Data protection declaration
This data protection declaration does not constitute a contract with you. We may amend it at any time. The current version is always the one published on this website.
1. What data do we process?
General personal data: We process general personal data about you. [Note: relates to ch. 4: all data processing].
Health-related data: We process your health-related data. [Note: relates to ch. 4: provision of care, communication, management and performance of contracts, other data processing].
Private sphere: We process data relating to your private and intimate sphere. [Note: relates to ch. 4: provision of care, management and performance of contracts, other data processing].
Biometric data: We process your biometric data. [Note: relates to ch. 4: provision of care, registration, security and access controls, management and performance of contracts].
Location data: We process your location data. [Note: relates to ch. 4: market research, service improvement etc.].
Financial data: We process your financial data. [Note: relates to ch. 4: communication, management and performance of contracts].
Data provided: We process the personal data that you make available to us. [Note: relates to section 5, point 1].
Collected data: We process the personal data about you that we collect. [Note: relates to point 5, 2nd bullet].
Received data: We process personal data about you that we receive from third parties. [Note: relates to point 5, 2nd bullet].
- Marketing: We use your personal data for marketing and advertising purposes. [Note: relates to ch. 4: marketing and public relations].
- Product development: We use your personal data to develop and improve products and services. [Note: relates to ch. 4: marketing research, service improvement etc.].
- Other purposes: We use your personal data for other purposes that are not related to the main service. [Note: relates to section 4: security etc.].
In Switzerland: We only process your personal data in Switzerland. [Note: see section 7].
In Switzerland and Europe: We only process your personal data in Switzerland and the EEA. [Note: relates to ch. 7].
Worldwide: We process your personal data outside Switzerland and the EEA. [Note: relates to ch. 7].
2. What is this data protection declaration about?
CIC Groupe Santé SA, CIC Riviera SA and RXPM SA, headquartered at Rue du Grammont 2 - 1815 Clarens, CIC Valais SA, headquartered at Route du Léman 29 - 1907 Saxon and CIC Collombey SA, headquartered at Z. A des Plavaux 103, 1893 Collombey-Muraz, Clinique CIC Suisse Group (hereinafter also referred to as "we" or "us"), collects and processes personal data, in particular personal data relating to our patients, their relatives and associated persons, other customers, contractors, visitors to our website, event participants, newsletter recipients, other healthcare service providers and other authorities, or their contact persons and employees (hereinafter also referred to as "you"). In this data protection declaration, we inform you about this data processing. In addition to this declaration, we can also provide you with information on the processing of your data at your request (e.g. via forms or contractual conditions).
When you provide us with data about other people (e.g. relatives, friends or other (healthcare) service providers), we assume that you are authorized to do so and that this data is correct. We also assume that you have made sure that these persons have been informed of this communication (e.g. by submitting this data protection declaration to them beforehand), insofar as the law provides for such an obligation to inform.
When processing your personal data, we are primarily subject to the Swiss Federal Data Protection Act (DPA). As part of the service mandate entrusted to us by the cantons of Vaud and Valais, we are also subject to these cantons' provisions on information processing and data protection. In addition, we are also likely to be subject to the EU's General Data Protection Regulation (GDPR). The application of these laws depends on each individual case.
3. Who is responsible for processing your data?
In accordance with data protection law, the following establishment is responsible for the processing described in this data protection declaration:
CIC Groupe Santé SA
Rue du Grammont
4. For what purposes do we process your data?
We collect and process various types of personal data about you when you make use of our services (in particular in connection with the provision of care but also hospitality and other services), when you purchase products (in particular medicines and medical devices), when you visit our website www.cliniquecic.ch, our other websites www.cliniquecic-montreux.ch, www.cliniquecic-saxon.ch, www.cliniquecic-collombey.ch or our apps (hereinafter collectively referred to as "website") or when we enter into other types of relationships. In general, we collect and process data for the following purposes in particular:
- Provision of health-related services: We process your personal data in order to provide our health-related services in a professional manner. For this purpose, we need in particular your identity, contact details and health data (e.g. information on current and past diagnoses, therapies, prescribed medication, imaging data such as X-rays, tomograms or similar, laboratory or other analyses, treatment reports and notes, as well as other information about your state of health that has been collected in the course of history-taking, examinations, treatments and consultations).
- Preparing and concluding contractual relationships: In order to conclude a contract (and not only to establish a therapeutic relationship, but also when you use our hotel services or other services, when you purchase products from us, or when we purchase products or services from your principal or employer), we collect and process your identity, contact details, health data, photos, powers of attorney, declarations of consent, information about third parties (e.g. contact persons, details of parents and relatives), contract wordings, dates of conclusion, creditworthiness data and any other data you make available to us or that we collect from you. We collect and process your identity, contact details, health data, photographs, powers of attorney, declarations of consent, information about third parties (e.g. contact details, details of relatives), contract wordings, dates of conclusion, creditworthiness data and any other data you make available to us or that we obtain from public sources or third parties (e.g. references).
- Contract management and fulfillment: We collect and process personal data in order to fulfill our legal and contractual obligations towards our patients, the authorities, insurance companies and other contractual parties (e.g. other care providers, referrers, suppliers, contractors, project partners), and in particular to provide and claim contractually agreed services. In addition, we process data required for the care of our non-patient customers, as well as for the execution of contracts (insurance billing, collection, legal proceedings, etc.), accounting and public relations purposes. In particular, we process data received or collected in the course of preparing, concluding and fulfilling contracts, as well as, for example, data relating to contractual services and the provision of services, feedback data (e.g. satisfaction data) and financial and payment information.
- Communication: In order to communicate with you and with third parties by e-mail, telephone, fax, digital communication channels, post or otherwise (e.g. to answer questions in connection with a treatment or consultation or to prepare or conclude a contract), we process in particular the contents of communications, your contact details and secondary communication data.
- Public relations and marketing: We also process your data for public relations and marketing purposes, in particular in order to send our customers, other contracting parties and interested third parties personalized advertising (e.g. on our website, by post, by e-mail or via other channels) about products, services and new products offered by ourselves or third parties (e.g. product partners), about free services (e.g. invitations, vouchers) or as part of promotional activities (e.g. events, competitions). In particular, we process names, e-mail addresses, telephone numbers and other contact details that we collect when concluding or fulfilling a contract, or when registering (e.g. for the newsletter). You may object to such mailings at any time, or refuse or withdraw your consent to any contact for advertising purposes by notifying us of your decision (see hospital contact details in section 3).
- Improving our services and business, as well as product development: In order to continually improve our products and services (including our website and other electronic offerings), we collect data about your behavior and preferences - this enables us to analyze, for example, how you navigate our website, how you interact with our social network profiles or [other electronic offerings], or which products are used in which way by which groups of people. Where appropriate, we may supplement this information with information from third parties (including public sources).
- Registration: In order to benefit from certain offers and services (e.g. reserved domains, [free Wi-Fi], newsletter, apps), you must register (directly with us or with our external supplier). To this end, we process the data provided as part of the registration process. In addition, we may collect personal data about you when you use the offer or service; if necessary, we will provide you with further information about the processing of this data.
- Security and access control: We collect and process personal data in order to guarantee and constantly improve the security of our IT systems and other infrastructures (e.g. buildings). This includes, for example, monitoring and controlling electronic access to our IT systems and physical access to our premises (including biometric data processing), analysis and testing of our IT infrastructures, system and error analysis, and the creation of back-up copies. For documentation and security purposes (as a preventive measure and to clarify incidents), we use access protocols or access lists for our premises and surveillance systems (e.g. cameras). Signs alert you to the presence of these systems in areas subject to such surveillance.
- Compliance with laws, directives and recommendations of authorities as well as internal regulations ("governance"): We collect and process personal data in order to comply with applicable laws (e.g. health police obligations, child and adult protection obligations, obligations under social insurance or tax law, ethical or professional obligations), self-regulation, certifications, industry standards, our "corporate governance", as well as for both internal and external investigations (e.g. by a criminal prosecution or supervisory authority or by a mandated private body).
- Risk management and corporate management: We collect and process personal data in the context of risk management (e.g. for protection against criminal activities) and corporate management. This includes the organization of operations (e.g. resource planning) and the development of the company (e.g. acquisition and sale of sectors or companies).
- Applications: When you apply for a job with us, we collect and process the relevant data for the purposes of checking your profile, conducting the procedure and, in the event of employment, preparing and drawing up the contract. In addition to your contact details and communication details, we process in particular the data contained in your application file and any data we may have collected about you, e.g. on professional social networks, on the Internet, in the media and also from references if you have given us permission to consult them.
- Other purposes: Other purposes include, for example, education and training, administrative purposes (e.g. accounting) or the organization of events (e.g. seminars for healthcare professionals or others, patients and other customers, and the public). We may use your data, and in particular your health data, for teaching and training purposes, for the protection and safety of yourself or other patients, employees, third parties or the community, and for quality assurance purposes. We may also listen to or record tele- or videoconferences for teaching, evidence management and quality assurance purposes. In such cases, we will expressly inform you (e.g. by means of a message during the videoconference), and you are free to terminate the communication or to inform us that you object to the recording (if you do not wish your image to appear, simply switch off your camera). In addition, we may need to process personal information such as participant lists, conference and discussion content, and audio and video recordings made during events, in order to organize, run and evaluate them. Other purposes include the exercise of other justified interests, which cannot be listed exhaustively.
5. Where do the data come from?
- From you: Most of the data we process is provided by you or your terminal (e.g. in connection with the provision of care or our own services, the use of our website and apps or your communications with us). You are not obliged to disclose your data, with a few exceptions (e.g. statutory obligations). However, if you enter into a contract with us, for example, or if you wish to make use of our services (including the use of our website and other services), you must provide us with certain data.
- From third parties: We also collect the data we process for the provision of care and for the preparation and execution of contracts from other service providers, social or private insurers, authorities, your relatives or other third parties. We may also collect other data from publicly available sources (e.g. debt enforcement register, land register, commercial register, media or the Internet, including social networks) or receive it (i) from authorities, (ii) from your employer or principal who has a business relationship with us or is otherwise in contact with us, as well as (iii) from other third parties (e.g. credit institutions, address providers, associations, contractors, Internet analysis services). This includes in particular data that we process in the course of preparing, concluding and fulfilling contracts, as well as data from correspondence and discussions with third parties, but also all the other categories of data mentioned in ch. 4.
6. To whom do we disclose your data?
In connection with the purposes mentioned in section 4, we may disclose your personal data to the following categories of recipients:
- Group companies: You will find a list of our group companies in section 1. Group companies may use your data, as described in this data protection declaration, for the same purposes as we do (see section 4). As a rule, recipients process data on their own responsibility.
- Other healthcare service providers: We collaborate with other healthcare service providers (e.g. referral or follow-up personnel, mainly family doctors, doctors' surgeries, other hospitals and clinics, rehabilitation facilities, etc.), particularly in the preparation and follow-up of patients. In addition, and especially during the course of treatment, we are called upon to collaborate with other service providers (e.g. laboratories, manufacturers of medicines and medical devices, ambulance and rescue services, registered doctors, etc.). These health service providers may process the data that we have communicated to them or that they have collected for us (i) on our behalf, (ii) in shared responsibility with us or (iii) under their own responsibility.
- Service providers: We cooperate with other service providers in Switzerland and abroad, who process the data we have disclosed to them or which they have collected for us (i) on our behalf (e.g. IT provider), (ii) in shared responsibility with us or (iii) under their own responsibility. Such service providers include, for example, IT providers, advertisers, banks, insurers, collection agencies, credit institutions, address providers, consultancy firms or lawyers. As a rule, we conclude contracts with these third parties governing the use and protection of personal data.
- Patients, customers and other contractors: This category primarily includes patients, customers and other contractors to whom we are contractually obliged to pass on your data (e.g. because you work for a contractor or because they provide services on your behalf). This category of recipients also includes contractors with whom we cooperate or who advertise on our behalf. As a general rule, recipients process data on their own responsibility.
- Authorities and courts: We may disclose personal data to offices, courts and other authorities (including social security authorities) in Switzerland and abroad if we are obliged or entitled to do so by law, or in order to protect our interests if this appears necessary. These recipients process the data under their own responsibility.
- Other persons: This includes other situations in which the involvement of third parties is necessary for the purposes mentioned in point 4, e.g. supplier or payment addresses that you have provided, or the contact details of third parties in the context of representation (e.g. your lawyer, your bank or a trustee, a person authorized to represent you or other third parties) or persons involved in official or legal proceedings. When we collaborate with the media and communicate material (e.g. photos), you may also be affected. As part of the development of our business, we may sell or acquire businesses, parts of businesses, assets or companies, or enter into partnerships, which may involve the disclosure of data (including your data, e.g. as a patient, customer or supplier, or as their representative) to those involved in such transactions. In the course of communication with our competitors, industry organizations, associations and other bodies, data may be exchanged which also concerns you.
For their part, all these categories of recipient may involve third parties, so that your data will also be accessible to them. We are able to restrict processing by some third parties (e.g. IT suppliers) but not others (e.g. authorities, banks etc.).
We also allow certain third parties to collect personal data about you on our website and at events under their own responsibility (e.g. press photographers, suppliers of tools we have integrated into our website, etc.). Insofar as we are not decisively involved in such data collection, these third parties alone are responsible for it. Should you have any queries or wish to assert your data protection rights, please contact these third parties directly. These are listed in section 9.
7. Is your personal data also processed abroad?
We process and store personal data mainly in Switzerland and the European Economic Area (EEA). In exceptional cases - e.g. via one of our service providers' subcontractors - personal data may be processed in any country in the world.
Where a recipient is located in a country that does not ensure an adequate level of protection for personal data, we contractually require it to comply with an adequate level (to this end, we apply the European Commission's standard contractual clauses: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32021D0914; including the necessary supplements for Switzerland) insofar as it is not already subject to a legally recognized set of rules designed to ensure data protection and we are not faced with an exception. An exception may exist in the context of legal proceedings abroad, and also in cases of overriding public interest.
There are also exceptions where the performance of a contract which is in your interest requires disclosure (e.g. where we disclose data to the law firm representing us), where you have given your consent, or where your consent cannot be obtained within a reasonable time and disclosure is necessary to protect your life or physical integrity or that of a third party, or where it concerns data which you have made generally accessible and to the processing of which you have not objected.
8. What are your rights?
You have certain rights with regard to the processing of your personal data by us. Depending on the applicable law, you may in particular request information on the processing of your personal data, have incorrect data corrected, demand the deletion of personal data, object to data processing, and demand that certain personal data be provided in a commonly used electronic format or transmitted to other data controllers.
Insofar as cantonal provisions on information and personal data are applicable, you may, depending on cantonal law and the circumstances, assert further rights, e.g. the blocking of your personal data.
If you wish to exercise your rights, please contact us directly. Our contact details are listed in section 3. In order to prevent misuse, we will need to identify you (e.g. by means of a copy of your identity document, if necessary).
Please note that these rights are subject to conditions, exceptions or limitations (e.g. for the protection of third parties or professional or business secrecy). For reasons of data protection or secrecy, we reserve the right to redact copies or deliver extracts only.
You can set your browser to refuse, accept or delete cookies automatically. You can also deactivate or delete individual cookies. Your browser's help menu explains how to manage cookies.
The technical data we collect and the cookies we use do not, as a rule, contain any personal data. However, personal data stored by us or a third party commissioned by us (e.g. when you have a user account with us or with this supplier) may be combined with this technical data or with stored cookies and information about you, which may make it possible to establish a relationship with you.
We also use social plug-ins. These are small extensions that establish a relationship between your visit to our website and another provider. The social plug-in informs the provider that you have visited our website, and may pass on cookies that it has previously placed on your browser. You can find out more about how these providers use your personal data collected via their social plug-ins in their data protection declarations.
Some of the third-party suppliers we use may be based outside Switzerland. For information on the transfer of data abroad, please see section 7. From the point of view of data protection law, they are sometimes "solely" commissioned by us, and are sometimes responsible organizations. Further information can be found in our data protection declarations.
10. How do we handle personal data on our social networking pages?
On social networks and other platforms operated by third parties, we manage pages and maintain an online presence. In this context, we may process data about you. We may receive data from you (e.g. when you communicate with us or comment on our content) or from the platform (e.g. statistics). Platform operators may analyze your use of the platform and process this data in combination with other data they have about you. They also process this data for their own purposes (e.g. marketing and market analyses, management of their platforms). In doing so, they act on their own responsibility. Further information can be found in the data protection declarations of the individual platforms.
We currently use the following platforms - the identity and contact details of the operators are given in the data protection declarations:
Data protection declaration: www.facebook.com/privacy/policy
Data protection declaration: https://privacycenter.instagram.com/policy
Data protection declaration: https://policies.google.com/privacy?hl=de
Data protection declaration: https://de.linkedin.com/legal/privacy-policy
We are entitled, but not obliged, to check third-party content after it has been published on our online pages, to delete content without notice and, if necessary, to report it to the platform operator.
Some platform operators may be based outside Switzerland. For information on the transfer of data abroad, please see section 7.
11. What else do we need to watch out for?
We do not consider that the EU General Data Protection Regulation (GDPR) is applicable to our case. Should this exceptionally be the case for certain data processing operations, this ch. 11 only applies to the purposes covered by the GDPR and to the data processing operations subject to it.
In particular, we base the processing of your personal data on the following grounds:
- the fact that such processing is necessary for the preparation and conclusion of contracts as well as for their management and performance (Art. 6 para. 1 lit. b GDPR; in addition ch. 4),
- the fact that such processing is necessary for the fulfilment of legitimate interests pursued by ourselves or third parties, in particular for communication with you or third parties, for the management of our website, for the improvement of our digital offerings and for the registration of specific offers and services, for security purposes, for compliance with Swiss law and internal regulations, for our risk management and corporate management (Art. 6 para. 1 lit. f GDPR; in addition ch. 4) and for other purposes such as education and training, administration, administration of evidence and quality assurance, the organization, conduct and assessment of events as well as for other legitimate interests (ch. 4),
- the fact that such processing is prescribed or authorized by EEA or Member State law,
- the fact that such processing is essential to safeguard your vital interests or those of other natural persons,
- the fact that this processing is indispensable for the performance of a task carried out in the public interest or in the exercise of official authority that has been entrusted to us,
- the fact that you have specifically consented to the processing, or, as the case may be, via a corresponding request on our website (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR).
Please note that we normally process your data for as long as required by our purposes (see section 3), legal retention periods and legitimate interests, in particular for documentation and evidence purposes, or if storage is necessary for technical reasons (e.g. for back-up systems or documentation management). In principle, where there is no legal or contractual obligation or technical reason to the contrary, we will delete or anonymize your data on expiry of the storage or processing period as part of our usual procedures and in accordance with our retention guidelines.
If you do not provide us with certain personal data, it may not be possible for us to provide the related services or to conclude a contract. In principle, we specify which personal data is mandatory.
The right to object to the processing of your data, referred to in point 8, applies in particular to processing for direct marketing purposes.
Please let us know if you do not agree with the way we handle your rights or data protection (see contact details in section 3). If you live in the EEA, you also have the right to appeal to the data protection authorities in your country. A list of these authorities can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_fr.
Our representative in the EEA within the meaning of Art. 27 GDPR (if necessary) is: Management, CIC Groupe Santé SA, Rue du Grammont 2, 1815 Clarens, email@example.com