Detailed patient information
according to GDPR

1.    Art. 13 GDPR

1.1.    Description of the processing activity
This data protection information is provided in order to fulfil the treatment contract between you and your doctor and the associated obligations.
The collection of health data is a prerequisite for your treatment. If the necessary information is not provided, careful treatment cannot take place.

1.2.    Name and contact details of the responsible person
The person responsible for data collection is
Dr Stefan Palm, Managing Director of MVZ PAN Institut GmbH, Zeppelinstr. 1, 50667 Cologne, e-mail:

1.3.    Contact details of the data protection officer
The data protection officer is
Dr iur. Andreas Pinheiro, LL.M.
Hohenstaufenring 8, 50674 Cologne
Company ap-datenschutz

1.4.    Origin of the personal data
MVZ PAN Institut GmbH processes personal data that it receives from you as part of its business relationship. 
It also processes personal data that it has received from the doctors treating you (attending physicians) (e.g. name and date of the surgery appointment), insofar as this is necessary for the fulfilment of the hospital contract with you.

1.5.    Purposes and legal bases of processing
1.5.1.   The following categories of data are processed:

  • Patient data (name, address, telephone number, e-mail)
  • Sensitive data (treatment data, health data)
  • Sensitive data (religious affiliation, racial or ethnic origin)
  • Sensitive data (biometric data, genetic data)
  •  Sensitive data (sex life or sexual orientation)
  • Bank details
  • Social security data
  • Social data (e.g. when exchanging data with KVs)
  • Payment data 
  • Advertising and sales data
  • Employee data 
  • Supplier data (e.g. laboratories, doctors, technical service providers)

1.5.2.    Your data is collected in order to
to fulfil the treatment contract between you and your doctor and the associated obligations. The data includes your personal data (name, address, etc.) but also medical histories, diagnoses, therapy suggestions and findings that we or other doctors collect. For these purposes, other doctors or psychotherapists with whom you are being treated may also provide us with data (e.g. in doctor's letters).

1.5.3.    Legal bases of the processing
If sensitive data pursuant to Art. 9 GDPR is processed in the course of administrative activities, this is generally based on Art. 9 para. 2 lit. h GDPR. In this case, disclosure is only permitted if it is made to specialised personnel who are subject to a confidentiality obligation within the meaning of Section 203 of the German Criminal Code (StGB).
Your health data (e.g. medical reports, admissions, findings) will also be processed by MVZ PAN Institut GmbH in special cases on the basis of your consent in accordance with Art. 9 para. 2 lit. a GDPR (consent), this includes the transfer of health data to other doctors who are not involved in the treatment (if there is no legal basis) or to billing services for private patients or when using the appointment scheduling software, the transmission of tissue samples or the transfer of data from the laboratory findings system.
Your data is processed on the basis of Art. 6 para. 1 lit. a GDPR (consent) or, in the case of health data, on the basis of Art. 9 para. 2 lit. a GDPR (consent); this includes the transfer of data for advertising purposes, for which consent is required, but also consent to the transfer of data to the German IVF Register (DIR)

Your data will also be processed on the basis of Art. 6 para. 1 lit. b GDPR (fulfilment of the contract), e.g. for billing and accounting purposes.

Your data will also be processed on the basis of Art. 6 para. 1 lit. c GDPR (legal obligation). Diagnostic documents from a radiological examination must be kept for 30 years. Otherwise, a 10-year period from the HGB and the AO often applies. X-ray or CT examinations may be passed on to an attending physician on the basis of a legal order in order to spare you unnecessary exposure to radiation. Furthermore, we are subject to a number of statutory reporting obligations, e.g. in the context of prenatal diagnostics, reproductive medicine and in the event of serious adverse events (e.g. Section 4 (1) PIDG NRW, Section 63i AMG, Section 8 (2) and (3) Preimplantation Genetic Diagnosis Ordinance)

In addition to the actual fulfilment of the contract, MVZ PAN Institut GmbH processes personal data in accordance with Art. 6 para. 1 sentence 1 letter f GDPR. This is permissible insofar as the processing is necessary to safeguard our legitimate interests or those of a third party, unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail. Such a legitimate interest exists in the case of

a) Acting within the scope of receivables management. The "outsourcing" of receivables management is in line with general expectations in legal transactions, especially for small and medium-sized companies.
b) Notification and data exchange with credit agencies (e.g. SCHUFA) to report a documented inability or unwillingness to pay for specific business transactions. This only takes place if the debtor's inability or unwillingness to pay is documented, for example by a government agency.
c) Assertion of legal claims and defence in legal disputes
d) To advertise our own products within the permitted legal framework, but not to patients (e.g. existing customer advertising or recommendation advertising (flyers) that is not relevant under data protection law)
e) Ensuring the company's IT security and IT operations as long as no health data needs to be disclosed.
f) To prevent and investigate criminal offences, in particular we use data analyses to identify indications of fraud or abuse.

1.6.    Recipients or categories of recipients of the personal data
Within MVZ PAN Institut GmbH, those departments that require your data to fulfil the contractual obligations of MVZ PAN Institut GmbH will have access to it. Processors engaged by MVZ PAN Institut GmbH (Art. 28 GDPR) may also receive data for these purposes. 
A list of the contractors and service providers we use with whom we have business relationships that are not merely temporary can be found in the appendix to this text.

  • Doctors providing further treatment, if the forwarding of the examinations is regulated by law (e.g. Section 28 (6) RöV) or you have given your consent. 
  • Supervisory and authorisation authorities
  • The Association of Statutory Health Insurance Physicians (KV)
  • Your statutory health insurance company
  • Medical service of the health insurance funds (MDK)
  • Professional associations (BG) within the scope of § 201, 203 SGB VII
  • Private clearing centres
  • Medical associations
  • Paul Ehrlich Institute and the District Government of Cologne (e.g. to fulfil our reporting obligation for adverse events (AEs) under the AMG), Robert Koch Institute (for infectious diseases under the IfSG), 
  • North Rhine Medical Association / Ethics Committee (e.g. legally required disclosure of statistical data as part of the PIDG NRW)
  • DIMDI (notification of pregnancies in accordance with §6 SaRegG)
  • Attending physicians and anaesthetists involved in the treatment
  • External service providers.

1.7.    Transfer of personal data to a third country
There are no plans to transfer your personal data to a third country or an international organisation.

1.8.    Duration of storage of personal data
We delete your personal data as soon as it is no longer required for the above-mentioned purposes. Data may be stored for the period in which legal claims are asserted against us statutory regular limitation period 3 years § 195 BGB, up to 30 years § 197 BGB. 
We also store your data insofar as we are legally obliged to do so. Corresponding proof and retention obligations arise for us from:

  • the German Fiscal Code (§ 147 AO 6 or 10 years)
  • 10-year retention period for the patient file (Section 630f (3) BGB)
  • the German Commercial Code (§ 257 HGB 6 or 10 years)
  • the X-Ray Ordinance (§ 28 RöV, 30 years)

1.9.    Rights of data subjects
According to the General Data Protection Regulation, you have the following rights:

If your personal data is processed, you have the right to obtain information about the personal data stored about you (Art. 15 GDPR).

If incorrect personal data is processed, you have the right to rectification (Art. 16 GDPR).

If the legal requirements are met, you can request the erasure or restriction of processing and object to processing (Art. 17, 18 and 21 GDPR).

If you have consented to the data processing or a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR).

If you make use of your above-mentioned rights, the controller will check whether the legal requirements for this are met.

If you are of the opinion that data processing violates applicable data protection law, you have the right to lodge a complaint with a data protection supervisory authority. You can reach the supervisory authority responsible for our company using the following contact details
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, P.O. Box 20 24 44, 40102 Düsseldorf

1.10.    Obligation to provide the data
MVZ PAN Institut GmbH requires your data in order to carry out and invoice your treatment and, if necessary, to transmit diagnoses and findings to doctors providing further treatment.

Without this data, MVZ PAN Institut GmbH will generally have to refuse to conclude the contract or will no longer be able to fulfil an existing contract and may have to terminate it.

You are also contractually obliged under the care contract to provide MVZ PAN Institut GmbH with your patient master data (name, address, telephone number, e-mail address). If you do not provide the data, we will not be able to provide treatment.

1.11.    Special case: Obligation to provide information in the event of a subsequent change of purpose

1.12.    Indication of the existence of automated decision-making including profiling
MVZ PAN Institut GmbH processes some of your data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in the following cases: 
Art. Appendix 1: Service providers who work for us by way of order processing (as of SEP 2020):


Service provider

Aim/purpose of the assignment

MVZ PAN Institut GmbH

Pan-Praxis-Clinic at the Neumarkt

Billing, website and Soc-Med channel support; marketing.

MVZ PAN Institut GmbH

AmbulApps GmbH

Software maintenance

MVZ PAN Institut GmbH


Central IT service provider; data media destruction;

MVZ PAN Institut GmbH

Company Niesen

Data storage

MVZ PAN Institut GmbH

Pelz Zeit- und Datenerfassung OHG

Software maintenance

MVZ PAN Institut GmbH

CGM Medistar Systemhaus GmbH

Software maintenance

MVZ PAN Institut GmbH


Online appointment selection


Declaration of consent


2. Information about your right to object in accordance with Art. 21 GDPR

1. you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (data processing on the basis of a balancing of interests). 
If you object, MVZ PAN Institut GmbH will no longer process your personal data unless MVZ PAN Institut GmbH can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

2. in individual cases, MVZ PAN Institut GmbH processes your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of data concerning you for the purpose of such advertising. If you object to processing for direct marketing purposes, MVZ PAN Institut GmbH will no longer process your personal data for these purposes. 
The objection can be made informally and should preferably be addressed to
be addressed to:

MVZ PAN Institut GmbH, Zeppelinstr. 1, 50667 Köln,, 0221 2776-610