Privacy Policy

RESPONSIBILITY FOR DATA PROCESSING

Smart Dry Eyes GmbH
Stralauer Allee 14
10245 Berlin
Email: info@smartdryeyes.com

Data Protection Officer

We have appointed a Data Protection Officer. You can contact our Data Protection Officer at:

Dr. Ludger Hanneken
Smart Dry Eyes GmbH
Stralauer Allee 14
10245 Berlin
Germany
Email: info@smartdryeyes.com (please mark your message “For the attention of the Data Protection Officer”)

Collection of Personal Data When Visiting Our Website

Provision of Data

In general, you are not legally or contractually required to provide personal data in order to use our website. If the provision of data is necessary for concluding a contract, or if the user is obliged to provide personal data, we will inform you of this and the consequences of not providing such data in this privacy policy.

Data Transfers to Third Countries

We may use service providers and third-party vendors located in countries outside the European Union and the European Economic Area. The transfer of personal data to such third countries takes place—unless based on the user’s consent—either under an adequacy decision by the European Commission (Art. 45 GDPR) or with appropriate safeguards to ensure data protection (Art. 46 GDPR). If an adequacy decision exists for the transfer to a third country, we will indicate this in this privacy policy. Otherwise, users may request a copy of the appropriate safeguards unless already included in the privacy policies of those service providers or third parties.

Automated Decision-Making

Should we perform any automated decision-making, including profiling, we will inform you in this privacy policy about this fact, the underlying logic, and the significance and intended effects of such processing. In all other cases, no automated decision-making takes place.

Processing for Other Purposes

Data is generally processed only for the purposes for which it was collected. If, in exceptional cases, it is processed for other purposes, we will inform you beforehand and provide all relevant information (Art. 13(3) GDPR).

Data Processing When Visiting the Website

Whenever a user accesses our website, their browser transmits various data. During the website visit, the following data is processed and stored in log files even after the session ends:

  • Browser type and version
  • Operating system
  • Pages and files accessed
  • Transferred data volume
  • Date and time of access
  • User’s internet provider
  • IP address
  • Referrer URL

Processing this data is necessary to deliver the website to the user and optimize it for their device. Storage in log files helps improve the security of our website (e.g., protection against DDoS attacks).

The legal basis for this processing is Art. 6(1)(f) GDPR. Our legitimate interest lies in providing the website and improving its security. Log files are automatically deleted after six months.

Cookies, Tracking Pixels, and Mobile Identifiers

We use technologies on our website to recognize the device being used. These may include cookies, tracking pixels, and/or mobile identifiers.

Recognizing a device may serve different purposes. It may be necessary to provide certain features of our website, such as a shopping cart. These technologies may also be used to track user behavior on the site, e.g., for advertising purposes. The specific technologies we use and their purposes are described separately in this privacy policy.

Here’s a general explanation of how these technologies work:

  • Cookies are small text files containing specific information stored on the user’s device. They typically include an identification number (cookie ID) assigned to a device.
  • Tracking pixels are transparent image files embedded in web pages that enable log file analysis.
  • Mobile identifiers are unique numbers (Mobile ID) stored on a mobile device and can be read by a website.

Some cookies are necessary for our website to function properly. The legal basis for such cookies is Art. 6(1)(f) GDPR. Our legitimate interest lies in providing essential website features.

Non-essential cookies are used to make our website more user-friendly or to track usage. The legal basis depends on whether we obtain the user’s consent or can rely on a legitimate interest. Users may revoke their consent at any time via their browser settings.

Users can prevent or object to data processing via cookies by adjusting their browser settings. However, doing so may limit the availability of certain website features. We provide more information about objection options in this privacy policy. Where applicable, we also provide opt-out links.

To obtain and manage your consent for cookies and similar technologies, we use the consent management platform Cookiebot (Cybot A/S); see "Hosting and Service Providers" above for further details. You can change or withdraw your consent at any time via the cookie settings on our website.

Contact

When users contact us, we process their information, along with the date and time, for the purpose of handling the inquiry, including any follow-up questions.

The legal basis for this processing is Art. 6(1)(f) GDPR. Our legitimate interest is in responding to user inquiries. If the inquiry relates to the fulfillment of a contract or pre-contractual measures, the legal basis is additionally Art. 6(1)(b) GDPR.

Data is deleted once the inquiry and any follow-ups are resolved. We review, at least every two years, whether data collected through user contact should be deleted.

When you use our contact form, we process the data you enter there — in particular your name, your e-mail address, the subject and the content of your message. We use this data solely to handle your enquiry. Depending on its subject matter, your enquiry may be forwarded internally to the location responsible (Berlin, Zurich or Escaldes-Engordany). The legal basis is Art. 6(1)(b) GDPR where your enquiry relates to a contractual or pre-contractual matter, and otherwise our legitimate interest in dealing with enquiries (Art. 6(1)(f) GDPR). The data is deleted once your enquiry has been fully resolved, unless statutory retention obligations apply.

Processing of Health Data (Special Categories of Personal Data)

As a medical service provider, we process special categories of personal data within the meaning of Art. 9(1) GDPR — in particular data concerning your health — where this is necessary for the purposes of medical diagnosis, the provision of treatment and care, and the management of our healthcare services.

The legal basis for the processing of health data is Art. 9(2)(h) GDPR in conjunction with § 22(1) no. 1(b) of the German Federal Data Protection Act (BDSG). Where we process health data on the basis of your consent, the legal basis is additionally Art. 9(2)(a) GDPR; you may withdraw such consent at any time with effect for the future.

All persons involved in the processing of health data are bound by medical confidentiality pursuant to § 203 of the German Criminal Code (StGB) and by their professional duty of secrecy. Your health data is treated as strictly confidential and is disclosed to third parties only where you have consented or where we are legally permitted or obliged to do so.

Patient records and health data are retained for the statutory retention periods applicable to medical documentation — as a rule at least ten years after the conclusion of treatment pursuant to § 630f(3) of the German Civil Code (BGB), and longer where other statutory provisions require.

Patient Portal (smartdryeyes.net)

We operate a patient portal at smartdryeyes.net. The patient portal is operated by Smart Dry Eyes GmbH as the sole controller and is not run by a third party. Through the portal you can, for example, manage your personal data and track the progress of your treatment.

Within the patient portal we process your account and login data, your contact details and — where you provide it — health data relating to your treatment. The legal basis is Art. 6(1)(b) GDPR for the provision and administration of your portal account and, with regard to health data, Art. 9(2)(h) GDPR in conjunction with § 22(1) no. 1(b) BDSG (and Art. 9(2)(a) GDPR where the processing is based on your consent).

The patient portal is hosted within the European Union / European Economic Area. A separate privacy policy applies to the processing carried out within the patient portal; you can view it at https://smartdryeyes.net.

Other Third-Party Services

Google Analytics

We use Google Analytics to analyze the use of our website.
Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

To track user activity on the website, a cookie is placed on the user’s device. We use Google Analytics with the “anonymize IP” extension, which shortens the user’s IP address before it is transmitted to servers in the USA. Data evaluated includes approximate location, device type, screen resolution, browser, and visited pages including time spent on them.

We have concluded a data processing agreement with Google Ireland Ltd. pursuant to Art. 28 GDPR. Insofar as data is transferred to Google LLC in the USA, the transfer is safeguarded by Google LLC’s certification under the EU-U.S. Data Privacy Framework and, additionally, by the EU Standard Contractual Clauses.

Personal data is only processed with the user’s consent under Art. 6(1)(a) GDPR.

Data collected by Google Analytics is automatically deleted after 14 months.

Opt-Out: You can withdraw your consent at any time via the cookie settings on our website. You can also prevent Google Analytics from collecting your data by installing the browser add-on available at https://tools.google.com/dlpage/gaoptout. Further information on data processing by Google is available in Google’s privacy policy at https://policies.google.com/privacy.

WhatsApp

We offer WhatsApp as an optional channel for contacting us and arranging appointments. WhatsApp is operated by WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a company belonging to Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

If you choose to contact us via WhatsApp, we process the data you transmit to us — in particular your mobile phone number, your WhatsApp profile name, the content of your messages and the associated metadata (such as the date and time of the message). The legal basis for this processing is your consent pursuant to Art. 6(1)(a) GDPR, which you provide by actively initiating contact with us through WhatsApp. You can withdraw this consent at any time with effect for the future. We use the data solely to handle your enquiry and delete it once your enquiry has been dealt with, unless statutory retention obligations require otherwise.

When you use WhatsApp, data may be transferred to and processed on servers of Meta Platforms Inc. in the USA. Meta Platforms Inc. is certified under the EU-US Data Privacy Framework. Please note, however, that for the consumer version of WhatsApp no data processing agreement within the meaning of Art. 28 GDPR can be concluded, and that WhatsApp processes metadata (for example device information and address-book matching) on its own responsibility. Further information is available in WhatsApp’s privacy policy at https://www.whatsapp.com/legal/privacy-policy.

Important: Please do not send any health data or other sensitive information (for example symptoms, diagnoses or treatment details) via WhatsApp. For confidential or health-related matters, please use our secure channels — telephone, e-mail or the patient portal. If you prefer not to use WhatsApp, you can contact us at any time using the telephone number and e-mail address provided in this privacy policy and in our Legal Notice.

Hosting and Service Providers

Hosting: We host our website (smartdryeyes.com) with GoDaddy.com, LLC, 2155 E. GoDaddy Way, Tempe, Arizona 85284, USA. GoDaddy processes personal data — in particular the server log data described above — on our behalf as a processor within the meaning of Art. 28 GDPR, on the basis of a data processing agreement. The legal basis is our legitimate interest in the secure and efficient provision of our website (Art. 6(1)(f) GDPR). Insofar as personal data is transferred to the USA, this takes place on the basis of the EU-U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses.

Consent management (Cookiebot): To obtain and document your consent for cookies and similar technologies, we use Cookiebot, a service of Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark, acting as our processor pursuant to Art. 28 GDPR. The legal basis is our obligation to obtain and document consent (§ 25 TTDSG; Art. 6(1)(c) GDPR) together with our legitimate interest in compliant consent management (Art. 6(1)(f) GDPR).

Multilingual plugin (WPML): Our website uses WPML, software provided by OnTheGoSystems Limited, to offer content in several languages. WPML stores a cookie to determine your preferred language (see the cookie declaration below). The legal basis is our legitimate interest in providing a multilingual website (Art. 6(1)(f) GDPR).

Your Rights as a Data Subject

As a data subject, you have the following rights regarding your personal data under the General Data Protection Regulation (GDPR):

  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, to access that data together with the information listed in Art. 15 GDPR.
  • Right to rectification (Art. 16 GDPR): You have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete data completed.
  • Right to erasure (Art. 17 GDPR): You have the right to obtain the erasure of your personal data (the “right to be forgotten”) where one of the grounds set out in Art. 17 GDPR applies.
  • Right to restriction of processing (Art. 18 GDPR): You have the right to obtain a restriction of the processing of your personal data in the cases provided for in Art. 18 GDPR.
  • Right to data portability (Art. 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6(1)(e) or (f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal.

To exercise any of these rights, you can contact us using the details provided under “Responsibility for Data Processing” above.

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes data protection law. The supervisory authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Friedrichstraße 219
10969 Berlin
Germany
Website: https://www.datenschutz-berlin.de

You may also lodge a complaint with the supervisory authority of your habitual residence or place of work.

Cookies in Use on This Site

Scroll to Top
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.