Privacy policy

Summary

  • A. General information
  • B. Definitions
  • C. Scope of application and competent supervisory authority
  • D. Data collection and purpose limitation (scope of use)
  • E. Transfer of data
  • F. Contract data processing
  • G. Data retention
  • H. Your rights as a data subject
  • I. Data protection officer
  • J. Changes to this privacy policy
  • K. Observance of national particularities

A. General information

I. General information about this privacy policy; our contact details

The purpose of this privacy policy (“DSE”) of our clinic, the joint practice “Plastmed Privatklinik” (also the “controller” within the meaning of the General Data Protection Regulation, i.e. EU Regulation 2016/679 of April 27, 2016 – “GDPR”), is in particular to inform you, as the data subject of data processing measures, in a transparent, simple, and understandable manner about, among other things:

  • what data we collect, how and why this is done;
  • how we handle your data, including, where applicable, with the involvement of third parties;
  • what circumstances are covered by the GDPR;
  • what rights and opportunities for participation you have with regard to your data and its use;
  • what rights we have and how these may affect your rights.

Our contact details are as follows:

Plastmed Private Clinic GbR
Neuer Zollhof 2
40221 Duesseldorf, Germany
Owners: Dr. Andreas Arens-Landwehr, Dr. Jens Diedrichson, Dr. Naja-Norina Pluto, Dr. Till Scholz

T +49 211 876 302 40
info@plastmed.de
www.plastmed.de

II. Terms used in data protection law

In data protection law, as well as in applications relevant to data protection law, terms are sometimes used that are not self-explanatory per se and/or have not yet become part of everyday language to such an extent that everyone can be expected to know their meaning without further explanation. For this reason, we have provided a more detailed explanation of some of the terms that occur particularly frequently in Section B. (Definitions).

III. Our approach to data protection

Data protection is important to us, and we take a variety of measures to ensure that your data is in good hands with us. The principles set out in the GDPR are also our own principles when handling your data. These include, not least, the requirements of data purpose limitation and data minimization. In this context, we regularly request only the minimum amount of data from you (or, if necessary, from third parties) that is necessary for us to establish the clinic/patient relationship with you in accordance with recognized professional principles and to provide you with excellent service. This principle of necessity is also applied at the employee level, i.e., only those employees who absolutely need the personal data to perform the tasks assigned to them have access to it. At the same time, we only store data for as long as is necessary for the aforementioned purposes, unless longer retention periods are required by law. Another component of our data protection system is that of technical design and organization. Through modern data processing systems, other technical precautions, and, if necessary, the involvement of external specialist companies, we ensure that a high level of data security is guaranteed within the clinic (including through the use of data encryption technology) and that the risk of unauthorized external access is excluded as far as possible. At the same time, data is stored in such a way that it can be easily found at any time and, if necessary, restored. In addition to the legality of the acquisition, we strive to only process correct data, so we are happy to accept any updates you may provide.

IV. Legal basis

Data processing by us is carried out in particular on the basis of the GDPR as well as the Federal Data Protection Act (“BDSG”) and other relevant provisions of Union law and national law in the field of data protection law, which may include professional and other special legal regulations. To give an example: the specific legal basis for collecting your data for certain purposes may be Art. 6 (1) a) GDPR in the event of your corresponding effective consent.

B. Definitions

Processor: an entity that processes personal data on behalf of another (namely the controller of such data), for example a data center.

BDSG: a federal law in the field of data protection, enacted on June 30, 2017, and, like the GDPR, coming into force on May 25, 2018.

Legitimate interest: a legitimate interest may exist both in relation to enabling and avoiding data processing, depending on the perspective of the actor (clinic) or data subject (natural person). In practice, it usually depends on whose interest prevails in the specific situation, whereby a variety of factors (type of data, situation in which it is collected, intended use, etc.) must be taken into account in the corresponding assessment, while respecting the fundamental rights and freedoms of the data subject.

Data subject: the person whose data is the subject of a data processing operation, in this case specifically: you.

Browser: a computer program for displaying web pages on the World Wide Web, i.e., a type of user interface for Internet applications. Well-known examples are Microsoft Edge, Mozilla Firefox, and Google Chrome.

Cookie: a small text file that is sent to your computer (or other device used to access the Internet) and stored there. If you visit the site again, this is recognized there due to the cookie that has been set, which means that, for example, certain usage preferences (such as language settings) or interim results from previous use (such as the shopping cart of an online store) can be activated directly.

Data processing: the use or collection of data in the broadest sense, whether automated or not, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or other forms of provision, comparison or linking, restriction, erasure or destruction of data.

GDPR: a regulation of the European Union (EU 2016/679) in the field of data protection, adopted on April 27, 2016, and effective as of May 25, 2018 (with immediate effect also for Germany).

Last contact: by last contact with you, we mean a situation in which no contractual relationship has been established between you and us and we have not “heard” from you for more than 3 (three) months, whereby it is not the acoustic nature of the contact that matters, but any type of contact between you and us that is perceptible to us (e.g., via email, letter, or text message) is sufficient to restart the aforementioned 3-month period.

Personal data: all information relating to an identified or identifiable natural person; the latter is the case if a person can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a natural person, as well as genetic or biometric data (with identification function), health data, or data concerning the sex life or sexual orientation of that natural person.

Profiling: any form of automated processing of personal data for the purpose of evaluating certain personal aspects of a natural person, in particular to analyze or predict aspects relating to their work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or changes of location.

Controller: an entity (including a non-public entity) that, alone or jointly with others, determines the purposes and means of the processing of personal data, in this case specifically: us.

When we refer to data in the following, we mean personal data. The terms European Union, EU, and Union are used interchangeably.

C. Scope of application and competent supervisory authority

I. Applicability regardless of the nationality of the data subject

Data protection regulations usually concern the protection of natural persons and their personal data. This also applies to the central legislation relevant in this context, the GDPR and the Federal Data Protection Act (“BDSG”), to which we as a German joint practice (regularly referred to as the “controller” or “responsible body” in data protection law) are automatically subject. To date, the question of the extent to which legal entities can also claim data protection against data-processing companies has not been fully clarified. As a precautionary measure and in the interests of data protection, which also includes granting you the right to choose whether to disclose information, we treat legal entities as natural persons in any case where their personal data is concerned. This is the case, for example, when it comes to the natural persons behind the legal entity, i.e., when these persons also appear in a recognizable manner as natural persons in practice-related actions. We owe the legal requirements of data protection law described here (and others) not only to German data subjects or citizens of EU member states, but to all persons, regardless of their nationality (or whether they have one at all), whose data we process in the EU (or have processed), even if the actual processing takes place outside the EU.

II. Competent (supervisory) authorities

Our clinic is based in North Rhine-Westphalia. The following supervisory authority is therefore primarily responsible for monitoring our compliance with data protection obligations:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf, telephone: 0211/38424-0, Fax: 0211/38424-10, Email: poststelle@ldi.nrw.de

D. Data collection and purpose limitation (scope of use)

I. Type of data collection

Data collection is the first step and also part of data processing. It is only permissible (lawful) if the legal requirements (in particular those of the GDPR and the BDSG) for measures of this kind are met. In the practice of our clinic, the following four situations in particular can legitimize the collection of data (as well as its further processing):

(a) (explicit) consent has been given;

(b) the measure is necessary either for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request;

(c) the measure is necessary to fulfill a legal obligation incumbent on us (e.g., a statutory retention obligation);

(d) there is a legitimate interest in our favor which outweighs your interests, rights, etc. under data protection law in individual cases.

In our clinic, the following types of collection are carried out in more detail:

1. Collection from you (the “data subject”)

We usually collect the data relevant to the purposes of our clinic directly from you, which can be done in various ways:

  • You contact us via the contact form on our website, in which certain basic data must be provided;
  • You contact us in another way, e.g., with an inquiry about a product, and request further information, which we will send to your address;
  • You provide us with data on your own initiative (by whatever means of communication), for example, to receive an individual offer from us based on this data or to propose a contract to us;
  • We contact you, within the scope of what is permissible under competition law (e.g., at an information event), resulting in a business transaction for the completion/further processing of which we ask you to provide us with certain data.

We generally consider the above-mentioned transactions to be those in which either you have given your (at least tacit) consent or the data processing is the result of a request made by you involving data. Your consent is not bound to a specific form. However, since we are obliged to prove that you have actually given your consent with regard to the processing of data on the basis of consent, but this cannot be directly documented in every communication situation (e.g., telephone conversation), we may contact you again after such an event to ask for formal confirmation of your consent.

2. Collection from third parties

In exceptional cases, we (also) collect data about you from third parties, although if you have not given your consent, this is only permissible if we have a legitimate interest or if there is a legal exception. Such an interest may exist (in our favor), for example, in the case of a treatment contract with you, in which we have an extensive obligation to provide advance services and we would need to check your credit rating with a relevant provider (such as Creditreform). If necessary, we would also obtain information from public registers and generally accessible (public) sources (e.g., www.Bundesanzeiger.de), which would also fall within the scope of information collection from third parties and the corresponding admissibility requirements. However, the data obtained in this way never leads to automated decision-making in our company, but is only intended to broaden the basis for our own decision-making. If we collect data about you from third parties, we will inform you of the type and scope of this data in accordance with legal requirements, at the latest within one month of obtaining the data collected in this way. Our aforementioned obligation to provide information may be waived in special exceptional cases, e.g. if fulfilling this obligation would involve disproportionate effort.

3. Automated data collection

Each time you access content on our website, data that may allow identification is temporarily stored. The following data is stored each time you visit www.plastische-chirurgie-medienhafen.de: date and time of access, name of the Internet service accessed, the resource accessed and the action/query used by the client, amount of data transferred, notification of whether the access was successful, IP address of the accessing computer. The stored data is collected for the purpose of statistical evaluation of the use of the website and summarized anonymously. It is also used to defend against and analyze attacks on the website. Cookies may also be used in connection with your use of our website, in which case we will provide you with a corresponding notice directly on the website and ask for your consent, which you are (of course) completely free to give or withhold. You can also set your browser (for more information, see its “Help” menu) to block all cookies (and thus automatically those from our website) or, alternatively, to receive a notification before a cookie is set. In this case, however, you may no longer be able to use our website to its full extent and/or only with significant delays, and user-specific preferences for the purpose of more convenient use (e.g., correct language settings) may no longer be available. Once cookies have been set, you can delete them yourself at any time using your browser.

Tracking and analysis tools also use cookies. We also use such cookies. In particular, we use the following tracking and analysis tools:

Google Analytics

Web analysis service provided by Google Inc. (https://www.google.de/intl/en/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). In this context, pseudonymized usage profiles are created and cookies (see section 4) are used. The information generated by the cookie about your use of this website, such as browser type/version, operating system used, referrer URL (the previously visited page), host name of the accessing computer (IP address), time of the server request, is transmitted to a Google server in the USA and stored there. This data is evaluated to determine how the website is used. The evaluation is output in reports on the activities, which then form the basis for market research. This data is then passed on to third parties, insofar as this is permissible or necessary. However, your IP address remains anonymous and is not merged with other Google data. You can also prevent the installation of cookies by adjusting your browser software settings accordingly; but we would like to point out that in this case you may not be able to use all the functions of this website to their full extent. Finally, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de). As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie will be set to prevent future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. 
For more information about data protection in connection with Google Analytics, please refer to the Google Analytics Help Center (https://support.google.com/analytics/answer/6004245?hl=en).

Social media

We also use social networks to promote our clinic. This is for commercial purposes that we pursue. Responsibility for data protection-compliant operation lies with the respective providers of the corresponding service. We have integrated these services into our website using the so-called “two-click” procedure in order to protect your data.

Facebook Pixel

Our website uses the visitor action pixel from Facebook, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) to measure conversions.

This allows the behavior of page visitors to be tracked after they have been redirected to the provider’s website by clicking on a Facebook advertisement. This allows the effectiveness of Facebook advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that it can be linked to the respective user profile and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Use Policy. This enables Facebook to place advertisements on Facebook pages and outside of Facebook. As the website operator, we have no influence on this use of the data.

You can find further information on the protection of your privacy in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

You can also deactivate the “Custom Audiences” remarketing function in the ad settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.

If you do not have a Facebook account, you can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

YouTube

We have integrated the video portal YouTube LLC, San Bruno, CA, US (YouTube) on our website via plugins/cookies. You can recognize the corresponding interface by the YouTube logo. As soon as you visit one of our web pages that contains such a plugin/cookie, a direct connection is established between your browser and the YouTube server. YouTube is thereby automatically notified that you have visited our web pages with your IP address. If you click on the “YouTube button” while you are logged into your YouTube account, the content of our web pages can be linked to your YouTube channel in the background. This allows YouTube to associate your visit to our website with your user account. We would like to point out that, as the provider of the website, we have no knowledge of the content of the data transmitted or its use by YouTube or the companies behind it. If you do not want YouTube to be able to associate your visit to our website with your profile, please contact YouTube to find out whether simply logging out of your YouTube account is sufficient for this.

Vimeo

We have integrated the video portal Vimeo LLC, based in White Plains, NY, USA, into our website via plugins/cookies. You can recognize the corresponding interface by the Vimeo logo. As soon as you visit one of our web pages that contains such a plugin/cookie, a direct connection is established between your browser and the Vimeo server. Vimeo is automatically notified that you have visited our website with your IP address. If you click on the “Vimeo button” while you are logged into your Vimeo account, the content of our website can be linked to your Vimeo channel in the background. This allows Vimeo to associate your visit to our website with your user account. We would like to point out that, as the provider of the websites, we have no knowledge of the content of the data transmitted or its use by Vimeo or the companies behind it. If you do not want Vimeo to be able to assign your visit to our pages to your profile, please contact Vimeo to find out whether simply logging out of your Vimeo account is sufficient for this purpose.

An alert box has been set up for the social media channels Facebook, Twitter, Instagram, and Google+. You will receive an explicit notice that you are leaving our website and switching to the selected social media channel.

Microsoft Clarity

This website uses Clarity. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, https://docs.microsoft.com/en-us/clarity/ (hereinafter referred to as “Clarity”).
Clarity is a tool for analyzing user behavior on this website. In particular, Clarity records mouse movements and creates a graphical representation of which parts of the website users scroll through most frequently (heat maps). Clarity can also record sessions so that we can view page usage in the form of videos. We also receive information about general user behavior within our website.
Clarity uses technologies that enable user recognition for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). Your personal data is stored on Microsoft servers (Microsoft Azure Cloud Service) in the USA.
If consent has been obtained, the above-mentioned service is used exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If consent has not been obtained, the use of this service is based on Art. 6 (1) lit. f GDPR; the website operator has a legitimate interest in effective user analysis.
Further details on Clarity’s data protection can be found here: https://docs.microsoft.com/en-us/clarity/faq
Opt-out option: https://choice.microsoft.com/de-DE/opt-out

4. Collection of special data

Special categories of personal data (see section B above) are collected by us. We expressly declare that we require your consent for this data processing in particular.

II. Purpose limitation (scope of use), type of data collected

1. Main purposes

When we collect data, we do so solely for the operational purposes of our clinic, in particular to ensure:

  • the proper receipt and awarding of orders (regardless of their legal nature), including their processing;
  • the ability to prepare cost estimates, offers, and the like for you;
  • the ability to draw up and execute contracts, including their payment and shipping processing;
  • compliance with our statutory warranty obligations and any existing contractual guarantees, or the assertion of these against third parties (e.g., our suppliers);
  • the traceability (including legal) and enforcement/enforceability of our claims against patients, as well as the defense of claims asserted against us;
  • a high level of customer service, which can reach and support you in various ways as necessary and thereby meet your high expectations of our company.

2. Secondary purposes

In addition, your data may be used for secondary purposes of our clinic, e.g. for:

  • Determining the satisfaction of our patients with our services (including our website);
  • Improving our services (including our website);
  • Enabling the development of customized offers for patients;
  • Providing support/goodwill for our services beyond the warranty periods (if applicable).

With regard to the collection/use of data for such secondary purposes (especially in the case of direct marketing), you may have extended rights compared to those for primary operational purposes, even if you have expressly consented to the collection of data. Details can be found (among other places) in Section H XI.

3. Change of purpose

If we wish to process your data for purposes other than those for which it was collected and we do not have your consent to do so, we will only do so if the current purpose is still compatible with the original purpose.

In doing so, we will carry out a comprehensive weighing of interests, taking into account, among other things: the context of the original collection, the degree of connection between the original collection and current processing purposes, the nature (sensitivity) of the data, and the consequences of further processing for you, as well as the existence of processing safeguards (e.g., encryption).

4. Type of data collected or stored

The following types of data in particular are collected by us and then stored: Your name, address, date of birth, your occupation or the industry in which you work, if applicable, your marital status, your (other) data for easier contact (e.g., email and/or telephone and/or fax), your bank details, if applicable, and, if applicable, certain additional data (such as company key figures, HRG number, tax numbers, management relationships), as well as our own findings after data collection, such as your treatment history with us, complaints, use of warranty rights, etc., possible need for further services, and the associated payment behavior.

E. Transfer of data

We do not transfer data to third parties unless this is necessary for:

  • the fulfillment of primary and secondary operational purposes, whereby such transfer is limited to companies with which we have a contractual relationship in order to fulfill the contractual purpose towards you (e.g., laboratories, doctors, and suppliers of medical products);
  • coordination with our (external) advisors in tax, business, and legal matters, whereby these will generally be persons who are already subject to a legal duty of confidentiality due to their professional position;
  • the processing of payment transactions, regardless of whether we are the paying or payable party;
  • enabling the assessment of the (in particular) financial risk of a legal transaction that is being considered or has already been concluded but not yet fully executed with regard to various characteristics of the (future) contractual partner, such as their creditworthiness, liquidity, payment history, etc.;
  • the fulfillment of public law obligations, for example, at the request of an authority based on relevant legal provisions.

F. Contract data processing

We work with processors. Guarantee agreements oblige the processors to comply with our data protection policy.

G. Data retention

In accordance with the principle of storage limitation, we only store your data for as long as is necessary for the purposes for which it is/has been processed. If, for example, no business contact has been established with you after a contractual initiation phase and there is no prospect of this happening in the foreseeable future, there is no longer any operational interest in storing the data after the expiry of the limitation period, which covers any possible claims – regardless of which party is entitled to them – arising from a possible pre-contractual obligation. In some situations, such an interest in storage may even expire in an even shorter period of time. However, due to legal regulations – over which we naturally have no influence – we may be forced to store data for longer than we ourselves would consider necessary. Such retention obligations arise in particular from commercial and tax law, and in some cases also from professional law or other special legal provisions, according to which, for example, every commercial/business letter, whether received or sent, must be retained for a period of 6 years (from the date of receipt or dispatch). This may, among other things, affect your right to erasure, namely by postponing it for a certain period of time or downgrading it to a right to restriction. For more details, please refer to Section H VI. (below).

H. Your rights (rights of the data subject)

I. General information

1. Non-exhaustive list of your rights under this DSE; no formal requirements

For reasons of better readability, we have not listed every right to which you may or actually are entitled in detail below, nor have we looked at which cases may arise in practice for our clinic or for you as a data subject in the data processing we carry out. The presentation here is therefore not exhaustive with regard to your rights, but is supplemented (particularly in peripheral areas) by the GDPR and other relevant legislation. No special form is required to assert your rights, so that this can also be done by telephone or e-mail, for example.

2. Deadlines for our response to your exercise of rights

If you assert any of the rights in this section H, we will inform you immediately, but at the latest—subject to the following sentence—within one month of receiving your request, how this will affect your specific case (in particular, what legal consequences this may have). If your request is based on complex circumstances and we are faced with a large number of requests at the same time, we are entitled to respond to the content within a period of 3 months, in which case we will notify you of such a delay within the aforementioned one-month period and provide reasons for it. We must also respond to you in a reasoned manner within one month if we do not wish to take action on your request.

3. Costs

Notification of your rights, the fulfillment of other information obligations by us, and measures taken to implement your rights are free of charge for you. Only in the case of manifestly unfounded or excessive requests (in particular in terms of number) are we entitled to charge a reasonable fee corresponding to the administrative effort involved or to refuse to process the request.

4. Contact details for asserting your rights

All of the rights described in this section H—with the exception of the right to lodge a complaint—must be asserted against us. Our contact details are provided below:

Plastmed Private Clinic
Neuer Zollhof 2
40221 Düsseldorf

T +49 211 876 302 40
info@plastmed.de

II. Right to information

You have the right to obtain information from us as to whether we process personal data relating to you. If this is the case, the information provided will also include, among other things:

(a) what type of data is processed and for what purposes;

(b) to whom the data may have been forwarded (and what guarantees, if any, have been given by the recipient for the handling of your data in accordance with data protection law, for example in the case of third-country involvement);

(c) duration—or criteria for the duration—of the (planned) storage of this data;

(d) where applicable, the origin of the data (in the case of collection from third parties);

(e) where applicable, meaningful information about the (system) logic used and the scope and intended effects of data processing for you, if this was the subject of automated decision-making (note: this does not occur in our clinic).

We will provide you with a copy of this information. If you submit your request electronically, we will provide it in electronic form (i.e., in a commonly used electronic format). We may charge a reasonable fee for additional copies, commensurate with the administrative costs incurred by us.

III. Right to revoke consent given

You have the right to revoke your consent at any time. Such revocation does not affect the lawfulness of consent-based data processing prior to the revocation, but it does mean that we may no longer carry out any activities with regard to your data if the consent that has been revoked in the meantime was the only legal basis for this. This is not the case, for example, if we are still subject to a retention obligation with regard to the data. The revocation is informal and can be made in the same form in which the consent was previously given.

IV. Right to rectification

You have the right to request that we rectify any inaccurate personal data concerning you without delay. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data, including by means of a supplementary statement. If your data has been disclosed to third parties, we will notify them of the data correction, unless this is impossible or involves disproportionate effort. At your request, we will name the aforementioned third parties to you.

V. Right to erasure (also known as the “right to be forgotten”)

1. Right to erasure

Subject to the exceptions set out in subsection 3 below, you may request that we delete your personal data immediately if:

(a) it (in particular its further storage) is no longer necessary in relation to the purposes for which it was collected;

(b) you have withdrawn your consent in the case of consent-based data processing;

(c) you object to further processing;

(d) the data processing was unlawful;

(e) the deletion is necessary to fulfill a legal obligation under Union or national law;

(f) the data was collected from a child (under the age of 16) in relation to information society services, which in this context is understood to mean a service usually provided for a fee, which is provided electronically by means of distance communication (i.e., without direct physical contact between the parties involved) and on individual request.

If your data is deleted, we generally assume that you agree to us adding your name to our list of people who do not wish to be contacted by us (any longer). This minimizes the chance that you will be contacted in the future, for example if your data is re-entered in another context. If you do not wish this to happen, please notify us accordingly.

2. Further rights regarding the publication of your data and third-party involvement

If we have published the data to which your deletion request relates, we will take reasonable measures (taking into account the available technology and implementation costs) to ensure that those responsible for this data are informed that you have requested the deletion of the data (including links to and copies of this data). If your data has been disclosed to third parties (in any other way), we will notify them of the data deletion, unless this is impossible or involves disproportionate effort. At your request, we will name the aforementioned third parties to you.

3. Exceptions to the right to erasure

You are not entitled to the right to erasure, even temporarily, in particular if the data processing is necessary:

(i) to exercise the right to freedom of expression and information;

(ii) to fulfill a legal obligation to which we are subject under Union or national law (this may be, for example, a statutory retention obligation [before its expiry]);

(iii) for the assertion, exercise, or defense of legal claims,

or if

(iv) in the event of your revocation within the meaning of Section III above, there is another legal basis for data processing;

(v) in the event of your objection within the meaning of Section V. 1. (c) above, firstly, there are overriding legitimate grounds for data processing and, secondly, your objection is not directed solely against direct marketing and any related profiling (in the latter case – direct marketing, related profiling – you always have a right to erasure).

4. Rights similar to deletion

If you are not entitled to deletion (at least temporarily), you may nevertheless have a right to restriction of (further) data processing by us. For more details, please refer to Section VI below.

VI. Right to restriction of processing

If data has been collected by us unlawfully and you are therefore (actually) entitled to erasure, you can request that we restrict data processing instead of erasure. The same applies to lawfully collected data in the event that we have fulfilled our purpose, but you need the data to assert, exercise, or defend legal claims. If you have objected to the processing of data concerning you (and we do not have to comply with this simply because it is directed against direct marketing/related profiling) or have disputed the accuracy of data, you can request that we restrict the use of your data during the corresponding review phase (balancing of interests in the event of an objection, investigation of the data for actual inaccuracy). This means that we may only process the data thus restricted (apart from its storage and special cases of particular public interest) with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

Even without any action on your part, we will restrict the use of your data to the extent described above if the last contact with you (see section B) was more than three (3) years ago, plus the remainder of the year in which the last contact took place. Any rights of restriction or erasure that may have arisen at an earlier point in time remain unaffected by this.

If data restriction has been carried out in the aforementioned sense and is due to be lifted (e.g., because it has been determined that the data is not incorrect), we will inform you before taking this step. If your data has been disclosed to third parties, we will inform them of the data restriction, unless this is impossible or involves disproportionate effort. At your request, we will name the aforementioned third parties to you.

VII. Right to data transfer

If we process your data automatically on the basis of your consent or within the framework of a contractual relationship, you can request that we provide you with the corresponding data in a structured form in a common, machine-readable format, for example, so that you can forward it yourself (and without any influence from us) to another data controller. To the extent technically feasible and not affecting the rights of other persons, you may also request that we transfer such data directly to another data controller of your choice (e.g., a company with which you wish to conclude a contract). Any additional right to erasure that you may have is not affected by a data transfer request.

VIII. Right to notification in the event of a data breach

If a situation arises in which a breach of data protection (e.g., a so-called data breach) poses a high risk to your personal rights and freedoms, we will notify you immediately. Such notification shall include, among other things, the details of your contact person in this matter, information on the consequences of the breach, and the measures already taken or intended to be taken to mitigate it. Such notification may be omitted if we have already taken such effective mitigation measures that a high risk in the aforementioned sense can no longer be assumed, if the data – in particular through technical measures (e.g., encryption) – were already significantly secured against unauthorized access, or if the notification would involve a disproportionate effort (in which case we would initiate a public announcement or measure with a similar broad impact).

IX. Your right not to be subject to data processing based solely on automated decision-making

In principle (i.e. apart from special exceptional cases), you have the right not to be subject to a decision based solely on automated processing, including profiling, if this has legal effects on you or similarly significantly affects you. We do not currently work with such decision-making structures and would inform you separately if this were to change and your data were to be affected.

X. Right to lodge a complaint

You can complain about our conduct in relation to data processing to the competent supervisory authority (named in section C II above) at any time. Of course, you can also complain to us so that we can try to resolve any problems that may have arisen together.

XI. Right to object

If we have processed your data to protect our legitimate interests (or to fulfill a task in the public interest), you can object to this at any time. Further processing by us is then only (still) permissible if we can demonstrate to you reasons for the processing that are so compelling that they outweigh your interests, rights, and freedoms, or if it serves to assert, exercise, or defend legal claims. If your objection is directed against the use of your data for direct marketing purposes/related profiling, we will no longer use/process your data in this respect. You can send us your objection in any form.

I. Data protection officer

Our clinic does not have a data protection officer. You can also contact any department of our clinic at any time, where you will also receive helpful assistance with any questions you may have about data protection.

J. Changes to this privacy policy

This privacy policy may be amended from time to time, for example to adapt it to current/updated decisions in case law on data protection law that were not yet known/foreseeable on May 25, 2018. We will announce any changes on our website. Particularly serious changes will be communicated individually (regularly by email) and in a relevant form to all patients/other affected parties whose contact details we still have at the relevant time.
