Privacy Policy and Consent
(pursuant to the General Data Protection Regulation – GDPR)
1. Data Controller
The entity responsible for the processing of personal and health-related data is:
Funke Center
Data Controller: Eldin Dzanko
Clemensstraße 75, 82927 Munich
Email: info@funke-center.com
2. Categories of Data Processed
Within the scope of the collaboration, the following data may be processed where necessary:
– Basic personal data (e.g., name, address, contact details)
– Data relating to the child (e.g., date of birth, development, behavior)
– Health and developmental data
– Information from medical histories, questionnaires, behavioral observations, and assessment tools
– Diagnostic results, findings, and progress documentation
– Appointment, billing, and payment data
– Communication data (email content, appointment coordination)
– Technical usage data (e.g., IP address when using website forms)
– Data from waiting list inquiries
Health data are considered special categories of personal data within the meaning of the GDPR.
3. Purposes of Data Processing
Data are processed exclusively for the following purposes:
– Provision of agreed diagnostic, counseling, therapeutic, and parent training services
– Professional documentation of treatment progress
– Appointment scheduling and organizational communication
– Billing and payment processing
– Compliance with statutory documentation and retention obligations
– Processing of contact inquiries and waiting lists
– Preparation of written findings and reports
– Quality assurance and professional documentation within the context of treatment
4. Legal Bases for Processing
Processing is carried out on the basis of:
– Art. 6(1)(b) GDPR (performance of the treatment agreement)
– Art. 9(2)(a) GDPR (explicit consent to the processing of health data)
– Art. 9(2)(h) GDPR (healthcare and treatment in the health sector)
– Art. 6(1)(c) GDPR (compliance with legal obligations, in particular tax and professional retention duties)
5. Recipients of Data
Personal and health-related data are processed only to the extent necessary and disclosed solely to recipients required for treatment, organization, or billing purposes. These include in particular:
– Mailbox.org (email communication, cloud storage, secure document storage where applicable)
– Appointmed (appointment management, video sessions, treatment and progress documentation)
– WIX (operation and hosting of the website, contact and registration forms)
– Banks / payment service providers (payment processing)
– Tax advisory / accounting services (tax and accounting obligations)
Where required, the above service providers are engaged as processors pursuant to Art. 28 GDPR and appropriate data processing agreements are in place. Data processing generally takes place within the European Union. Disclosure of personal or health-related data to additional third parties (e.g., physicians, therapists, schools, kindergartens, authorities, or other professional bodies) occurs only on the basis of a separate written confidentiality release or due to statutory obligations.
6. Remote Treatment, Electronic Communication, and Data Security
If sessions are conducted as video sessions (remote treatment), GDPR-compliant and privacy-friendly services are used (e.g., Appointmed, OpenTalk/Mailbox). The patient party acknowledges that, despite careful selection and technical security measures (e.g., encryption, access restrictions), technical risks in electronic data transmission cannot be completely excluded. Professional confidentiality remains unaffected. Organizational and professional communication may, after prior information, also take place via email (e.g., appointment coordination, invoices, transmission of documents). The patient party is informed that unencrypted emails may involve security risks; alternative, more secure communication channels are available upon request. Data storage and processing are carried out in compliance with appropriate technical and organizational measures pursuant to Art. 32 GDPR, in particular access restrictions, password protection, and encryption where available.
7. Storage Period and Deletion
Personal and health-related data are stored only for as long as necessary to provide treatment, document progress, and comply with statutory retention and documentation obligations. Health-related treatment records are subject to professional and tax retention requirements and are generally retained for at least 10 years after completion of treatment, unless longer statutory periods apply. After the applicable retention periods expire, data are deleted or anonymized in accordance with data protection regulations, provided no further legal grounds for retention exist.
8. Rights of Data Subjects
Under the GDPR, the patient party has the following rights at any time:
– Right of access to stored personal and health-related data (Art. 15 GDPR)
– Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
– Right to erasure of personal data, insofar as no statutory retention obligations apply (Art. 17 GDPR)
– Right to restriction of processing under the statutory conditions (Art. 18 GDPR)
– Right to data portability, where technically feasible and legally permissible (Art. 20 GDPR)
– Right to object to the processing of personal data for reasons arising from the individual situation (Art. 21 GDPR)
– Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. Statutory retention obligations remain unaffected by withdrawal or requests for deletion.
9. Contact Form
When using the contact form, the data entered therein (e.g., name, contact details, free-text information) are processed for the purpose of handling the inquiry and, where applicable, inclusion on a waiting list. Transmission takes place via the website operated by WIX. Received messages are forwarded to a GDPR-compliant email address at Mailbox.org and processed there. Providing health-related information in the contact form is voluntary. Any further medical or therapeutic assessment takes place only within the context of personal contact and/or after conclusion of a treatment agreement.
10. Supervisory Authority
Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 606, 91511 Ansbach, Germany; www.lda.bayern.de.