Privacy policy
Summary
- General
- Definitions
- Scope and competent supervisory authority
- Data collection and purpose limitation (Scope of use)
- Transfer of data
- Order Data Processing
- Storage of Data
- Your rights as an individual whose data are being processed (data subject)
- Data protection officer
- Changes to this privacy policy
- Compliance with national regulations
A. General
I. General information about this privacy policy; our contact details
The purpose of this privacy policy (In German: Datenschutzerklärung, abbreviated DSE) of our Private Clinic Plastmed, Plastische Chirurgie im Medienhafen (the responsible party, also the ‘controller’ within the meaning of the General Data Protection Regulation, i.e. EU Regulation 2016/679 of 27 April 2016 – abbreviated GDPR), is to inform you, as the affected subject of data processing measures, in a transparent, simple and understandable manner, among other things, about:
- what data we collect, how and why this is done;
- how we handle your data, including, where applicable, with the involvement of third parties;
- the scope of the GDPR;
- what rights and opportunities for participation you have regarding your data and its use;
- what rights we have and how these may affect your rights.
Our contact details are as follows:
Plastmed GbR
Private Clinic officially licensed under §30 GewO (Trade Regulation Act, Germany)
Neuer Zollhof 2
40221 Duesseldorf, Germany
Clinic Owners: Dr. med. Andreas Arens-Landwehr, Dr. med. Jens Diedrichson, Dr. med. Naja-Norina Pluto, Dr. med. Till Scholz
E-Mail: info@plastische-chirurgie-medienhafen.de
Website: www.plastische-chirurgie-medienhafen.de
Phone: +49 (0)211 87630240
II. Terms used in Data Protection Law
In data protection law, as in applications relevant to data protection, terms are sometimes used that are not self-explanatory and/or have not yet become part of everyday language to such an extent that everyone can be expected to know their meaning. For this reason, we have explained some of the most frequently used terms in more detail in Section B. (Definitions).
III. Our approach to data protection
Data protection is important to us, and we take a variety of measures to ensure that your data is in safe hands with us. The principles set out in the GDPR are also our own principles when handling your data. This includes, not least, the requirement of data purpose limitation and minimization. In this context, we regularly request only the minimum amount of data from you (or, if necessary, from third parties) that is necessary for us to establish a clinic/patient relationship with you in accordance with recognized professional principles and to provide you with excellent service. This principle of necessity is also applied at employee level, i.e. only those employees who absolutely need personal data to perform the tasks assigned to them have access to such data. At the same time, we only store data for as long as is necessary for the aforementioned purposes, unless longer storage periods are required by law. Another component of our data protection system is that of technical design and organization. Through modern data processing equipment, other technical precautions and, where necessary, the involvement of external specialist companies, we ensure that a high level of data security is guaranteed within our private clinic (including through the use of data encryption technology) and that the risk of unauthorized access by third parties is excluded as far as possible. At the same time, data is stored in such a way that it can be easily found at any time and, if necessary, restored. In addition to the legality of the acquisition, we strive to only process correct data, so we welcome receiving updates from your side.
IV. Legal Basis
Our data processing is carried out in particular based on the GDPR as well as the Federal Data Protection Act (in German: Bundesdatenschutzgesetz, ‘BDSG’) and other relevant provisions of European Union law and national law in the field of data protection law, which may include professional law-related and other special legal regulations. For instance: Given your effective consent, the specific legal basis for collecting your data for certain purposes may be Art. 6 (1) a) GDPR.
B. Definitions
Processor: an entity that processes personal data on behalf of another entity (namely the controller responsible for such data), for example a data centre.
BDSG: a federal law in the field of data protection, enacted on 30 June 2017 and, like the GDPR, entering into force on 25 May 2018.
Legitimate interest: A legitimate interest may exist both in relation to enabling and preventing data processing, depending on the perspective of the actor (private clinic) or the data subject (natural person). In a private clinic, it usually depends on whose interest prevails in the specific situation, whereby a variety of factors (type of data, situation in which it is collected, intended use, etc.) must be taken into account in the corresponding assessment, taking into consideration the fundamental rights and freedoms of the affected individual.
Affected Individual or Data Subject: the person whose data is the subject of a data processing operation, in this case: you.
Browser: a computer program for displaying web pages on the World Wide Web, i.e. a kind of user interface for Internet applications. Well-known examples are Microsoft Edge, Safari and Google Chrome.
Cookie: a small text file that is sent to your computer (or other device used to access the Internet) and stored there. When visiting the website again, the cookie is recognized, allowing certain usage preferences (such as language settings) or previous usage (such as the shopping basket of an online shop) to be activated.
Data Processing: the use or collection of data in the broadest sense, whether automated or not, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
GDPR (German: DSGVO): a regulation of the European Union (EU 2016/679) in the field of data protection, adopted on 27 April 2016 and applicable since 25 May 2018 (with immediate effect also for Germany).
Last Contact: this means a situation in which no contractual relationship has been established between you and us and we have not ‘heard’ from you for more than 3 (three) months, whereby the acoustic nature of the contact is not relevant, but rather any type of contact between you and us that is perceptible to us (e.g. also via email, letter or text message) is sufficient to restart the aforementioned 3-month period.
Personal Data: all information relating to an identified or identifiable natural person; the latter is the case if a person can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data (with identification function), health data or data concerning a natural person’s sex life or sexual orientation.
Profiling: any form of automated processing of personal data intended to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Controller: an entity (including a non-public entity) that alone or jointly with others determines the purposes and means of the processing of personal data, in this case specifically: us.
When we refer to data in the following, we mean personal data. The terms European Union, EU and Union are used interchangeably.
C. Scope of application and competent supervisory authority
I. Applicability regardless of the Nationality of the Data Subject
Data protection regulations are usually intended to protect natural persons and their personal data. This is also the case with the central legislation relevant in this context, the GDPR and the Federal Data Protection Act (‘BDSG’), to which we, as a German Private Clinic (regularly referred to as ‘controller’ or ‘responsible body’ in data protection law), are subject without further ado. The question of the extent to which legal entities can also claim data protection rights against data processing companies has not yet been fully clarified. As a precautionary measure and in the interests of data protection, which also includes granting you options in connection with the disclosure of information, we treat legal entities as natural persons in all cases where their personal content is affected. This is the case, for example, when it comes to the natural persons behind the legal entity, i.e. if they also appear as natural persons in a recognizable manner in the private clinic. We owe the legal requirements of data protection law described here (and others) not only to German data subjects or members of EU member states, but to all persons, regardless of their nationality (or whether they have any), in respect of whom we carry out data processing activities in the EU (or have such activities carried out), even if the actual processing takes place outside the EU.
II. Competent (supervisory) authorities
Our Private Clinic is based in North Rhine-Westphalia. The following supervisory authority is therefore primarily responsible for monitoring our compliance with data protection obligations:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Duesseldorf, Germany, Phone: +49 (0)211/38424-0, Fax: +49 (0)211/38424-10, E-Mail: poststelle@ldi.nrw.de
D. Data collection and purpose limitation (scope of use)
I. Type of data collection
Data collection is the first step and at the same time part of data processing. It is only permissible (lawful) if the legal requirements (in particular those of the GDPR and the BDSG) applicable to measures of this kind are met. In our private clinic, the following four situations in particular may justify the collection of data (and its further processing):
(a) we have obtained your (explicit) consent;
(b) the measure is necessary either for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request;
(c) the measure is necessary to fulfil a legal obligation to which we are subject (e.g. a statutory retention obligation);
(d) there is a legitimate interest on our part which outweighs your interests, rights, etc. of a data protection nature in individual cases.
In our private clinic, the following types of data collection occur in particular:
1. Collection from you (the ‘data subject’, i.e. the person whose data are being processed)
As a rule, we collect the data relevant to our private clinic directly from you, which can be done in various ways:
- You contact us via the contact form on our website, in which certain basic data must be provided;
- You contact us in another way, e.g. with an enquiry about a product, and request further information which we will send to your address;
- You provide us with data on your own initiative, by whatever means of communication, e.g. in order to receive an individual offer from us based on this data or to propose the conclusion of a contract to us;
- We contact you – within the limits of competition law – (e.g. at an information event), which results in a business transaction for the completion / further processing of which we ask you to provide us with certain data.
We generally consider the above-mentioned processes to be those in which either you have given your (at least tacit) consent or the data processing is the result of a request made by you involving data. Your consent is not tied to a specific form. However, as we are obliged to prove that you have actually given your consent to the processing of data based on consent, but this cannot be immediately documented in every communication situation (e.g. telephone conversation), we may contact you again after such an event to ask for formal confirmation of your consent.
2. Collection from third parties
In exceptional cases, we collect data about you (also) from third parties, whereby this is only permissible if you have not given your consent, if we have a legitimate interest or if there is a legal exception. Such an interest may exist (in our favour), for instance, if we have a treatment contract with you that involves a significant advance performance obligation on our part and we would need to assess your creditworthiness with a relevant provider (such as Creditreform) in order to evaluate the associated (cost) risk. If necessary, we would also obtain information from public registers and generally accessible (public) sources (e.g. www.Bundesanzeiger.de), which would fall within the scope of information collection from third parties and the corresponding conditions for permissibility, too. However, the data obtained in this way never leads to automated decision-making in our company, but is only intended to broaden the basis for our own decision-making. If we collect data about you from third parties, we will inform you of the type and scope of this data in accordance with the legal requirements, at the latest, within one month of obtaining the data collected as described. Our aforementioned obligation to inform you may be waived in exceptional cases, e.g. if fulfilling this obligation would involve disproportionate effort.
3. Automated data collection
Every time you access content on our website, data that may allow you to be identified is temporarily stored. The following data is stored each time you visit www.plastmed.de: date and time of access, name of the Internet service accessed, the resource accessed and the action/query made by the client, amount of data transferred, notification of whether the access was successful, IP address of the accessing computer. The data stored is collected for the purpose of statistical evaluation of the use of the website and is summarized in anonymized form. They are also used to defend against and analyze attacks on the website. Cookies may also be used in connection with your use of our website, in which case we will provide you with a corresponding notice directly on the website and request your consent, which you are (of course) completely free to give or withhold. You can also set your browser (see the ‘Help’ menu for more details) so that all cookies (and thus automatically those of our website) are blocked or, alternatively, a message appears before such a cookie is set. In this case, however, you may no longer be able to use our website to its full extent and / or only with significant delays, and user-specific presettings for the purpose of a more convenient use (e.g. correct language setting) may no longer be available. Once set, you can delete cookies yourself at any time using your browser.
Tracking and analysis tools also use cookies. We also use such cookies. In particular, we use the following tracking and analysis tools:
Google Analytics
Web analytics service provided by Google Inc. (https://www.google.de/intl/en/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter ‘Google’). In this context, pseudonymized usage profiles are created and cookies (see section 4) are used. The information generated by the cookie about your use of this website, such as browser type/version, operating system used, referrer URL (the previously visited page), host name of the accessing computer (IP address), time of the server request, is transferred to a Google server in the USA and stored there. This data is evaluated to determine how the website is used. The evaluation is presented in reports on activities which are then used for market research. This data is then passed on to third parties if this is permitted or necessary. However, your IP address remains anonymous and is not merged with other data from Google. You can also prevent the installation of cookies by adjusting your browser software settings; accordingly, however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. Finally, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de). As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie will be set to prevent future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you will have to set the opt-out cookie again.
Further information on data protection in connection with Google Analytics can be found in Google Analytics help (https://support.google.com/analytics/answer/en).
Social Media
Like others, we, too, use social networks to promote our private clinic. This is done for commercial purposes. Responsibility for data protection lies with the respective providers of the relevant services. We have integrated these services into our website using the so-called ‘two-click’ procedure to protect your data.
Facebook Pixel
Our website uses the visitor action pixel from Facebook, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (‘Facebook’) to measure conversion.
This makes it possible to track the behaviour of visitors to the website after they have been redirected to the provider’s website by clicking on a Facebook advertisement. This allows the effectiveness of Facebook advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimized.
The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook data usage policy. This enables Facebook to place advertisements on Facebook pages and outside Facebook. We, as the website operator, have no influence on this use of these data.
For further information on the protection of your privacy in Facebook’s privacy policy, please go to: https://www.facebook.com/about/privacy/.
You can also deactivate the ‘Custom Audiences’ remarketing function in the ad settings (https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen). To do this, you must be logged in to Facebook.
If you do not have a Facebook account, you can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.
Microsoft Clarity
This website uses Clarity. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, https://docs.microsoft.com/en-us/clarity/ (hereinafter referred to as ‘Clarity’).
Clarity is a tool for analyzing user behaviour on this website. In particular, Clarity records mouse movements and creates a graphical representation of which parts of the website users scroll through most frequently (heat maps). Clarity can also record sessions so that we can view page usage in the form of videos. We also receive information about general user behaviour on our website.
Clarity uses technologies that enable user recognition for the purpose of analyzing user behaviour (e.g. cookies or device fingerprinting). Your personal data is stored on Microsoft servers (Microsoft Azure Cloud Service) in the USA.
If consent has been obtained, the above-mentioned service will be used exclusively based on Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the use of this service is based on Art. 6 para. 1 lit. f GDPR; the website operator has a legitimate interest in effective user analysis.
Further details on Clarity’s data protection can be found here: https://docs.microsoft.com/en-us/clarity/faq
Opt-out option: https://choice.microsoft.com/de-DE/opt-out
4. Collection of special Data
We collect special categories of personal data (see section B above). We expressly declare that we require your consent for this data processing in particular.
II. Purpose limitation (scope of use), type of data collected
1. Main Purposes
When collecting data, we do so solely for operational purposes of our private clinic, in particular to ensure:
- the proper receipt and assignment of orders (regardless of their legal nature), including their processing;
- the ability to provide you with cost estimates, offers, etc.;
- the formulation and executability of contracts, including their payment and dispatch;
- compliance with our statutory warranty obligations and any existing contractual guarantees or the assertion of such against third parties (e.g. our suppliers);
- the (possibly also judicial) traceability and enforcement/enforceability of our claims against patients as well as the defence of claims asserted against us;
- ensuring a high level of customer service, which can be ensured and supported by various means if necessary and which meets your high expectations of our company.
2. Secondary Purposes
In addition, your data may be used for secondary purposes of our private clinic, e.g. for:
- Determining the satisfaction of our patients with our services (including our website);
- Improving our services (including our website);
- Enabling the development of tailor-made offers for patients;
- Providing support/goodwill for our services beyond the warranty periods.
With regard to the collection / use of data for such secondary purposes (especially in the case of direct marketing), you may have extended rights compared to those for primary operational purposes, even if you have expressly consented to the collection of data. Details can be found (amongst others) in Section H XI.
3. Change of Purpose
If we wish to process your data for purposes other than those for which it was collected and we do not have your consent to do so, we will only do so if the current purpose is compatible with the original purpose.
In doing so, we will carry out a comprehensive balancing of interests, taking into account, among other things, the context of the original collection, the degree of connection between the original collection purposes and the current processing purposes, the nature (sensitivity) of the data and the consequences of further processing for you, as well as the existence of processing safeguards (e.g. encryption).
4. Type of data collected or stored
The following data (types) collected by us and subsequently stored are particularly relevant: Your name, address, date of birth, your occupation or the industry in which you work, if applicable, your marital status, your (other) data for easier contact (e.g. email and/or telephone and/or fax), your bank details, if applicable, and, if necessary, certain additional data (such as company key figures, HRG number, tax numbers, management relationships) as well as our own findings after data collection, such as your treatment history with us, complaints, use of warranty rights, etc., possible need for further services and the associated payment behaviour.
E. Transfer of Data
We do not transfer data to third parties unless this is necessary for:
- the fulfilment of primary and secondary operational purposes, whereby such transfer is limited to companies with which we have a contractual relationship to fulfil the contractual purpose towards you (e.g. laboratories, doctors and suppliers of medical products);
- coordination with our (external) advisors in tax, business and legal matters, whereby these will generally be persons who are already subject to a statutory duty of confidentiality due to their professional position;
- the processing of payment transactions, regardless of whether we are the paying party or the party to be paid;
- enabling the assessment of the (in particular) financial risk of a legal transaction that is being considered or has already been concluded but not yet fully executed regarding various characteristics of the (future) contractual partner, such as its creditworthiness, liquidity, payment history, etc.;
- fulfilling public law obligations, for example at the request of an authority because of relevant legal provisions.
F. Order data processing
We engage service providers who act as processors. Guarantee agreements oblige the order processors to comply with our data protection policy.
G. Storage of data
In accordance with the principle of storage limitation, we only store your data for as long as is necessary for the purposes for which it is / has been processed.
If, for instance, no business contact has been established with you after a contractual initiation phase and there is no prospect of this happening in the foreseeable future, there is no longer any operational interest in retaining the data after the expiry of the limitation period to which any claims – regardless of which party is entitled to them – arising from a possible pre-contractual obligation would be subject. In some situations, such an interest in storage may even expire in an even shorter period of time. However, due to legal regulations – on which we naturally have no influence – we may be obliged to store data for longer than we would consider necessary. Such retention obligations arise from commercial and tax law, and in some cases also from professional or other special legal provisions, according to which, for example, every commercial / business letter, whether received or sent, must be retained for a period of 6 years (from the date of receipt). This may, among other things, affect your right to erasure, postponing it for a certain period of time or downgrading it to a right to restriction. For more details, please refer to Section H VI. (below).
H. Your rights (rights of the data subject)
I. General
1. No exhaustive list of your rights under this Data Protection Agreement; no formal requirements
For reasons of better readability, we have not set out every right to which you may be entitled or which you actually have in detail below, nor have we examined which cases may arise in our private clinic for us or for you as the data subject of the data processing to be carried out by us. The present description is therefore not exhaustive with regard to your rights but is supplemented (particularly in peripheral areas) by the GDPR and other relevant legislation. No special form is required to assert your rights; you may do so, e.g., by telephone or email.
2. Deadlines for our response to the exercise of your rights
If you assert any rights under this Section H, we will inform you immediately, but no later than one month after receipt of your request, of the specific effects this will have in your case (in particular, any legal consequences this may entail).
If your request is based on complex circumstances and we are faced with a large number of requests at the same time, we are entitled to respond to your request within a period of three months, in which case we will notify you of such delay within the aforementioned one-month period and provide reasons for it. We must also respond to you in a reasonable manner within one month if we do not intend to take action on your request.
3. Costs
Notification of your rights, the fulfilment of other information obligations by us and measures taken to implement your rights are free of charge for you. Only in the case of manifestly unfounded or excessive requests (in particular in terms of quantity) are we entitled to charge a reasonable fee corresponding to the administrative effort involved or to refuse to process the request.
4. Contact details for asserting your rights
All rights described in this section H – with the exception of the right to lodge a complaint – must be asserted against us. Our contact details are provided below:
Plastmed GbR
Private Clinic officially licensed under §30 GewO (Trade Regulation Act, Germany)
Neuer Zollhof 2
40221 Duesseldorf, Germany
E-Mail: info@plastmed.de
Phone: +49 (0)211 87630240
II. Right to information
You have the right to obtain information from us as to whether we process personal data relating to you. If this is the case, the information shall also include, among other things:
(a) the type of data processed and the purposes for which it is processed.
(b) to whom the data may have been disclosed (and any necessary guarantees, for example in the case of third-country involvement, that the recipient will handle your data in accordance with data protection law).
(c) the duration – or criteria for determining the duration – of the (planned) storage of this data.
(d) where applicable, the origin of the data (in the case of collection from third parties).
(e) where applicable, meaningful information about the (system) logic used and the scope and intended effects of data processing for you, if this was the subject of automated decision-making (note: this does not occur in our private clinic).
We will provide you with a copy of this information, in electronic form (i.e. in a commonly used electronic format) if you submit your request electronically. We may charge a reasonable fee for additional copies, commensurate with the administrative effort involved.
III. Right to withdraw consent
You have the right to withdraw your consent at any time. Such revocation does not affect the lawfulness of consent-based data processing prior to the revocation but means that we may no longer carry out any activities regarding your data if the consent revoked in the meantime was the only legal basis for this. This does not apply if we are still subject to a retention obligation regarding the data. The revocation is informal and can be made in any form, including the form in which the consent was previously given.
IV. Right to rectification
You have the right to request that we immediately rectify any inaccurate personal data. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data, including by means of a supplementary statement. If your data has been disclosed to third parties, we will inform them of the data correction, unless this is impossible or involves disproportionate effort. At your request, we will inform you of the aforementioned third parties.
V. Right to erasure (also known as the ‘right to be forgotten’)
1. Right to Erasure
Subject to the exceptions set out in subsection 3 below, you may request the erasure of your personal data without undue delay if:
(a) it is no longer necessary (in particular for further storage) in relation to the purposes for which it was collected;
(b) you have withdrawn your consent in the case of consent-based data processing;
(c) you object to further processing;
(d) the data processing was unlawful;
(e) erasure is necessary to comply with a legal obligation under Union or national law;
(f) the data was collected from a child (under the age of 16) in relation to information society services, which in this context means a service provided for remuneration, which is generally provided electronically by means of distance communication (i.e. without immediate physical contact between the parties) and at the individual request of the child.
In the event that your data is deleted, we generally assume that you agree to us adding your name to our list of persons who do not wish to be contacted by us (any longer). This minimizes the chance that you will be contacted in the future, for example if your data is collected again in a different context. If you do not wish this to happen, please let us know.
2. Further rights in the event of publication of your data and third-party involvement
If we have published the data to which your deletion request relates, we will take reasonable steps (taking into account the available technology and implementation costs) to ensure that the controllers are informed that you have requested the deletion of the data (including links to and reproductions of the data). If your data has been disclosed to third parties (in any other way), we will inform them of the data deletion, unless this is impossible or involves disproportionate effort. At your request, we will name the aforementioned third parties to you.
3. Exceptions to the right to erasure
You are not entitled to erasure, even temporarily, if the data processing is necessary:
(i) for exercising the right of freedom of expression and information;
(ii) to fulfil a legal obligation to which we are subject under Union or national law (this may be, for instance, a statutory retention obligation [before its expiry]);
(iii) for the assertion, exercise or defence of legal claims,
or if
(iv) in the event of your revocation within the meaning of the above (Section III), there is a different legal basis for data processing;
(v) in the event of your objection within the meaning of the above (Section V. 1. c), firstly, there are overriding legitimate grounds for the data processing and, secondly, your objection is not directed solely against direct marketing and any related profiling (in the latter case, i.e. profiling related to direct marketing, you always have a right to erasure).
4. Rights similar to erasure
If you are not entitled to erasure (at least temporarily), you may nevertheless have a right to restrict our (further) processing of your data. For more details, please refer to Section VI below.
VI. Right to restriction of processing
If data has been collected by us unlawfully and you are therefore (actually) entitled to erasure, you may request that we restrict data processing instead of erasure. The same applies to lawfully collected data in the event that the purpose for which it was collected has been fulfilled on our part, but you require the data to assert, exercise or defend legal claims. If you have objected to the processing of your data (and we are not required to comply with this objection because it is directed against direct marketing/profiling related to this) or if you have disputed the accuracy of the data, you may request that we restrict the use of your data during the corresponding review phase (balancing of interests in the event of an objection, investigation of the data for factual inaccuracy). This means that we may only process the data restricted in this way (apart from its storage and special cases of public interest) with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
Even without any action on your part, we will restrict the use of your data to the extent described above if the last contact with you (see section B) was longer ago than 3 (three) years plus the remainder of the year in which the last contact took place. Any rights to restriction or erasure that may have arisen at an earlier point in time remain unaffected by this.
If data has been restricted in the aforementioned sense and its restriction is due to be lifted (e.g. because it has been determined that the data is not inaccurate), we will inform you before taking this step. If your data has been disclosed to third parties, we will inform them of the restriction of data unless this is impossible or involves disproportionate effort. At your request, we will name the aforementioned third parties to you.
VII. Right to data portability
If we process your data automatically on the basis of your consent or within the framework of a contractual relationship, you can request that we provide you with the corresponding data in a structured, commonly used and machine-readable format, for example so that you can transfer it to another data controller yourself (without any influence from us).
To the extent technically feasible and not affecting the rights of other persons, you may also request that we forward such data directly to another data controller of your choice (e.g. a company with which you wish to conclude a contract). Any additional right to erasure in your favour shall not be affected by a request for data transfer.
VIII. Right to notification in the event of data breaches
If a situation arises in which a breach of data protection (e.g. a so-called data breach) poses a high risk to your personal rights and freedoms, we will notify you immediately. Such notification shall include, among other things, the details of your contact person in this matter, information on the likely consequences of the breach and the measures already taken or intended to be taken to mitigate it. Such notification may be omitted if we have already taken effective mitigation measures that mean that a high risk in the aforementioned sense can no longer be assumed, if the data – in particular through technical measures (e.g. encryption) – were already secured against unauthorized access to a significant extent or if the notification would involve a disproportionate effort (in which case we would arrange for a public announcement or a measure with similar scope).
IX. Your right not to be subject to decisions based solely on automated processing in connection with data processing
In principle (i.e. except in special cases), you have the right not to be subject to a decision based solely on automated processing, including profiling, if this decision has legal effects on you or significantly affects you in a similar way. We do not work with such decision-making structures until further notice and would inform you separately if this changes and your data is affected.
X. Right to lodge a complaint
You may lodge a complaint at any time about our conduct in relation to the processing of data with the competent supervisory authority (named above in Section C II). Of course, you can also complain to us directly, so that we can try to resolve together any problem that may have arisen.
XI. Right to object
If we have processed your data to protect our legitimate interests (or to fulfil a task in the public interest), you can object to this at any time.
Further processing by us is then only permissible if we can demonstrate to you that the reasons for the processing are so compelling that they outweigh your interests, rights and freedoms, or if it serves to assert, exercise or defend legal claims. If your objection is directed against the use of your data for direct marketing purposes/related profiling, we will no longer use/process your data in this respect. You can send us your objection in any form.
I. Data protection officer
Our private clinic does not have a data protection officer. You can also contact any department of our private clinic at any time, where you will receive helpful assistance with any questions you may have regarding data protection.
J. Changes to this privacy policy
This privacy policy may be amended from time to time, for example to adapt it to current/updated decisions in case law on data protection law that were not known/foreseeable on 25 May 2018. We will announce any changes on our website, whereby changes of a particularly serious nature will be communicated individually (regularly by email) to all patients/other affected parties in a relevant form, whose contact details we still have at the relevant time.
July 30th, 2025