Privacy Policy

Privacy Policy

The protection of your privacy as well as the security of all patient and business data during the processing of personal data is an important concern for us, which we take into account in our processes. Here we inform you in detail about how we handle your data.

Controller according to Art. 4 para. 7 EU-General Data Protection Regulation (GDPR)

Universitätsklinikum Frankfurt
Theodor-Stern-Kai 7
60590 Frankfurt
Telephone: +49 69 63 01 – 0

Data protection officer of the controller
The data protection officer can be reached at:
Telephone: +49 69 / 6301-7235

1. Rights of the data subject (Art. 15. GDPR)
In the following, we will inform you about your data subject rights. You
can exercise these rights at any time and contact us directly for this
purpose. If you request these rights from us, we will examine them in
detail, considering the associated legal requirements and conditions. If
necessary, we will request further information from you. We will explain
the results of our examination and our procedure for fulfilling your
request to you in detail. It is possible that we will not be able to
fully comply with your requests in the way you would like. This should
not prevent you from claiming your rights from us or from inquiring with
us in this regard. We will be happy to answer any questions you may

a) Right of access (Art. 15 GDPR)
In accordance with the law, you have the right to request information
from us at any time as to whether and which of your personal data is
being processed by us. This also includes information on the purposes of
processing, if applicable, recipients to whom we have disclosed your
data, the planned storage period and, if applicable, information on the
origin of this data if we have not collected it directly from you. In
addition, you have the right to a one-time free copy of your personal
data stored by us. We reserve the right to charge a reasonable
administrative fee for making the following copies.

b) Right of rectification (Art. 16 GDPR)
You have the right to request us to correct any inaccurate data we have
stored about you. This also includes the right to have incomplete
personal data completed.

c) Right to erasure (Art. 17 GDPR)
You have the right to request us to delete data that we have stored
about you. If we have published data about you, this also includes our
obligation, within the framework of the “right to be forgotten” pursuant
to Article 17 (2) of the GDPR, to forward your request to delete all
links to this data and copies or replications of this data to other
controllers of this published personal data, considering available
technology and implementation costs.

d) Right to restriction of processing (Art. 18 GDPR)
You have the right to demand that we restrict the processing of data
that we have stored about you. After that, processing of this data is
only possible with your consent or for a few legally defined purposes.

e) Right to object to processing (Art. 21 GDPR)
Insofar as we base the processing of your personal data on the balance
of interests, you can object to the processing. This is the case if the
processing is not necessary, in particular, for the performance of a
contract with you, which is shown by us in each case in the following
description of the functions. When exercising such an objection, we ask
you to explain the reasons why we should not process your personal data
as we have done. In the event of your justified objection, we will
review the situation and either discontinue or adjust the data
processing or show you our compelling legitimate grounds on the basis of
which we will continue the processing. Of course, you can object to the
processing of your personal data for purposes of advertising and data
analysis at any time. You can inform us about your advertising objection
via the contact channels listed above.

f) Right to revoke consent under data protection law (Art. 7 GDPR)
If you have given your consent to the processing of your data, you may
revoke it at any time in accordance with Article 7 (3) of the GDPR. Such
revocation affects the permissibility of processing your personal data
after you have expressed it to us.

g) Right to data portability (Art. 20 GDPR)
You have the right to receive from us personal data that you have
provided to us in a structured, common and machine-readable format for
the purpose of transferring it to another controller. At your request
and taking into account the available technical possibilities, this also
includes direct transfer from us to the other responsible party.

h) Right of appeal to a supervisory authority (Art. 13 GDPR)
You have the right to lodge a complaint about our processing of data
relating to you with a data protection supervisory authority at any
time. You can reach the responsible data protection authority at: Der
Hessische Beauftragte für Datenschutz und Informationsfreiheit, Postfach
3163, 65021 Wiesbaden

i) Automated decision-making including profiling (Art. 22 GDPR)
You have the right to obtain information about the existence of
automated decision-making, including profiling, pursuant to Article
22(1) and (4) of the GDPR and – at least in these cases – meaningful
information about the logic involved and the scope and intended effects
of such processing for the data subject.

2. legal basis for the processing of personal data (Art. 6 GDPR)

(1) Insofar as we obtain the consent of the data subject for
processing operations involving personal data, this shall be based on
the legal basis of Art. 6 (1) a of the EU General Data Protection
Regulation (GDPR).

(2) When processing personal data that is necessary for the
performance of a contract to which the data subject is a party, Art. 6
(1) lit. b GDPR serves as the legal basis. This also applies to
processing operations that are necessary for the performance of
pre-contractual measures.

(3) Insofar as processing of personal data is necessary for compliance
with a legal obligation to which our company is subject, Art. 6 (1) c
GDPR serves as the legal basis.

(4) In the event that vital interests of the data subject or another
natural person make processing of personal data necessary, Art. 6 (1)
(d) GDPR shall serve as the legal basis.

(5) If the processing is necessary to protect a legitimate interest of
our company or a third party and the interests, fundamental rights and
freedoms of the data subject do not override the first-mentioned
interest, Art. 6 (1) (f) GDPR shall serve as the legal basis for the

3. information about the collection of personal data

(1) In the following, we inform you about the collection of personal
data when using our website. Personal data is all data that can be
related to you personally, e.g., name, address, e-mail addresses, user

(2) When you contact us by e-mail or via a contact form, the data you
provide (your e-mail address, name and telephone number, if applicable)
will be stored by us in order to answer your questions. We delete the
data accruing in this context after the storage is no longer necessary
or restrict the processing if there are legal retention obligations.

(3) If we use contracted service providers for individual functions of
our offer or would like to use your data for advertising purposes, we
will inform you in detail about the respective processes below. In doing
so, we will also state the defined criteria for the storage period.

Collection of personal data when visiting our website
In the case of mere informational use of the website, i.e., if you do
not register or otherwise transmit information to us, we only collect
the personal data that your browser transmits to our server. If you wish
to view our website, we collect the following data, which is technically
necessary for us to display our website to you and to ensure stability
and security (legal basis for this is Art. 6 para. 1 p. 1 lit. f GDPR):

  • IP-Address
  • Hostname
  • Date & Time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes (referrer)
  • The specific pages of our website that you called up
  • Browser: Type, version and set language
  • Operating system: type and version
  • With JavaScript enabled moreover:
  • Screen resolution
  • Color depth
  • Browser window size
  • Installed browser plugins

4. Data deletion and storage duration

(1) The personal data of the data subject shall be deleted or blocked
as soon as the purpose of the storage expires.

(2) Storage may also take place if this has been provided for by the
European or national legislator in Union regulations, laws or other
provisions to which the controller is subject.

(3) Data shall also be blocked or deleted if a storage period
prescribed by the standards expires, unless there is a need for further
storage of the data for the conclusion or performance of a contract.

5. Cookie usage
Cookies are small files that are stored on your hard drive associated
with the browser you are using and through which certain information
flows to the entity that sets the cookie. Cookies cannot execute
programs or transfer viruses to your computer. They serve to make the
Internet offer more user-friendly and effective. A detailed list of the
cookies used can be found below this privacy statement.

6. Further functions & offers of our company website

(1) In addition to the purely informational use of our website, we
offer various services that you can use if you are interested. For this
purpose, you must usually provide additional personal data that we use
to provide the respective service and for which the data processing
principles apply. Mandatory data is marked with an asterisk. Information
in fields not marked in this way is purely voluntary.

(2) When you contact the service provider by e-mail, your e-mail
address and, if you so indicate, your name, telephone number and […]
will be stored by us to answer your questions.

(3) In some cases, we use external service providers to process your
data. These have been carefully selected and commissioned by us, are
bound by our instructions, and are regularly monitored.

(4) Furthermore, we may pass on your personal data to third parties if
we offer promotions, competitions, contracts or similar services
together with partners. You will receive more information about this
when you provide your personal data or below in the description of the

(5) If our service providers or partners are based in a country
outside the European Economic Area (EEA), we will inform you about the
consequences of this circumstance in the description of the offer.

6.1 Teleradiology Upload Portal (JiveX Connect Upload)

(1) Via the upload portal (JiveX Connect), personal data, findings and
image files can be transmitted to the KGU in the file formats .dicom or

(2) When the upload portal website is called up, each access to the
upload portal and each retrieval of a file stored on this website is
logged. The storage serves internal system-related and statistical
purposes. The following are logged: Name of the retrieved file, date and
time of retrieval, amount of data transferred, notification of
successful retrieval, web browser and requesting domain. In addition,
the IP addresses of the requesting computers are logged.

(3) The above-mentioned data are collected by VISUS in order to enable
a smooth connection setup as well as a comfortable use of the portal. In
addition, VISUS uses the above-mentioned data to evaluate system
security and stability.

(4) Furthermore, additional personal data is collected via the upload
of data containing personal information (e.g., metadata in DICOM
objects, PDF files with personal content, file names) or if the user of
the website voluntarily enters data via the forms of the website (or
does so via the settings of his browser).

(5) In accordance with the various purposes, the persons involved
within the hospital have access to your images and data, which also
includes, for example, all medical staff in other departments who
participate in an interdisciplinary exchange or the administration,
which carries out the accounting.

(6) Legal basis: The upload and processing of special categories of
personal data, in particular health data, is based on Art. 9 (2) lit. a
GDPR in conjunction with. Art. 6 para. 1 lit. a GDPR.

(7) Archiving and deletion: Insofar as your transmitted images and
findings serve your care or the care of your patient in the university
hospital, selected images and findings will be transferred to the
archive. This does not result in an archiving obligation for uploaded
images and findings. The data accruing in this context will be deleted
after storage is no longer necessary or restrict processing if there are
legal retention obligations. Legal regulations such as the X-ray
Ordinance, the Radiation Protection Ordinance, the Pharmacy Operating
Regulations or the Transfusion Act prescribe different retention
periods. For liability reasons, your patient file is kept for up to 30
years. This follows from the fact that claims for damages asserted by
patients against the hospital become statute-barred in 30 years at the
latest pursuant to Section 199 (2) of the German Civil Code. On the part
of the appointed processor and its appointed subcontractor, all personal
data collected are automatically deleted after successful forwarding to
the recipient (teleradiology of the University Hospital Frankfurt). If
the data cannot be successfully forwarded to the recipient, the data
will be automatically deleted from the systems after a maximum of 2
weeks. Non-personal data (statistics on transmission duration or size of
upload, etc.) are deleted manually.

(8) Service provider: The upload portal is operated and provided by
MedEcon Telemedizin GmbH, Gesundheitscampus-Süd 29, 44801 Bochum,
Germany and its subcontractor VISUS Health IT GmbH,
Gesundheitscampus-Süd 15-17, 44801 Bochum, Germany.

7. Third-party services
The legal basis for the use of locally deployed web analysis tools is
Art. 6 para. 1 p. 1 lit. f GDPR, i.e., the protection of our legitimate
interests in consideration of the interests of our website visitors. Our
interest is the analysis of the use of our website by our website
visitors, to improve our offer and to make it more interesting for you
as a user. If the analysis tool used also serves other purposes or we
use it for other interests, we will inform you about this directly in
the explanations for the respective analysis tool. The legal basis for
the use of third-party providers to perform web analytics is based on
Art. 6 para. 1 p. 1 lit. a.

a) Google Maps

(1) On this website, we use the Google Maps service by displaying
interactive maps directly on our website and enabling you to use the map
function conveniently. The legal basis for the use of the plug-in is
Art. 6 para. 1 p. 1 lit. a GDPR. Consent is given through your selection
in the cookie banner.

(2) By visiting the website, Google receives the information that you
have called up the corresponding sub-page of our website. This occurs
regardless of whether Google provides a user account through which you
are logged in or whether there is no user account. If you are logged in
to Google, your data will be directly assigned to your account. If you
do not want the assignment with your profile at Google, you must log out
before activating the button. Google stores your data as usage profiles
and uses them for the purposes of advertising, market research and/or
demand-oriented design of its website. Such an evaluation is carried out
in particular (even for users who are not logged in) to provide
needs-based advertising and to inform other users of the social network
about your activities on our website. You have the right to object to
the creation of these user profiles, whereby you must contact Google to
exercise this right.

(3) For more information on the purpose and scope of data collection
and its processing by the plug-in provider, please refer to the
provider’s privacy policy. There you will also find further information
on your rights in this regard and setting options for protecting your
privacy: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street,
Dublin 4, Ireland;

b) Google Web Fonts

(1) This site uses so-called web fonts provided by Google for the
uniform display of fonts. When you call up a page, your browser loads
the required web fonts into its browser cache in order to display texts
and fonts correctly. For this purpose, the browser you are using must
connect to Google’s servers. This enables Google to know that our
website has been accessed via your IP address. Google Web Fonts are used
in the interest of a uniform and appealing presentation of our online
offers. This represents a legitimate interest within the meaning of Art.
6 para. 1 lit. f GDPR.

(2) If your browser does not support web fonts, a standard font from
your computer will be used. For more information on Google Web Fonts,
please visit and Google’s
privacy policy at:

8. Definitions

a) Personal Data

Any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of
that natural person

b) Processing
Any operation or set of operations which is performed on personal data
or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.

c) Restriction of Processing
The marking of stored personal data with the aim of limiting their
processing in the future.

d) Profiling
Any form of automated processing of personal data consisting of the use
of personal data to evaluate certain personal aspects relating to a
natural person, in particular to analyse or predict aspects concerning
that natural person’s performance at work, economic situation, health,
personal preferences, interests, reliability, behaviour, location or

e) Pseudonymisation
The processing of personal data in such a manner that the personal data
can no longer be attributed to a specific data subject without the use
of additional information, provided that such additional information is
kept separately and is subject to technical and organisational measures
to ensure that the personal data are not attributed to an identified or
identifiable natural person.

f) Controller
The natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means
of the processing of personal data; where the purposes and means of such
processing are determined by Union or Member State law, the controller
or the specific criteria for its nomination may be provided for by Union
or Member State law

g) Processor
A natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.

h) Consent
The data subject any freely given specific, informed and unambiguous
indication of his or her wishes in the form of a statement or other
unambiguous affirmative act by which the data subject signifies his or
her agreement to personal data relating to him or her being processed.

State: 28.04.2021