The website www.cereneo.ch (hereinafter „website“) is operated by cereneo Switzerland Ltd., Hertensteinstrasse 162, CH-6353 Weggis (hereinafter „cereneo“ or „we“). cereneo is responsible for the collection, processing and use of personal data, which are collected from or entered into by the visitors of the website (hereinafter „user“ or „you“), and the compliance of the data processing with the applicable law.

Your trust is very important to cereneo. cereneo is aware of the fact that personal data may contain sensitive health data, which are particularly worthy of protection. Therefore, cereneo takes the subject of data protection very seriously and complies with the applicable data protection regulations.

cereneo takes data protection very seriously. Consequently, we are committed to the protection of your personal data and comply with the legal requirements of the Swiss Federal Data Protection Act (DSG), the Ordinance to the Federal Data Protection Act (VDSG) and the General Data Protection Regulation of the European Union (GDPR).

Certain information provided by the user may fall under the scope of patient’s secrecy according to art. 321StGB. Even if cereneo implements the highest security measures for the transmission and storage of data, cereneo recommends to not transmit such information through the website or to keep the according information as general as possible. Reservation is made for data processing opportunities for which it is hereafter explicitly mentioned that patient data can be submitted.

Hereinafter, you as user will find information about which personal data cereneo will collect and process in connection with the website. Section 2 also contains information on data processing outside the website, in particular in connection with the provision of services by cereneo to patients. Data processing outside the website is also carried out by cereneo International AG, Seestrasse 18, 6354 Vitznau. The legal responsibility for data processing outside the website lies with either cereneo or cereneo International AG, depending on which company the patient is assigned to. In section 2 the term «cereneo» is also used to refer to cereneo International AG.

The data protection representative of cereneo and cereneo International AG in the sense of Art. 27 GDPR is: relearnlabs GmbH, Kleine Hamburger Strasse 24, 10115 Berlin, Germany (relearnlabs), privacy@relearnlabs.com.

1. Scope and purpose of the collection, processing and use of personal data on the website

1.1 When accessing the website

While visiting the website, the server temporarily stores each access in a log file. Until the automatic deletion, the IP address of the requesting computer, date and time of the access, the name and the URL of the retrieved file, the website from which the access took place and the operating system used by user’s computer and the browser used by the user as well as the country, from where the user has accessed among other things, will be automatically collected.

The collection and processing of these data are generally anonymized without personal reference for the purpose, to enable the use of the website (connection establishment), to guarantee permanently the system security and stability and to optimize the internet offer as well as for internal statistical purposes. The information mentioned above will not be linked or stored with personal data.

Only in the case of an attack on the net infrastructure of cereneo or in case of suspicion of an illegal use or misuse of the website the IP-address will be analyzed for investigation and defense purposes and potentially used in the course of a criminal proceeding for the identification and for civil and criminal law actions against the respective user.

We rely on our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR to process the data for these purposes.

1.2 Contact form

Apart from this passive data acquisition and the hereinafter described data processing for advertising purposes, cereneo collects and processes personal data only if the user voluntarily forwards the personal data to cereneo, e.g. by email or contact form.

By communicating personal data to cereneo, the users agree that cereneo stores the data and processes it to answer questions, process requests, send the requested information or provide eventually requested services.

The legal basis for the processing of data voluntarily provided by the user lies in the consent pursuant to Art. 6 para. 1 lit. a GDPR and, e.g. for contact inquiries, in our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Users can object to this data processing at any time (see contact data below).

1.3Use of data for advertising purposes/ Newsletter

cereneo uses so-called re-targeting technologies on the website. In doing so, the user’s behavior is analyzed on the website in order to be able to subsequently offer individual tailored advertising to the user on the partner websites. The behavior of the user is recorded pseudonymously.

Most of the re-targeting technologies work with cookies (see therefore section 1.4 below).

This website uses Doubleclick by Google, a service of Google LLC. („Google“). Google uses therefore the so-called DoubleClick-Cookie which allows to recognize the browser used by a specific user when this user visits other websites. The information generated by the cookie regarding the visit of these websites (including the IP addresses) are transmitted to a Google server in the US and stored there (you will find additional information about personal data transfer to the US in section 1.5.2 below).

Google will use this information to evaluate the use of the website with regard to the ads to be served, to compile reports on the website activities and advertisements for the website operators and to provide other services connected with the use of the website and the Internet. Google may also transfer this information to third parties as far as this is required by law or if third parties process this data on behalf of Google. However, under no circumstances will Google associate the user’s IP address with other data from Google.

User can prevent re-targeting at any time by rejecting or deactivating the cookies in the web browser’s menu bar (see section 1.4 below).

The legal basis for this processing of personal data lies in the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Users can object to this data processing at any time by rejecting or deactivating cookies as described above.

1.5 Cookies

In order to make the visit of the website attractive and to enable the use of certain functions, so-called cookies are installed on the website. The cookies are small text files, which are stored on the user’s device. Some of the installed cookies are automatically deleted after the end of the browser session (so-called session cookies). Other cookies remain on the user’s device and allow cereneo to recognize the browser on the next visit (persistent cookies).

cereneo hereby advises the users that certain cookies are already set as soon as a user accesses the website. Users can, however, set up the browser in such a way that they are informed of the setting of cookies and may decide individually about their acceptance or can exclude the acceptance of cookies for certain cases or in general. The non-acceptance or de-activation of cookies may restrict the functionality of the website.

Browsers allow the users to control the storage of cookies on their respective devices. The description for the respective browsers can be found under the following links:

Internet Explorer™: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies

Safari™: http://apple-safari.giga.de/tipps/cookies-in-safari-aktivieren-blockieren-loeschen-so-geht-s/

Chrome™: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647

Firefox™: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen

Opera™ : http://help.opera.com/Windows/10.20/de/cookies.html

1.5 Tracking Tools

1.5.1 Google (Universal) Analytics

We use the web analytics service Google Analytics to maintain a user-oriented and continuously improving website. Google Analytics is provided by Google Ireland Limited, a company under Irish law with registered seat at Gordon House, Barrow Street, Dublin 4, Ireland („Google“). We create pseudonymized user profiles and cookies (see section 1.4) for this purpose. Information that is generated by the cookies includes:

• browser type/version,
• operating system used,
• referrer URL (the previously visited website),
• host name of the accessing computer (IP address),
• time of server inquiry, and
• device used.

This information will be transmitted to and stored by Google. We have concluded a data processing agreement with Google for this purpose and use Google Analytics with a privacy-friendly set up. This privacy-friendly setting means that we have masked the last octet of your IP address, have turned off ‘sharing data with Google’ and do not use other Google services in combination with the Google Analytics cookies.

The information obtained with Google Analytics is used to evaluate the use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and the design of these Internet pages to meet requirements. This information may also be transferred to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.

It cannot entirely be excluded that the data obtained with Google Analytics will be processed in locations outside of the European Union or the European Economic Area, including the United States of America. Google acts as our data processor in providing the services. We have concluded a data processing agreement with Google, and standard EU contractual clauses have been agreed and implemented. Additional information on data protection at Google can be found in Google’s data protection information.

For more information about the web analytics service used, please visit the Google Analytics website. The following link https://tools.google.com/dlpage/gaoptout?hl=en

on how to prevent the use of user data by the web analytics service.

We rely on our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR to use the Google Analytics cookies for the mentioned purposes. Our legitimate interests consist of the optimal functioning of the website.

1.6.2 Google AdWords Conversion-Tracking

We use the offer of Google Ads Conversion to draw attention to our attractive offers by means of advertising material (so-called Google Ads) on external websites. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising measures are. In this way, we pursue the interest of displaying advertising that is of interest to users, making our website more interesting for users and achieving a fair calculation of advertising costs.

These advertising materials are delivered by Google via so-called «Ad Servers». For this purpose, we use Ad Server Cookies, through which certain parameters can be measured to measure success, such as the display of the ads or clicks by users. If users reach our website via a Google ad, Google Ads will store a cookie on their end device. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values.

The cookies enable Google to recognize users’ internet browser. If a user visits certain pages of an ad client’s website and the cookie stored on their computer has not expired, Google and the client may recognize that the user clicked on the ad and was redirected to that page. A different cookie is assigned to each AdSense client. Cookies cannot be tracked through the websites of ad clients. We ourselves do not collect and process any personal data in the advertising measures mentioned. We only receive statistical evaluations from Google. These evaluations enable us to identify which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material, in particular we cannot identify the users on the basis of this information.

Due to the marketing tools used, users’ browsers automatically establish a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of these tools and therefore inform users according to our state of knowledge: through the integration of Ads Conversion, Google receives the information that users have called up the corresponding part of our website or clicked on an advertisement from us. If users are registered with a Google service, Google can assign the visit to their account. Even if users are not registered with Google or have not logged in, it is possible that the provider will find out their IP address and save it.

Users can find additional information about the conversion-tracking here.

Users may prevent this tracking by rejecting or de-activating cookies (see section 1.5).

For the sake of completeness, we inform our users which have a Swiss or a Dutch (or a different non-US) residency or domicile, that there are surveillance measures by the US authorities that generally enable the storage of all personal data of all persons whose data have been transferred from Switzerland or the Netherlands (or the user’s home country, as applicable) to the US. This is done without differentiation, restriction or objective criterion, which would make it possible to limit the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes, access to such data as well as their use. We also point out that in the US there are no legal remedies available to the persons concerned from Switzerland or the Netherlands (or a different non-US home country, as applicable) which allow them to gain access to their personal data and to correct or eradicate them, and that there is no effective judicial protection against general access rights from US authorities.

The legal basis for this data processing lies in the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Users can object to this data processing at any time by using the aforementioned opt-out options.

1.7 Social Plugins

On this website social plugins are installed. These social plugins consist on the one hand side of “Like-Buttons” or similar functionalities that are typical for social media networks, on the other hand side of “dynamic” links to the sites of cereneo on the respective social media network. Users recognize the respective plugins because they are displayed using the logo of the respective network.

If a user is logged into their user account with the respective social media network when accessing the website of cereneo, the respective network may connect the website visit to his / her user account. If a user interacts with the plugins, the respective information will directly be forwarded to the server of the respective provider and stored there. The information may be published on the respective social media network and in certain circumstances displayed to other users of the network (e.g. if the “like”-button is used).

The provider of the social media network uses the information for marketing purposes, market surveys and the user-focused design of its services. In this respect, the use, interest or relation profiles may be created, e.g. in order to analyze the use of the cereneo website by the respective user with respect to the advertising displayed to this user on the social media network, in order to inform other users of the social media network about the activities of the respective user on the cereneo website, and in order to provide other services connected to the use of the social media network.

Purpose and extent of the data collection, processing and use by the provider of the social media networks as well as the rights and user settings for the protection of the users’ privacy may be found in the data privacy policies for the social media networks.

If users do not want that the provider of a social media network is able to connect the data collected on the website of cereneo directly with their user account, the respective user must log out from his user account prior to using the plugins or prior to visiting the website.

The legal basis for this data processing lies the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Users can object to this data processing at any time by using the aforementioned opt-out options.

On this website plugins of the following providers are implemented:

• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, www.facebook.com/privacy/explanation
• Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA, twitter.com/en/privacy
• Instagram Inc., 1601 Willow Rd., Menlo Park, CA 94026, USA, https://help.instagram.com/519522125107875

2. Data processing other than through the website

2.1 Medical and therapeutic treatment

cereneo only processes the following categories of personal data of patients and, if applicable, their accompanying persons and/or (legal) representatives:

• Personal data which the patients or their legal representatives provide to cereneo within the framework of the offer, upon entry or registration (e.g. personal master data, doctor’s reports of prior treatment, clinical pictures, medical documents);
• Personal data which cereneo receives from third parties with the consent of the patient (e.g. travel and accommodation information, medical records and medical documents from third-party service providers consulted; laboratory examination reports); or
• Personal data collected during treatment (e.g. clinical pictures, prescribed therapies and therapy results, diagnostic/assessment/imaging material, reports, recording of training progress as well as the withdrawal report and accounts).

The legal basis for this data processing is the preparation and/or fulfilment of the contract (Art. 6 para. 1 lit. b GDPR), exceptionally legitimate interests of cereneo (Art. 6 para. 1 lit. f GDPR) as well as, in explicitly mentioned constellations, the consent of the patients given in the admission form or via specific individual consent.

2.2 Teletherapy and home-based services

Unless otherwise agreed with the patient or their (legal) representative, teletherapy and home-based services are carried out by CHBV, a company of the Neuro Recovery Group, on the basis of an independent contractual relationship with the patient or their (legal) representative. Personal data of patients treated by CSAG or CIAG that, after discharge from the inpatient facility of CSAG or CIAG, decide to continue treatment through teletherapy and/or home-based services, will be transferred from CSAG or CIAG to CHBV to the extent that such personal data is required for the continuation of the treatment, which includes the personal data mentioned under section 2.1 of this data privacy statement.

In connection with teletherapy services, cereneo cooperates with relearnlabs GmbH, Germany. relearnlabs is a company of the Neuro Recovery Group. relearnlabs provides technical support, management services and legal and technical clarification of the tools used for the teletherapy services offered by cereneo. After informing the patient and with his consent, cereneo can also transfer the patient to relearnlabs, which then enters into an independent contractual relationship with the patient. In this case, relearnlabs will be responsible for the data processing carried out after the transfer has been made. In order to provide the aforementioned services, relearnlabs shall have access to the data of the patients concerned (e.g. name, year of birth, e-mail address, technical devices used by the patient, medical history of the patient, certain information on the limitations and duration of teletherapy, assessments regarding satisfaction with and improvements through teletherapy). Where cereneo is the data controller, it shall contractually ensure that relearnlabs processes the data only as cereneo is permitted to do.

The legal basis for this data processing is the preparation and/or fulfilment of the contract (Art. 6 para. 1 lit. b GDPR), exceptionally legitimate interests of cereneo (Art. 6 para. 1 lit. f GDPR) as well as, in explicitly mentioned constellations, the consent of the patients given in the admission form or via specific individual consent.

2.3 Data exchange with cefir foundation

For the purpose of the advancement and improvement of therapeutic approaches as well as for the review, the measurement and the evaluation of the rehabilitation progress, cereneo cooperates with cereneo — Center for Interdisciplinary Research (cefir), a non-profit foundation under Swiss law, which was established in 2017. The patient will primarily be cared about by employees of cereneo. Sensitive personal data of the patient (for example measurements regarding the development of the locomotor system) will be collected for the purposes mentioned above, also after the stay in the clinic. The employees of cereneo or cefir may contact the patient for that purpose.

cereneo provides cefir with access to the patient files in order to process the personal data contained therein for the purposes mentioned above. The data collected from or about the patient in connection with the aforementioned purposes will be stored on servers of cereneo. cereneo ensures that cefir will process the sensitive personal data collected from or about the patient (including the data in the patient file) solely in a manner that would also be permitted to cereneo in accordance with this data privacy statement and the Law.

For the purposes mentioned above, cereneo or cefir, respectively, may suggest the use of (software) applications — including mobile applications — of third party service providers (for example, teletherapy applications, which compose patient data by means of smartphone measurements and forward these data to cereneo, or applications that allow communication between cereneo or cefir, respectively, and the patient and that assist with the scheduling of visits). The final decision about the use of such applications remains with the patient. cereneo is not responsible  for  the  collection  and  processing  of  personal  data  by  such  applications. Instead, responsibility is with the provider of the respective application. It is the responsibility of the patient to gather necessary information about the data processing by such applications.

2.4 Data exchange within Neuro Recovery Group

In connection with the service performance and administration data may be exchanged between the various companies of the Neuro Recovery Group. These data exchanges result from the fact that certain administrative services (e.g. HR, finance) are performed centrally. For the purpose of coordinated medical and therapeutic service provision, patient data is also exchanged between the various Neuro Recovery Group companies, and employees of other Neuro Recovery Group companies may be provided with access to the patient data. In order to ensure suitable accommodation and for administrative purposes, personal data is also passed on to certain companies of the POK Pühringer Group. The individual group companies of the Neuro Recovery Group and the POK Pühringer Group are listed below. Access to patient data by these companies is granted and controlled according to the «need-to-know» principle. In addition, it is contractually ensured that these companies only process the data in the way that cereneo is likely to do.

The legal basis for this data processing is the preparation and/or fulfilment of the contract (Art. 6 para. 1 lit. b GDPR), exceptionally legitimate interests of cereneo (Art. 6 para. 1 lit. f GDPR).

3. General provisions

3.1 Transfer of data to third parties

cereneo only discloses personal data if the data subject either has consented explicitly, if cereneo has a legal obligation to disclose or if it is required for the enforcement of rights and claims of cereneo.

In addition, cereneo will pass on personal data to third parties as far as it is necessary in the context of the use of the website as well as the answering of questions, processing of inquiries or for the possible provision of services. The use of the data submitted by the third parties is strictly limited to the purposes described in this data privacy statement.

A list with third party service providers as mentioned above is available in section «third party providers in connection with the Website» (see below). Additional service providers are explicitly mentioned in this data privacy statement (see for example in sections 1.4, 1.6, 1.7 and 2.2) or also in the admission form to be signed by the patient.

If the personal data is confidential information falling under the scope of professional or medical secrecy, this information shall in no case be passed on to third parties without the consent of the user.

3.2 Transfer of personal data abroad

cereneo is entitled to forward personal data to third parties and service providers abroad, provided that this is necessary within the scope of the purposes mentioned in section 3.1 above. In doing so, the statutory provisions for the transfer of personal data to third parties are complied with.

If a country in which a recipient of personal data is located does not have in place data protection legislation which is considered to offer an adequate level of data protection, cereneo – to the extent required by law – will conclude an agreement with this third party with reliance upon standard EU contractual clauses on data protection or equivalent safeguards, which provide sufficient safeguards for the transfer of personal data.

A list with third party service providers in connection with the website and their domiciles can be found in section «list with third party provider» (see below). Most of these service providers have their domiciles in the neighbouring countries. The website is hosted on a server in Switzerland. Some of the service providers explicitly mentioned in this data privacy statement have, however, their domicile in the US (see sections 1.4, 1.6 and 1.7). Additional information about the transfer of personal data to the US can be found in section 1.6.2.

3.3 Entitlement to disclosure, deletion, correction and data portability

Data subjects have, upon request and free of charge, the following rights:

Information right: Data subjects have the right at any time to request access to their personal data stored by us. This gives them the opportunity to check which personal data we process about them and that we use it in accordance with applicable data protection regulations.

Correction right: Data subjects have the right to have inaccurate or incomplete personal data corrected and to be informed of the correction. We will inform the individual concerned of the adjustments made to any incorrect data, unless such notification is impossible or involves a disproportionate effort.

Deletion right: Data subjects have the right to require us to delete their personal data, as long as there is no legal basis that allows us to further process such data.

Right to limitation of processing: Data subjects have the right, under certain conditions, to request the processing of their personal data to be restricted.

Data transferability rights: Under certain circumstances data subjects have the right to receive from us the personal data that they have provided to us, free of charge and in a

readable format.

Right to complain: If data subjects are residents of an EU or EEA member country, they have the right to lodge a complaint with a competent supervisory authority against the way in which their personal data is processed at any time.

Right of revocation: Data subjects can withdraw their consent to certain data processing at any time, with effect for the future.

Right to object: Data subjects can object to certain data processing at any time.

For this, the data subject contact datenschutz@cereneo.ch.

3.4 Data retention

cereneo stores personal data for as long as it is necessary to achieve the data processing purposes mentioned above. Contract data is retained by cereneo for a longer period, as this is prescribed by legal retention obligations.

Personal data collected as part of medical treatments in Switzerland is retained for 10 years, unless it is foreseeable or already known that the underlying treatment will become the subject of a legal dispute. In this case, the retention period is extended to a period of 20 years.

In the Netherlands, a record obligation of 20 years applies to personal data collected in the context of medical treatment. Consequently, personal data collected by CHBV in the context of the medical treatment cannot be deleted immediately after the client relationship ends, unless the patient has explicitly requested it.

Retention duties, which oblige cereneo to store data, furthermore result from regulations on accounting and tax law. According to these regulations, business communications, contracts concluded and accounting records must be stored for up to 10 years. If cereneo no longer needs any such data to perform the services for the users, the data will be blocked. This means that the data may then exclusively be used for accounting and tax purposes.

3.5 Data security

cereneo uses appropriate technical and organizational security measures to protect personal data against manipulation, partial or total loss and against unauthorized access by third parties. These safety measures are continuously improved according to the technological development.

4. Contact

If you have any questions regarding data privacy, please contact datenschutz@cereneo.ch.