For reasons of better readability, the simultaneous use of the language forms male, female and diverse (m/f/d) is omitted. All personal designations apply equally to all genders.
The German Heart Centre Berlin (hereinafter referred to as DHZB) always endeavours to ensure that participants in training and further education measures do not regularly gain knowledge of personal data, in particular data from or about patients, or of confidential information of the DHZB. Should a participant nevertheless gain knowledge of such data in individual cases, the following applies:
I undertake to maintain confidentiality with regard to information about patients and/or staff of the DHZB and with regard to all information that is confidential, in particular trade and business secrets of the DHZB, which have become known to me during my training or further training at the DHZB. I will also take all necessary measures to prevent unauthorised persons from gaining knowledge of and using this information.
My duty of confidentiality also applies to such patient- and personnel-related information that becomes known to me as a result of the DHZB working together with other healthcare facilities (hospitals, medical practices, etc.) and thereby gaining access to patient- and personnel-related information from these healthcare facilities.
The duty of confidentiality applies in particular to:
- all individual details about personal or factual circumstances of patients and/or staff of the DHZB as well as other healthcare facilities cooperating with the DHZB that are not in the public domain, i.e. cannot be obtained from publicly accessible sources of information;
- Factual information for which the following applies: they are only known to a limited group of persons at the DHZB, the management of the DHZB recognisably and justifiably wishes to keep them secret and they are not easily accessible to persons outside the DHZB (e.g. all economic data of the DHZB that are not readily accessible to outsiders; inventions and unpublished scientific findings; DHZB-specific know-how; balance sheets; personnel matters; communications marked as internal and the like).
I am aware that another healthcare institution may request an additional confidentiality agreement from me.
The German Federal Data Protection Act (hereinafter: BDSG) and the EU General Data Protection Regulation (hereinafter: GDPR) require that personal data (any information relating to an identified or identifiable natural person, e.g. name, address or email address, but also religious affiliation or health) be processed. I am only authorized to process such data if this serves a purpose that is part of my respective legitimate task fulfillment. The principles for the processing of personal data set out in Art. 5 para. 1 GDPR must be observed. I must also observe these obligations in accordance with the BDSG and the GDPR after completing my training and further education at the DHZB.
I acknowledge that violations of data secrecy in accordance with §§ 41-43 of the BDSG and Art. 82 and 83 GDPR as well as other relevant legal provisions, in particular also in accordance with the provisions of §§ 203, 204 of the German Criminal Code (StGB), may be punished with imprisonment or a fine; this does not exclude measures under labor law on the part of the DHZB.
I am aware that members of the medical profession (doctors, dentists, pharmacists, nurses, etc.) as defined in § 203 para. 1 no. 1 of the German Criminal Code (StGB) as well as "their professional assistants" according to § 203 para. 4 of the StGB can be prosecuted for unauthorized disclosure of another person's secret.
I acknowledge that the DHZB reserves the right to terminate my participation immediately and, if necessary, to take legal action against me if I do not comply with this confidentiality obligation. This duty of confidentiality also applies to me after the end of my participation.
Appendix: Relevant provisions
Art. 5 para. 1 GDPR Principles for the processing of personal data
Personal data must
- be processed lawfully, fairly and in a manner that is comprehensible to the data subject ("lawfulness, fairness and transparency");
- be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes ("purpose limitation") in accordance with Article 89(1);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject ("storage limitation");
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures ("integrity and confidentiality").
Art. 83 (4) GDPR General conditions for the imposition of fines
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of its total worldwide annual turnover in the preceding business year, whichever is the higher:
- the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43;
- the obligations of the certification body pursuant to Articles 42 and 43;
- the obligations of the supervisory authority pursuant to Article 41(4).
§ 203 StGB Violation of private secrets
Anyone who, without authorization, discloses a secret belonging to another person, in particular a secret belonging to the personal sphere of life or a trade or business secret, which has been entrusted to him or her as a
- Physician, dentist, veterinarian, pharmacist or member of another medical profession that requires state-regulated training in order to practice the profession or use the professional title,
- Professional psychologists with a state-recognized scientific final examination,
- lawyer, chamber counsel, patent attorney, notary public, defense counsel in legal proceedings, auditor, sworn accountant, tax consultant, tax agent or member of a body of a law firm, patent attorney, auditing, accounting or tax consulting firm,
- Marriage, family, educational or youth counsellor or counsellor for addiction issues in a counselling centre that is recognized by a public authority or corporation, institution or foundation under public law,
- member or representative of a recognized counselling centre in accordance with §§ 3 and 8 of the Pregnancy Conflict Act,
- a state-recognized social worker or state-recognized social pedagogue or
- a member of a private health, accident or life insurance company or a private medical, tax consultant or lawyer's clearing office
or has otherwise become known is punishable by a custodial sentence not exceeding one year or a monetary penalty.
The same penalty applies to anyone who, without authorization, discloses a secret belonging to another person, namely a secret belonging to the personal sphere of life or a trade or business secret, which, in their capacity as
- Public officials,
- persons with special duties in the public service,
- a person who performs duties or exercises powers under staff representation law,
- a member of an investigative committee, other committee or council working for a federal or state legislative body who is not himself a member of the legislative body, or as an assistant to such a committee or council,
- a publicly appointed expert who has been formally bound by law to conscientiously fulfill his or her duties, or
- a person who has been formally bound by law to conscientiously fulfill his or her duty of confidentiality when carrying out scientific research projects,
has been entrusted or has otherwise become known. Individual details of personal or factual circumstances of another person which have been recorded for public administration tasks shall be deemed equivalent to a secret within the meaning of sentence 1; however, sentence 1 shall not apply if such individual details are disclosed to other authorities or other bodies for public administration tasks and the law does not prohibit this.
There shall be no disclosure within the meaning of this provision if the persons referred to in paragraphs 1 and 2 make secrets accessible to their professional assistants or to persons working for them in preparation for their profession. The persons named in subsections 1 and 2 may disclose other persons' secrets to other persons who are involved in their professional or official activities, insofar as this is necessary for the utilization of the activities of the other involved persons; the same applies to other involved persons if they make use of other persons who are involved in the professional or official activities of the persons named in subsections 1 and 2.
A custodial sentence not exceeding one year or a monetary penalty shall be imposed on any person who, without authorization, discloses a secret of a third party which has come to his knowledge in the course of or on the occasion of his work as a contributor or as a data protection officer working for the persons referred to in subsections 1 and 2. Also liable to punishment is anyone who
- as a person referred to in subsections 1 and 2, has not ensured that another contributor who discloses without authorization a secret of which he or she has become aware in the course of or on the occasion of his or her work has been bound to secrecy; this does not apply to other contributors who are themselves a person referred to in subsections 1 or 2,
- as a contributor referred to in paragraph 3, makes use of another contributor who, without authorization, discloses a secret that has become known to them in the course of or on the occasion of their work and has not ensured that they have been bound to secrecy; this does not apply to other contributors who are themselves a person referred to in paragraphs 1 or 2, or
- after the death of the person bound under sentence 1 or under subsections 1 or 2, discloses without authorization a secret belonging to another person which he/she learned from the deceased or obtained from his/her estate.
Paragraphs 1 to 4 shall also apply if the offender discloses the secret without authorization after the death of the person concerned.
If the offender acts in return for payment or with the intention of enriching himself or another person or harming another person, the penalty shall be a custodial sentence not exceeding two years or a monetary penalty.
§ 42 BDSG Penal provisions
A custodial sentence not exceeding three years or a monetary penalty shall be imposed on any person who knowingly makes personal data that is not generally accessible available to a large number of persons without being authorized to do so,
- makes it accessible in any other way
and acts commercially in doing so.
Anyone who discloses personal data that is not generally accessible is liable to a prison sentence of up to two years or a fine,
- processed without being authorized to do so, or
- obtained through incorrect information
and acts in return for payment or with the intention of enriching himself or another person or harming another person.
The offense will only be prosecuted upon application. The data subject, the controller, the federal commissioner and the supervisory authority are entitled to file an application.
A report pursuant to Article 33 of Regulation (EU) 2016/679 or a notification pursuant to Article 34(1) of Regulation (EU) 2016/679 may only be used in criminal proceedings against the person obliged to report or notify or their relatives referred to in Section 52(1) of the Code of Criminal Procedure with the consent of the person obliged to report or notify.
§ 43 BDSG Fining provisions
An administrative offence is committed by any person who wilfully or negligently
- does not correctly handle a request for information contrary to Section 30 (1) or
- does not inform a consumer correctly, completely or in good time contrary to Section 30 (2) sentence 1.
The administrative offence may be punished with a fine of up to fifty thousand euros.
No fines shall be imposed on authorities and other public bodies within the meaning of Section 2 (1).
A report pursuant to Article 33 of Regulation (EU) 2016/679 or a notification pursuant to Article 34(1) of Regulation (EU) 2016/679 may only be used in proceedings pursuant to the Act on Regulatory Offences against the person obliged to report or notify or their relatives specified in Section 52(1) of the Code of Criminal Procedure with the consent of the person obliged to report or notify.