Data protection

The data controller in accordance with the General Data Protection Regulation (GDPR) is:

RoX Health GmbH
Aufgang M, 3. Obergeschoss
Schlesische Str. 29/30
10997 Berlin
[email protected]

RoX Health GmbH (“RoX”) is aware that the protection of privacy, and therefore also the protection of our customers’ personal data, is very important and assigns it considerable importance. RoX has therefore taken the necessary steps to comply with global data protection requirements and therefore observes the laws of the EU, Germany and other applicable norms. Your personal data is exclusively processed to the extent permitted by law and in consideration of valid laws, especially the transparency obligation.

Rights of the data subject

If your personal data is processed, you are a data subject in accordance with GDPR and you have the following rights with regard to the data controller:

1. Right of access

You can request confirmation from the data controller whether we have processed personal data concerning you.

If such processing takes place, you can request the following kinds of information from the data controller:

  1. the purposes for which the personal data is being processed;
  2. the categories of personal data being processed;
  3. the recipients or categories of recipient to whom the personal data concerning you has been or will be disclosed;
  4. the envisaged period for which the personal data concerning you will be stored, or, if specific information is not possible, the criteria used to determine the storage period;
  5. the existence of the right to request correction or erasure of personal data concerning you, a right to restriction of processing of personal data concerning you or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. all information available about the origin of the data, if the personal data has not been collected from the data subject;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information about whether personal data concerning you will be transmitted to a third country or an international organisation. In this respect, you may request information about suitable safeguards concerning the transfer in accordance with Article 46 GDPR.

2. Right to correction

You have the right to correction and/or completion by the data controller, insofar as the personal data being processed concerning you is incorrect or incomplete. The data controller must make corrections immediately.

3. Right to restriction of processing

Subject to the following requirements, you can request restriction of processing of personal data concerning you:

  1. if you dispute the accuracy of the personal data concerning you for a duration that makes it possible for the controller to verify the accuracy of the personal data;
  2. processing is unlawful and you reject the erasure of personal data and instead request a restriction of the use of the personal data;
  3. the controller no longer needs the personal data for the purposes of the processing, but it is required for the establishment, exercise or defence of legal claims, or
  4. if you have lodged an objection to processing in accordance with Article 21(1) GDPR and it has not yet been determined whether the legitimate interests of the controller override your reasons.

If the processing of personal data concerning you was restricted, this data – apart from its storage – can only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural person or legal entity or for reasons of important public interests of the European Union or a Member State.

If the restriction of processing was limited by the aforementioned requirements, you will be informed by the data controller before the restriction is lifted.

4. Right to erasure

4.1 You can request from the data controller for the personal data concerning you to be erased without undue delay, and the data controller is obliged to erase this data without undue delay if one of the following reasons applies:

  1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent to processing in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) GDPR, and there is no other legal ground for processing.
  3. You object to processing in accordance with Article 21(1) GDPR and there are no overriding legitimate interests for processing, or you object to the processing in accordance with Article 21(2) GDPR.
  4. The personal data concerning you has been unlawfully processed.
  5. The personal data concerning you must be erased to comply with a legal obligation under the European Union or Member State law to which the controller is subject.
  6. The personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

4.2 If the data controller has published the personal data concerning you and, in accordance with Article 17(1) GDPR, is obliged to erase such data, the controller shall take suitable measures in consideration of the technology available and costs of implementation, including technical measures, to inform data controllers who process personal data that you as data subject have requested the deletion of all links to this personal data or copies or replications of this personal data.

4.3 The right to erasure does not apply if the processing is necessary

  1. to exercise the right of freedom of expression and information;
  2. to fulfil a legal obligation that requires processing in accordance with the law of the European Union or the Member States, to which the data controller is subject, or to perform a task that is in the public interest or that is exercised in the capacity of an official authority incumbent upon the data controller;
  3. for reasons of public interest in the field of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3) GDPR;
  4. for archive, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Article 89(1) GDPR, insofar as the right named in Paragraph 1 is expected to make the achievement of the aims of this processing impossible or seriously impaired; or
  5. to assert, exercise or defend legal claims.

5. Right to information

If you have asserted the right to correction, erasure or restriction of processing towards the data controller, they shall be obliged to inform all recipients to whom personal data concerning you has been disclosed of this correction or erasure of data or restriction of processing, unless this proves to be impossible or involves disproportionate effort. You have the right for the data controller to inform you about these recipients.

6. Right to data portability

You have the right to receive personal data concerning you that you have provided to the data controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another data controller without hindrance by the data controller to whom the personal data was provided, insofar as

  1. processing is based on consent in accordance with point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or an agreement in accordance with point (b) of Article 6(1) GDPR and
  2. processing is carried out using automated methods.

By exercising this right, you also have the right to have personal data concerning you sent directly from one data controller to another data controller, insofar as this is technically feasible. This must not adversely affect the rights and freedoms of any other person as a result.

The right to data portability does not apply to the processing of personal data that is required to perform a task that is in the public interest or that takes place in the capacity of an official authority incumbent upon the data controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR; this also applies to profiling based on those provisions.

The data controller shall then no longer process the personal data concerning you unless they can prove compelling reasons worth protecting for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

You have the option to exercise your right to object in connection with the use of information society services – Directive 2002/58/EC notwithstanding – using automatic methods in which technical specifications are used.

8. Right to withdraw the data protection consent

You have the right to withdraw your data protection consent at any time. The lawfulness of any processing of your data that takes place on the basis of your consent prior to the withdrawal will not be affected by revocation of consent.

9. Automatic decision-making on a case-by-case basis, including profiling

You have the right to not be subject to decision-making based exclusively on automatic processing – including profiling – that has a legal effect for you or considerably impacts you in a similar way. This does not apply if the decision

  1. is necessary to enter into or fulfil a contract between you and the data controller,
  2. is permitted as a result of legal regulations of the European Union or of Member States to which the data controller is subject and these legal regulations include suitable measures to protect your rights and freedoms as well as your legitimate interests or
  3. is made with your explicit consent.

However, these decisions must not be based on certain categories of personal data in accordance with Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) apply and suitable measures to protect your rights and freedoms as well as your legitimate interests have been implemented. In the cases specified under a. and c., the data controller shall implement suitable measures to protect your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to present your own perspective and to challenge the decision.

10. Right to lodge a complaint with a supervisory authority

Any other administrative or judicial remedy notwithstanding, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

The supervisory authority to whom the complaint was submitted shall inform the complainant about the status and results of the complaint, including the option for judicial remedy in accordance with Article 78 GDPR.

The relevant supervisory authority is: Berlin state officer for data protection and freedom of information, An der Urania 4-10 · 10787 Berlin, tel. +49 30 2155050, website www.datenschutz-berlin.de

Cookies and Website Analytics (Google Analytics)

RoX’s websites use cookies if you give your permission for them to do so. A cookie is a record that is automatically made on your computer’s hard drive whenever you access certain websites. The server uses the cookie to unambiguously identify your browser. Cookies allow us to store information on the server to make visiting websites more pleasant for you and make it possible to analyse sites and to check the performance of a website.

Most web browsers have been set up to accept cookies. You can also adjust your browser settings so that it rejects all cookies or shows you whenever a cookie will be placed. Please note, however, that some areas of our site might not work properly if you reject cookies.

To analyse your use of the website and to create usage statistics, after obtaining your consent (point (a) of Article 6(1) GDPR), we use Google Analytics, a web analysis service used by Google Ireland Ltd (“Google”, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland), a subsidiary of Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The information generated by the cookie about your use of this website is generally transmitted to and stored by Google on servers in the United States of America. When activating IP anonymisation on this website, Google will first abbreviate your IP address within the EU Member States and other contracting parties to the Agreement on the European Economic Area. The full IP address will be transmitted to a Google server in the USA and abbreviated there in exceptional cases only. Google will use this information on our behalf (Article 28 GDPR) to assess your use of the website, in order to compile reports about website activities and to provide further services related to the use of the website and the internet. The IP addresses transmitted by your browser as part of Google Analytics are not connected with other Google data. You can reject the storage of cookies on your computer by changing the settings of your browser accordingly. However, please note that not all functions on our website may be fully available if you reject cookies. You can also prevent the collection of data related to your website use generated by the cookie (including your IP address), as well as the processing of this data by Google by downloading and installing the browser plugin under the following link: http://tools.google.com/dlpage/gaoptout?hl=en

You can prevent data collection by Google Analytics by clicking on the following link: disable Google Analytics. This sets an opt-out cookie which prevents the future collection of your data when visiting this website: Deactivate Google Analytics. This alternative is the best option for mobile devices. If you decide to do so, do not delete the opt-out cookie. Otherwise you will lose the protection that this opt-out cookie offers until you reinstall it.

Detailed information on our Terms of Use and Data Protection can be found at http://www.google.co.uk/analytics/terms/gb.html or http://www.google.com/intl/en/analytics/privacyoverview.html. Please note that Google Analytics has been expanded by the code “anonymizeIp” on this website to ensure the anonymous collection of IP addresses (IP masking).

We use Google Analytics to evaluate AdWords data for statistical purposes. Should you not wish us to do so, you can deactivate this via the ads preferences manager (https://www.google.com/settings/ads).

The storage of data recorded by Google Analytics is limited to 14 months. The data will then be deleted.

Social media and social media plugins

To present our company in the best way possible and to communicate with you as a user, customer or interested party and be able to inform you about the services we offer, we have a presence on social media.

Applications (startups)

You can submit a speculative application to us with a startup. If you send personal data about yourself to us as part of an application, we will store it and use it as part of the selection process and/or to contact you. The data may include, in particular, your name, address, contact details, professional experience, skills and other information about you.

The legal basis for the processing of your data in terms of startup applications shall be point (b) of Article 6(1) GDPR. After the end of the application process, your data will be erased after three years (startup applications), unless we keep working with you, then the data will generally be stored for the duration of our cooperation and then erased after three years. Your data will, in some cases, also be forwarded to Roche Pharma AG and other companies in the Roche group.

Applications (individuals)

You can submit an application to us as an individual. As part of the recruitment process, we cooperate with a human resources company (contact: [email protected]) as joint data controllers in accordance with Article 26 GDPR. If you send personal data about yourself to us or the human resources company as part of an application, we will store it and use it jointly as part of the selection process and/or to contact you. In general, the data is collected and processed by the human resources company, but the selection decision will be made by us. The data may include, in particular, your name, address, contact details, professional experience, skills and other information about you.

The legal basis for the processing of your data is point (b) of Article 6(1) GDPR in conjunction with 26(1)(1) Federal Data Protection Act. After the end of the application process, your data will be erased within six months (individual applications), unless we onboard you as an employee. We do not pass on your data to third parties. To assert your rights regarding your application data (see also under “Rights” further up on this website), you can either contact us or the human resources company.

Forwarding and transmission of data

The publisher also forwards personal data about you to various external companies or representatives entrusted with technical maintenance work or that work on our behalf and help us in making business transactions, such as by providing customer service, sending marketing information about our products, services and offers. We may also transmit personal data to our subsidiary and group companies. All of these companies and representatives are obliged to observe the provisions of our data protection guidelines. Bodies involved in processing personal data of roxhealth.de are:

  • For the website’s technical support: Lorenz IT-Dienstleistungen Ltd. & Co. KG, Friedrich-Jung-Str. 5, 79618 Rheinfelden
  • For website hosting: Digital Ocean, https://www.digitalocean.com

Data privacy policy concerning children

Our website is intended for an adult audience. If we discover that a user is not yet 16 years old, we will not collect any personal data from them before receiving verifiable consent from their legal guardian. Such legal guardian may, on request, inspect the information made by the child and/or request the deletion of this data.

Legal basis for data processing

Insofar as we obtain consent from the data subject for the processing of personal data, the legal basis shall be point (a) of Article 6(1) General Data Protection Regulation (GDPR). When processing personal data that is necessary to fulfil an agreement for which the contractual party is the data subject, the legal basis shall be point (b) of Article 6(1) GDPR. This also applies to processing procedures that are necessary to perform precontractual measures.

Insofar as the processing of your personal data is necessary to meet a legal obligation to which our company is subject, the legal basis shall be point (c) of Article 6(1) GDPR. In the event that vital interests of the data subject or of another natural person make processing of personal data necessary, point (d) of Article 6(1) GDPR shall serve as the legal basis. The legal basis for the processing of your data shall be point (f) of Article 6(1) GDPR if the processing is required to safeguard a legitimate interest of our company or a third party and the interests, basic rights and basic freedoms of the data subject do not override the aforementioned interests. Our company’s legitimate interest lies in performing our business operations.
