Detailed patient information
according to GDPR


1.    Art. 13 GDPR

1.1.    Description of the processing activity
This privacy policy serves to fulfil the treatment contract between you and your doctor and the associated duties.
The collection of health data is a precondition for your treatment. If the necessary information is not provided, careful treatment cannot take place.

1.2.    Name and contact details of the responsible person
Responsible for the data collection is
Dr. Stefan Palm , Managing Director of MVZ PAN Institut GmbH, Zeppelinstr. 1, 50667 Cologne, email:

1.3.    Contact details of the data protection officer
The data protection officer is
Dr. iur. Andreas Pinheiro, LL.M.
Berrenrather Str. 274, 50937 Cologne
Company ap-datenschutz

1.4.    Origin of personal data MVZ PAN Institut GmbH
processes personal data that it receives from you in the course of its business relationship. 
In addition, it processes - insofar as necessary for the fulfilment of the hospital contract with you - personal data which it has received from the doctors treating you (affiliated doctors) (e.g. name and date of the surgery appointment). 

1.5.    Purposes and legal bases of processing
1.5.1.    The following categories of data are processed:  

  • Patient data (name, address, telephone number, email)
  • Sensitive data (treatment data, health data)
  • Sensitive data (religious affiliation, racial or ethnic origin)
  • Sensitive data (biometric data, genetic data)
  • Sensitive data (sex life or sexual orientation)
  • Bank details
  • Social security data
  • Social data (e.g. when exchanging data with KVs)
  • Payment data 
  • Advertising and sales data
  • Employee data 
  • Supplier data (including laboratories, doctors, technical service providers)

1.5.2.    Your data is collected
in order to fulfil the treatment contract between you and your doctor and the associated duties. The data includes your personal data (name, address, etc.), but also medical histories, diagnoses, treatment suggestions and findings that we or other doctors collect. For these purposes, other doctors or psychotherapists with whom you are receiving treatment may also transmit data to us (e.g. in doctor's letters).

1.5.3.    Legal basis for processing
If sensitive data under Art. 9 GDPR are processed in the course of administrative activities, this is based in principle on Art. 9 (2) h GDPR. In this respect, disclosure is only permissible if it is made to specialist personnel who are subject to a duty of confidentiality within the meaning of the Federal Data Protection Act. §§203 of the Criminal Code (CC).  

Your health data (e.g. doctor's reports, admissions, findings) are also processed by MVZ PAN Institut GmbH in special cases on the basis of your consent in accordance with Art. 9 Para. 2 lit. a GDPR (consent). This includes the transfer of health data to other doctors not involved in the treatment (if no legal basis exists) or to billing services for private patients or when using the appointment software, the transfer of tissue samples or the transfer of data from the laboratory findings system.

The processing of your data is based on Art. 6 (1) lit. a GDPR (consent) or, in the case of health data, on Art. 9 (2) lit. a GDPR (consent). This also includes the disclosure of data for advertising purposes for which consent is required.

Your data will also be processed on the basis of Art. 6 para. 1 lit. b GDPR (contract performance), e.g. for billing and accounting purposes.
The processing of your data is also based on Art. 6 (1) lit. c GDPR (statutory duty). Records of the findings of a radiological examination must be kept for 30 years. Incidentally, a 10-year period from the HGB and the AO often applies. X-ray or CT scans may be referred to a treating doctor under a legal order to spare you unnecessary radiation exposure.

Beyond the actual performance of the contract, MVZ PAN Institut GmbH processes personal data in accordance with Art. 6 para. 1 sentence 1 letter f GDPR. This is permitted insofar as the processing is necessary to protect our legitimate interests or the interests of a third party, unless your interests or fundamental rights and freedoms require the protection of personal data. Such a legitimate interest will be deemed to exist in the case of -

a) measures taken in the context of receivables management. The "outsourcing" of receivables management corresponds to the general traffic expectations in legal transactions, in particular for small and medium-scaled enterprises.
b) Reporting and data exchange with credit agencies (e.g. SCHUFA) for the reporting of a documented inability or unwillingness to pay for certain business transactions. This only takes place if the debtor's inability or unwillingness to pay is proven, e.g. by an authority.
c) Assertion of legal claims and defence in legal disputes
d) For advertising our own products within the permissible statutory framework, but not to patients (e.g. existing customer advertising or recommendation advertising not relevant under data protection law (flyers))
e) To ensure IT security and the IT operation of the company, insofar as no health data must be disclosed.
f) For the prevention and clarification of criminal offences. For the prevention and investigation of criminal offences. For the prevention and investigation of criminal offences, we use data analyses in particular to identify indications of fraud or misuse.

1.6.    Recipients or categories of recipients of the personal data
Within MVZ PAN Institut GmbH, those offices will receive access to your data that require it to fulfil the contractual duties of MVZ PAN Institut GmbH. Processors used by MVZ PAN Institut GmbH (Art. 28 GDPR) may also receive data for these purposes. 
A list of contractors and service providers with whom we have more than temporary business relationships can be found in the Annex to this text.

  • Other treating doctors, if the transmission of the examinations is regulated by law (e.g. §28 para. 6 RöV) or you have consented. 
  • Regulatory and licensing authorities
  • The Association of Statutory Health Insurance Doctors (KV)
  • Your statutory health insurance
  • Medical service of the health insurance companies (MDK)
  • Employer's Liability Insurance Associations (BG) within the context of §§201, 203 SSC VII
  • Private clearing houses
  • Medical societies
  • Treatment doctors and anesthesiologists involved in the treatment
  • External Service Providers.

1.7.    Transfer of personal data to a third country
There are no plans to transfer your personal data to a third country/international organisation.

1.8.    Duration of storage of personal data
We delete your personal data as soon as they are no longer required for the above purposes. It may happen that data is stored for the time in which legal claims are asserted against us regular limitation period 3 years §195 BGB, up to 30 years §197 BGB. 
In addition, we store your data insofar as we are legally required to do so. Corresponding duties of proof and storage result for us from this:

  • the tax code (§147 AO 6 or 10 years)
  • 10 years retention period for the patient file (§630f para. 3 BGB)
  • the Commercial Code (§257 CC 6 or 10 years)
  • the X-ray Regulation (§28 RöV, 30 years)

1.9.    Data Subject
Rights Under the General Data Protection Regulation you have the following rights:
If your personal data is processed, you have the right to obtain information about the data stored about you (Art. 15 GDPR).
If incorrect personal data is processed, you have a right to rectification (Art. 16 GDPR).

If the legal requirements are met, you can request the deletion or restriction of processing and object to processing (Art. 17, 18 and 21 GDPR).

If you have consented to the data processing or if a contract for data processing exists and the data processing is performed using automated procedures, you may have a right to data portability (Art. 20 GDPR).

Should you make use of your above rights, the controller will check whether the legal requirements for this are met.
If you believe that the data processing violates applicable data protection law, you have the right to complain to a data protection supervisory authority. You can reach the supervisory authority responsible for our company at the following contact details:

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information, PO Box 20 24 44, 40102 Düsseldorf

1.10.    Obligation to provide data MVZ PAN
Institut GmbH requires your data in order to perform your treatment, to invoice you and, if necessary, to transmit diagnoses and findings to doctors providing further treatment.
Without this data, MVZ PAN Institut GmbH will usually have to refuse to conclude a contract or will no longer be able to execute an existing contract and may have to terminate it.
In addition, you are contractually required within the context of the supply contract to provide MVZ PAN Institut GmbH with your patient master data (name, address, telephone, email). If you do not provide the information, we will not be able to treat you.

1.11.    Special case: Duty to provide information in the event of a subsequent change of purpose

1.12.    Reference to the existence of an automatic decision including profiling
MVZ PAN Institut GmbH processes your data partly automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in the following cases:  
Art. Annex 1: Service providers acting on our behalf by way of commissioned processing (from SEP 2020):


Service provider

Aim/purpose of the assignment

MVZ PAN Institut GmbH

Pan-Praxis-Clinic at the Neumarkt

Billing, website and Soc-Med channel support; marketing.

MVZ PAN Institut GmbH

AmbulApps GmbH

Software maintenance

MVZ PAN Institut GmbH


Central IT service provider; data media destruction;

MVZ PAN Institut GmbH

Company Niesen

Data storage

MVZ PAN Institut GmbH

Pelz Zeit- und Datenerfassung OHG

Software maintenance

MVZ PAN Institut GmbH

CGM Medistar Systemhaus GmbH

Software maintenance

MVZ PAN Institut GmbH


Online appointment selection


Declaration of consent


2. Information about your right to object according to Art. 21 DS-GVO




1. You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is performed on the basis of Article 6(1)(1)(f) DS-GVO (processing of data on the basis of a balance of interests). 
MVZ PAN Institut GmbH will no longer process your personal data in the event of the objection, unless MVZ PAN Institut GmbH can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the assertion, exercise or defence of legal claims.





2. In individual cases, MVZ PAN Institut GmbH processes your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of data concerning you for the purpose of such advertising. If you object to processing for the purposes of direct advertising, MVZ PAN Institut GmbH will no longer process your personal data for these purposes. 
The objection may be made informally and should preferably be
addressed to:



MVZ PAN Institut GmbH, Zeppelinstr. 1, 50667 Cologne,, 0221 2776-610