Privacy Policy
This privacy information explains how your personal data are processed when you visit our website and our medical practice (hereinafter “we” or “us”).
1. Scope of this privacy information
This privacy information applies to the use of the websites, the use of medical services, and ancillary activities related thereto (for example, appointment bookings).
2. Controller responsible for processing your personal data
Unless explicitly stated otherwise in this document, the controllers responsible under data protection law for processing your personal data are:
Dr Fabian Unterhofer
General practitioner
Email: unterhofer@augmentierte-therapie.at
Dr Claus Derganc
General practitioner
Email: derganc@augmentierte-therapie.at
Dr Erik Kakrik
Specialist in psychiatry
Email: kakrik@augmentierte-therapie.at
Address of all controllers:
Center for Augmented Therapy
Schmalzhofgasse 4/DG
1060 Vienna
Controller responsible for operating the website:
Derganc Unterhofer OG
Cost-sharing association and management company
Schmalzhofgasse 4/DG
1060 Vienna
Email: info@augmentierte-therapie.at
3. Definitions
This privacy information is based on the following key data protection terms, which we have set out below to make it easier to understand:
- GDPR means the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data, and repealing Directive 95/46/EC).
- Recipient means a natural or legal person, public authority, agency, or other body to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Examples of possible recipients: banks and payment service providers; logistics companies; shipping service providers; IT service providers.
- Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Examples of personal data: name; contact details; bank and credit card details.
- Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- (Data) processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
4. Processing on our website and in the context of the contractual relationship
When you access our website to find out about our services or otherwise actively provide information, we process your personal data for the following purposes and on the basis of the following legal bases:
4.1 Processing for the purpose of IT security
When you visit our website, we process the personal data that are technically necessary for us to display our website to you and to ensure stability and security when you visit our website. For this purpose, we process the following personal data, where applicable:
- IP address
- Browser type and version
- Operating system and platform
- the full Uniform Resource Locator (URL)
Legal basis:
This data processing is necessary to provide our website (legal basis: Art. 6(1)(b) GDPR) and to safeguard our legitimate interest in ensuring IT security (legal basis: Art. 6(1)(f) GDPR).
Storage period:
The above data are stored for security purposes in server log files, which are automatically deleted after 7 days.
This data processing is necessary to safeguard our legitimate interest in the automated, needs-based provision of our website (legal basis: Art. 6(1)(f) GDPR).
Recipients:
The recipient of your data is Hetzner Online GmbH.
4.2 Processing for the purpose of concluding contracts or pre-contractual measures and contacting us, as well as for the provision of medical services
4.2.1 Treatment in our medical practice
If you visit our medical practice as a patient, we process personal data that are necessary for providing medical treatment. Processing is carried out via our web-based practice management system, which is hosted by Care01.
In particular, we process the following data:
- Last name, first name
- Address data
- Date of birth
- Social insurance data
- Data relating to private health insurance
- Billing data for private health insurers with whom we bill directly
- Health data (e.g. medical history, diagnoses, psychometric data, laboratory diagnostics data, course of treatment, and the type and scope of diagnostic or therapeutic services, including the use of medicinal products)
- Telephone number
- Email address
Legal basis:
Processing of these data is necessary for the performance of the treatment contract and/or for carrying out pre-contractual measures (e.g. scheduling appointments) (Art. 6(1)(b) GDPR in conjunction with Art. 9(2)(h) GDPR).
Telephone number and email address are also processed on the basis of your consent if you expressly wish to be contacted via these channels (Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR).
Recipients:
Recipients of your data are:
- ELGA GmbH for e-card connectivity
- Public health insurance funds: Austrian Health Insurance Fund, Social Insurance Institution for the Self-Employed, Insurance Institution for Public Service Employees, Railways and Mining.
- Private health insurers with whom we bill directly: UNIQA Österreich Versicherungen AG, and possibly other private health insurance providers if you ask us to contact them.
- External laboratory service provider labors.at (Mühl – Speiser – Bauer – Spitzauer und Partner Fachärzte für medizinische und chemische Labordiagnostik OG)
Storage period:
Health data and other records within the meaning of Section 51 of the Austrian Medical Act (ÄrzteG) are retained for at least 10 years. Longer retention may be necessary in individual cases for medical or legal reasons. Data processed solely on the basis of consent are stored only for as long as that consent remains in effect.
4.3 Data exchange within the group practice for purely organisational purposes
For organisational handling, it may be necessary for physicians within the group practice to access a patient’s master data.
In particular, the data exchange may concern the following data:
- Master data (e.g. name, contact details),
- Organisational data (e.g. appointment and administrative information).
Such data exchange takes place only if the legitimate interest of the respective controller outweighs the interest of the data subject. No health data are processed in this context.
Legal basis:
Legitimate interest pursuant to Art. 6(1)(f) GDPR.
Objection:
You may object to the controller. The controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defence of legal claims.
Recipients:
The recipients of the data are exclusively the physicians of the group practice and, where necessary, their practice staff who are bound by confidentiality.
Storage period:
The data processed in the course of treatment are stored in accordance with statutory retention obligations, in particular pursuant to Section 51 of the Austrian Medical Act (ÄrzteG).
4.4 Data exchange within the group practice with your consent
For organisational handling as well as medically appropriate and continuous treatment, it may be helpful for physicians within the group practice to exchange personal data with one another and/or to access them.
In particular, the data exchange may concern the following data:
- Master data (e.g. name, contact details),
- Organisational data (e.g. appointment and administrative information),
- Health data (e.g. medical history, findings, diagnoses, course of therapy, medication).
Such data exchange takes place exclusively on the basis of your explicit consent, which you provide separately as part of patient intake. Without your consent, data exchange within the group practice takes place only insofar as it is mandatory by law or necessary to protect vital interests.
Legal basis:
Consent pursuant to Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.
Withdrawal:
You may withdraw this consent at any time with effect for the future. The lawfulness of the processing carried out up to the withdrawal remains unaffected. Please note that a withdrawal may have organisational implications for internal cooperation within the group practice.
Recipients:
The recipients of the data are exclusively the physicians of the group practice and, where necessary, their practice staff who are bound by confidentiality.
Storage period:
The data processed in the course of treatment are stored in accordance with statutory retention obligations, in particular pursuant to Section 51 of the Austrian Medical Act (ÄrzteG).
4.4.1 Appointment booking via Care01
For online appointment booking, we use a booking module from Care01. Via a corresponding link, you will be redirected to Care01’s booking system. There, you enter your data yourself for the first time. Care01 provides its own terms of use and privacy policy as part of this booking process.
As part of appointment booking, the following data are processed in particular:
- Last name, first name
- Email address
- Telephone number
- Appointment details
- Patient master data (insurance, date of birth, address)
The data collected as part of appointment booking are subsequently transferred to our web-based practice management system hosted by Care01 and further processed there.
Legal basis:
Processing is carried out to implement pre-contractual measures and/or to initiate the treatment contract (Art. 6(1)(b) GDPR).
Recipients:
Peacequare GmbH
Storage period:
To the extent that the data are required for the performance of the treatment contract, they are stored for the duration of the contractual relationship and in accordance with statutory retention obligations. Any data beyond this will be deleted unless statutory retention obligations apply.
4.4.2 Video conference via Care01
It is possible to conduct video conferences as part of telemedicine via the booking module from Care01.
As part of the video conference, the following data are processed in particular:
- Last name, first name
- Email address
- Telephone number
- Appointment details
- Data from the video conference
Legal basis:
Processing is carried out for the performance of the treatment contract (Art. 6(1)(b) GDPR in conjunction with Art. 9(2)(h) GDPR).
Recipients:
Peacequare GmbH
Storage period:
To the extent that the data are required for the performance of the treatment contract, they are stored for the duration of the contractual relationship and in accordance with statutory retention obligations. Any data beyond this will be deleted unless statutory retention obligations apply. The video conference data themselves are not stored.
5. Storage period due to statutory requirements and for the defence of legal claims
We store your personal data, as necessary, for the duration of the entire business relationship (from initiation and performance through to termination of a contract) and beyond that, in accordance with statutory retention and documentation obligations and/or for the defence of legal claims. The retention period therefore results from statutory retention periods and/or limitation periods. These are, for example, 7 years under the Austrian Commercial Code (UGB) and the Federal Fiscal Code (BAO), and in certain cases “at least” 10 years under the Austrian Medical Act.
In certain cases, a longer retention period may also be required for the defence of legal claims and/or due to limitation periods.
6. Recipients of your data
We transmit personal data only to the extent necessary and only to recipients who are authorised to process them or who are engaged by us as processors.
6.1 List
Below, we provide a clear list of the recipients of data outside the group practice described above.
| Recipient | Note |
| --- | --- |
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Our website is hosted by an external service provider. A data processing agreement pursuant to Art. 28 GDPR has been concluded with the hosting provider. |
| Peacequare GmbH, Museumstraße 5/17, 1070 Vienna | For online appointment booking and telemedicine, we use a booking module from Care01 (Peacequare GmbH) and the video conferencing module. The data entered there are subsequently transferred to our web-based practice management system hosted by Care01 and processed there for appointment management and treatment preparation. The videos are not stored. Care01, as a technical service provider, also processes technical log data (e.g. IP address, browser information, log files) for system security and error analysis. Further information can be found in Care01’s privacy policy, which is available during the booking process, or via contact@care01.com. |
| ELGA GmbH, Treustraße 35-43/ Stg. 4/ 1st floor, 1200 Vienna | ELGA GmbH is responsible for connectivity to the eCard system, the electronic health record, eMedication, and ePrescription. |
| Austrian Health Insurance Fund (ÖGK), Wienerbergstraße 15-19, 1100 Vienna | ÖGK, SVS, and BVAEB are public health insurance funds to whose systems we must be connected. We can submit invoices to these funds on your behalf. |
| Social Insurance Institution for the Self-Employed (SVS), Wiedner Hauptstraße 84-86, 1051 Vienna | |
| Insurance Institution for Public Service Employees, Railways and Mining (BVAEB), Josefstädter Straße 80, 1080 Vienna | |
| UNIQA Österreich Versicherungen AG, Untere Donaustraße 21, 1029 Vienna | As part of the LARA programme, we bill UNIQA directly. |
| Mühl – Speiser – Bauer – Spitzauer und Partner Fachärzte für medizinische und chemische Labordiagnostik OG (labors.at), Kürschnergasse 6 B, 1210 Vienna | If we require laboratory analyses for diagnostic purposes, we handle these via our partner labors.at. |
6.2 Further recipients
At your request (e.g. billing questions with additional private health insurers) or due to medical necessity, data may be transmitted to further recipients in individual cases. In this case, we will discuss this with you in advance and inform you separately about the recipients of your data.
7. Your further data protection rights
7.1 Data subject rights
Below, we inform you about your data subject rights:
- You have the right to know whether we process personal data concerning you. If so, you have the right to information about these data pursuant to Article 15(1) and (2) GDPR, including a copy of the data pursuant to Art. 15(3) and (4) GDPR.
- You may request the correction or completion of inaccurate or incomplete data concerning you (Art. 16 GDPR).
- You have the right to request the erasure of your data, provided there is no legal basis for further processing of your data (see Article 17 GDPR for details). Please note, however, that erasure is not possible in cases where processing (retention) is necessary to comply with a legal obligation (e.g. statutory retention obligations) or where we have overriding legitimate interests (e.g. for the establishment, exercise, or defence of specific legal claims).
- You have the right, under certain conditions, to request restriction of the processing of your data (Art. 18 GDPR).
- You may object to processing of your data that is necessary to safeguard our legitimate interests or those of a third party (Art. 6(1)(f) GDPR). In the event of an objection, we will no longer process your data unless the processing serves the establishment, exercise, or defence of legal claims, or we can demonstrate compelling legitimate grounds for the processing that override your interests (where applicable, taking into account your particular situation). If you object to processing for direct marketing purposes (including profiling insofar as it is related to such direct marketing), we will no longer process your personal data for these purposes (Art. 21 GDPR).
- You may request that we transfer the data you have provided in a structured, commonly used, and machine-readable format. However, the right to data portability exists only where processing is based on your consent or on a contract (Art. 20 GDPR).
Please address your request to us by email or in writing, stating at least your first and last name.
We note that your rights may be restricted pursuant to Section 3b of the Austrian Medical Act (ÄrzteG). If we nevertheless provide you with information within the scope of Section 3b ÄrzteG, this is to be regarded as voluntary and without any claim to completeness.
If you assert your rights vis-à-vis us, we process the personal data collected in this context in order to respond to your request. This data processing is necessary to comply with a legal obligation (Art. 6(1)(c) GDPR).
Without prejudice to your rights described above vis-à-vis us, you may lodge a complaint with the competent data protection supervisory authority if you believe that the processing of personal data concerning you by us violates the GDPR (Art. 77 GDPR). In Austria, this is the Data Protection Authority. You may also lodge a complaint with another data protection supervisory authority in the European Union, in particular at your place of residence or work.
7.2 Withdrawal of consent
If you have given us consent to process your personal data, you may withdraw it at any time. Withdrawal of your consent takes effect for the future. The lawfulness of the processing of your personal data up to the time of withdrawal remains unaffected.
Please address your withdrawal to kontakt@augmentierte-therapie.at.
If you withdraw your consent, we process the personal data collected in this context in order to respond to your request. This data processing is necessary to comply with a legal obligation (Art. 6(1)(c) GDPR).
Status: 2026-02-03

