Meineimpfungen

The Swiss electronic vaccination record


Privacy policy

This Privacy Policy informs you about the personal data we process in order to offer our meineimpfungen.ch online platform as well as our other services in connection with the electronic vaccination certificate. With this Privacy Policy, we also inform you about the rights of persons whose data we process.

Our offer is subject to Swiss data protection law as well as any other applicable foreign data protection law, in particular of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognises that adequate data protection is guaranteed by Swiss data protection law.

Special, complementary or further privacy policies as well as other legal documents such as General Terms & Conditions (GTC), Terms of Use or Terms of Participation may apply to individual or additional offers and services.

We may amend and supplement this Privacy Policy at any time. We will provide information about such amendments and supplements in a suitable manner, in particular by publishing the respective current privacy policy on our website.

1. Contact addresses

Responsibility for personal data processing:

Stiftung meineimpfungen
Mattenstrasse 9
3073 Gümligen
Switzerland

support@meineimpfungen.ch

We will point out where other controllers exist for personal data processing in a given case. We have engaged the Swiss company Arpage AG, based in Küsnacht ZH, to operate the myvaccinations.ch online platform.

1.1 Data Protection Officer

We have the following data protection officer as point of contact for data subjects and as contact person for supervisory authorities for enquiries under data protection law:

Stiftung meineimpfungen
Data Protection
Mattenstrasse 9
3073 Gümligen
Switzerland

privacy@meineimpfungen.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation under Art. 27 GDPR in the European Economic Area (EEA), including the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway, as an additional point of contact for supervisory authorities and data subjects for enquiries in connection with the General Data Protection Regulation (GDPR):

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

info@datenschutzpartner.eu

2. Personal Data Processing

2.1 Terminology

Personal data means any information relating to an identified or identifiable natural person. Data subject means a person whose personal data is processed. Processing comprises any handling of personal data, irrespective of the means and procedures applied, in particular the storage, disclosure, procurement, collection, erasure, retention, modification, destruction and use of personal data.

The European Economic Area (EEA) comprises the European Union (EU) as well as the Principality of Liechtenstein, Iceland and Norway. In the General Data Protection Regulation (GDPR), the handling of personal details is referred to as personal data processing.

2.2 Legal Bases

We process personal data in line with Swiss data protection law, including, in particular, the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (OFADP).

Where and to the extent that the European General Data Protection Regulation (GDPR) is applicable, we process personal data under at least one of the following legal bases:

  • Point (b) of Art. 6(1) GDPR for personal data processing necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract.
  • Point (a) of Art. 6(1) GDPR for personal data processing with the consent of the data subject.
  • Point (d) of Art. 6(1) GDPR for the necessary personal data processing in order to protect the vital interests of the data subject or of another natural person.
  • Point (f) of Art. 6(1) GDPR for the necessary personal data processing for the purposes of the legitimate interests pursued by us or third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Legitimate interests include, in particular, our interest in providing our offer on a permanent, user-friendly, secure and admissible basis and in advertising it if necessary, as well as in information security, protection against misuse and unauthorised use, the enforcement of our own legal claims and compliance with Swiss law.
  • Point (c) of Art. 6(1) GDPR for the necessary personal data processing for compliance with a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
  • Point (e) of Art. 6(1) GDPR for the necessary personal data processing for the performance of a task carried out in the public interest.

2.3 Nature, Scope and Purpose

We process any personal data that is required in order to provide our offer in a permanent, user-friendly, secure and admissible manner. Such personal data may fall, in particular, into the categories of contact data, health data, contract data and access data.

We process personal data only after the data subject has given his or her consent, unless processing is exceptionally required or admissible for other legal reasons, for example for the performance of a contract with the data subject and in order to take relevant steps prior to entering into a contract.

In this context, we process, in particular, details that a data subject transfers to us voluntarily and personally when establishing contact, for example by letter mail, e-mail, contact form or phone, or when registering for a user account, or that authorised third parties, such as a physician, have transferred to us. We may retain such details, for example, in an electronic address book or with comparable aids. We may send notifications and communications in connection with our offer by e-mail, SMS and other communication channels.

We process personal data for any duration required for the respective purpose(s) or by law. Personal data which no longer needs to be processed will be anonymised or erased. Persons whose data we process have a right to erasure. The data of a deactivated dossier will be erased after 12 months by default, but may also be erased immediately at the data subject’s request.

2.4 Personal Data Processing by Third Parties

We may have personal data processed by engaged third parties, process personal data jointly with or with the help of third parties, or transfer personal data to third parties. Such third parties are, in particular, providers whose services we use. We guarantee a suitable level of data protection for such third parties as well. The personal data is exclusively retained in Switzerland.

3. Data Subjects’ Rights

Data subjects whose personal data we process may request confirmation, free of charge, as to whether we process their personal data and, if so, access to information concerning the processing of their personal data. They may have the processing of their personal data restricted, may exercise their right to data portability and may have their personal data rectified, erased (“right to be forgotten”), blocked or completed.

Data subjects whose personal data we process may revoke a consent given at any time with effect for the future and may object to the processing of their personal data at any time.

Data subjects whose personal data we process have the right to lodge a complaint with a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

4. Data Security

We take reasonable and adequate technical and organisational measures to guarantee data protection and, in particular, data security. We develop and maintain our software in line with ISO 62304 for medical device software life cycle processes. Our information security management system is governed by ISO 27001.

Health data is processed exclusively by or under the control of trained and informed professionals. We ensure data security, in particular, by the continuous monitoring and improvement of data processing processes and systems. To that end, we also cooperate with specialised companies, including, in particular, Netchange Informatik GmbH and Health Info Net AG (HIN) each based in Switzerland.

Our online offer can be accessed using transport encryption (SSL/TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar.

5. Website Use

We may capture the following details for each access to our website, where these are transferred by the browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, opened individual subpage of our website including transferred data volume, last website opened in the same browser window (referer or referrer).

We retain such details, which may also be personal data, in server log files. The details are required to provide our online offer on a permanent, user-friendly and reliable basis as well as to ensure data security and thus, in particular, the protection of personal data.

We use the free, open source Matomo (formerly Piwik) software on our own server infrastructure to measure, without personal reference, how our online offer is used. Here, we may also use cookies. Internet Protocol (IP) addresses are anonymised prior to the analysis.