Privacy Policy

Name and Contact Details of the Controller (Article 4(7) GDPR)

Privatpraxis Dr. med. Johannes Sturm
Rollnerstraße 8
90419 Nuremberg
Germany

Tel. +49 (0)911 – 937 55 838
Fax +49 (0)911 – 937 55 837

Security and Protection of Your Personal Data

As a private-sector company, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the regulations of the German Federal Data Protection Act (BDSG).
We have implemented technical and organisational measures to ensure that the data-protection requirements are complied with both by us and by our external service providers.

We consider it our primary responsibility to maintain the confidentiality of the personal data you provide and to protect it from unauthorised access. For this reason, we apply the utmost care and state-of-the-art security standards to ensure the maximum protection of your personal data.

The law requires that personal data be processed lawfully, fairly, and in a manner that is transparent to the data subject (“lawfulness, fair processing, transparency”).
To ensure this, we provide you with information on the relevant legal definitions that are also used in this privacy policy:

Definitions

Personal Data

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Restriction of Processing

“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling

“Profiling” means any form of automated processing of personal data that consists of using such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, financial situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymisation

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Filing System

A “filing system” is any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

Controller

“Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor

“Processor” means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient

“Recipient” means any natural or legal person, public authority, agency or another body to whom personal data are disclosed, whether a third party or not.
However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third Party

“Third party” means any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Lawfulness of Processing

The processing of personal data is only lawful if there is a legal basis for the processing. According to Article 6(1)(a–f) GDPR, the legal basis for processing may in particular be:

  • the data subject has given their consent to the processing of their personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the controller is subject;
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.

Information on the Collection of Personal Data

1. In the following, we inform you about the collection of personal data when using our website. Personal data includes, for example, your name, address, email addresses, and user behaviour.

2. If you contact us by email, the data you provide (your email address, and if applicable your name and telephone number) will be stored by us in order to answer your questions. We delete the data arising in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

Collection of Personal Data When Visiting Our Website

When you use our website for informational purposes only – meaning you do not register or otherwise provide information to us – we only collect the personal data that your browser transmits to our server. If you simply view our website, we collect the following data, which are technically necessary for us to display our website and ensure stability and security (the legal basis is Art. 6(1)(f) GDPR):

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

Rights of the Data Subject

1. Right to Withdraw Consent
If the processing of your personal data is based on consent you have given, you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal.

You may exercise your right of withdrawal at any time by contacting us.

2. Right to Confirmation
You have the right to obtain confirmation from the controller as to whether we are processing personal data concerning you. You may request this confirmation at any time using the contact details provided above.

3. Right of Access
If personal data concerning you are being processed, you have the right to obtain access to this personal data and to request the following information:

  1. the purposes of processing;
  2. the categories of personal data that are processed;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
  4. where possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria used to determine that duration;
  5. the existence of a right to request rectification or erasure of the personal data concerning you, or restriction of processing by the controller, or to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

4. Right to Rectification
You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

5. Right to Erasure (“Right to be Forgotten”)
You have the right to demand from the controller that the personal data concerning you be erased without undue delay, and we are obliged to erase personal data without undue delay if one of the following reasons applies:

  1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. The data subject withdraws their consent on which the processing was based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.
  3. The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
  4. The personal data have been unlawfully processed.
  5. The erasure of the personal data is required to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
  6. The personal data have been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR.

If the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase them, then taking account of available technology and the implementation costs, he shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

The right to erasure (“right to be forgotten”) does not exist insofar as processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  5. for the establishment, exercise or defence of legal claims.

6. Right to Restriction of Processing
You have the right to request from us the restriction of the processing of your personal data if one of the following conditions applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; or
  4. the data subject has objected to processing pursuant to Article 21(1) GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject.

7. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:

  1. the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6(1)(b) GDPR, and
  2. the processing is carried out by automated means.

In exercising your right to data portability under paragraph 1, you also have the right to have the personal data transmitted directly from one controller to another, where this is technically feasible.
The exercise of the right to data portability shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

8. Right to Object
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. The controller will then no longer process your personal data unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If personal data are processed for the purpose of direct advertising, you have the right to object at any time to the processing of personal data concerning you for such advertising purposes; this also applies to profiling insofar as it is related to such direct advertising. If you object to processing for direct advertising purposes, your personal data will no longer be processed for those purposes.

In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object via automated procedures that use technical specifications.

You also have the right, on grounds relating to your particular situation, to object to the processing of your personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You may exercise your right to object at any time by contacting the respective controller.

9. Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

  • is necessary for entering into, or the performance of, a contract between you and the controller,
  • is authorised by Union or Member State law to which the controller is subject, and that law lays down suitable measures to safeguard your rights, freedoms, and legitimate interests, or
  • is based on your explicit consent.

The controller shall implement appropriate measures to safeguard your rights, freedoms, and legitimate interests, which shall include at least the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision.

You may exercise this right at any time by contacting the respective controller.

10. Right to lodge a complaint with a supervisory authority
You also have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes this Regulation.

11. Right to an effective judicial remedy
You have the right, without prejudice to any available administrative or extrajudicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR, to an effective judicial remedy if you consider that your rights under this Regulation have been infringed as a result of the processing of your personal data in non-compliance with this Regulation.