1. Data controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Kopfklinik Frankfurt GmbH
Dreieichstraße 59
60594 Frankfurt am Main
- Telephone: +49 69 507758-0
- Email: info@kopfklinik-frankfurt.de
- Website: https://kopfklinik-frankfurt.de
- Management: PLEASE FILL IN: Name(s) of the directors as listed in the Companies Register
- Company Register: PLEASE FILL IN: Local Court and HRB number
- VAT number: PLEASE COMPLETE: VAT registration number in accordance with Section 27a of the German VAT Act
2. Data Protection Officer
Our company data protection officer is:
PLEASE FILL IN: Name of the DPO
PLEASE COMPLETE: Company name and address of the DPO (if applicable)
Email: PLEASE FILL IN: datenschutz@kopfklinik-frankfurt.de or an external address
3. Collection and processing of personal data when visiting the website
3.1 Server log files
When you visit our website, the following data is automatically recorded in log files and stored temporarily via the hosting panel (CloudPanel) we use:
- IP address of the requesting device
- Date and time of the enquiry
- URL accessed
- HTTP status code and amount of data transferred
- User-Agent (browser and operating system information)
- Referrer URL (referring page, if provided)
Only the standard web server log files (nginx access.log and error.log) are collected. No additional logging is carried out.
Purpose: Ensuring the stable and secure operation of the website, detecting and defending against attacks, and analysing technical faults.
Legal basis: Article 6(1)(f) of the GDPR (legitimate interest in the secure and trouble-free operation of the website).
Retention period: The log files are rotated daily and automatically deleted after 7 days (CloudPanel default configuration). This data is not linked to any other data sources.
3.2 Cookies
No cookies are set when you visit the public section of our website. Cookies are used exclusively in the internal editorial backend when an authorised member of staff logs in:
| Cookie | Purpose | Retention period |
|---|---|---|
| wordpress_logged_in_* | Authentication of the backend user | Up to 14 days |
| wp-settings-* | Display options in the backend | 1 year |
| PHPSESSID | Server session | Browser session |
These cookies are technically necessary within the meaning of Section 25(2)(2) of the TTDSG and are set without consent.
We do not use any tracking, analytics or marketing cookies. We do not track users, collect analytics data or create user profiles.
3.3 Hosting
Our website is hosted on a virtual server (vServer) in a data centre in Germany. We use the CloudPanel server management system to manage our web services.
The technical provision and maintenance of the server is currently carried out by an external IT service provider on behalf of Kopfklinik Frankfurt GmbH. A contract for data processing has been entered into with this service provider in accordance with Article 28 of the GDPR.
Planned migration: In the medium term, the website infrastructure is to be transferred to the practice’s own management. We will keep you informed here of any changes to the hosting arrangements.
Transfers to third countries: No personal data is transferred to third countries outside the EU/EEA.
4. Patient contact
4.1 Contact by telephone and email
You can contact us by telephone on +49 69 507758-0 or by email at info@kopfklinik-frankfurt.de. When you contact us, we collect the following data:
- Name
- Contact details (telephone, email)
- Your enquiry (e.g. appointment request, query regarding treatment)
- For medical enquiries: details of symptoms, pre-existing conditions, and health insurance
Purpose: Processing your enquiry, arranging and implementing the treatment contract.
Legal basis:
- Article 6(1)(b) of the GDPR (pre-contractual measures) for administrative data
- Article 9(2)(h) of the GDPR in conjunction with Section 22(1)(1)(b) of the BDSG for health data (treatment in the healthcare sector)
Professional confidentiality: All doctors and medical staff working at our practice are bound by medical confidentiality in accordance with Section 203 of the German Criminal Code (StGB) and the Code of Conduct of the Hesse Medical Association. Patient data is only disclosed to parties involved in the treatment process (e.g. referring doctors, laboratories, insurance providers) or where there is a legal obligation to provide such information.
Retention period: Patient records are retained for a period of at least 10 years following the completion of treatment, in accordance with Section 10(3) of the German Medical Act and Section 630f of the German Civil Code. In certain cases, longer statutory retention periods may apply (e.g. 30 years under the Radiation Protection Ordinance, 3 years for records under the German Narcotics Act).
Emails that do not contain medical information (e.g. general enquiries) will be deleted as soon as the process is complete and provided there are no legal retention requirements to the contrary.
4.2 Security of email communication
Please note: Communicating via unencrypted email poses security risks. For sensitive medical data, we recommend contacting us by telephone or post.
5. Data processing security
We implement technical and organisational measures in accordance with Article 32 of the GDPR to protect your data:
- TLS encryption across the entire website (HTTPS, HSTS preload)
- Security headers (Strict Transport Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy)
- Hidden WordPress login (no public /wp-login.php endpoint)
- Brute-force protection for login attempts (Limit Login Attempts Reloaded)
- Blocking WordPress REST endpoints for unauthenticated requests
- Regular updates to WordPress, themes and plugins
- Daily backups
- Access to the backend is restricted to authorised users with individual logins
6. Software and plugins used
Our website uses the following WordPress plugins:
| Plugin | Purpose | Does it process personal data? |
|---|---|---|
| Elementor / Elementor Pro | Page layout | No (front-end only) |
| Image Optimisation | Image compression | No (server-side) |
| Ocean Extra | Theme extension | No |
| The SEO Framework | Search engine optimisation, meta tags | No |
| Breadcrumb NavXT | Navigation path | No |
| CLP Varnish Cache | Server caching | No (anonymous IP hashes) |
| Limit Login Attempts Reloaded | Brute-force protection | IP addresses for failed login attempts (max. 24 hours) |
| WPS Hide Login | Hidden login path | No |
| Extra Privacy for Elementor | Data protection guidance | No |
In addition, we use our own hardening plugin (kopfklinik-hardening.php) to block WordPress user enumeration and to disable Gravatar requests to external servers.
7. External content
No external content (e.g. Google Maps, YouTube, Vimeo, social media plugins) is embedded on our website. Links to Google Maps only open after you click on them, and only then do they transmit data to Google. A link to the HNO Rüsselsheim practice website (hno-zentrum-frankfurt.de) as a partner also does not transmit any data to third parties without a click.
8. Texts and images
Fonts and images are served exclusively from our own server. No connection is made to external font services (e.g. Google Fonts).
9. Your rights as a data subject
Under the GDPR, you have the following rights:
- Right of access (Article 15 of the GDPR): Information about the personal data held about you
- Right to rectification (Article 16 of the GDPR): Correction of inaccurate data
- Right to erasure (Article 17 of the GDPR): Erasure of your data, provided there are no legal obligations to retain it
- Right to restriction of processing (Article 18 of the GDPR)
- Right to data portability (Article 20 of the GDPR)
- Right to object (Article 21 of the GDPR) to processing based on legitimate interests
- Right to withdraw consent (Article 7(3) of the GDPR) with effect for the future
To exercise your rights, please contact: PLEASE FILL IN: datenschutz@kopfklinik-frankfurt.de or the DPO's address
10. Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Article 77 of the GDPR). The competent authority for us is:
The Hessian Commissioner for Data Protection and Freedom of Information
PO Box 3163
65021 Wiesbaden
- Telephone: +49 611 1408-0
- Email: poststelle@datenschutz.hessen.de
- Web: https://datenschutz.hessen.de
11. Automated decision-making
No fully automated decision-making, including profiling as defined in Article 22 of the GDPR, takes place.
12. Up-to-date information and changes
This privacy policy is dated 5 May 2026. Further development of our website or changes to legal requirements may necessitate amendments to this privacy policy. The latest version can be found at https://kopfklinik-frankfurt.de/datenschutz/.
