Privacy Policy

The new Privacy Policy makes it clearer for you how and for what purpose we process personal data, and takes account of current legal requirements. The changes concern in particular the following areas:

• Thanks to privacy icons, you can establish at a glance how and for what purpose we process personal data;
• The Swiss Data Protection Act has been updated. We have amended the Privacy Policy in line with the new statutory disclosure requirements; 
• We have simplified the Privacy Policy, making it clearer which categories of personal data we process for which purposes.

The following list shows which company from the Medbase Group is responsible in each specific individual case for data protection within the business area at the respective locations. 

*HIN = Health Information Network (in response you will receive an encrypted email from us, which you can read through the HIN portal and answer securely where appropriate)

Our data processing may in particular affect the following categories of people, where we process personal data:

• customers at our shops;
• patients at our practices;
• persons who receive services from us or who contact us concerning products and services;
• users of our online content and apps;
• participants in the Medbase pharmacies club card program;
• visitors to our websites;
• visitors to our premises;
• persons who write to us or who otherwise contact us;
• recipients of information and marketing communications;
• participants in competitions and prize draws; 
• participants in customer initiatives and public events;
• participants in market research, opinion surveys and customer questionnaires;
• contact persons at our suppliers, buyers or any other business partner as well as organizations and authorities;
• shareholders of Medbase (subsidiary) companies; and
• job applicants.

Please also consult the contractual terms and conditions applicable to individual services (e.g. General Terms and Conditions, Terms of Use or Terms of Participation). These may contain additional information concerning data processing by us.

Master data include e.g.:

• form of address, first name, surname, gender, date of birth, nationality, religious affiliation (information concerning religious affiliation constitutes particularly sensitive personal data; you can find further information concerning processing of such data in section ‎10 below);
• postal address, email address, telephone number and other contact data;
• customer and booking numbers (e.g. Medbase pharmacies club card program, online appointment reservations etc.);
• health insurance scheme number and insurance model chosen;
• portrait photograph for customer file;
• payment information (e.g. means of payment lodged, bank details, invoicing address);
• user name and profile picture for accounts used for online products and services;
• information concerning the usage of online products and services (e.g. health report, myChange, myRelax, Oviva - online nutritional coaching), apps (e.g. Medbase physio.coach app) and subscriptions (e.g. Medbase magazine);
• information concerning related websites, social media profiles etc.; 
• information concerning preferences and interests, preferred Medbase locations, language preferences etc.
• information concerning your relationship with us (customer, patient, visitor, supplier etc.);
• information concerning related third parties (e.g. contact persons, recipients of services or representatives, family members);
• settings relating to the receipt of advertising, newsletters subscribed to etc.;
• information concerning your status with us (e.g. facility ban);
• information concerning participation in competitions and prize draws;
• information concerning participation in advertising events, sponsorship initiatives or cultural or sporting events;
• official documents in which you appear (e.g. identification documents, vaccination certificate, Commercial Register extracts, licenses etc.);
• information concerning the titles and functions of contact persons at our business partners;
• date and time of registrations. 

Contractual data include e.g. information:

• relating to the conclusion of a contract and steps taken prior to entering into a contract, e.g. the nature and duration of the treatment contract, the date on which the contract was concluded (e.g. purchase date), information from the application process and details concerning the corresponding contract (e.g. nature and duration);
• relating to the performance and management of contracts (e.g. contact information, delivery addresses, successful or unsuccessful deliveries as well as information relating to the means of payment, tariff items generated and other bills);
• relating to enquiries concerning our products or services or requesting technical support; 
• relating to our interactions with you (along with any history and corresponding entries);
• relating to claims as well as entitlements or benefits acquired (e.g. Medbase pharmacies club card points level or a win in one or our competitions);
• relating to products and services purchased;
• relating to defects and complaints as well as amendments to a contract;
• relating to customer satisfaction, that we may collect via surveys;
• relating to financial matters such as e.g. in order to determine creditworthiness (i.e. information enabling inferences to be made concerning the likelihood that claims will be settled), concerning reminders or debt collection and in order to enforce claims;
• in relation to a job application, e.g. CV, references, qualifications, certificates, interview notes etc. (which may also contain the personal data of third parties); 
• in relation to a sponsorship application, e.g. information concerning the project and other participants;
• in relation to interactions with you as a contact person or representative of a business partner;
• in relation to security checks and other checks with a view to establishing a business relationship.

Data concerning health include e.g.: 

• health history and patient file;
• vaccination certificate;;
• laboratory test results;
• information from DNA analyses or concerning hereditary diseases;
• x-ray images;
• ECG results;
• medical prescriptions;
• discharge report from a hospital.

Communication data include e.g.:

• name and contact details such as e.g. postal address, email address and telephone number;
• the contents of emails, written correspondence, chat messages, social media posts, comments left on a website, telephone conversions, video conferences etc.;
• answers to customer and satisfaction surveys;
• information concerning the nature time and, under certain circumstances, the location of the communication;
• proof of identity such as e.g. copies of official identity documents;
• metadata relating to the communication (e.g. date and time of a call or when an email was sent).

Conversations by telephone and video conference with us may be recorded; we shall inform you concerning this at the start of each discussion. If you do not want it to be recorded, you have the option at any time of ending the conversation and contacting us in another manner (e.g. by email).

Data relating to behavior and transaction data include e.g. the following information, where we hold it as personal data:

• concerning your behavior on websites;
• concerning your behavior when shopping (where we process orders in your name or you use the Medbase pharmacies club card);
• concerning attendance at events or the usage of test offers (e.g. date, location and type of event or usage);
• concerning participation in competitions, prize draws and similar initiatives;
• concerning the installation and usage of mobile apps;
• concerning your usage of electronic messages (e.g. whether and when you opened an email or clicked on a link).

You can also use many of our products and services in anonymized form. For example, you can make purchases in our pharmacies without providing your Medbase pharmacies club card number. It is also possible, to some extent, to purchase products and services online (including in our apps) without using an account. However, if you have an account, data relating to behavior and transaction data may under certain circumstances also be allocated to your profile, unless you logged off before visiting the website or using the app. 

We may cross-reference data relating to behavior and transaction data with other information, for instance with master data, contractual data and technical data as well as non-personal statistical information, and assess them in order to obtain information concerning your characteristics, preferences and anticipated behavior. We can in particular create segments (either permanent or case-specific), which are groups of people who are similar in terms of particular characteristics. Data relating to preferences may be used as personal data (e.g. in order to display advertising of interest to you or to provide you with relevant special offer vouchers), and also as non-personal data (e.g. for market research or product development). 

Technical data include inter alia:

• the IP address of your device and other device IDs (e.g. MAC address);
• identifiers allocated to your device by cookies and similar technologies (e.g. pixel tags);
• information concerning your device and how it is configured, e.g. operating system or language settings;
• information concerning the browser that you use to access content as well as how it is configured;
• information concerning your behavior and actions on our websites and in our apps;
• information concerning your internet provider;
• your approximate location and the time of usage;
• system-generated logs of accesses and other processes (log files).

In most cases, these technical data do not in themselves enable us to make any inferences concerning your identity. However, they may be cross-referenced with other categories of data – and thus potentially associated with you as an individual – within the ambit of user accounts, registrations, the performance of contracts or the assessment of data relating to preferences.

Please also refer to our Cookie Notice for information concerning the processing of technical data.

Visual and sound recordings include e.g.:

• recordings made within the ambit of a medical examination (photographs, x-ray images) and therapeutic treatments (videos);
• recording of conversations by telephone or video conference (e.g. during remote medical consultation);
• photographs, videos and sound recordings at customer events and public events (e.g. advertising events, sponsorship events etc.);
• photographs, videos and sound recordings of courses, seminars, training sessions etc.;
• footage recorded by video monitoring systems.

You will share personal data with us yourself e.g. in the following cases:

• you sign up for a medical appointment or one of our courses; 
• you undergo a medical examination with one of our specialists;
• you make a purchase on one of our pharmacies;
• you register on one of our apps and enter your medical information or results of training;
• you register for the Medbase pharmacies club card program;
• you participate in a prize draw or a competition;
• you contact the Medbase contact center.

The provision of personal data is generally voluntary, i.e. you are not normally obliged to share personal data with us. However, we must collect and process any personal data that are necessary for the performance of a contract (e.g. medical examination) and for compliance with related duties or that are prescribed by law, e.g. mandatory master and contractual data. Otherwise, we shall be unable to conclude or perform under the respective contract.

If you provide us with data concerning other persons (e.g. family members), we shall presume that you are authorized to do so and that the data are accurate. Please also ensure that these other people have been informed concerning this Privacy Policy.

We collect data relating to you on our own initiative e.g. in the following cases:

• you make a purchase in one of our pharmacies and when doing so use your Medbase pharmacies club card or the related code;
• you sign up online for one of our products or services (e.g. blood pressure measurement);
• you visit one of our websites (e.g. Medbase.ch) or use one of our apps (e.g. the Medbase physio.coach app);
• you clink on a link in one of our newsletters or otherwise interact with one of our electronic advertising messages

We may analyze data relating to behavior and transaction data obtained for instance in relation to purchases made in our pharmacies and, on this basis, make assumptions concerning your personal interests, preferences, affinities and habits. This enables us for instance to tailor our products and services as well as our information to your individual needs and interests. This means that we may provide you with an individual selection of special offer vouchers relevant for you, e.g. within the ambit of the Medbase pharmacies club card program. Further information concerning data relating to behavior and transaction data can be found in section ‎4.5 and, concerning profiling in this regard, in section ‎11.

Specialists may also infer additional personal data by analyzing your examination data (e.g. laboratory test results, diagnoses).

We may obtain information relating to you e.g. from the following third parties:

• from other medical practices;
• from cooperation partners, e.g. our pharmacies partner, through the online shop of which you can order products online;
• from service providers (e.g. medical laboratories that assess tests);
• from your employer and colleagues in relation to a job application and your professional functions (e.g. references from previous employers); 
• from third parties, where correspondence and discussions concern you;
• from persons associated with you (family members, legal representatives etc.), e.g. your address for deliveries, references, powers of attorney or illnesses within the family;
• from credit information agencies, e.g. if we obtain credit check information;
• from Swiss Post and address management services, e.g. for updating addresses;
• from bankers, insurers, sales partners and other contractual partners in relation to purchases and payments; 
• from providers of online services, e.g. providers of internet analysis services;
• from authorities, parties and other third parties in relation to administrative and judicial proceedings; 
• from media monitoring companies in relation to articles and reports that mention you;
• from public registers, such as e.g. the Debt Enforcement Register or the Commercial Register, from public bodies such as e.g. the Federal Office of Statistics, from the media or from the internet. 

Communication occurs in particular for the following purposes:

• making appointments;
• answering enquiries;
• contacting you in relation to any questions;
• communication in relation to product recalls (e.g. we may contact you directly if we know that you have purchased a product that is affected by a recall);
• authentication, e.g. when using our online products and services;
• all other purposes of processing, where we are communicating with you for the respective purpose (e.g. performance of a contract, providing information and direct marketing).

The purpose of performance of a contract covers in general terms anything that is necessary or expedient for the conclusion, performance and where appropriate enforcement of a contract. This may also entail the involvement of other companies from the Medbase Group as well as third parties (e.g. delivery service, medical laboratories, medical practice). 

This includes e.g. processing:

• in order to plan and prepare for the provision of our services, e.g. planning the deployment of our staff;
• in order to provide services agreed upon under contract, e.g. medical and pharmaceutical services, the delivery of goods and the provision of functions (including personalized service elements);
• in order to decide whether and how (e.g. with which payment options) we enter into a contract with you (including the credit check); 
• in order to obtain commitments concerning the payment of costs;
• in order to bill our services (and where applicable to generate cost recovery documentation for the health insurance scheme) as well as generally for accounting purposes;
• in order to provide customer services and increase customer satisfaction;
• in order to manage the loyalty and bonus program (e.g. the Medbase pharmacies club card program) and, e.g. to account for and credit entitlements and benefits accruing (e.g. loyalty points);
• in order to identify, notify and where appropriate publicly announce the winners of competitions and prize draws;
• in order to examine and where applicable act upon sponsorship orders;
• in order to examine the suitability of job applicants and where applicable in order to prepare for and conclude the employment contract;
• in order to examine whether we are willing and able to cooperate with a company and to monitor and assess its services;
• in order to prepare for and implement corporate transactions, e.g. company purchases, sales and mergers; 
• in order to enforce legal claims under contracts (debt collection, judicial proceedings etc.); 
• in order to manage and administer our IT and other resources; 
• in order to store data under the terms of data retention requirements;
• in order to terminate and cancel contracts.

Quality improvement, product development and market research include in particular:

• the assessment of pseudonymized or anonymized data concerning health (i.e. where it is not possible to make any inferences concerning you);
• the implementation of customer questionnaires, surveys and studies;
• the further development of our products and services (e.g. design of products and services, choice of location, pricing and planning of special offers etc.);
• the assessment and improvement of uptake of our products and services and communication by us in relation to products and services;
• the optimization and improvement of user-friendliness for websites and apps;
• the development and testing of new products and services;
• the testing and improvement of our internal processes;
• core and advanced training as well as staff instruction;
• statistical assessments, e.g. in order to assess information concerning interaction between customers and us on a non-personal basis; 
• the assessment of the position concerning products and services on a particular market and the behavior of our competitors;
• market monitoring, e.g. in order to understand and respond to current developments and trends.

Compliance with legal requirements includes in particular: 

• the administration and retention of patient files;
• personal clarification concerning risks and side effects associated with medications and healthcare procedures;
• filing reports with authorities that are required by law (e.g. concerning particular illnesses);
• implementing health and protection concepts;
• clarifications via business partners;
• receiving and processing complaints and other reports; 
• carrying out internal examinations; 
• ensuring compliance and risk management;
• disclosing information and documents to authorities, where we are entitled or obliged to do so by law; 
• cooperating with external investigations e.g. by criminal prosecution or supervisory authorities;
• ensuring the level of data security prescribed by law;
• supporting our shareholders and other investors in complying with these obligations;
• complying with obligations to grant access, to provide information or to file reports e.g. in relation to duties under supervisory or tax law, e.g. with regard to archival duties and for the purpose of preventing, detecting and clarifying criminal offences and other breaches.

In all instances we may be subject to Swiss law although also the provisions of foreign laws, as well as self-regulatory, sectoral and other standards, internal corporate governance rules or official instructions.

The purpose of security and prevention includes e.g.:

• the recording and assessment (manually and automatically) of video footage for detecting and prosecuting criminal offences;
• the imposition of facility bans and the management of facility ban lists;
• the analysis of data relating to behavior and transaction data for the purpose of identifying suspicions types of behavior and fraudulent activities;
• the assessment of system-generated logs concerning usage of our systems (log files);
• preventing, defending against and investigating cyber and malware attacks;
• analysis and testing of our networks and IT infrastructure as well as system and error tests;
• controlling access to electronic systems (e.g. log-ins to user accounts);
• physical access controls (e.g. access to office premises);
• documentation purposes and the lodging of backup copies.

The purpose of enforcing rights includes in particular:

• the investigation and enforcement of our legal claims, which may also include claims of companies associated with us and of our contractual or business partners;
• the defense of claims brought against us, our employees, companies associated with us and against our contractual or business partners;
• clarification of the prospects within litigation along with other legal, economic or other questions;
• participation in proceedings before courts and authorities in Switzerland and abroad. For example, we may secure evidence, arrange for prospects within litigation to be clarified or file documentation with an authority. It is also possible that authorities may instruct us to file documentation and data carriers that contain personal data.

These messages and offers may include e.g. the following:

• newsletters, advertising emails, in-app messages and other electronic messages; 
• advertising brochures, magazines and other printed matter;
• the provision of vouchers and loyalty coupons;
• notifications concerning specialist items that are likely to be relevant;
• invitations to participate in events, prize draws and competitions.

Where we do not ask for your consent separately in order to contact you for marketing purposes, you can object to any such contact at any time (see section ‎15). For newsletters and other electronic messages, you will normally be able to unsubscribe from the service concerned via the unsubscribe link incorporated into the message.

By personalizing our messages, we are able to target information to your specific individual needs and interests and to offer you, where possible, only products and services that are relevant for you. For example, under the Medbase pharmacies club card program we provide you with an individual selection of special offer vouchers that are relevant for you or display you online content that is specifically tailored to you. You can find further information in section ‎11 concerning profiling in this regard.

Intragroup support and administration includes in particular: 

• the management of IT and real estate;
• accounting; 
• the archival of data and the management of our archive;
• training and instruction, e.g. where we assess recordings of telephone, video or other forms of communication; 
• centralized data storage and management, which is used by various companies from the Medbase Group;
• the review or execution of corporate transactions such as e.g. company purchases, sales and mergers;
• the forwarding of enquiries to the competent bodies, e.g. if you submit an enquiry to a Medbase company concerning another company;
• the sale of receivables, where we for instance transmit information to the buyer concerning the reason for and the amount of the claim and, where applicable, the creditworthiness and behavior of the debtor;
• in general, the testing and improvement of internal processes.

We have a legitimate interest in particular in processing for the purposes referred to in section ‎6 above as well as the disclosure of data according to section 8 and the respective aims related with such disclosure. Legitimate interests include both our own interests as well as the interests of third parties. 

These legitimate interests comprise e.g. the interest in:

• improving existing products and services and developing new products and services; 
• delivering products and services to third parties (e.g. to recipients of gifts); 
• good customer relations, maintaining contact and communications with customers, also separately from any contracts; 
• advertising and marketing activities;
• intragroup management and intragroup dealings, insofar as required where group entities cooperate on the basis of a division of responsibilities; 
• mutual support among Group companies with reference to their respective activities and goals;
• combatting fraud and preventing and investigating crime; 
• protecting customers, employees and other persons, data, secrets and assets of the Medbase Group; 
• ensuring IT security, particularly in relation to the usage of websites, apps and other IT infrastructure; 
• ensuring and organizing business operations, including the operation and development of websites and other systems; 
• corporate management and development; 
• the sale or purchase of companies, company units or other assets; 
• the exercise or defense of legal claims; 
• compliance with Swiss and foreign law as well as internal rules.

As is the case for any association of companies, also the Medbase Group has an overall interest in the successful business operations of Group companies, and our Group companies for their part have an interest in their own operations and their own purposes of processing (section ‎6). In order to support these activities and purposes, the personal data necessary for this purpose may be shared with Group companies and, where appropriate, supplemented by them or compared and linked with other available personal data. 

This may involve e.g. the following forms of data disclosure:

• all categories of personal data referred to in section 4 for the management and performance of contractual relationships, in particular in relation to products and services involving performance by more than one Group company (e.g. with regard to the supplementation of centrally managed medical history with relevant information obtained from other medical centers of pharmacies);
• master data, contractual data, data concerning health, communication data, data relating to behavior and transaction data as well as data relating to preferences, information obtained from customer questionnaires, surveys and studies as well as visual and sound recordings for product development and market research, where such information must contain personal data;
• master data, contractual data, communication data, technical data, data relating to behavior, transaction data, data relating to preferences as well as visual and sound recordings for the provision and personalization of products and services, communication and marketing activities; 
• master data, contractual data, communication data, technical data, data relating to behavior and transaction data, in addition to data relating to preferences for the purpose of preventing fraud and misuse as well as for credit checks (e.g. in relation to the provision of services on account);
• master data, contractual data, communication data, technical data, data relating to behavior and transaction data, as well as visual and sound recordings for the purpose of preventing fraud and for evidentiary purposes;
• information of security relevance for security purposes and compliance with legal requirements; 
• information concerning support in relation to the enforcement of rights.

If you contact us for instance with a concern relating to a service, we may pass this information on to the Medbase company that provided the service for the purpose of service and quality improvement. Also where you participate in the Medbase pharmacies club card program, we share for instance data relating to behavior, transaction data and data relating to preferences with regard to purchases made in pharmacies with Medbase companies, for instance in order to enable them to offer you services that may be of interest for you in the light of the products purchased by you. 

The services concerned relate e.g. to the following areas:

• medical services, e.g. laboratory analyses
• advertising and marketing services, e.g. for dispatching messages and information;
• corporate management, e.g. accounting or the management of assets;
• payment services;
• shipping and logistics, e.g. for shipping goods ordered;
• information concerning creditworthiness , e.g. if you would like to purchase on account;
• debt collection services;
• IT services, e.g. services in the fields of data storage (hosting), cloud services, the dispatch of email newsletters, data analysis and refinement etc.;
• advisory services, e.g. services provided by tax advisors, lawyers, corporate consultants or staff recruitment or intermediation advisors.

These include e.g. the following scenarios:

• transfer to hospitals or other specialists;
• provision of information concerning the state of your health to relatives, subject to professional secrecy;
• notifications to health insurance schemes for the purpose of assessing commitments concerning the payment of costs;
• the sharing of anonymized or pseudonymized data concerning health with educational institutions for the purpose of usage within scientific studies;
• the assignment of receivables to other companies such as e.g. debt collection companies;
• the review or execution of corporate transactions such as e.g. company purchases, sales and mergers;
• the disclosure of personal data to courts and authorities in Switzerland and abroad, e.g. to criminal prosecution authorities in the event of any suspicion of criminal activity or within the ambit of health protection concepts; 
• the processing of personal data in order to comply with an order of a court of law or to exercise or defend legal claims, or where we consider it to be necessary due to other legal reasons. In such cases, we may also share personal data with other parties to the proceedings.

Please also note our Cookie Notice concerning the independent collection of data by third party providers whose tools we have incorporated into our websites and apps.

One way of ensuring adequate data protection is e.g. to conclude data sharing agreements with the recipients of your personal data situated in third countries, which guarantee the necessary data protection. These include the contracts that have been approved, drafted or recognized by the European Commission and the Federal Data Protection and Information Commissioner, which are known as standard contractual clauses. An example of the data sharing agreements that are generally used by us can be found here. Please note that any such contractual precautions may in part make up for weaker or absent statutory protection, although cannot fully exclude all risks (e.g. of state interference abroad). In exceptional cases, transmission to countries without adequate protection may also be permitted in other cases, specifically on the basis of consent, in relation to legal proceedings abroad, if transmission is necessary for the performance of a contract, in cases involving an overriding public interest or if the data has been made generally accessible by you and you have not objected to the processing thereof.

We may process particularly sensitive personal data e.g. in the following cases:

• you log in to a Medbase app and provide information concerning physical complaints or enter your training data;
• you notify us concerning health-related complaints after taking, using or applying a product;
• you purchase from us a medical device covered by health insurance or receive a service and request documentation for the purpose of obtaining reimbursement;
• you receive one of our services and provide information on the patient form concerning medical history, intolerances, allergies etc.;
• you apply for an open position and provide information concerning your health, trade union membership or previous criminal convictions and measures of criminal enforcement.

We may process e.g. personal data relating to children under the following circumstances:

• you sign up your child for a therapy session or another service and fill in the patient form for your child;
• a young person registers for a medical service, concerning the provision of which he/she is free to decide himself/herself (e.g. measuring blood pressure, vaccination, contraception);
• your child completes a competition slip in his/her own name. 

We conduct profiling e.g. within the ambit of the Medbase pharmacies club card program by assessing your purchasing history and allocating you to specific customer segments on the basis of it. These are groups of people that have similarities in terms of particular characteristics. These customer segments may be established on either a long-term or an ad hoc basis and may relate e.g. to the phase of life or reason for purchasing. This profiling enables us e.g. to provide you with special offer vouchers that are relevant for you. For instance, if you frequently purchase herbal remedies from us, you will often receive special offer vouchers and offers relating to other plant-based products. Similarly, we may inform you concerning products and services where you live, if we are aware of your preferred location. Alternatively, we can prevent you from receiving special offer vouchers for baby products if we have reason to believe that you do not have any children.

Profiling occurs for instance also in relation to your account if we assess your behavior when using our apps, for instance by offering you an individual training plan and presenting you with offers tailored to your interests and preferences. 

Technical security measures include e.g. data encryption and pseudonymization, the creation of log files, access restrictions and the storage of backup copies. Organizational security measures include e.g. the issue of instructions to our staff, the conclusion of non-disclosure agreements and the conduct of checks. We also oblige our controllers to adopt adequate technical and organizational security measures.

— The competent supervisory authority for Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).

— The competent supervisory authority in the Principality of Liechtenstein is the Data Protection Authority of the Principality of Liechtenstein (Datenschutzstelle).