Terms of services & privacy

Jun 01, 2023 20:38 pm CEST

This document contains the Terms of Services and Privacy Statement for the usage of the decidemedical platform.

1. Scope of application

1.1 decidemedical.com

decidemedical.com (decidemedical) is a service provided by ClinFlows UG (haftungsbeschränkt) & Co.KG, Grossenberkener Str.40, 32609 Hüllhorst, Germany (hereinafter called „ClinFlows“) through the page decidemedical.com.

1.2 User relationship

These Terms and Conditions (hereinafter called “TOS”) and the controller-processor agreement govern the relationship between ClinFlows and decidemedical Users. If there are individual agreements that have been reached between ClinFlows and the User (including side agreements, additions and changes), they shall prevail over the TOS. ClinFlows does not accept any other agreements other than this TOS.

1.3 Changes

ClinFlows reserves the right to change the TOS. ClinFlows informs its Users about changes via e-mail or notification on the page decidemedical.com. If the user does not object, changes become effective after a period of four weeks once a notification has been sent. ClinFlows is entitled to terminate the User relationship in the case of objections by the User.

2. Conditions of use

2.1 Registration

The use of decidemedical as MEMBER account and participation in a clinical project requires registration with a valid e-mail address and a unique access code (decidepass code). EXPERT accounts and PARTNER accounts (project owner) are created by ClinFlows’ administrators (project manager). ACCOUNT EXECUTIVE accounts are created by the PARTNER account. Upon account creation a temporary password is provided per email, which needs to be updated upon first login by User.

2.2 User's declarations

By their registration, the User, legally binding, declares:

  • their consent to the TOS
  • their consent to the controller-processor agreement
  • that the User is the sole and legitimate owner of the specified email address
  • that the User effectively protects his e-mail account against the unauthorised access of third parties.

2.3 Acceptance of registration

The User relationship shall begin when ClinFlows confirms the account creation by email.

2.4 Legal age

Registration is only allowed for users who have reached the legal age specified in the law of their country. Minors require the written consent of their legal representative in order to register.

2.5 Usage period

The user relationship is concluded for an unlimited period. It can be terminated by the User at any time and by ClinFlows with a notice period of 30 days. The right to extraordinary termination shall be unaffected.

3. Services

3.1 Case Sharing within clinical projects

decidemedical enables its Users to share clinical cases, containing clinical data, medical images and other reports within defined clinical projects. The decidemedical platform allows to individually configure clinical projects (practices) with dedicated access rights and workflows. Owner of MEMBER accounts are enabled to upload clinical cases and submit these to EXPERT(s) accounts determined per project. Owner of EXPERT accounts are enabled to enter in a discussion with MEMBER and to reply to a clinical case uploaded by MEMBER. The sponsor or initiator of a clinical project receives a PARTNER account, which is allowed to review MEMBER’s cases and to potentially download case attachments uploaded by MEMBER. ACCOUNT EXECUTIVE account owner can review cases of MEMBER(s) assigned to their account. The settings of each project on decidemedical may differ from each other, based on its specific requirements.

Clinical projects managed with decidemedical are typically:

  • data collection and data transfers within clinical studies
  • patient eligibility/screening checks
  • second opinion workflows
  • clinical case reviews
  • medical image sizing services
  • transfer of medical information
  • case sharing activities in general

3.2 Data Privacy

The User of decidemedical maintains sole responsibility for complying with all applicable data privacy regulations. The User must ensure that he/she is authorized to upload and share patient data with different stakeholders within a clinical project (patient informed consent) and to use decidemedical. User must consider the specific configurations and workflows of the projects he/she participates in.

ClinFlows will not share your personal data with anyone without your permission.

All data uploaded and processed on decidemedical are only stored on servers located in Roubaix and Strasbourg, France.

3.2.1 Who is responsible for the data processing and whom to contact in case of questions?

The responsible person is the project manager / sponsor / company who initiated the project you are participating in. ClinFlows is responsible for data hosting and supporting the decidemedical system.

Contact details of ClinFlows’ appointed Data Protection Officer:
jhcon.de Unternehmens- und Datenschutzberatung
Dipl.Ing. Jörg Hagen
Veilchenweg 6a
30989 Gehrden
+49 5108 9090112

User can contact ClinFlows at info(at)clinflows.com for further information.

3.2.2 Which sources and data do we use?

Only personal data of the patients are processed on the platform, which are uploaded by the responsible participants within the project. These are mainly clinical data, reports and medical images in DICOM format.

3.2.3 What is the purpose of processing your data and what is the legal basis?

The personal data are processed within the scope of the consent of the patients themselves for joint assessment and evaluation within the respective project by the participating parties as defined by the sponsor or initiator of the project. The legal basis is Article 6 (1) GDPR. The processing of personal data by ClinFlows on behalf of the project manager / sponosor / company takes place within the scope of order processing within the meaning of Article 28 GDPR.

3.2.4 Who receives your data? Your data will not be forwarded to unauthorized third parties.

However, all necessary data within the scope of the project are released to all participants to the required extent. Data are also given to external contractors of ClinFlows such as data centers in accordence with Article 28 GDPR.

3.2.5 Are your data transferred to a third part country or international organisations?

The transfer of your data to a third party country or international organisation is not forseen. However, there can be approvals by the initiator of the study, to access your data by project participants located outside the EU.

3.2.6 How long do we store your data?

The data are stored for the duration of the project. If a patient withdraws consent, the data can be deleted after notifying the project manager / sponsor / company.

3.2.7 What other data protection rights do you have?

You have the right of access to your personald data (Article 15 GDPR) which are processed by ClinFlows, to the responsible person of the project /sponsor / company and also to ClinFlows. Furthermore you have the right of correction (Article 16 GDPR), the earsion (Article 17 GDPR) or to restriction of processing (Article 18 GDPR) and the right of data transferability (Article 20 GDPR). There is the right of appeal to the respective supervisory authority on data protection at any time. To do so, please contact the State Data Protection Officer in North-Rhine-Westphalia, Germany.

3.2.8 What rights of objection do you have?

If you have given your consent to process your data (Article 6, 1a or Article 9,2, GDPR), you have the right to withdraw this consent at any time. In addition, you have the right of objection against the processing of your personal data according to Article 21 GDPR. In case you object, ClinFlows will no longer process your personal data, unless we can prove compelling reasons, worhty of protection for the processing, which outweight your interests, rights and freedoms, or the processing serves to assert, exercise of defend legal claims. For this kind of request, please contact the responsible project manager / sponsor / company or ClinFlows.

4. User's obligations

4.1. Fundamentals

When using decidemedical, the User undertakes to comply with the laws of the Federal Republic of Germany, with the exemption of the UN sales convention, and the present TOS. The User is obliged to do the following:

4.2 True statements

The information provided by the User during registration is truthful and complete. The User shall not attempt to represent someone else or another institution. The User bears all costs arising from false statements, or other reasons that are the responsibility of the User.

4.3 Protection of access data

The User shall keep the access password to the User’s account secret and change it immediately if unauthorized third parties may have acquired access to the User’s account or password. The User is also liable for third parties who are – with the User’s knowledge or due to the negligent handling of their access details – empowered to access the decidemedical platform through their account. This does not apply if the User is not responsible for any unauthorized use.

4.4 Responsibility of the User

The User is solely responsible for the content entered and/or uploaded to decidemedical. The User undertakes to use decidemedical only once the appropriate authority has been obtained as per the applicable privacy regulations.

4.5 Prohibited activities

The User will not use decidemedical for illegal activities, advertising or unwanted messages.

5. Liability

5.1 Exclusion and limitation of liability

ClinFlows assumes unlimited liability for damages caused by intent or gross negligence, also of its legal representatives and executives, or in case of injury to life, body and health. Incidentally, ClinFlows assumes liability only to the extent of predictable losses typical of the contract, moreover, only in so far as it is breach of contractual obligations that endanger the purpose of the contract. Contractual obligations are those obligations whose fulfilment is essential to the proper execution of the contract, which breach endangers the purpose of the contract and on whose compliance the customer may regularly rely. In addition, claims for damages against ClinFlows are excluded.

5.2 Limitation of compensation claims

Claims for damages from customers expire two years after the submission of a case. The above provision does not apply to cases where decidemedical assumes unlimited liability according to clause 6.1, notably for damages caused by intent or gross negligence of ClinFlows, or caused by its legal representatives and executives, or in cases of injury to life, body and health.

6. Applicable law

The complete legal relationship between ClinFlows and decidemedical Users is exclusively governed by the law of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods (UN CISG).

7. Jurisdiction

The exclusive venue for any disputes arising from the User relationship is in Bielefeld, Germany, for all Users who are not consumers or have no jurisdiction in Germany.

Order Processing in accordance with Article 28 General Data Protection Regulation (GDPR)


Any User of the decidemedical platform (decidemedical.com),
referred to as “the Controller”

ClinFlows UG (haftungsbeschränkt) & CoKG Grossenberkener Strasse 40 32609 Hüllhorst Germany
referred to as “the Processor”

1. Introduction, area of application, definitions

This contract stipulates the rights and obligations of the Controller and Processor in the context of processing personal data on behalf of the Controller.
The terms used in this contract are to be understood in accordance with their respective definitions in the EU General Data Protection Regulation (GDPR).

2. Scope and duration of the data processing

2.1 Scope

The Processor shall carry out the following processes: The Processor only transfers, modifies and hosts data on behalf of the Controller within defined clinical projects (clinical studies, second opinion workflows, medical image sizing services etc.). The usage of the provided data is determined by the initiator / sponsor of a clinical project, providing dedicated access to stakeholders participating in the clinical project.

2.2 Duration

Processing shall begin with the initiation of a clinical project on decidemedical.com and be carried out for an unspecified period until either this contract has been terminated by one of the Parties.

3. Nature and purpose of the data processing

3.1 Nature and purpose

Processing the data consists of the following: collecting, transferring, saving, pseudonymization, deleting or destroying of patient data containing clinical data, medical images and reports. The undertaking of the agreed processing of European Economic Area (EEA). Each and every transfer of data to a state which is not a member state of either the EU or the EEA requires the prior agreement of the Controller and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled. Each data Controller providing data, acknowledges that the participants of a clinical project, having access to Controller’s data, may be located in a state which is not a member of either the EU or the EEA. The data is processed for the following purposes within clinical projects:

  • data collection and data transfers within clinical studies
  • patient eligibility/screening checks
  • second opinion workflows
  • clinical case reviews
  • medical image sizing services
    • transfer of medical information
    • case sharing activities in general

3.2 Type of data

The following data are to be processed:

  • personal data of decidemedical users (name, address, phone numbers, email addresses)
  • clinical patient data
  • medical images
  • meta data of platform usage (audit trail)

3.3 Categories of persons affected

The following data subjects are affected by the data being processed:

  • user of decidemedical
  • patients

4. Technical and organisational measures

(1) The Processor shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.

(2) The technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced.

4.1 Confidentiality (Article 32 Paragraph 1 Point b GDPR)

Physical Access Control

No unauthorised access to Data Processing Facilities (hosted at OVH). Measures: Video monitoring, Movement detection system, Watch teams 24/7, RFID card access control.

Electronic Access Control

No unauthorised use of the Data Processing and Data Storage Systems. Measures: Complex password secured login, e-mail validation, password anti-aging, controlled log-in attempts, session time-out, one session per user, dedicated user rights and roles, SSL remote connection.

Internal Access Control (permissions for user rights of access to and amendment of data).

Measures: Project defined user rights, Audit trail, Data minimisation.


Control Measures: Isolated server environments (development, staging, production), split per project, split per services.

Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

Measures: Project specific defined pseudonymisation/anonymisation of DICOM headers, responsibility of the data controller to respect data subject privacy rights (informed consent).

4.2 Integrity (Article 32 Paragraph 1 Point b GDPR)

Data Transfer Control

Measures: SSL encryption.

Data Entry Control

Dedicated user right and roles, audit trail.

4.3 Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)

Availability Control

Continuous data mirroring, backup strategy, uninterruptible Power Supply (UPS), virus protection, Advanced DDOS protection, firewall, reporting procedures and contingency planning.

Rapid Recovery (Article 32 Paragraph 1 Point c GDPR) (Article 32 Paragraph 1 Point c GDPR)

Load balancing strategy to avoid system interruption, RAID 1.

4.4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

  • Data Protection Management;
  • Incident Response Management;
  • Data Protection by Design and Default (Article 25 Paragraph 2 GDPR);
  • Order or Contract Control

No third party data processing as per Article 28 GDPR without corresponding instructions from the Client.

5. Quality assurance and other duties of the Processor

The Processor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Processor ensures, in particular, compliance with the following requirements:

  • (1) Appointed Data Protection Officer, who performs his duties in compliance with Articles 38 and 39 GDPR: , Dipl.Ing. Jörg Hagen, Veilchenweg 6a, 30989 Gehrden, Germany, jhcon.de Unternehmens- und Datenschutzberatung.
  • (2) Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Processor entrusts only such employees with the data processing who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work.
  • (3) Implementation of and compliance with all technical and organisational measures in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR.

6. Subcontracting

Subcontracting is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the controller's data, even in the case of outsourced ancillary services. The Client agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR:

Company subcontractor Address/country Service
OVH GmbH Dudweiler Landstrasse 5, 66123 Saarbrücken, Germany Data Hosting Provider

The involvement of a subcontractor and/or the change of existing subcontractors are permitted insofar as:

  • the contractor notifies the customer of such outsourcing to subcontractors in writing or in text in advance and
  • the customer does not object to the planned outsourcing to the contractor in writing or in text form within two weeks of receipt of the notification of the planned outsourcing for good cause and
  • a contractual agreement in accordance with Art. 28 (2) - (4) DS-GMO is completed.

7. Supervisory powers of the Controller

  • (1) The Controller has the right, after consultation with the Processor, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The Controller has the right to convince itself of the compliance with this agreement by the Processor in his business operations by means of random checks, which are ordinarily to be announced in good time.
  • (2) The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with Article 28 GDPR. The Processor undertakes to give the Controller the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
  • (3) The Processor may claim remuneration for enabling Controller inspections.

8. Communication in the case of infringements by the Controller

  • (1) The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR.
  • (2) The Processor may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Controller.

9. Ending the commissioned processing

The Processor will not retain or keep data longer then allowed by law, required by law and/or necessary for the purpose of which the data are processed. The retention period depends on the nature of the clinical project Controller participates and therefore may vary accordingly.

Version Applicable since Link
1 2018/05/25 Current
N/A 2011 Privacy statement - Expert agreement - Member agreement