As of: May 28, 2025
Dear Sir or Madam,
The protection of your personal data is important to us.
With this notice, we would like to inform you about how your personal data is processed and explain your rights. The processing of your data is only permitted for data protection reasons if there is a legal basis for it or if you, as a patient, have given your consent.
If you have any further questions after reading this notice, please contact the person listed below.
The motus med app enables patients or legal guardians to securely transmit video and audio recordings of potential epileptic seizures to the treatment team and for them to retrieve such data. The app is not a medical device and does not provide diagnoses.
1. Name and Contact Details of the Controller
Controller responsible for data processing:
Charité – Universitätsmedizin Berlin
Public Law Corporation
Charitéplatz 1
10117 Berlin
Represented by the Chairman of the Board:
Prof. Dr. Heyo K. Kroemer
Executing unit:
Charité – Universitätsmedizin Berlin
Department of Neurology with Experimental Neurology
Computational Neurology Working Group
Charitéplatz 1
10117 Berlin
Email: info@motusmed.de
Phone: +49 30 450 560 196
2. Contact Details of the Data Protection Officer
Official Data Protection Officer
Charité – Universitätsmedizin Berlin
Charitéplatz 1
10117 Berlin
Email: datenschutzbeauftragte@charite.de
3. Purposes and Legal Bases of Processing
Your data is processed for the following purposes on the basis of the specified legal grounds:
Purpose 1: Registration and account management
Creation and assignment of a user account by the inviting hospital
Password assignment/reset
Storage and management of consents
Legal basis: Article 6(1)(a) and Article 9(2)(a) GDPR (consent)
Purpose 2: Upload and end-to-end transmission of video/audio recordings
Assignment of recordings in the app to the corresponding case
Provision to the treatment team
Legal basis: Article 6(1)(a) and Article 9(2)(a) GDPR (consent)
Purpose 3: Retrieval and review of recordings by medical professionals
Review, professional assessment, and annotation by the treatment team
Assignment of findings to the patient record in the hospital information system
Legal basis: Article 6(1)(b) GDPR (treatment contract)
Purpose 4: Technical provision, IT security, error logging
Operation of server infrastructure, database backups, content delivery
Prevention of abuse and troubleshooting
Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure and error-free operation)
Purpose 5: Usage analysis with Matomo (without cookies, with IP anonymization)
Analysis of navigation paths, loading times, and crashes
Derivation of optimizations for the user interface and stability
Legal basis: Article 6(1)(f) GDPR (interest in app improvement and stable provision)
Purpose 6: Fulfillment of statutory retention obligations
Legal basis: Article 6(1)(c) GDPR (legal obligation)
Purpose 7: Delivery of push notifications
Generation of generic notices (“New summary available”) without medical content
Legal basis: Article 6(1)(a) GDPR (consent)
4. Categories of Data
Category: Basic identification data
Details:
Last name
First name
Date of birth
Email address
Category: Medical data
Details:
Video/audio data of possible seizures
Medical assessments
Category: Data of relatives
Details: Collected only if they are incidentally captured in the submitted video/audio recordings or explicitly provided by patients
Category: Usage and log data
Details:
Timestamps
Access rights
Log files
Category: Push identification data (Firebase Cloud Messaging)
Details: These data are used solely for the technical delivery of push notifications. No medical or personal data are transmitted in the notifications.
Firebase Installation ID (FID)
Truncated IP address
Device type and app version
Category: Analytics data (Matomo – without cookies)
Details:
Truncated IP address
Device type
App version
5. Source of Data in Case of Indirect Collection
Your email address originates from the inviting hospital so that we can invite you to use the app.
6. Recipients or Categories of Recipients of Personal Data
Your personal data may be shared with the following recipients or groups of recipients:
Charité – Universitätsmedizin Berlin, Department of Neurology with Experimental Neurology, Computational Neurology Working Group, to operate the platform
Treatment team of the inviting hospital, to review recordings and communicate with you in the context of treatment
OVH GmbH, Oskar-Jäger-Str. 173/K6, 50825 Cologne, for hosting the platform and collected data under a data processing agreement according to Article 28 GDPR
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, as the provider of Firebase Cloud Messaging under a data processing agreement according to Article 28 GDPR
7. Transfer of Personal Data to a Third Country
It is planned to transfer your personal data to third countries outside the European Union and the European Economic Area for the purpose of delivering push notifications via Firebase Cloud Messaging (FCM).
This includes, in particular, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This company is subject to an adequacy decision of the European Commission under Article 45 GDPR (EU-U.S. Data Privacy Framework), ensuring a level of data protection comparable to that of the EU.
Important: Only pseudonymous technical data (e.g., Firebase Installation ID, app version, device type) are processed via Firebase. No medical or identifying data are transmitted.
8. Duration of Storage of Personal Data or Criteria for Determining This Duration
Your data will be stored until the purpose is fulfilled, you withdraw your consent, or you object to the processing based on reasons arising from your particular situation.
Medical data will be deleted 10 years after the last medical review. Documentation of your consent will be deleted after 10 years due to legal obligations of proof.
9. Risks of Data Processing and Security Measures
Whenever data is collected, stored, or transmitted in the context of using the motus med app—including video and audio data of possible epileptic seizures and associated health information – there remains a residual risk of re-identification through the use of additional information, e.g., from the internet or social networks. This is especially relevant if you yourself have published genetic or other health-related data online (e.g., ancestry research).
We assure you that we do everything technically feasible to protect your privacy. This includes contractual assurances of purpose limitation and confidentiality from the inviting hospital, the treating physicians, and OVH as a data processor.
10. Data Subject Rights and Contact
You have the following rights regarding the processing of your data:
Right to withdraw consent, Article 7 GDPR
If you have consented to processing, you may withdraw your consent at any time with future effect, without disadvantage. The legality of processing up to the time of withdrawal remains unaffected.
Right of access, Article 15 GDPR
You have the right to obtain information about the personal data stored about you.
Right to rectification, Article 16 GDPR
If you find that inaccurate data about you is being processed, you can request correction. Incomplete data must be completed in view of the processing purpose.
Right to erasure, Article 17 GDPR
You have the right to request deletion of your data if certain grounds apply. This is particularly the case when the data is no longer necessary for the original purpose.
Right to restriction of processing, Article 18 GDPR
You may request that the processing of your data be restricted. This means the data will not be deleted but marked to limit further processing or use.
Right to data portability, Article 20 GDPR
Personal data you have provided may be made available to you in a commonly used, structured format, provided this is technically feasible.
Contact:
To exercise the above rights, please contact the executing unit using the contact details provided above.
For questions about data protection, you can also contact the official data protection officer of Charité using the contact details provided above.
Right to lodge a complaint with a supervisory authority:
You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The complaint can be submitted informally to any supervisory authority of your choice. For example, the contact details of the Berlin supervisory authority are:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59–61
10555 Berlin
Phone: +49 30 13889-0
Fax: +49 30 2155050
Email: mailbox@datenschutz-berlin.de