DATA PROTECTION DECLARATION
CRUSE APP
(Chronic Urticaria Self Evaluation APP)
Status: January 27, 2022, last updated on February 24, 2022

We ask you, as a user of the CRUSE APP, to take note of the following data protection declaration. The minimum age to use our services is eighteen (18) years.

This data protection declaration applies to England, Wales, Scotland and Northern Ireland (collectively hereinafter referred to as "UK") and applies regardless of the systems, platforms and devices used (e.g. iOS or Android) on which the app is running.

The following data protection declaration is divided into:

  1. General
  2. Data collected/purpose of processing/legal basis/duration of storage
  3. Disclosure to Third Parties
  4. Deletion of Data
  5. Rights regarding the processing of personal data
  6. Right to Object
  7. Changes to this data protection declaration / person responsible

1. General

The GA²LEN eV, c/o DGAKI, Robert-Koch-Platz 7, 10115 Berlin, Germany (hereinafter "GA²LEN eV") is pleased about your decision to use the CRUSE app (hereinafter "CRUSE APP") with the self-evaluation of your hives/urticaria contained therein (hereinafter “CRUSE”). We protect your privacy and your personal data in the best possible way.

CRUSE can be operated via a download as an app and is available as a mobile app for iOS and Android. Only natural persons are permitted to use the CRUSE APP. The use of the CRUSE APP for commercial purposes or for purposes that can be attributed to self-employed professional activity is not permitted unless GA²LEN e.V. has permitted this on the basis of a separate written agreement in individual cases.

The name and contact details of the person responsible are as follows:

GA²LEN e.V
c/o DGAKI
Robert-Koch-Platz 7
10115 Berlin
E-Mail: cruse@ga2len.berlin

The contact details of the data protection officer are as follows:

Frau Claudia Hayford
Charité
Hindenburgdamm 30, Haus II
12203 Berlin
Tel.: +49 30 450 618 524
E-Mail: claudia.hayford@charite.de

In the United Kingdom, the use and processing of personal data is controlled by the United Kingdom General Data Protection Regulation (hereafter “UK GDPR”) and the Data Protection Act 2018 (hereafter “DPA”). The DPA contains the so-called UK-GDPR in Chapter 3, Part 2 and thus the implementation of the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR"). The principles of the UK GDPR and the GDPR are almost identical. The requirements of the GDPR were also taken into account by the so-called adequacy decision for the United Kingdom of June 28, 2021, cf. Art. 44 et seq. GDPR.

According to Chapter 1 Section 3 DPA, personal data means any information relating to an identified or identifiable natural person. A natural person is considered to be identifiable if they can be identified, directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or to one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

Special categories of personal data - also relevant for the CRUSE APP - are named in Chapter 2 Section 10 DPA. Health data is personal data relating to the physical or mental health of a natural person, including the provision of health services, and which reveals information about their state of health (e.g. complaints, diagnoses, medication plans). Biometric data is data on the physical, physiological or behavioral characteristics of a natural person, which were obtained using special technical processes and enable or confirm the clear identification of this natural person, such as facial images or dactyloscopic data (e.g. ID card photos).

According to Chapter 2 Section 4 DPA, the term processing of data is understood to mean any process or series of processes in connection with personal data, carried out with or without the aid of automated processes, such as the collection, recording, organization, ordering, storage, adaptation or modification, reading, retrieval, use, disclosure by transmission, distribution or any other form of provision, comparison or association, restriction, deletion or destruction.

MySQL from Peercode BV in Geldermalsen/Netherlands is used to store the data in the CRUSE APP. The Peercode BV servers we use are located in the Netherlands. As a cloud provider, CLOUDVPS is our processor with whom we have concluded an order processing agreement. In accordance with the applicable regulations on data security, data stored by us is also saved on media (backup).

This data protection declaration is supplemented by our general terms and conditions, available at https://cruse-control.com/privacy-policy, as well as our cookie policy, available at https://cruse-control.com. The imprint is available at https://cruse-control.com/imprint.

2. Data collected/purpose of processing/legal basis/duration of storage

Below we show you which categories of data are collected, the purpose of the processing, the applicable legal basis and the duration of storage.

2.1 When using the CRUSE APP without a user account

Categories of data: authentication data = IP address, date and time of the request, time zone difference to Greenwich Mean Time, content of the request (specific page), access status/http status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and the version of the browser software.
Purpose of processing: Access to the medical device. Ensuring the use of the medical device. Analysis of the operability of the system. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: 1 month.

Categories of data: User data part 1: Surname, first name, gender, birthday.
Purpose of processing: Access to the medical device. Proper evaluation of the specified health parameters for the user in order to use the data for the user himself and/or his doctor. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. User consent for processing of health data (gender), Chapter 3 Section 35, undersection 2a), 3 and 4 DPA.
Duration of storage: Until the user deletes the app or requests deletion. If the app is inactive for 24 months, the user will be contacted to evaluate the validity of the account. In the event of continued inactivity for a further three months, the data will be deleted or irrevocably anonymised. Section 4 of this data protection declaration also applies.

Categories of data: User data part 2: Health data: Information on your symptoms, their development and medication, any triggers, information on the medication taken, if necessary uploading photos by the user.
Purpose of processing: Proper evaluation of the specified health parameters for the user in order to use the data for the user himself and/or his doctor. Your health data will also be processed in pseudonymised form in order to compile summary statistics on the geographic and drug-related distribution of certain types of symptoms and manifestations of urticaria. Such statistics are made available to cooperation partners, but only using irrevocably anonymous data.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a), 3 and 4 DPA. Performance of a contract. Processing for scientific research purposes and statistical purposes is only carried out using anonymous data.
Duration of storage: See user data part 1. In addition, for this category (user data part 2): If you separately request the deletion of a specific symptom or information about triggers or medication or delete this yourself in your account, your data will no longer be used for the specified purpose. The research projects and statistics are anonymous.

Categories of data: Device data to deliver the content = mobile phone model, operating system, installation-specific device ID.
Purpose of processing: Access to the medical device. Ensuring the use of the medical device. Analysis of the operability of the system. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: See user data part 1.

Categories of data: Progress data on the operation of the app = viewed and completed content.
Purpose of processing: Proper evaluation of the specified health parameters for the user. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: See user data part 1.

Categories of data: content data = User consent to terms and conditions, data protection, cookie policy, push service reminder service, data interface camera, version of the installed app.
Purpose of processing: Access to the medical device. Ensuring the use of the medical device. Analysis of the operability of the system. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: See user data part 1.

2.2 When using the CRUSE APP with a user account

Categories of data: authentication data = IP address, date and time of the request, time zone difference to Greenwich Mean Time, content of the request (specific page), access status/http status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and the version of the browser software.
Purpose of processing: Access to the medical device. Ensuring the use of the medical device. Analysis of the operability of the system. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: 1 month.

Categories of data: User data part 1: Email address and password, account identification number, last name, first name, CURE ID (optional), gender, birthday.
Purpose of processing: Access to the medical device using a user account. Proper evaluation of the specified health parameters for the user in order to use the data for the user himself and/or his doctor. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. User consent for processing of health data (gender), Chapter 3 Section 35, undersection 2a), 3 and 4 DPA.
Duration of storage: Until the account is deleted by the user or his request for deletion. If the account is inactive for 24 months, the user will be contacted to evaluate the validity of the account. In the event of continued inactivity for a further three months, the account will be deleted within one month and the data will be deleted or irrevocably anonymised. Section 4 of this data protection declaration also applies.

Categories of data: User data part 2: Health data: Information on your symptoms, their development and medication, any triggers, information on the medication taken, if necessary uploading photos by the user.
Purpose of processing: Proper evaluation of the specified health parameters for the user in order to use the data for the user himself and/or his doctor. Your health data will also be processed in pseudonymised form in order to compile summary statistics on the geographic and drug-related distribution of certain types of symptoms and manifestations of urticaria. Such statistics are made available to cooperation partners, but only using irrevocably anonymous data.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a), 3 and 4 DPA. Performance of a contract. Processing for scientific research purposes and statistical purposes is only carried out using anonymous data.
Duration of storage: See user data part 1. In addition, for this category (user data part 2): If you separately request the deletion of a specific symptom or information about triggers or medication or delete this yourself in your account, your data will no longer be used for the specified purpose. The research projects and statistics are anonymous.

Categories of data: Device data to deliver the content = mobile phone model, operating system, installation-specific device ID.
Purpose of processing: Access to the medical device. Ensuring the use of the medical device. Analysis of the operability of the system. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: See user data part 1.

Categories of data: Progress data on the operation of the app = viewed and completed content.
Purpose of processing: Proper evaluation of the specified health parameters for the user. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: See user data part 1.

Categories of data: content data = User consent to terms and conditions, data protection, cookie policy, push service reminder service, data interface camera, version of the installed app.
Purpose of processing: Access to the medical device. Ensuring the use of the medical device. Analysis of the operability of the system. Administrative purposes.
Legal basis: User consent, Chapter 3 Section 35, undersection 2a) DPA. Performance of a contract. Interest in the error-free operation and functionality of the app in order to avoid misuse and improve the app (legitimate interest pursued by controller).
Duration of storage: See user data part 1.

2.3 Data from children

The medical device is not intended for marketing to children under the age of 18.

The CRUSE APP does not intend to collect and/or store personal data from children. Nevertheless, the use of services may occur under certain circumstances. If this is the case, children according to Chapter 2 Section 9 DPA, i.e. all users who are 13 years of age or younger, must obtain the consent of their parents before they can use the CRUSE APP offer. If parents become aware that their child has provided personal information in the app without their consent, they must ask us to delete that personal information and terminate the child's account. For this we ask you to send an email to cruse@ga2len.berlin. If only the person responsible becomes aware that personal data has been collected from a child under the age of 18, the necessary measures will be taken immediately to either obtain parental consent for the processing of the child's personal data or to delete this personal data and dissolve the child's account.

3. Disclosure to third parties

We do not sell your personal data. We also do not transmit any personal data to third parties without your consent, unless such transmission is permitted by law. The personal data you enter will only be collected and stored for internal use by the person responsible for processing and for their own purposes. The person responsible for processing can arrange for the data to be passed on to one or more processors, who also use the personal data exclusively for internal use attributable to the person responsible for processing. If the processing is carried out on behalf of the person responsible, the latter only works with processors who offer sufficient guarantees that suitable technical and organizational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the DPA and the UK GDPR and the protection of the persons concerned is guaranteed. Selling your data to third parties and/or passing on the data for the purpose of marketing is hereby excluded. We are also legally obliged to provide information to certain public bodies upon request. These are criminal prosecution authorities, authorities that prosecute administrative offenses subject to fines and the financial authorities. This data is passed on in accordance with the requirements of the DPA on the basis of our legitimate interest in combating abuse, prosecuting criminal offenses and securing, asserting and enforcing claims, provided that your rights and interests in protecting your personal data do not prevail. The DPA allows data processing within the EU, especially since an adequacy decision between the EU and the United Kingdom takes effect. Processing outside the UK in a so-called third country is permitted provided that there is a comparable level of protection in the third country. The service providers we use are either based in the UK or in the EU or in a country in which an adequate level of data protection has been established.

4. Deletion of data

The following specifications apply in addition to the information provided under Section 2 of this data protection declaration. The legislator has issued a variety of retention periods and obligations. After these periods have expired, the corresponding data will be routinely deleted. If data are not affected by this, they will be deleted or made anonymous if the purposes mentioned in this data protection declaration no longer apply. Unless this data protection declaration contains other, deviating provisions regarding the storage of data, the data collected by us will be stored by us for as long as they are necessary for the above purposes for which they were collected. Further processing or use of your personal data generally only takes place if this is permitted by law or if you have consented to the data processing or use. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes before further processing and provide you with the other relevant information. We keep information for detecting and tracking misuse, in particular your IP address, for a maximum of one month.

5. Rights regarding the processing of personal data

Right to information

You have the right to request information from us at any time about the personal data we have processed that relates to you. To do this, you can submit an application by post or email to the addresses given above. Your right of access can be exercised in accordance with the Data Protection Legislation, e.g. Chapter 3 DPA.

Right to rectification of inaccurate data

You have the right to demand that we correct your personal data without delay if it is incorrect. To do this, please use the contact addresses given above. Your right of rectification can be exercised in accordance with the Data Protection Legislation, e.g. Chapter 3 DPA.

Right to Erasure

You have the right to immediate deletion (“right to be forgotten”) of your personal data if there are certain legal reasons. Your right to erasure can be exercised in accordance with the Data Protection Legislation, e.g. Chapter 3 DPA. Legal reasons exist, for example, if the personal data are no longer necessary for the purposes for which they were originally processed, or if you have revoked your consent and there is no other legal basis for the processing, or if the data subject objects to the processing. To assert your above right, please use the contact addresses given above.

Right to restriction of processing

You have the right to restriction of processing if the conditions are met. Your right of access can be exercised in accordance with the Data Protection Legislation, e.g. Chapter 3 DPA. Accordingly, the restriction of processing may be necessary in particular if the processing is unlawful and the data subject refuses the deletion of the personal data and instead requests the restriction of the use of the personal data, or if the data subject has lodged an objection to the processing, for as long as it is not certain whether our legitimate reasons outweigh yours. To assert your above right, please use the contact addresses given above.

Right to data portability

You have a right to data portability. Your right of data portability can be exercised in accordance with the Data Protection Legislation, e.g. Chapter 3 DPA. You have the right to receive the data concerning you that you have provided to us in a common, structured and machine-readable format and to transfer this data to another person responsible, such as another service provider. The prerequisite for this is that the processing is based on consent or on a contract and is carried out using automated processes. To assert your above right, please use the contact addresses given above.

6. Right to Object

Objection

You have the right to object to the processing of your personal data at any time for reasons that arise from your particular situation. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. To assert your above right, please use the contact addresses given above. Your right to object can be exercised in accordance with the Data Protection Legislation, e.g. Chapter 3 DPA.

7. Changes to this data protection declaration / person responsible

The current version of this data protection declaration is always available at www.cruse-control.com and relates exclusively to the CRUSE APP. The data protection notices are subject to constant adjustment.

The imprint can be found at www.cruse-control.com.

Responsible in the sense of the DPA and the UK-GDPR:

GA²LEN e.V
c/o DGAKI
Robert-Koch-Platz 7
10115 Berlin
E-Mail: cruse@ga2len.berlin

Status: February 2022
