1. Responsible body
The controller within the meaning of the General Data Protection Regulation (GDPR) for the "Gesund um die Welt" platform and its registration is:
Siemens Company Health Insurance Fund (SBK)
Ganghoferstraße 29
80339 Munich
Tel.:0800 072 572 572 50
Email:info@sbk.org
Contact the Executive Board representative for data protection and the data protection team:
SBK
SBK-Pflegekasse
Data Protection Officer
Ganghoferstraße 29
80339 Munich
By email: datenschutz@sbk.org
Or you can use our online form for encrypted transmission: Contact form Data protection
The technical implementation, operation of the servers, and certain contractually specified processing tasks for the "Gesund um die Welt" digital health platform are carried out by
Acture Germany GmbH
Kronenstraße 71
10117 Berlin
Germany
within the framework of a data processing agreement in accordance with Art. 28 GDPR. Acture Germany acts exclusively in accordance with instructions and processes personal data solely for the purposes specified by SBK.
2. Data processing in general
We attach great importance to the protection of your personal data. The following statement provides an overview of when we store which data and for what purpose it is collected and used.
As a public-law corporation, we are subject to the provisions of the European General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the Telecommunications Digital Services Data Protection Act (TDDDG), and the special provisions for the protection of social data in accordance with the Social Security Code, in particular Books I, V, X, XI, and XII. Compliance with the legal provisions is checked regularly.
This privacy policy refers to the processing of personal data within the framework of "Gesund um die Welt" (Healthy Around the World).
If you would like to find out more about data processing at SBK in general, cookies in general, and your rights as a data subject, you can find this information at: https://www.sbk.org/service-navigation/datenschutz/
If you would like to know more about data processing by your employer, please refer to your employer's data protection information or ask your employer's data protection officer.
3. Data processing through the use of "Gesund um die Welt"
3.1 Data processing during registration
Use of "Gesund um die Welt" requires a user account with SBK.
The management of user accounts serves as the basis for individual data collection within the digital health platform. The legal basis for the processing of your data is consent in accordance with Art. 6 (1) a GDPR.
We store your user account and the associated data for up to 4 years after our last contact with you. In doing so, we are guided by the retention requirements for business letters under commercial law and want to be able to provide you with proof of your participation even some time after the campaign has ended.
Employers regularly cover the costs of using the digital health platform. Participants are assigned to a cost bearer partly by using an email address from the cost bearer's address range and partly by using the digital health platform via a subdomain assigned to the respective employer.
We do not provide employers with usage data relating to individual participants. The digital health platform is a service offered by SBK as part of its healthcare provision, but it is not used to monitor performance or behavior. If your employer would like to offer prizes as part of the digital health platform, you can voluntarily submit your personal passport from the platform to your employer. Your passport contains an encrypted code that the company can use to check whether the passport is valid. The employer can see which countries you have traveled to on the passport: only when you have completed at least 80% of the tasks in a particular country will you receive a passport stamp for that country. However, the employer cannot see in detail which tasks you have completed.
After registering, you will receive an individual access code by email, which authorizes access to the platform (for details, see point 5 Use of the digital health platform).
You will also receive notifications (e.g., reminders) about your modules by email, which are sent automatically by SBK.
Consent to contact
When you create your user account for the digital health platform, you can consent to SBK contacting you to introduce you to further SBK services by means of a separate declaration during the registration process. In accordance with your consent, contact may be made by telephone, e-mail, or other means. The legal basis is your consent.
For all other questions regarding the processing of your data, the storage period, and the purpose of contacting you, please also refer to the SBK's general data protection information: www.sbk.org/datenschutz.
The data categories include your name, contact details (address, telephone number, email address), and consent status.
The data recipient is the SBK. There is no transfer to third countries.
3.2 Data processing on the digital health platform
In order for a web server to make our Internet pages available to your browser, the server must collect technical data about the device you are using, your browser, and your Internet access. This is referred to as a log file or weblog. This is the same data that you are required to leave behind every time you visit a website. The focus is on the IP address from which you access our pages. The web server sends the data you want to see to this Internet address.
When you visit the website, data that is technically necessary to deliver the website and ensure the security of the system is processed automatically. This includes, in particular
- the IP address of the device used
- Date and time of page view
- accessed content
- Browser type and browser version
- the operating system used
- as well as previous page views
This data is logged on the server side to ensure functionality, detect attacks or malfunctions, and continuously improve the technical stability of the system.
The data recipient is our provider Acture Germany GmbH and its hosting service provider as a subcontractor, who are bound to data protection by data processing agreements. No transfer to third countries takes place.
The processing is based on Art. 6 (1) e GDPR, as SBK has a legitimate interest in a secure, error-free, and technically stable website. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with evidence of how the attack took place.
The data is generally deleted after 30 days at the latest, unless further storage is necessary to clarify security-related events.
4. Use of the digital health platform
The SBK provides a digital health platform that is made available to users via individual access codes. These access codes are not personal, do not allow any conclusions to be drawn about individual persons, and enable completely anonymous use of the platform. When an access code is redeemed, only the technical data necessary to enable access, prevent misuse, and ensure the stability of the platform is processed.
Users can voluntarily provide personal information such as their first name, last name, and email address. This information is not required to use the platform and is only used to improve the user experience, for example, to simplify registration or to provide technical support.
The data is not stored in plain text. Voluntary information is hashed using SHA-256 immediately after entry and additionally protected by further anonymization mechanisms. Identification based on the stored values is impossible. The SBK does not receive this data in plain text at any time and cannot assign it to any person.
When using the platform, only technical usage data is processed, such as which modules were opened, whether content was displayed, or which technical playback parameters were required. This data is necessary to provide the content correctly, stabilize the platform, and ensure technical functionality. No personal evaluation takes place; in particular, no health data is processed, no performance profiles are created, and no behavioral analyses are performed.
SBK receives only completely anonymized usage statistics, such as the total number of users of a module or general access patterns. These statistics do not allow any conclusions to be drawn about individual persons and are used exclusively for the further development and improvement of the service.
5. Cookie management
5.1 Registration cookies
For information on the use of cookies during registration, please read the SBK privacy policy.
5.2 Cookies used by the digital health platform
Our website uses technically necessary cookies that are required for the operation of the website, for example for session management, to store language settings, or to provide basic platform functions. These cookies do not contain any personal data, serve exclusively for technical provision, and are based on Art. 6 (1) e GDPR in conjunction with § 25 (2) TDDDG.
For external content, in particular the playback of videos via the Vimeo service, additional cookies are only set once users have given their express consent. Consent is given via a consent management tool and can be revoked or adjusted at any time. The integration of such cookies is based on Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG.
Use of Vimeo and data transfer to third countries
The platform uses the Vimeo service to provide video content. We use the Vimeo player to offer you high-performance video streaming. The legal basis for processing the weblog/streaming data, setting Vimeo cookies, and transferring data to the USA is your consent.
External media are only loaded after express consent has been given. When playing a video, connection data such as
- the IP address
- browser information
- device information
- Time of retrieval and
- technical reproduction parameters
transmitted to Vimeo. For details, see Vimeo's privacy policy.
Vimeo is certified under the EU-US Data Privacy Framework (DPF). Certified providers have received an adequacy decision from the European Commission in accordance with Art. 45 GDPR, meaning that data transfers to the US are permitted and considered secure under data protection law. Insofar as Vimeo also processes data in regions not covered by the DPF, the transfer is based on standard contractual clauses in accordance with Art. 46 GDPR and supplementary technical and organizational measures.
SBK does not transmit any voluntary profile data or usage data to Vimeo. Vimeo only receives data that is technically necessary to provide the video stream.
In addition, the digital health platform accesses the value of how far you have watched a video for individual tasks. Depending on the duration you have watched, our system assigns you a different number of points.
Further information on how your data is handled can be found in Vimeo's privacy policy: https://vimeo.com/privacy
Since Vimeo processes data in the USA, you can only use the video service if you consent to the transfer of data to the USA. The data recipient is Vimeo.com Inc., 555 West 18th Street, New York, New York 10011, USA. Vimeo processes the data in the USA. For this third-country transfer, Vimeo ensures that the data is handled in accordance with EU data protection standards by concluding EU standard data protection clauses.
The storage period is the responsibility of Vimeo. It is not necessary for us to delete data, as we do not collect any personal data from you through the use of Vimeo itself.
7. Storage period and deletion
Personal data will only be stored for as long as is necessary to fulfill the respective purposes.
7.1 Registration data
- are automatically deleted 4 years after registration
- Consents are stored until they are revoked.
7.2 Data on the digital health platform
- Voluntary profile data in the digital health platform will be deleted or completely anonymized after seven months at the latest (6 months program duration + 6 weeks follow-up period).
- Technical session data and log data are stored for a maximum of 30 days.
- Anonymized statistical data is not subject to any deletion requirement, as it does not contain any personal references.
- Consents are stored until they are revoked.
8. Rights of data subjects
Data subjects have the following rights under the GDPR: the right to information about the stored data, the right to correction of incorrect data, the right to deletion, the right to restriction of processing, the right to object to data processing on the basis of Art. 6 (1) lit. f GDPR, the right to data portability, and the right to revoke consent granted at any time with effect for the future.
In addition, you have the right to lodge a complaint with a data protection supervisory authority, in particular with the
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Straße 153
53117 Bonn.
If you have any questions about data protection, you can also contact the SBK data protection officer (datenschutz@sbk.org).
9. Updating this privacy policy
This privacy policy is updated regularly to reflect legal, technical, or organizational changes. The current version is available on this website at any time.
As of January 2026