Data Privacy Statement
Certified data privacy with INSITE
INSITE-Interventions GmbH has been distinguished with the “Data Privacy Certificate” since 2013. Each year, the renowned certification body VdS GmbH inspects all company processes for aspects of data privacy and security. This helps us ensure that our company guards and protects personal data as much as possible. INSITE fulfils not only the criteria of the Federal Data Protection Act and General Data Protection Regulation, but continually installs new protective measures to offer state-of-the-art data privacy.
What does a “Data Privacy Certificate” mean?
To award a “Data Privacy Certificate”, a VdS auditor monitors compliance with all statutory requirements of the Federal Data Protection Act and the General Data Protection Regulation, as well as aspects of information technology, privacy rights, commissioned data processing, and IT security. To this end, the specialists of VdS data privacy audits perform thorough internal and external security analyses. During those analyses, our employees, corporate processes and systems are intensively checked for whether the confidentiality and integrity of the processed data satisfy the high security requirements, the stipulations of data privacy documents are effectively implemented, and personal data are effectively protected according to the current German Federal Data Protection Act and the European General Data Protection Regulation (for example, by technically securing all systems against unauthorised use).
The validity of the VdS certificate lasts three years and is reviewed in an annual monitoring audit. The review checks for whether the protection and safety of the data continues to be ensured and how processes can be continually optimised. After three years, a complete recertification will be pending, with which the continual improvement processes can be continued regarding data protection and data security. This cycle requires building trust and guarantees that the security precautions are always current.
What does data privacy mean when it comes to consultation?
As a general principle, employees and their families can use all consultation services anonymously by giving a nickname, with no need to provide their name or personal data such as their email address or telephone number. If people decide to trust us with their data, they can be assured that we will protect those data and handle them with the greatest care, exclusively to perform consultation services.
Do you have questions about our approach to data privacy? Then please call us (+49 69 90 555 29 - 0) or send your question to office@insite.de and speak with our Data Protection Officer, Deborah Schütt.
1. General information regarding
Name and address of the controller
For the purposes of the General Data Protection Regulation, other national data protection laws of the member states, and other data protection provisions, the controller is:
INSITE-Interventions GmbH
Managing Director: Dr. Matthias Conradt, Marcel Willems
Clemensstr. 10-12
60487 Frankfurt am Main
Germany
Phone: +49 69 90555 290
Email: office@insite.de
We are serious about protecting your personal data. We treat your personal data confidentially, according to statutory data protection provisions and this data privacy statement.
As a rule, you can use our websites without providing personal data. Any personal data collected on our sites (such as your name, address or email addresses) is provided voluntarily as much as possible. These personal data will not be forwarded to third parties without your express consent.
Please note that data transmission over the internet (such as during communication by email) can have security gaps. Data cannot be absolutely protected from third-party access.
The following regulations will inform you to that extent about the type, scope and purpose of the collection, use and processing of personal data by the provider.
2. Basic information about data processing
We collect, process and use the personal data of our users only in compliance with relevant data protection provisions. Therefore, that data will be used only if we are permitted to do so by law or with your consent.
We take state-of-the-art organisational, contractual and technical security measures to ensure that the provisions of data privacy laws will be complied with and to protect the data we manage against accidental or intentional manipulation, loss or destruction, and against unauthorised access.
The purpose of the collection, processing and use of personal data
The users’ personal data will be used to offer our websites and associated services. We will forward the data to third parties to fulfil our contractual obligations toward users, if this is permitted by law or we have your consent.
When contact with us is established, the information provided will be stored to handle the request and in case of follow-up questions. The personal data will be erased if they are no longer needed and such erasure does not conflict with any statutory retention requirements.
3. Collecting access data
We collect data on every access to the server on which this service is located (server log files). Access data include the name of the accessed website, files, date and time of access, the quantity of transmitted data, a message about the successful access, browser type and version, the user’s operating system, referrer URL (the previously visited site), the IP address and the requesting provider.
We use the log data only for statistical evaluation to operate, secure and optimise our services, in accordance with statutory provisions. We do not allocate that data to the user personally or otherwise create any profiles. However, we reserve the right to check the server log files at a later time if there are specific indications of illicit use.
4. Cookies
The internet sites use what are known as “cookies”. Cookies do not damage your computer and contain no viruses. Cookies are small text files that are placed on your computer and stored by your browser. The cookies we use are “session cookies”. They are deleted automatically after your session is over. Other cookies remain on your end device until you delete them. You can set your browser to inform you about the placement of cookies and decide to accept them on a case-by-case basis, exclude their acceptance for individual cases or in general, and erase the cookies automatically when you close your browser.
5. Server log files
The provider of the sites automatically collects and saves information in server log files, which your browser transmits to us automatically. This information includes:
Browser type and browser version
Operating system used
Referrer URL
Hostname of the accessing computer
Time of server request
These data cannot be allocated to a certain person. These data will not be combined with other data sources.
6. Contact possibility
Our website gives you the option of contacting us via email, a contact form, or both. In this case, the data provided by users will be stored to process the user contact. The data are not forwarded to third parties. And the data collected in this way will not be compared with data collected with other components of our site. The contact can be erased at any time (see “rights of the data subject”). The legal basis for collecting and processing the data is Art. 6 (1) GDPR.
7. Making appointments
In some cases, we offer users the opportunity to make appointments directly via our website. In doing so, we process the personal data you provide, such as your name and contact details (e-mail, telephone number if applicable) as well as your appointment request. The service is provided by TerminApp GmbH, Munich, as part of order processing. The personal data transmitted will be processed there for INSITE-Interventions GmbH as the client exclusively for the purpose of making online appointments. The legal basis for the processing of your personal data for making appointments is Art. 6 para. 1 sentence 1 lit. b GDPR. The personal data collected in the course of making an appointment will be deleted after 18 months.
Further information about timify can be found on the following TerminApp GmbH website: www.timify.com/de-de/pages/nutzungsbedingungen-fuer-terminbucher/ and in timify's privacy policy https://www.timify.com/de-de/legal/
8. Digital self-help modules
Via our website, we offer users the opportunity to make use of self-help modules provided by Minddistrict B.V., Amsterdam, as part of an order processing agreement. We process the e-mail address you provide and your pseudonym, as well as the data you enter in the modules. This personal data is processed by Minddistrict exclusively for INSITE-Interventions GmbH and only for the purpose of providing and using the self-help modules.
The legal basis for the processing of your personal data in the context of the use of the self-help modules is Art. 6 para. 1 sentence 1 lit. b GDPR.
Further information about Minddistrict can be found on the Minddistrict website: www.minddistrict.com/de-de and in Minddistrict's privacy policy: https://www.minddistrict.com/de-de/privacyerklaerung
9. AI chat
We offer users the option of using an AI-based chat via our website. In doing so, we process the personal data you provide, such as your user name and the chat data you enter. The service is provided by Shaanty UG, Ortsteinweg 6B, 22159 Hamburg, Germany, as part of order processing.
Shaanty only receives the text content, but not the user names. OpenAI is used in the background to generate dialogues based on prompts. Text entries in OpenAI are deleted immediately after the dialogue is generated.
In general, if no personal data is entered, it will not be processed and stored. All chats entered are generally anonymised and stored in encrypted form.
At Shaanty, the transmitted personal data is processed for INSITE-Interventions GmbH as the client exclusively for the purpose of providing the chatbot. Shaanty has concluded data protection agreements with all other contractors.
The legal basis for the processing of personal data for the use of the AI chat is Art. 6 para. 1 lit. a GDPR. The conversations recorded as part of the AI chat are deleted after 4 weeks.
Further information about Shaanty UG can be found on the following website: shaanty.com/allgemeine-geschaeftsbedingung/ and in the privacy policy of Shaanty shaanty.com/data-policy/
10. Rights of the data subject
If your personal data are processed, you are the data subject as defined by the GDPR and are entitled to the following rights toward the controller:
a. Right of access
You can demand that the controller confirm whether we are processing personal data concerning you. If this is the case, you can demand access to the following information from the controller:
(1) the purposes for which the personal data are being processed;
(2) the categories of personal data being processed;
(3) the recipient or categories of recipients to whom the personal data concerning you were or will be disclosed;
(4) the planned duration of the storage of the personal data concerning you, or if no specific information is available to this end, the criteria for determining the storage period;
(5) the existence of a right to have the personal data concerning you rectified or erased, a right to restrict its processing through the controller, or a right to object to that processing;
(6) the existence of a right to complain to a supervisory authority: https://datenschutz.hessen.de/
(7) all available information on the origin of the data, if the personal data was not collected from the data subject;
(8) the existence of automated decision-making, including profiling under Art. 22 (1) and (4) GDPR and—at least in these cases—meaningful information about the logic involved, as well as the implications and sought-after effects such processing would have for the data subject.
You have the right to demand whether the personal data concerning you are transmitted to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.
b. Right to rectification
If the processed personal data that concerns you is incorrect or incomplete, you have the right against the controller to have it corrected, deleted, or both. The controller must undertake such correction without undue delay.
c. Right to restriction of processing
You can demand that the processing of the personal data concerning you be restricted, under the following conditions:
(1) if you dispute the correctness of the personal data concerning you, for a duration which enables the controller to check its correctness;
(2) the processing is incorrect and you waive your right to have it deleted, instead demanding that its use be restricted;
(3) the controller of the personal data no longer needs it for the purposes of its processing, but you need it to assert, exercise or defend against legal claims, or
(4) if you have filed an objection against the processing under Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.
If the processing of the personal data concerning you has been restricted, these data – regardless of their storage – may be processed only (1) with your consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
If the processing has been restricted according to the aforementioned conditions, the controller will inform you before that restriction is lifted.
d. Right to erasure
Obligation to erase
You may demand from the controller that the personal data concerning you be erased without undue delay, and the controller will be obligated to do so provided one of the following grounds applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed;
(2) You withdraw your consent on which the processing is based under Art. 6 (1) a or Art. 9 (2) a GDPR, and there is no other legal basis for the processing;
(3) You object to the processing under Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21 (2) GDPR.
(4) The personal data concerning you was illegally processed.
(5) The personal data concerning you must be deleted to fulfil a legal obligation under EU or member state law to which the controller is subject.
(6) The personal data concerning you was collected in regard to information society services offered pursuant to Art. 8 (1) GDPR.
Information to third parties
If the controller has publicised the personal data and is obligated under Art. 17 (1) GDPR to erase that data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Exceptions
The right to erasure does not exist if the processing is necessary:
(1) to exercise the right to information and freedom of expression;
(2) to fulfil a legal obligation which requires the processing under EU or member state law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
(3) for reasons of the public interest in the area of public health under Art. 9 (2) h and i as well as Art. 9 (3) GDPR;
(4) for purposes of archiving, academia or historical research which lie in the public interest, or for statistical purposes under Art. 89 (1) GDPR, insofar as the right mentioned in section a) is expected to prevent or seriously impair the realisation of the objectives of this processing, or
(5) to assert, exercise or defend against legal claims.
e. Right to information
If you have asserted your right to rectification, erasure or restriction of the processing toward the controller, that controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or would entail a disproportionate effort.
You have the right to be informed by the controller about those recipients.
f. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as
(1) the processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and
(2) the processing occurs with the help of automated procedures.
In exercising this right, you may also effect that the personal data concerning you are transmitted directly from one controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others.
The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.
g. Right to object
You have the right to object at any time, for reasons arising from your particular situation, if personal data concerning you are processed based on Art. 6 (1) e or f GDPR. This also applies to profiling based on these provisions.
The controller will cease processing the personal data concerning you unless the controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise or defend against legal claims.
If the personal data concerning you are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).
h. Right to withdraw the declaration of consent granted under data protection laws
You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.
i. Automatic decision-making in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision
(1) is necessary to conclude or fulfil a contract between you and the controller,
(2) is permitted under EU or member state law to which the controller is subject and which stipulate reasonable measures for guarding your rights, freedoms and legitimate interests, or
(3) is made with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR unless Art. 9 (2) a or g GDPR apply and reasonable measures have been taken to protect your rights, freedoms and legitimate interests.
Regarding the cases mentioned in (1) and (3), the controller shall take reasonable measures to guard your rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your own point of view, and to contest the decision.
j. Right to complain to a supervisory authority
If you believe that the processing of the personal data concerning you breaches the GDPR, you have the right to complain to a supervisory authority—especially in the member state of your abode, your workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies.
The supervisory authority to which the complaint is submitted shall inform the complainant about the status and results of that complaint, including the possibility for judicial remedy under Art. 78 GDPR.
j. Name and address of the data protection officer
The controller’s data protection officer is:
Ms Deborah Schütt
Clemensstr. 10-12
60487 Frankfurt am Main
Germany
Phone: +49 69 90555 29-0; Extension -20
Email: datenschutz@insite.de
13. Amendments to the data privacy statement
We reserve the right to amend the data privacy statement, to adjust it to altered legal situations, or to changes in services or data processing. Therefore, users are asked to inform themselves periodically about its contents.
Frankfurt am Main, January 2025
The Management