This website is operated by the Krankenfürsorge für oö. Gemeinden, hereinafter referred to as "we", "us", and "KFG", based in Linz. In this privacy policy, we, as the controller pursuant to Art. 4 (7) GDPR, describe what data we collect when you visit our website and for what purpose we process this data. We also inform you about how we generally process the data of our customers, suppliers, and interested parties, and finally explain what rights and safeguards we offer in the course of data processing. You can find all relevant contact information under point 7 of this privacy policy.
As the protection of your personal data is of particular concern to us, we strictly adhere to the legal provisions of the DSG and the GDPR when collecting and processing your personal data.
Below, we provide detailed information about the scope and purpose of our data processing as well as your rights as a data subject. Please read our privacy policy carefully before continuing to use our website and possibly giving your consent to data processing.
Using our website is generally possible without providing personal data. However, different provisions may apply for the use of individual services, which we will inform you about separately.
We only collect and store data that you voluntarily provide by entering it into our input forms or otherwise actively interacting with our website.
Personal data includes all information relating to an identified or identifiable natural person. This includes, for example, your name, address, phone number, or date of birth, but also your IP address or geolocation data that can be used to identify you.
Personal data is processed by us in the course of operating our website only when you voluntarily provide it, for example when registering with us, entering into a legal relationship with us as an insured person, or otherwise contacting us. This data consists exclusively of contact details and information regarding your inquiries.
We use the personal data you provide only to the extent necessary to fulfill the purpose of the processing (e.g., registration, insurance, answering a question, enabling access to certain information) and only if permitted by law (especially according to Art. 6 or Art. 9 GDPR).
The purpose of processing your data is to operate our website and to provide company-specific information and showcase our service offerings.
Further use of your data only occurs if you have expressly consented, if we need your data to fulfill a contract with you or our legal obligations, or if we are legally required to retain the data. Any consent given can be revoked at any time for the future, as described in more detail below.
In the context of our legal mandate, we are required to collect and process various information from insured persons, which serves as the basis for fulfilling our service obligations. "Insured persons" in this context refers to members according to § 4 and dependents according to § 9 of the Upper Austrian Law on Health Insurance for Municipalities (Oö. KFGG).
In case of a claim, we receive various information about the incident through a separate application, including health-related data about illnesses, injuries, diagnoses, and necessary treatments. Processing this data is necessary to assess a claim and, if applicable, provide a benefits approval. We retain this data during the active insurance relationship and beyond, as long as legal retention obligations exist or we are facing claims from insured persons or third parties and need the data to defend against unjustified claims.
In case of initiating or concluding a contract with other customers or third parties involved in service provision, we process their personal data after complete contract fulfillment until the end of applicable warranty, liability, limitation, and legal retention periods, and beyond until the conclusion of any legal disputes where the data may be required as evidence.
We collect data from applicants for our open job positions for the purpose of initiating a potential employment relationship under Art. 6 (1) s. 1 lit. b GDPR or, if applicable, based on explicit consent for inclusion in our applicant pool.
We are obligated to process personal data of our employees to the extent necessary for payroll, time tracking, and verification of other employment obligations. A detailed privacy notice has been made available to all our employees.
Data that you provide to us solely for customer service, marketing, or informational purposes is generally retained for up to three years after our last contact. If you wish, we will delete your data earlier unless there is a legal reason preventing deletion.
In case of contract initiation or completion, we process your personal data after full contract fulfillment until the end of the warranty, limitation, and statutory retention periods, and beyond until the conclusion of any legal disputes where the data is needed as evidence.
Data of our insured persons and their dependents is stored in accordance with the legal provisions of the Upper Austrian Law on Health Insurance for Municipalities (Oö. KFGG).
Data you provide during an application process will be retained for a maximum of 6 months without separate consent.
If data retention is legally required, we comply with the prescribed period. If we process your personal data beyond the purposes stated in this privacy policy based on legitimate interest, we will inform you separately before processing begins.
Your data is generally not transferred to third parties unless we are legally obligated to do so, the data transfer is necessary for the execution of a contract, or you have given your express consent in advance.
External processors or partners receive your data only if necessary for contract fulfillment, if we have a legitimate interest (which we will disclose separately if applicable), or if required by special regulations with your consent.
We do not sell or otherwise market your personal data to third parties. If our processors or partners are based in a third country (i.e., outside the EEA), we will inform you about the implications in the service description.
Wherever a processor comes into contact with your personal data, we ensure that they comply with data protection laws just as we do.
We occasionally offer services that involve or may involve data transfers to the USA. Data transfers to the USA have posed legal challenges in recent years. There are several legal bases for lawful data transfers to the USA, and we generally rely on two:
• Data transfer based on an adequacy decision
On July 10, 2023, the European Commission adopted a new adequacy decision under Art. 45 GDPR for the USA – the EU-U.S. Data Privacy Framework.
However, this adequacy decision applies only to data importers in the USA that are registered in the Data Privacy Framework List (https://www.dataprivacyframework.gov/s/participant-search).
We verify for each service provider receiving personal data in the USA whether they are registered in the Data Privacy Framework List. If so, this will be indicated in our privacy policy for the respective provider.
The press release from the EU Commission about the EU-U.S. Data Privacy Framework is available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.
• Consent
If a data importer is not registered in the Data Privacy Framework List, and no other justification (e.g., performance of a contract) exists, you must consent to the use of such services and the transfer of your data to the USA (Art. 49 (1) lit. a GDPR).
We currently cannot predict how case law will develop regarding the EU-U.S. Data Privacy Framework. We obtain this consent – depending on the service – via our cookie banner or separately before using a particular service.
Your consent is necessary because, according to the most recent court and authority rulings, the USA does not offer an adequate level of data protection (C-311/18, Schrems II). These rulings highlight, in particular, that U.S. government agencies may access data under FISA 702 without adequate legal restriction, without requiring independent approval, and without offering sufficient legal remedies.
Apart from the contractual agreements with U.S. service providers, we have no direct influence on access by U.S. authorities to personal data transmitted to the USA when using these services. Even though we expect our service providers to take the necessary steps to provide the promised level of protection, access by U.S. authorities remains conceivable.
We therefore ask for your consent before using such services. We will inform you separately for each service or application if there is a possibility of data transfer to the USA.
We use numerous technical and organizational security measures to protect your data against manipulation, loss, destruction, and unauthorized access by third parties. Our security measures are continuously improved in line with technological development. If you would like detailed information on the type and scope of the security measures we have implemented, we are happy to provide it in writing upon request.
Under the General Data Protection Regulation and the Data Protection Act, you have the following rights and remedies as a data subject:
You have the right to request information about whether and what personal data concerning you is being processed. To protect your privacy – so that no unauthorized person receives information about your data – we will verify your identity appropriately before providing any information.
You have the right to demand the immediate rectification of inaccurate personal data concerning you or – considering the purposes of processing – the completion of incomplete data and the erasure of your data if the conditions of Art. 17 GDPR are met.
You have the right to restrict the processing of all collected personal data under the legal conditions. From the time of the restriction request, the data will only be processed with your consent or for the assertion and enforcement of legal claims.
You may request the unhindered and unrestricted transfer of personal data you have provided to us to yourself or a third party.
You may object at any time, for reasons arising from your particular situation, to the processing of your personal data based on our legitimate interests or those of a third party. Your data will no longer be processed unless compelling legitimate grounds for the processing override your interests, rights, and freedoms or the processing is necessary for the establishment, exercise, or defense of legal claims. You may object to processing for direct marketing purposes at any time with future effect.
If you have given separate consent to data processing, you may withdraw it at any time. Such a withdrawal affects the legality of the processing of your personal data after you have communicated your withdrawal to us.
If you exercise any of the above rights under the GDPR, KFG will respond to your request without delay and at the latest within one month.
We will respond to all reasonable requests free of charge and as quickly as possible within the legal framework.
For complaints concerning the right of access, confidentiality, rectification, or deletion, the competent authority is:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
dsb@dsb.gv.at
Kranken- und Unfallfürsorge für oö. Gemeinden (KFG)
Friedrichstraße 11
4041 Linz
Mag. Philipp Summereder
(Lawyer / Partner)
Summereder Pichler Wächter Rechtsanwälte GmbH
Dr. Herbert-Sperl-Ring 3, 4060 Leonding (Head Office)
Raiffeisenplatz 1, 4863 Seewalchen (Branch Office)
office@spwr.at | +43 732 272887 | www.spwr.at
FN 441762a LG Linz | ADVM-Code P430533
Last updated: June 2025