Data privacy information for patients pursuant to the requirements of Art. 13, Art. 14 General Data Protection Regulation (GDPR)

Dear Patient,

Our clinic attaches considerable importance to compliance with the requirements of data protection laws. We must process medical and personal data in order to provide the treatment and care you need. Below you will find information about the purposes for which our clinic collects, processes or transfers data.

Contact details for the clinic controller:

Städtisches Klinikum Görlitz gGmbH
Girbigsdorfer Straße 1 – 3, 02828 Görlitz;
Phone 03581/371552, email:

Hospital data protection officer:

RPM Datenschutz UG (haftungsbeschränkt)
Struve Str. 15, 02826 Görlitz

Purposes of processing

We need to record your personal details in order to ensure orderly administrative management of your treatment. Not included in this are exclusively cases of confidential births. In most cases it would not be lawful to provide treatment without being aware of your personal details. In particular, the processing of your data for preventative, diagnostic, therapeutic, curative and follow-up reasons is necessary to ensure you receive personal care and treatment. Moreover, processing takes place – for the assurance of optimised care – in connection with interdisciplinary panels to analyse and discuss diagnosis and treatment and for preparatory, ongoing and follow-up care within the framework of diagnostics, therapy, findings and disease/vital status. Discharge letters and reports are also written, and processing may take place furthermore to detect and fight hospital infections within the framework of quality assurance, as well as to provide pastoral and social care and discharge management. Your treatment must also be managed from an administrative perspective.
For the large part, this means processing your data for accounting and controlling purposes and for the establishment, exercise and defence of legal claims etc. It also takes place for compliance with legal reporting obligations (e.g. based on notification laws, due to infection protection and submissions to the Cancer Registry). Treatment data may also be associated for initial interventions in regard to hip and knee replacements.

Where do we obtain your data?

As a rule, we collect the data from you personally. It is possible, however, in individual cases that we will receive personal data about you from other hospitals that performed the initial treatment, from practising doctors, specialists, medical care centres and such like. This information will be associated with your other data at our hospital in order to ensure complete and uniform documentation.

Who has access to your data?

The persons involved in your treatment have access to your data, which includes doctors from other departments participating in interdisciplinary treatment (treatment team) or administrative employees who deal with accounting for your treatment. Our specialist staff members are either bound by a professional code of secrecy or have signed a confidentiality undertaking. Access is strictly controlled and is only enabled for fulfilment of relevant tasks.

Legal basis for the processing of your personal data

There are a variety of legal bases that allow a hospital operator to process data. Included in these are, in particular, the GDPR, Book Five of the German Social Code (SGB V), the Federal Data Protection Act (BDSG) and the German Civil Code (BGB), as well as the Rules of Professional Practice for Doctors and the Hospitals Act in Saxony (SächsKHG).

The following are named as examples of legal bases for the processing of health data:

  • Data processing for the purposes of treatment documentation (Art. 9 (2) (h) GDPR in conjunction with Section 630a et seq., 630f BGB),
  • Data processing for the purposes of communication about patients between doctors and professions in hospitals for the assurance of treatment (Art. 9 (2) (h) GDPR in conjunction with Section 630a et seq. BGB),
  • Transfer of data to hospital administration for the purposes of billing for on-call services (Art. 9 (2) (h) in conjunction with Art. 9 (3) GDPR),
  • Data transfer for the purposes of quality assurance (Art. 9 (2) (i)) GDPR in conjunction with Section 299 SGB V in conjunction with Section 136 SGB V, i.e. the regulations of the Federal Joint Committee (G-BA)) etc.

Possible recipients of your data

Your data can only be transferred to third parties where you have given your explicit consent or the hospital is required to do so for compliance with a legal obligation. Within the framework of your treatment, your data will only be transferred to authorised recipients in accordance with the aforementioned statutes.

The following in particular may be recipients in this regard:

  • statutory health insurance providers if you are insured in this way,
  • private health insurance providers if you are insured in this way,
  • accident insurance providers, pastoral counsellors
  • rehabilitation facilities,
  • GPs and doctors providing further or concomitant treatment,
  • other facilities within the healthcare system,
  • external data processors (contract processors), and
  • Institut für angewandte Qualitätsförderung und Forschung im Gesundheitswesen GmbH

The scope of data is strictly controlled and is only made available to recipients for fulfilment of relevant tasks.

Which data is transferred in each case?

Where data is transferred, the type of data will depend on the individual category of recipient.
Information transferred to your health insurance provider pursuant to Section 301 SGB V, for instance, will involve the following data:

  • name of the insured person, date of birth, address, insurance number and insurance status;
  • the date, time and reason for admission, as well as the initial and admissions diagnosis, the following diagnoses if there are changes, the probable duration of hospital treatment and, if this period is exceeded, the medical reasons if requested by the health insurance provider; weight on admission for infants aged 12 months and less;
  • date, time and reason for discharge or relocation, as well as the principal and secondary diagnoses determining the hospital treatment;
  • information concerning rehabilitation measures carried out at the hospital, as well as assessments of the patient's fitness for work and proposals for each treatment with statement of suitable facilities.
  • information transferred to the Institut für angewandte Qualitätsförderung und Forschung im Gesundheitswesen GmbH involves the following data: health insurance number, name of the health insurance provider and treatment data
  • (e.g. X-ray findings, duration of treatment, complications) regarding your surgery.

Exercise of legitimate interests

Where the hospital operator is compelled to seek legal or judicial assistance in order to exercise claims against you or your health insurance provider insofar as the hospital invoice is not settled, the hospital operator must disclose the data about you and your treatment that is necessary for the enforcement of these claims.

For how long will my data be stored?

The hospital operator is required, pursuant to Section 630f German Civil Code (BGB), to keep and store records documenting your treatment. The hospital may comply with this obligation by maintaining a patient file in a paper form or electronically. A large variety of specific legal provisions address the question of how long a hospital must keep the records in individual cases.
They include the X-ray Ordinance (RöV), the Radiation Protection Ordinance (StrlSchV), the Pharmacy Operations Ordinance (ApBetrO), the Transfusion Act (TFG) and many more. These legal provisions stipulate different storage periods. It is important to note furthermore that hospitals are required to keep patient files for up to 30 years for the purpose of furnishing evidence. Underlying this requirement is that the limitation period pursuant to Section 199 (2) German Civil Code (BGB) for claims to indemnification exercised by patients against the hospital is 30 years at most.

Your rights

You may exercise the following rights against us pursuant to GDPR, provided the legal requirements are satisfied:

  • the right to access your data, the right to rectification of your data, provided the data remains transparent once the changes are made,
  • the right to erasure of your data within the framework of the statutory storage periods,
  • the right to restriction of processing, with due consideration of the applicable documentation obligations,
  • the right to data portability concerning data made available to the clinic by you.

Withdrawal of prior consent

Where processing of your data is based on consent given by you to the hospital operator, you shall have the right to withdraw your consent at any time. You may withdraw your consent from us in writing/by post/by email. You are not obliged to provide reasons. However, your withdrawal of consent shall only apply from the time at which it is declared. It does not affect the lawfulness of processing carried out until your withdrawal of consent.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data is unlawful under data protection rules. The competent supervisory authority in the Free State of Saxony is:

Commissioner for Data Protection and Freedom of Information in the Free State of Saxony
Postfach 11 01 32
01330 Dresden