Data protection

The University Hospital Basel (hereinafter also referred to as "we", "us") collects and processes personal data, in particular personal data about our patients, relatives and persons associated with them, other customers, contracting parties, visitors to the website, participants in events, recipients of newsletters, healthcare providers and employees (hereinafter also referred to as "you"). We use the term "data" here synonymously with "personal data" or "personal information".

"Personal data" refers to data that can be linked to a specific person, and "processing" refers to any handling of it, e.g. obtaining, storing, using, adapting, disclosing and deleting.

In this Privacy Policy, we describe what we do with your data when you use www.unispital-basel.ch, purchase our services, otherwise interact with us under a contract, communicate with us or otherwise deal with us.

If you provide us with information about other people, such as family members, work colleagues, etc., we will not use this information for any other purpose. We assume that you are authorized to do so and that this data is correct. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about this data protection declaration.

This Privacy Policy is designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), the Basel-Stadt Information and Data Protection Act ("IDG") and the Swiss Data Protection Act ("DSG"). Data processing in connection with the provision of healthcare services is primarily subject to the provisions of the IDG Basel-Stadt. Whether and to what extent these laws are applicable, however, depends on the individual case.

The University Hospital Basel, Hebelstrasse 32, CH-4031 Basel (the "University Hospital Basel") is responsible under data protection law for the data processing described in this data protection declaration, unless otherwise communicated in individual cases (e.g. in other data protection declarations, on forms or in contracts).

If you have any questions about data protection, please contact the following address:

University Hospital Basel
Data Protection, Legal Services
Hebelstrasse 32
CH-4031 Basel
datenschutz@usb.ch

We process the data of our patients ("patients") in order to provide them with our contractual services, including any pre-contractual communication. The primary purpose is to provide, document and invoice our healthcare services professionally and in accordance with contractual and legal obligations. The data processed in this context, the type, scope and purpose and the necessity of the processing are determined by the underlying contractual relationship. For this purpose, we process your master data (e.g. name, address), as well as contact data (e.g. e-mail address, telephone, etc.), contract data (e.g. services used, costs, names of contact persons) and payment data (e.g. bank details, payment history, etc.). However, we also process your health data in particular (so-called special personal data; information on your past and current state of health, treatment history, therapies, prescribed medication, visual records such as X-rays, tomography or other images, laboratory and other analyses, etc.). We may also receive health data from healthcare professionals who have referred you to the USB or treated you in the past, or we may retrieve health data from the Electronic Patient Record (EPR) or receive information from your relatives, depending on the case.

We may also use this data to protect your safety and the safety of other patients, for education and training purposes and for quality assurance.

The data will be deleted when it is no longer required or after the statutory retention and archiving periods have expired.

The legal basis for the processing of your personal data in connection with the provision of healthcare services is our statutory obligations and public duties as an independent institution under public law in accordance with the Law on Public Hospitals of the Canton of Basel-Stadt (in particular, treatment and documentation, as well as storage and archiving obligations). Treatment, documentation and retention obligations under the Basel-Stadt Health Act or billing obligations under the Federal Health Insurance Act).

On our website, you have the option of registering for a personal user account. The data you provide when registering ("login data") will be transmitted to us and stored.

The USB collects and processes data from applicants (e.g. contact details, CV, qualifications, letter of motivation) for the purpose of handling the application process and, in the case of successful applications, for the preparation and conclusion of a corresponding contract. Please refer to the data protection declaration in the application portal for detailed data protection information about the application process.

In particular, we may transfer your personal data to the following categories of recipients:

• If necessary for the fulfillment of the contract or required by law, we transmit the data we receive from you to medical professionals providing further, follow-up or co-treatment (in particular GPs, medical practices, other clinics and hospitals), cost bearers, authorities, relatives, third parties typically involved in the treatment, such as Laboratories, pharmaceutical and medical product manufacturers, ambulance and rescue services or comparable service providers, insofar as this is required, prescribed by law or with your express consent. These healthcare providers may process data that they have received from us or collected for us on our behalf, in joint responsibility with us or on their own responsibility.
• Subsidiaries of the USB may use the data for the same purposes as we do in accordance with this privacy policy. We may also disclose health data to our subsidiaries. For certain services, we transfer your data to other subsidiaries, e.g. if certain services originate from subsidiaries other than ours and we only coordinate the processing.
• We use various services from third parties, in particular IT services (examples are providers of hosting and data analysis services), shipping and logistics services and services from banks, the post office, consultants, etc. These service providers may also process personal data to the extent necessary. Where appropriate and justifiable, cloud-based solutions may be used (including foreign providers where applicable). Our service providers are contractually obliged to process the data exclusively on our behalf and in accordance with our instructions.

The recipients of data are not only located in Switzerland. This applies in particular to certain service providers (especially IT service providers). These have locations both within the EU or the EEA, but also in other countries worldwide. We may also transfer data to authorities and other persons abroad if we are legally obliged to do so or, for example, as part of legal proceedings. Not all of these countries have adequate data protection. We compensate for the lower level of protection through appropriate contracts, in particular the so-called standard contractual clauses of the European Commission, which can be accessed here. In certain cases, we can also transfer data in accordance with data protection regulations without such contracts, e.g. if you have consented to the corresponding disclosure or if the disclosure is necessary for the execution of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.

Every time you use our website, certain data is automatically collected for technical reasons and temporarily stored in log files (log data), in particular the IP address of the end device, information about the Internet service provider and the operating system of your end device, information about the referring URL, information about the browser used, date and time of access, and content accessed when visiting the website. We use this data so that our website can be used, to ensure system security and stability and to optimize our website, and for statistical purposes. The data is deleted as soon as it is no longer necessary to store the access data for the purposes for which it was collected (usually after 10 to 30 days).

Certain offers and services (e.g. login areas of our website, newsletters, apps) can only be used with a user account or registration, which can be done directly with us or via our external login service providers. In doing so, you must provide us with certain data and we collect data on the use of the offer or service. Registration data includes, among other things, the information you provide when you create an account on our website.

Our website also uses cookies, i.e. files that your browser automatically saves on your end device. This allows us to distinguish individual visitors, but generally without identifying them. Cookies may also contain information about pages viewed and the duration of the visit. Certain cookies ("session cookies") are deleted when the browser is closed. Others ("persistent cookies") remain stored for a certain period of time so that we can recognize visitors on a subsequent visit.

You can configure your browser settings to block certain cookies or similar technologies or to delete cookies and other stored data. You can find out more about this in the help pages of your browser (usually under the heading "Data protection").
In principle, our website can also be used without accepting cookies, although individual offers on our website can then only be used to a limited extent or not at all.
These cookies and other technologies may also originate from third-party companies that provide us with certain functions. These may also be located outside Switzerland and the EEA. For example, we use analysis services so that we can optimize and personalize our website. Cookies and similar technologies from third-party providers also enable them to target you with personalized advertising on our websites or on other websites and social networks that also work with this third party and to measure how effective advertisements are (e.g. whether you have reached our website via an advertisement and what actions you then take on our website). The relevant third-party providers can record the use of the website for this purpose and combine their recordings with other information from other websites. This allows them to record user behavior across multiple websites and end devices in order to provide us with statistical evaluations on this basis. The providers can also use this information for their own purposes, e.g. for personalized advertising on their own website or other websites. If a user is registered with the provider, the provider can assign the usage data to the person concerned.

Two of the most important third-party providers are Google and Facebook. You can find more information about them below. Other third-party providers generally process personal and other data in a similar way, e.g. Vimeo.

• We use "Google Analytics" on our website, an analysis service from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd (Google Building Gordon House, Barrow St, Dublin 4, Ireland). Google uses performance cookies to collect certain information about the user's behavior on the website (duration, frequency of pages viewed, etc.) and about the end device used. The IP addresses of visitors are shortened in Europe before being forwarded to the USA. Google provides us with evaluations based on the recorded data, processes certain data that is not personal data for Google, but also for its own purposes. You can find information on Google Analytics data protection here, and if you have a Google account yourself, you can find more information here.
• Our website also uses the "Facebook pixel" from Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland This pixel is used to establish a connection to the Facebook servers when you visit our website. The fact that you have visited our website is transmitted to Facebook. Facebook assigns this information to your account. The Facebook pixel enables us to measure and evaluate the effectiveness of the campaign. We only receive anonymized reports from Facebook and do not receive any personal data of individual users ("Custom Audience Network"). This also allows us to measure the effectiveness of the ads on Facebook for statistical and market research purposes. You can revoke your consent to the use of the "Custom Audiences" function and the associated use of the Facebook pixel at any time with effect for the future by following this link. We are jointly responsible with Facebook for the exchange of data that Facebook receives as a result, for the display of personalized ads, the improvement of ad delivery and the personalization of content.
• On our website, we occasionally use plug-ins from YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA; subsidiary of Google LLC). As soon as you access one of our pages with an embedded YouTube video, a connection to the YouTube servers is established. YouTube is informed which page was visited from which IP address. If you use a YouTube account at the same time, YouTube can assign this information directly to your personal account. Further information on the handling of user data can be found in Google's privacy policy: https: //policies.google.com/privacy?hl=de&gl=de
• Our website occasionally uses the map service Google Maps from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) via an API to display an interactive map and to create directions. When you use Google Maps, information about your use (e.g. IP address) may be stored and transmitted to a Google server in the USA. You have the option of deactivating the Google Maps service and thus preventing the transfer of data to Google Maps. However, we would like to point out that in this case you will not be able to use the map display on our website. Further information on the handling of user data can be found in Google's privacy policy: https: //policies.google.com/privacy?hl=de&gl=de

We operate our own presences on social networks and other platforms(Facebook fan pages, LinkedIn, Twitter and a YouTube channel) for the purpose of providing information or to communicate with you about topics that are important to you. If you communicate with us there or comment on or disseminate content, we collect information that we use primarily to communicate with you, for marketing purposes and for statistical evaluations. Please note that the provider of the platform also collects and uses data (e.g. on user behaviour) itself, possibly together with other data known to it (e.g. for marketing purposes or to personalize the platform content). For further information on processing by the platform operators, please refer to the privacy policies of the respective platforms. If we are jointly responsible with the provider, we will enter into a corresponding agreement, which you can find out about from the provider.

For the USB, many processes are not possible without processing personal data. It is not always possible to determine this precisely in advance, nor the scope of the data processed, but below you will find details of typical (though not necessarily frequent) cases:

• Initiation, conclusion and execution of contracts: With regard to the conclusion of a contract (e.g. when purchasing hotel services), we may in particular obtain and otherwise process your name, contact details, health data, photos, declarations of consent, powers of attorney, contract contents, creditworthiness data and all other data that you provide to us or that we collect from public sources or third parties (e.g. reference information).
  We obtain and process personal data so that we can comply with our legal and contractual obligations towards patients, authorities, insurers and other contractual partners (e.g. other healthcare providers, referring physicians, suppliers, service providers) and provide and demand the contractual services. This also includes data processing for the care of our customers who are not patients, as well as the enforcement of contracts, accounting and public communication.
• Communication: If you are in contact with us via the contact form, by email, telephone, letter or via social media platforms or other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. We may also process information to verify your identity. We use the information you provide voluntarily (e.g. name, e-mail address, telephone number, question) solely to process your request and involve the departments and persons responsible for this internally.
  We would like to point out that communication by e-mail does not take place via a secure or encrypted data connection. This means that your data may be lost during transmission or may be viewed by unauthorized persons. Contacting us by e-mail is therefore at your own risk; we accept no responsibility in this regard and reject any liability claims made in this respect.
• Compliance with legal requirements: We may disclose data to authorities within the scope of legal obligations or powers and in order to comply with internal regulations (e.g. health police obligations, obligations and reporting rights under child and adult protection law, professional and ethical obligations in healthcare, reporting rights in the area of road traffic law or narcotics law).
• Research: We may also process your personal data for research purposes. For this purpose, we may process your health data in particular, but also your genetic data. Whenever compatible with the research purpose or provided for by law, we anonymize the data so that it is no longer possible to draw conclusions about your person, or only with disproportionate effort. If anonymization is not possible or only possible with disproportionate effort, we will pseudonymize your data. The research results will only be published in anonymized form.
• Prevention: We process data to prevent criminal offenses and other violations, e.g. in the context of combating fraud or internal investigations (e.g. video recordings on the premises, access controls).
• Legal proceedings: If we are involved in legal proceedings (e.g. court or administrative proceedings), we process data, e.g. about parties to the proceedings and other persons involved, such as witnesses or persons providing information, and disclose data to such parties, courts and authorities, possibly also abroad.
• In the case of contractual partners who are companies, we process less personal data because data protection law only covers the data of natural persons (i.e. people). However, we process data of the contact persons with whom we are in contact, e.g. name, contact details, professional details and details from communication, and details of managers etc. as part of the general information about companies with which we work.
• Transactions: If we sell or acquire receivables, other assets, business units or companies, we process data to the extent necessary for the preparation and execution of such transactions, e.g. details of customers or their contact persons or employees, and also disclose corresponding data to buyers or sellers.
• Other purposes: We process data to the extent necessary for other purposes, such as IT security, training and education, administration (e.g. contract management, accounting), enforcement of and defense against claims, evaluation and improvement of internal processes, preparation of anonymous statistics and evaluations; organization of events (e.g. specialist events for health care or insurance companies).events (e.g. specialist events for healthcare or other professionals); acquisition or sale of receivables, businesses, parts of businesses or companies and safeguarding other legitimate interests.

We process your personal data as long as it is necessary for the purpose of processing (in the case of contracts, generally for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving and/or to ensure IT security) and as long as data is subject to a statutory retention and archiving obligation (e.g. a 20-year minimum retention period applies to health data). After these periods have expired, we delete or anonymize your personal data.

Depending on the applicable law, data processing is only permitted if the applicable law specifically permits it. This does not apply according to the Swiss Data Protection Act, but e.g. according to the GDPR, insofar as it applies (which can only be determined on a case-by-case basis). In this case, we base the processing of your personal data on the fact that it is necessary for the preparation and execution of contracts, that it is necessary for the legitimate interests of us or third parties, e.g. for statistical evaluations or for marketing purposes, that it is required or permitted by law under EEA or of a Member State, that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us or that you have consented separately to the processing. You will find the relevant provisions in Art. 6 and 9 of the GDPR.

You have certain rights under applicable data protection law to obtain further information about our data processing and to influence it:

• You can request further information about our data processing. We are at your disposal for this purpose. You can also submit a request for information if you would like further information and a copy of your data;
• You can object to our data processing, in particular in connection with direct marketing;
• You can have incorrect or incomplete personal data corrected or completed or have it supplemented by a note of dispute;
• You also have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, provided that the corresponding data processing is based on your consent or is necessary for the performance of a contract;
• You can request that the disclosure of personal data to private individuals be blocked (e.g. sending the discharge report to the family doctor; so-called information blocking);
• if we process data on the basis of your consent, you can withdraw your consent at any time. The revocation is only valid for the future, and we reserve the right to continue processing data on another basis in the event of revocation.

Please note that these rights are subject to conditions, exceptions or restrictions under the applicable data protection law (e.g. to protect third parties or professional and business secrets).

If you wish to exercise such a right, please contact us (Section 2). As a rule, we will have to verify your identity (e.g. by means of a copy of your ID). You are also free to lodge a complaint against our processing of your data with the competent supervisory authority, which in the canton of Basel-Stadt is the cantonal data protection officer for Basel-Stadt.

We may amend this privacy policy at any time. The version published on this website is the current version.

The University Hospital Basel has a website: www.unispital-basel.ch. This is a summary of data protection for this website. The full privacy policy is legally valid ((LINK)).
The University Hospital Basel website is intended to be practical and useful. When you use our website, we store and use some data. For example, we store when and for how long you have been on the website and which pages you have visited.

Some of the data is stored automatically. For the rest of the data, you can decide whether we may store and use it.

The website of the University Hospital Basel uses files (cookies) that are automatically stored on your computer. Our website can also be used without cookies. However, it will then only function partially.

You can specify which cookies should be saved.

You can create a personal account on the University Hospital Basel website. Your data will be stored there, for example your name and address.

We work with various companies to make our website better, for example Google Analytics, Facebook, YouTube and Google Maps. Sometimes we share data from the website with these companies. The companies may only use the data for what we have agreed. Under certain circumstances, this data is sent abroad. Not all countries ensure good data protection. We adhere to international treaties that are intended to guarantee good data protection.

The University Hospital Basel is active on social media. For example, you can find us on Facebook, LinkedIn, Twitter, TikTok, Instagram and YouTube. If you write to us there or like our posts, we store your data.

Your data is generally deleted when it is no longer needed. We store some of the data for longer, for example if we are required to do so by law. The University Hospital Basel complies with the laws that apply to data protection.

As a user of our website, you have certain rights. You can request information about our data processing. You can determine which data should be processed. You can have errors corrected.

If you would like support or have any questions about data protection, please feel free to write to us.

University Hospital Basel
Data Protection, Legal Services
Hebelstrasse 32
CH-4031 Basel
datenschutz@usb.ch

On this website you will always find the privacy policy that is currently valid. When we update the privacy policy, we will put it back on this website.

Last updated: November 2022

The University Hospital Basel (USB) operates video surveillance systems to protect persons and property from criminal acts or to prosecute such criminal acts. The USB has issued regulations for the operation of the video surveillance system in accordance with §17 and §18 of the Basel-Stadt Information and Data Protection Act.

The USB is responsible for the operation of the video surveillance system and the processing of personal data. If you have any questions or wish to exercise your rights as a data subject under data protection law, please contact us at datenschutz@usb.ch.

The video surveillance regulations are published on the USB website and can be downloaded here:

Under the Cantonal Information and Data Protection Act, public bodies are obliged to keep records of procedures in which personal data is processed (§ 24 IDG and § 16 IDV). The list of procedures involving personal data is published on the USB website and can be downloaded here: