Dear patient,
We hold you as an individual, as well as your personal data, in particularly high esteem. In the course of your medical treatment and the corresponding processing of your personal data, we constantly aim to make the data processing as “fair” and transparent as possible for you.

To give you a better idea of how we process your personal data in the context of your medical treatment, we inform you, among other things, which of your personal data we process as part of your treatment. Further, we would like to inform you how and for which purposes we use the data you give us. We also want to provide you with information about your rights and other information connected to your medical treatment that might be of interest to you.

In case you have any questions about any topic in this data protection notice, please let us know; we are at your disposal anytime.

The following information is based upon the statutory provision according to Article 13 of the General Data Protection Regulation (hereinafter “GDPR”).

Data protection

1. Controller of the Processing of Personal Data

The Controller of the processing of your personal data is:
Sophienklinik GmbH
Specialized Clinic for Plastic and Aesthetic Surgery
Sophienstrasse 41
D-70178 Stuttgart
phone +49 (711) 25 25 75 – 0
fax +49 (711) 25 25 75 – 45
info@sophienklinik-stuttgart.de

We appointed a data protection officer who is available for your questions via e-mail anytime under dsb@sophienklinik-stuttgart.de

2. Processing of Your Personal Data (Purpose) and Legal Basis

Personal data that you give us or that we collect in the context of your medical treatment is processed generally only for the following purposes:

  • Treatment / for the fulfillment of the contract about medical treatment (cf. Article 9 para. 2 (h) GDPR in connection with section 22 para. 1 (b) Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] in connection with section 630a German Civil Code [Bürgerliches Gesetzbuch, BGB]). We would like to inform you that without your personal data we can neither treat you nor fulfill the contract about medical treatment,
  • Documentation of treatment (cf. Article 9 para. 2 (h) GDPR in connection with section 22 para. 1 (b) BDSG in connection with section 630f BGB),
  • Billing of medical treatment (cf. Article 9 para. 2 (h) GDPR in connection with section 22 para. 1 (b) BDSG in connection with section 630a BGB),
  • Duties to provide information with regard to health insurances and social insurance carriers (cf. Article 9 para. 2 (h) GDPR in connection with section 22 para. 1 (b) BDSG in connection with sections 284 et seqq. Code of Social Law, Book V [Fünftes Buch Sozialgesetzbuch, SGB V]),
  • Duties to provide information towards tax authorities (cf. Article 9 para. 2 (g) GDPR in connection with sections 38 et seqq. Income Tax Act [Einkommensteuergesetz, EStG]),
  • Enforcing a claim or defending against a claim (cf. Article 9 para. 2 (f) GDPR).

We only process your personal data for the purposes listed above, unless you either give us your explicit, voluntary consent or to the extent statutory law allows.

3. Duration of the Processing:

As you can see, we process your personal data for different purposes and based upon various statutory laws. As a consequence, statutory law requires that we store your personal data for different periods, which does not make it easy for us.

For instance, we are obliged to store the data about your medical treatment for (at least) 10 years due to laws connected to our profession as well as civil law or tax law.

4. Recipients of Your Personal Data

For a smooth performance of the above-mentioned activities around your medical treatment in specific cases we might need to transfer your data to other persons/ companies/ authorities, respectively persons/ companies might be granted the opportunity to take notice of your personal data when fulfilling their obligations towards us.

The potential recipients are:

  • association of statutory health insurance physicians [Kassenärztliche Vereinigung],
  • private / statutory health insurances,
  • courts,
  • authorities,
  • social insurance carriers,
  • evaluators,
  • if applicable, factoring companies,
  • third party laboratories,
  • other doctors/ hospitals/ non-medic therapists,
  • attorneys,
  • tax consultants,
  • producers of medical products who perform maintenance jobs,
  • suppliers who look after our IT.

We emphasize once more that these recipients are granted access to your data, or may take notice of your data, on a case-by-case basis only. Such taking notice of the data also only happens on the grounds of legal legitimation. Furthermore, we take care that such recipients only receive the data on a need-to-know basis, that is, the data they need in order to fulfill their purpose.

We took the respective technical and organizational measures in order to keep the risk of having “external” third parties involved within an adequate level.

5. Your Rights as the Data Subject Concerned

As we process “your” personal data as described above, you are entitled by statutory law to certain rights towards us to the extent not limited or excluded by statutory law. In particular, such rights include the following:

  • Right of access to personal data being processed by us according to Article 15 GDPR. In case of a non-written request we kindly ask you for your understanding that we might ask you for providing evidence in order to prove that you really are the person who you claim to be,
  • Right to obtain without undue delay the rectification of inaccurate personal data concerning you according to Article 16 GDPR,
  • Right to obtain the erasure of your personal data without undue delay according to Article 17 GDPR,
  • Right to obtain the restriction of processing of your personal data according to Article 18 GDPR,
  • Right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us according to Article 20 GDPR,
  • Right to withdraw your consent at any time according to Article 7 para. 3 GDPR. The withdrawal of consent shall have effect only on future data processing after withdrawal. It shall not affect the lawfulness of processing based on consent before its withdrawal,
  • Right to lodge a complaint with a supervisory authority according to Article 77 GDPR. Generally, you contact the data protection authority either of your habitual residence or the one competent for our clinic; the latter is:
    The Commissioner for Data Protection of the Federal State of Baden-Württemberg [Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg]
    Postbox 10 29 32
    D-70025 Stuttgart
    phone: 0049-711/615541-0
    fax: 0049-711/615541-15
    e-mail: poststelle@lfdi.bwl.de

6. Right to Object

To the extent your personal data is processed on the basis of legitimate interests according to Article 6 para. 1 sentence 1 (f) GDPR you are entitled to object in accordance with Article 21 GDPR to the processing of personal data concerning you as far as reasons exist that derive from your specific situation.

In case you would like to exercise your right to object or withdraw, a message to us is sufficient.

7. Data Security

It is our utmost endeavor to protect you and your personal data as effectively as possible. For this reason we took various measures in order to protect your data to the extent possible against unauthorized access. In this regard we implemented technical and organizational measures which we deem adequate, in order to protect your data against accidental or intentional manipulation, partial or full loss of data, destruction or unauthorized access by third parties. We constantly review our security measures and their effectiveness corresponding to the technological development and, as needed, improve them.

8. Up-to-Dateness of this Data Protection Notice and Changes

This data protection notice as of May 2018 is the currently valid version.

Due to changes of statutory law or instructions by authorities as well as changing circumstances of processing it may become necessary to update this data protection notice from time to time.

We will inform you prominently about such changes. In addition, such changes will be highlighted in the next version of our data protection notice.

You can obtain the respective current data protection notice either in our clinic or on our website under www.sophienklinik-stuttgart.de/en/

I have received the data protection notice according to GDPR and understand it.

9. Analysis tools and advertising

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store cookies, and does not carry out any independent analyses. It only manages and runs the tools integrated via it. However, the Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States.

The Google Tag Manager is used on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and administration of various tools on his website. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior patterns of website visitors. To that end, the website operator receives a variety of user data, such as pages accessed, time spent on the page, the utilized operating system and the user’s origin. This data is assigned to the respective end device of the user. An assignment to a user-ID does not take place.

Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Google Analytics uses various modeling approaches to augment the collected data sets and uses machine learning technologies in data analysis.

Google Analytics uses technologies that make it possible to recognize the user for the purpose of analyzing user behavior patterns (e.g., cookies or device fingerprinting). The website use information recorded by Google is, as a rule, transferred to a Google server in the United States, where it is stored.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

IP anonymization

Google Analytics IP anonymization is active. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and abbreviated there only in exceptional cases. On behalf of the operator of this website, Google shall use this information to analyze your use of this website to generate reports on website activities and to render other services to the operator of this website that are related to the use of the website and the Internet. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.

Browser plug-in

You can prevent the recording and processing of your data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.

Contract data processing

We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.

Web analysis with Matomo (formerly PIWIK)

Our website uses the web analytics service Matomo, provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, which enables cross-page recognition of the user to analyze user behavior. This allows us to find out which page views were made when, which regions they came from and which actions the user performed (e.g. clicks or purchases).

The following usage data is processed: Two bytes of the IP address of your calling system, the accessed website and the website from which you were redirected to the accessed website (referrer URL), visited subpages of our website, location data (based on the anonymized IP address), user times, dwell time and visit frequencies and browser/device data.

The usage information collected (including your shortened IP address) is transmitted to our server and stored. Your IP address is anonymized so that the data cannot be assigned to an identifiable person and the individual user remains anonymous. The usage data collected is not passed on to third parties.

The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the anonymized analysis of user behavior in order to optimize both its website and its advertising. If a corresponding consent has been requested (e.g. consent to store cookies), the processing is based on Art. 6 (1) lit. a GDPR; the consent can be revoked at any time.

The data is deleted as soon as it is no longer required for our recording purposes.

Google Ads

The website operator uses Google Ads. Google Ads is an online promotional program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display ads in the Google search engine or on third-party websites, if the user enters certain search terms into Google (keyword targeting). It is also possible to place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target group targeting). As the website operator, we can analyze these data quantitatively, for instance by analyzing which search terms resulted in the display of our ads and how many ads led to respective clicks.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Google Conversion-Tracking

This website uses Google Conversion Tracking. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

With the assistance of Google Conversion Tracking, we are in a position to recognize whether the user has completed certain actions. For instance, we can analyze how frequently which buttons on our website have been clicked and which products are reviewed or purchased with particular frequency. The purpose of this information is to compile conversion statistics. We learn how many users have clicked on our ads and which actions they have completed. We do not receive any information that would allow us to personally identify the users. Google as such uses cookies or comparable recognition technologies for identification purposes.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time.

For more information about Google Conversion Tracking, please review Google’s data protection policy at: https://policies.google.com/privacy?hl=en

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Meta Pixel (formerly Facebook Pixel)

To measure conversion rates, this website uses the visitor activity pixel of Meta. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Meta’s statement the collected data will be transferred to the USA and other third-party countries too.

This tool allows the tracking of page visitors after they have been linked to the website of the provider after clicking on a Meta ad. This makes it possible to analyze the effectiveness of Meta ads for statistical and market research purposes and to optimize future advertising campaigns.

For us as the operators of this website, the collected data is anonymous. We are not in a position to arrive at any conclusions as to the identity of users. However, Meta archives the information and processes it, so that it is possible to make a connection to the respective user profile on Facebook or Instagram and Meta is in a position to use the data for its own promotional purposes in compliance with the Meta Data Usage Policy (https://www.facebook.com/about/privacy/). This enables Meta to display ads on Facebook or Instagram and other advertising channels. We as the operator of this website have no control over the use of such data.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time.

Within the Meta Pixel, we are using the expanded alignment function.

The expanded alignment allows us to transfer to Meta different types of data (e.g., place of residence, federal state, zip code, hashed email addresses, names, gender, date of birth or phone number) of our customers and prospects we collect through our website. Herewith, we can tailor the offers presented in our advertising campaigns on Facebook and Instagram to individuals interested in what we offer even more precisely. Moreover, this expanded alignment optimizes the allocation of website conversions and expands custom audiences.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Meta, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Meta. The processing by Meta that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us have been jointly set out in a joint processing agreement. The wording of the agreement can be found under: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Meta tool and for the privacy-secure implementation of the tool on our website. Meta is responsible for the data security of Meta products. You can assert data subject rights (e.g., requests for information) regarding data processed by Facebook or Instagram directly with Meta. If you assert the data subject rights with us, we are obliged to forward them to Meta.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

In Meta’s Data Privacy Policies, you will find additional information about the protection of your privacy at: https://www.facebook.com/about/privacy/.

You also have the option to deactivate the remarketing function “Custom Audiences” in the ad settings section under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you first have to log into Facebook.

If you do not have a Facebook or Instagram account, you can deactivate any user-based advertising by Meta on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/4452.