordance with Article 21(1) GDPR and it has not yet been determined whether the legitimate interests of the controller override your reasons.

If the processing of personal data concerning you was restricted, this data – apart from its storage – can only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural person or legal entity or for reasons of important public interests of the European Union or a Member State.

If the restriction of processing was limited by the aforementioned requirements, you will be informed by the data controller before the restriction is lifted.

2. Right to erasure

4.1 You can request that the data controller erase the personal data concerning you without undue delay, and the data controller is obliged to erase this data without undue delay if one of the following reasons applies:

  1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent to processing in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) GDPR, and there is no other legal ground for processing.
  3. You object to processing in accordance with Article 21(1) GDPR and there are no overriding legitimate interests for processing, or you object to the processing in accordance with Article 21(2) GDPR.
  4. The personal data concerning you has been unlawfully processed.
  5. The personal data concerning you must be erased to comply with a legal obligation under the European Union or Member State law to which the controller is subject.
  6. The personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

4.2 If the data controller has published the personal data concerning you and, in accordance with Article 17(1) GDPR, is obliged to erase such data, the controller shall take suitable measures in consideration of the technology available and costs of implementation, including technical measures, to inform data controllers who process personal data that you as data subject have requested the deletion of all links to this personal data or copies or replications of this personal data.

4.3 The right to erasure does not apply if the processing is necessary

  1. to exercise the right of freedom of expression and information;
  2. to fulfil a legal obligation that requires processing in accordance with the law of the European Union or the Member States, to which the data controller is subject, or to perform a task that is in the public interest or that is exercised in the capacity of an official authority incumbent upon the data controller;
  3. for reasons of public interest in the field of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3) GDPR;
  4. for archive, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Article 89(1) GDPR, insofar as the right named in Paragraph 1 is expected to make the achievement of the aims of this processing impossible or seriously impaired; or
  5. to assert, exercise or defend legal claims.

3. Right to information

If you have asserted the right to correction, erasure or restriction of processing towards the data controller, they shall be obliged to inform all recipients to whom personal data concerning you has been disclosed of this correction or erasure of data or restriction of processing, unless this proves to be impossible or involves disproportionate effort. You have the right for the data controller to inform you about these recipients.

4. Right to data portability

You have the right to receive personal data concerning you that you have provided to the data controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another data controller without hindrance by the data controller to whom the personal data was provided, insofar as

  1. processing is based on consent in accordance with point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or an agreement in accordance with point (b) of Article 6(1) GDPR and
  2. processing is carried out using automated methods.

By exercising this right, you also have the right to have personal data concerning you sent directly from one data controller to another data controller, insofar as this is technically feasible. This must not adversely affect the rights and freedoms of any other person as a result.

The right to data portability does not apply to the processing of personal data that is required to perform a task that is in the public interest or that takes place in the capacity of an official authority incumbent upon the data controller.

5. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR; this also applies to profiling based on those provisions.

The data controller shall then no longer process the personal data concerning you unless they can prove compelling reasons worth protecting for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

You have the option to exercise your right to object in connection with the use of information society services – Directive 2002/58/EC notwithstanding – using automatic methods in which technical specifications are used.

6. Right to withdraw the data protection consent

You have the right to withdraw your data protection consent at any time. The lawfulness of any processing of your data that takes place on the basis of your consent prior to the withdrawal will not be affected by revocation of consent.

7. Automatic decision-making on a case-by-case basis, including profiling

You have the right to not be subject to decision-making based exclusively on automatic processing – including profiling – that has a legal effect for you or considerably impacts you in a similar way. This does not apply if the decision

  1. is necessary to enter into or fulfil a contract between you and the data controller,
  2. is permitted as a result of legal regulations of the European Union or of Member States to which the data controller is subject and these legal regulations include suitable measures to protect your rights and freedoms as well as your legitimate interests or
  3. is made with your explicit consent.

However, these decisions must not be based on certain categories of personal data in accordance with Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) apply and suitable measures to protect your rights and freedoms as well as your legitimate interests have been implemented. In the cases specified under a. and c., the data controller shall implement suitable measures to protect your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to present your own perspective and to challenge the decision.

8. Right to lodge a complaint with a supervisory authority

Any other administrative or judicial remedy notwithstanding, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

The supervisory authority to whom the complaint was submitted shall inform the complainant about the status and results of the complaint, including the option for judicial remedy in accordance with Article 78 GDPR.

The relevant supervisory authority is: Berlin state officer for data protection and freedom of information, An der Urania 4-10 · 10787 Berlin, tel. +49 30 2155050, website https://www.datenschutz-berlin.de/


Cookies

Rox’s websites use cookies, if you give your permission for them to do so. A cookie is a record that is automatically made on your computer’s hard drive whenever you access certain websites. The server uses the cookie to unambiguously identify your browser. Cookies allow us to store information on the server to make visiting websites more pleasant for you and make it possible to analyse sites and to check the performance of a website.

Most web browsers have been set up to accept cookies. You can also adjust your browser settings so that it rejects all cookies or shows you whenever a cookie will be placed. Please note, however, that some areas of our site might not work properly if you reject cookies.

Website Analytics

This website uses the open source web analytics service Matomo. Matomo uses technologies that enable the recognition of the user across pages for the analysis of user behaviour (e.g. cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymised before storage.

With the help of Matomo, we are able to collect and analyse data about the use of our website by website visitors. This enables us to find out, among other things, when which page views were made and from which region they come. We also collect various log files (e.g. IP address, referrer, browsers and operating systems used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).

The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the anonymised analysis of user behaviour in order to optimise both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

Social media and social media plugins

To present our company in the best way possible and to communicate with you as a user, customer or interested party and be able to inform you about the services we offer, we have a presence on social media.

Applications (startups)

You can submit a speculative application to us with a startup. If you send personal data about yourself to us as part of an application, we will store it and use it as part of the selection process and/or to contact you. The data may include, in particular, your name, address, contact details, professional experience, skills and other information about you.
The legal basis for the processing of your data in terms of startup applications shall be point (b) of Article 6(1) GDPR. After the end of the application process, your data will be erased after three years (startup applications), unless we keep working with you, in which case the data will generally be stored for the duration of our cooperation and then erased after three years. Your data will, in some cases, also be forwarded to Roche Pharma AG and other companies in the Roche group.

Applications (individuals)

You can submit an application to us as an individual. As part of the recruitment process, we cooperate with a human resources company (contact: hr@roxhealth.com) as joint data controllers in accordance with Article 26 GDPR. If you send personal data about yourself to us or the human resources company as part of an application, we will store it and use it jointly as part of the selection process and/or to contact you. In general, the data is collected and processed by the human resources company, but the selection decision will be made by us. The data may include, in particular, your name, address, contact details, professional experience, skills and other information about you.
The legal basis for the processing of your data is point (b) of Article 6(1) GDPR in conjunction with 26(1)(1) Federal Data Protection Act. After the end of the application process, your data will be erased within six months (individual applications), unless we onboard you as an employee. We do not pass on your data to third parties. To assert your rights regarding your application data (see also under “Rights” further up on this website), you can either contact us or the human resources company.

Forwarding and transmission of data

The publisher also forwards personal data about you to various external companies or representatives entrusted with technical maintenance work or that work on our behalf and help us in making business transactions, such as by providing customer service, sending marketing information about our products, services and offers. We may also transmit personal data to our subsidiary and group companies. All of these companies and representatives are obliged to observe the provisions of our data protection guidelines. Bodies involved in processing personal data of roxhealth.de are:

  1. For website hosting: netcup GmbH, Daimlerstraße 25, D-76185 Karlsruhe

Data privacy policy concerning children

Our website is intended for an adult audience. If we discover that a user is not yet 16 years old, we will not collect any personal data from them before receiving verifiable consent from their legal guardian. Such legal guardian may, on request, inspect the information provided by the child and/or request the deletion of this data.

Legal basis for data processing

Insofar as we obtain consent from the data subject for the processing of personal data, the legal basis shall be point (a) of Article 6(1) General Data Protection Regulation (GDPR). When processing personal data that is necessary to fulfil an agreement for which the contractual party is the data subject, the legal basis shall be point (b) of Article 6(1) GDPR. This also applies to processing procedures that are necessary to perform precontractual measures.

Insofar as the processing of your personal data is necessary to meet a legal obligation to which our company is subject, the legal basis shall be point (c) of Article 6(1) GDPR. In the event that vital interests of the data subject or of another natural person make processing of personal data necessary, point (d) of Article 6(1) GDPR shall serve as the legal basis. The legal basis for the processing of your data shall be point (f) of Article 6(1) GDPR if the processing is required to safeguard a legitimate interest of our company or a third party and the interests, basic rights and basic freedoms of the data subject do not override the aforementioned interests. Our company’s legitimate interest lies in performing our business operations.

On our “Jobs” website we offer you the opportunity to contact us for the purpose of applying for an advertised job.
For the organization and processing of the application process, we use the services of Recruitee B.V., Johan Huizingalaan 763, (1066 VH) Amsterdam, The Netherlands (hereafter: “Recruitee”).

We use Recruitee on the basis of our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in the optimization and efficient design of the application process and our internal procedures and a contract processing agreement in accordance with Art. 28 GDPR.

When you visit the career site, Recruitee automatically collects personal access data. This information includes the requesting device, the web browser used, the operating system, the IP address, the website from which you came and the behavior on the Recruitee Website. For more information about Recruitee’s privacy policy, please refer to Recruitee’s privacy policy at recruitee.com/en/privacy.

Legal Notice

All information on our website has been carefully checked. We endeavour to constantly expand and update the information we offer. No guarantee can be made for its completeness, accuracy and up-to-dateness. © Copyright Rox Health GmbH

Provider in accordance with the Telemedia Act:
RoX Health GmbH

Management
Dr Robert Schnitzler (CEO)

Registry Court: Berlin District Court (Charlottenburg)
VAT ID no.: DE328615973

Aufgang M, 3. Obergeschoss
Schlesische Str. 29/30
10997 Berlin
hello@roxhealth.com

Data controller in accordance with Section 55(2) State Broadcasting Agreement (RStV):
Rox Health GmbH
Berlin District Court (Charlottenburg)
HRB 213853