The protection of your personal data is very important to us, therefore we would like to list here all the information about the processing and storage of your data when you visit our website and in our company.

In order to be able to use all the functions and services of our site, it is necessary to collect your personal data. However, processing and storage only takes place in accordance with the legal guidelines and requirements of the General Data Protection Regulation (GDPR) and the Telecommunications Act (TKG 2021).

Responsible Body

Michaela Liedler – Center for Postoperative Scar Therapy
Garnisongasse 3 Top 21
1090 Vienna
Austria

Email: office@narbenzentrum.at
Further information can be found in the Imprint.

Collection and Processing of Personal Data on this Website

Note: In order to protect your data as comprehensively as possible from unwanted access, we take so-called technical and organizational measures and use an encryption method on our website. Your data is transmitted over the Internet from your computer to our computer and vice versa using so-called TLS encryption. TLS stands for “Transport Layer Security” and is an encryption protocol for data transmission on the Internet. You can usually recognize “TLS” by the fact that the lock symbol in the status bar of your browser is closed and the address begins with https://.

1. Collection of Access and Log Data

This website automatically collects and stores server log file information that your browser transmits to us as part of hosting. These are:

the page accessed (URL)
the browser or the browser version
the operating system used
the referrer URL (the previously visited page)
Hostname and IP address of the accessing computer
the time of the server request

The legal basis for this data processing is the legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. This is justified by being able to determine indications of illegal use of the website. This anonymous data is stored separately from any personal data provided and thus does not allow any conclusions to be drawn about a specific person.

Your personal data will generally not be transmitted to third parties. We have concluded a data processing agreement in accordance with Art. 28 GDPR with the provider of this website, SiteGround Spain S.L., based in Madrid, Spain.

The collected data is stored for a maximum of 30 days in server log files that your browser automatically transmits to us. Only in the event of attacks on our server infrastructure or other legal violations do we store the server log files for longer than 30 days. This longer storage period is based on the legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in securing evidence.

2. Inquiries via the Contact Form, Email and Telephone

Any information about you that you voluntarily provide to us will of course be treated confidentially. We use your provided personal data exclusively to process and answer your request. The legal basis for data processing is our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. This arises from our interest in answering inquiries from our customers, business partners and interested parties and in promoting or maintaining customer satisfaction. A further legal basis for natural persons is the initiation or fulfillment of a contract according to Art. 6 Para. 1 lit. b) GDPR.

All personal information that you send to us with your request will be deleted or anonymized by us no later than 2 years after the final answer has been given to you, unless a contract is concluded. The retention of 2 years results from the fact that it may occasionally happen that you contact us again on the same matter after an answer and refer to the previous correspondence. Experience has shown that no further questions follow our answers after 2 years.

3. Sending Newsletters

On our website you can subscribe to various newsletters to receive information about offers or promotions. When you subscribe to the newsletter, we collect and store the data that you enter in the input mask. Only your email address is mandatory. All other information, such as salutation, first name, last name, is provided on a voluntary basis. After submitting the registration form, you will receive an email from us with a confirmation link. As soon as you click on the link contained therein, you give us your consent to receive our newsletter and have successfully registered for it. This will be communicated to you by another email. You also give us your consent to process your email address and, if applicable, your other data. This ensures that no unauthorized person registers for our newsletter (compliance with the double opt-in procedure).

You can end the receipt of the newsletter at any time by clicking on the “unsubscribe” link at the end of each newsletter. If you revoke your consent, your data will be deleted immediately; we will store proof of the revocation for a further three years so that we can fulfill our accountability obligation under Art. 5 Para. 2 GDPR. This retention is based on our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. The legal basis for the confirmation email is our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR, which is justified by being able to prove that you have given your consent. The obligation to provide proof for the controller is set out in Art. 5 Para. 2 GDPR.

The legal basis for sending the newsletter is your consent according to Art. 6 Para. 1 lit. a) GDPR and § 174 Para. 3 TKG 2021.

We exclude the transfer of data to third parties. The newsletter is sent by our processor (still being searched for) based in Germany.

4. Use of Technically Necessary Cookies

We use technically necessary cookies to make the use of our website easier and to improve it. Cookies are small text information that can be stored on your computer or smartphone via the browser when you visit a website. Cookies can also provide us with information about how you use our website, so that we can continuously improve the design of the website.

Cookies themselves do not contain any personal data about users; they only serve for unique identification, which our customers find interesting and useful on our website.

We only use technically necessary cookies. Without these cookies, our services cannot be used, for example for the correct display of our website or the use of functions you want. The data processed by necessary cookies is necessary for the initiation of a contract according to Art. 6 Para. 1 lit. b) GDPR.
Name of the cookie Purposes Storage duration Third-party provider Data transfer to third countries
Wp-wpml_current_language

Saves the language selection.

Max. 1 minute – –

5. Registration for Events and Seminars

If you register for events or seminars via our website or elsewhere, we require the information marked as mandatory in the booking form.

Your information provided for booking will be used by us exclusively for the purpose of carrying out the events, for communication and for issuing certificates of participation. The legal basis for this data processing is the fulfillment of the contract according to Art. 6 Para. 1 lit. b) GDPR.

Your data will not be passed on for registration. We store the data of participants in events, as far as necessary, for the duration of the statutory retention obligations. Afterwards and otherwise, the data will generally be deleted.

6. Integration of External Content

On this website, we embed external content that is not stored on our servers. So that calling up our websites with embedded maps does not automatically lead to the content of the third-party provider being reloaded, we initially only show locally stored preview images of the maps. This means that the third-party provider does not receive any information.

Only after clicking on the preview image or when consent is given via the cookie consent tool will content from the third-party provider be reloaded. This gives the third-party provider the information that you have accessed our site and the usage data technically required in this context. We have no influence on the further data processing by the third-party provider.

By clicking on the preview image, you give us your consent to reload content from the third-party provider. The embedding takes place on the basis of your consent according to Art. 6 Para. 1 lit. a) GDPR.

Provider of external content:

Doctify: We integrate ratings of our patients via “doctify” from the provider Doctifiy Limited, based in Berkeley Square, London, W1J 5FJ United Kingdom, on our website. This displays patient reviews on our website. The data transfer to the United Kingdom takes place on the basis of the adequacy decision. Further information and opt-out options can be found in the privacy policy of “doctify”: https://www.doctify.com/de-at/info/privacy-policy
Google Maps: We integrate external map content from Google Ireland Limited/Google LLC (USA). Please note that embedding the Google Maps map service means that your data will be processed outside the EU or the EEA. In some countries, there is a risk that authorities will access the data for security and surveillance purposes without you being informed or being able to take legal action. If we use providers in insecure third countries and you consent, the transfer to an insecure third country takes place on the basis of Art. 49 Para. 1 lit. a) GDPR.

Withdrawal of consent

If you have clicked on a preview image, the content of the third-party provider will be reloaded immediately. If you do not want such reloading on other pages, please do not click on the preview images or revoke your consent via the cookie consent banner.

7. Arranging Appointments

For simplified booking of appointments, we use an online appointment booking tool, using which you can book an appointment directly. After booking, you will receive an appointment confirmation by email.

The legal basis for booking is the implementation of pre-contractual measures in accordance with Art. 6 Para. 1 lit. b) GDPR.

For technical processing, we use the online appointment booking option of the practice software provider “synaptos” of the company Synaptos GmbH, based in Klagenfurt am Wörthersee. There is a contract with synaptos for order processing in accordance with Art. 28 GDPR.

The booked appointments will be deleted after xx.

Sending Direct Marketing Mailings for Existing Customers

If the legal requirements are met in accordance with § 174 Para. 4 TKG, we regularly send our existing customers product recommendations by email, regardless of whether they have subscribed to the newsletter. In this way, we will send you information about products from our range that you may still be interested in based on your most recent purchases of goods or services from us.

The legal basis for this is our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR and § 174 Para. 4 TKG 2021. The legitimate interest lies in informing our existing customers about further goods or services from us. In doing so, we strictly adhere to the legal requirements and carry out checks of the § 7 E-Commerce Act list. You can object to this at any time (Art. 21 GDPR). Of course, you will also find an unsubscribe link in every email.

We generally exclude the transfer of data to third parties. We have commissioned the service provider Brevo (formerly Sendinblue), based in Germany, to send our newsletter. There is a contract with for order processing in accordance with Art. 28 GDPR.

Data Processing in the Context of Physiotherapy

As part of the services as a physiotherapist, necessary personal data, including health data, is processed manually for the purpose of documentation, providing information and billing and stored securely.

The legal basis for data processing is the fulfillment and processing of the treatment contract according to Art. 6 Para. 1 lit. b) GDPR and Art. 9 Para. 2 lit.) h and Para. 3 GDPR in conjunction with § 1c MTD Act (Federal Act on the Regulation of Higher Medical-Technical Services). As part of my work as an occupational therapist, I am subject to a statutory duty of confidentiality under § 11C MTD Act.

For documentation, we use the practice software of the provider “synaptos” of the company Synaptos GmbH, based in Klagenfurt am Wörthersee. There is a contract with synaptos for order processing in accordance with Art. 28 GDPR.

§ 11 Para. 3 MTD Act obliges me to create records of the physiotherapeutic measures taken and to keep them for 10 years from the end of the service.

Data Processing in the Context of Osteopathy

As part of the services as osteopathy, necessary personal data, including health data as far as necessary, is processed manually for the purpose of documentation, providing information and billing and stored securely.

The legal basis for data processing is the fulfillment and processing of the treatment contract according to Art. 6 Para. 1 lit. b) GDPR. Health data is processed on the basis of your voluntary consent according to Art. 9 Para. 2 lit.) a GDPR.

Analogous to § 11 Para. 3 MTD Act, records of the osteopathic measures taken are kept for 10 years from the end of the service.
Data processing of business partners and customers

1. Fulfillment of Contractual Obligations (Art. 6 Para. 1 Lit. B) GDPR)

The purposes of data processing result from the implementation of pre-contractual measures and the fulfillment of the obligations from the concluded contract.

A) Processing of Contracts

To process the contract with you, we process master data such as first and last name, your billing address and your billing and payment data. We use your email address to send our outgoing invoices digitally. In this context, personal data may be transmitted to our commissioned tax advisor and commissioned office service provider.

2. To Fulfill Legal Obligations (Art. 6 Para. 1 Lit. C) GDPR)

The purposes of data processing result in individual cases from legal requirements. These legal obligations include, for example, the fulfillment of storage and identification obligations, e.g. within the framework of requirements for tax control and reporting obligations and data processing within the framework of official inquiries.

3. To Fulfill our Legitimate Interests (Art. 6 Para. 1 Lit. F GDPR)

We process the contact details of contact persons at customers, interested parties, suppliers and other business partners for communication by email, telephone and post. The legal basis for data processing is the legitimate interest according to Art. 6 Para. 1 f) GDPR. The legitimate interest arises from the interest in carrying out or initiating the business relationship with customers, interested parties, suppliers and other business partners and the personal contact with contact persons.

Personal data is stored for the purpose of carrying out business relationships for as long as there is a legitimate interest in this. It may be necessary to process the personal data you have provided beyond the actual fulfillment of the contract with business partners. The legitimate interests here are in particular the selection of suitable business partners, assertion of legal claims, defense against liability claims, prevention of criminal offenses and the regulation of damages resulting from the business relationship.

4. Who Receives the Personal Data You Have Provided?

Within the framework of contractual relationships, we may also commission processors or service providers who may receive access to your personal data. Compliance with data protection regulations is contractually ensured.

5. Storage Period

The personal data will be stored for as long as this is necessary to fulfill the above-mentioned purposes or to fulfill legal obligations.

6. Data Processing for the Documentation of Compliance with the GDPR

If your data is processed based on consent according to Art. 6 Para. 1 lit. a) GDPR or Art. 9 Para. 2 lit. a) GDPR, we process your data exclusively for specific purposes and after separate information, in order to be able to prove within the scope of our accountability according to Art. 5 Para. 2 GDPR that you have consented to the data processing in question.

If you assert data subject rights from the GDPR against us, we also process and store your data in order to be able to prove within the scope of the accountability according to Art. 5 Para. 2 GDPR that we have complied with the GDPR when processing your request.

Operating Social Media Presences

We maintain the following social media presences:

Facebook: https://www.facebook.com/narbenbehandeln
Instagram: https://www.instagram.com/liedlerkonzept/
XING: https://www.xing.com/profile/Michaela_Liedler
LinkedIn: https://www.linkedin.com/in/michaela-liedler-msc-d-o-5a5084142/

Facebook is a product of Meta Platforms Inc. (formerly Facebook Inc.): facebook.com/help/1561485474074139/?helpref=related

“XING” is operated by New Work SE, based in Hamburg.

“LinkedIn” is operated by the European subsidiary LinkedIn Ireland Unlimited Company, based in Ireland. The parent company LinkedIn Inc. is based in the USA.

Data Processing by Us:

A) Maintaining the Social Media Pages Mentioned Above

The personal data entered on social media pages, such as comments, videos, images, likes, public messages, etc., are published by the respective social media platform. We reserve the right to delete content if this should be necessary. We may share content on our page and contact you via the social media platform, for example via the messengers offered. The legal basis for this data processing is the legitimate interest pursuant to Art. 6 Para. 1 lit. f) GDPR, which lies in the interest of our public relations and communication.

B) Page Insights

The social media platforms provide anonymized statistics and insights that help us gain insights into the types of actions people take on our page (so-called “Page Insights”). These page insights are created based on certain information about people who have visited our page.

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 Para. 1 lit. f) GDPR, which is based on obtaining information about the actions and visitors of our pages.

This processing of personal data is carried out by the social media platform and us as so-called joint controllers according to Art. 26 GDPR. In the case of joint responsibility, a separate agreement must be concluded.

LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum

Instagram and Facebook: https://www.facebook.com/legal/terms/page_controller_addendum

XING: https://privacy.xing.com/de/datenschutzerklaerung

If you would like to object to a specific data processing that we have an influence on (e.g. deleting comments), please contact the contact details listed above.

Note: The provision of your data is neither required by law nor by contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide your personal data. The consequence of not providing it is that you will not be able to communicate with us via our social media pages, interact or participate in the competition. To contact us, please use the e-mail address mentioned above.

Data Processing by the Operator of the Social Media Platform:

In addition to us, there is also the operator of the social media platforms themselves. From a data protection perspective, this is also regarded as another controller who carries out their own data processing. This means that the operator is also an own responsible body according to the GDPR. However, we only have limited influence on the data processing by the operator. In the areas where we can exert influence (e.g. through parameterization), we work within our means to ensure that the operator handles data in a manner that complies with data protection regulations. In many places, however, we cannot influence the data processing by the operator of the social media platform and we also do not know exactly which data they process. The respective operator informs you about the processing of personal data in its own privacy policy:

LinkedIn: https://de.linkedin.com/legal/privacy-policy

Facebook: www.facebook.com/help/568137493302217

Instagram: help.instagram.com/519522125107875

XING: https://privacy.xing.com/de/datenschutzerklaerung

As part of the platform use, your personal data is usually also processed by the respective platform operator on servers in third countries, especially in the USA and the United Kingdom. For TikTok also in China. Certain third countries are certified by the European Commission with a so-called adequacy decision. This means that the legal situation for the protection of privacy in these countries is comparable to that in the EU or the EEA. You can find more information about the current countries with an adequacy decision here. In all other cases, we conclude so-called standard contractual clauses with the platform operators for the transfer of personal data to third countries.

Note: The operator of the social media platform uses web tracking methods. Web tracking can also take place regardless of whether you are logged in or registered with the social media platform. As already shown, we can hardly influence the web tracking methods of the social media platform. For example, we cannot switch this off. Please be aware of the following: It cannot be ruled out that the provider of the social media platform uses your profile and behavioral data, for example to evaluate your habits or personal relationships and preferences, etc. We have no influence on the processing of your data by the provider of the social media platform.

Communication via the Zoom Video Conferencing System

We use the “Zoom” tool from Zoom Video Communications Inc. to conduct telephone conferences, online meetings and video conferences. You will receive access to the agreed dates via a link provided by e-mail. By clicking on the link you can enter the video room. Before joining, you can decide whether to activate the transmission of your video. You are muted by default and you must manually unmute your microphone if you wish. If you turn on your camera and/or your microphone, this data will be processed as part of the meeting.

The following additional data can be processed depending on the type and scope of the specific use:

Information about you (e.g. first and last name, e-mail address, profile picture)
Meeting metadata (e.g. date, time and duration of communication, name of the meeting, participant IP address)
Device/hardware data (e.g. IP addresses, MAC addresses, client version)
Text, audio and video data (e.g. chat logs, video, audio and presentation recordings)
Connection data (e.g. telephone numbers, country names, start and end times, IP addresses)

Furthermore, your personal data can be processed. This also depends specifically on your use, such as the use of the chat or the whiteboard. I would like to explicitly point out that information you provide during the current meeting will be processed at least for the duration of the meeting.

Legal Basis

The legal basis for data processing for direct contractual partners is Art. 6 Para. 1 lit. b) GDPR, for business partners or contact persons at external bodies the legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. The legitimate interest lies in the organization of virtual communication.

I cannot rule out that the routing of data also takes place via Internet servers that are located outside the EU or the EEA. In some countries, e.g. in the USA, there is a risk that authorities will access the data for security and surveillance purposes without you being informed about this or being able to lodge an appeal. We have agreed EU standard contractual clauses with Zoom as the legal basis for data transmission.

Recipient

The provider Zoom necessarily receives knowledge of the above data, insofar as this is contractually regulated within the framework of our order processing agreement according to Art. 28 GDPR. There are no other recipients.

You are not obliged to communicate with me via Zoom. Alternatively, you can also communicate by e-mail or telephone.

We generally delete personal data when there is no need for further storage.

Rights of Data Subjects

Your Rights as a Data Subject

You have the right under Art. 15 Para. 1 GDPR to receive information free of charge upon request about the personal data stored about you. Furthermore, if the legal requirements are met, you have a right to correction (Art. 16 GDPR), deletion (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR) of your personal data. If you have provided the processed data yourself, you have a right to data portability under Art. 20 GDPR.

If the data processing is based on Art. 6 Para. 1 e) or f) GDPR, you have the right to object according to Art. 21 GDPR. If you object to data processing, this will not take place in the future, unless the controller can demonstrate compelling legitimate grounds for further processing that outweigh the data subject’s interest in objecting.

You also have the right to lodge a complaint with a data protection supervisory authority. The complaint can be lodged in particular with a supervisory authority in the EU member state of your place of residence, workplace or the place of the alleged violation.

Contact details for the responsible data protection authority in Austria: dsb@dsb.gv.at

No Automated Decision-Making

Automatic decision-making or profiling does not take place by us.

Provision

Unless otherwise stated in the previous chapters, the provision of personal data is neither required by law nor by contract, nor is it necessary for the conclusion of a contract. The non-provision of your personal data may mean that, for example, we cannot answer your inquiries.

These data protection notices were created in collaboration with the consulting company SCALELINE. The legal texts are subject to copyright.