
Data Protection Information – Patient app

Version: 27.10.2021 – This page is updated at irregular intervals. In order to ensure optimum transparency, we therefore recommend that you frequently visit this page.


The following provides information about how your personal data is handled when using our application and about your rights in this regard.

Important: The care provider is solely responsible for medical questions. They are the ones to contact if you have not received the email (link to the patient app) or SMS (token), not even in your spam folder. Please also take note of the data protection information provided by your care provider.

1. Responsibilities

The care provider (doctor’s office, clinic, other medical facility) is responsible for processing your personal and medical data.

As a user of the application, you are jointly responsible for ensuring that no unauthorized person can gain access to the data or device you are using.

2. Purpose, type, legal basis and scope of the data processing

What is your data needed for and "are they allowed to do that"?

a) Purpose of data processing

The application enables the care provider to provide you, as a patient, with important information (on treatment, stay, etc.) in a modern electronic form, regardless of location or system, and to collect relevant data at an early stage and to incorporate it into the treatment process in order to initiate this and other relevant processes. The use of the patient app is voluntary. After the data on your device has been transmitted to the care provider, your previously recorded data will be deleted immediately. Incomplete data that you do not transmit to the care provider will be deleted after a maximum of 14 days.

b) Type of data processing

The patient app is a progressive web app. It is opened independently of an app store, via a personal link sent on the especially secure Microsoft Azure Public Cloud (“Azure”), in the browser on the private device selected by the patient. It is also possible to install the application on the device.

The patient app can only be used if the patient can authenticate themself with the individual link sent to them personally by email and additionally with the token (PIN) sent via SMS.

A time-limited account is created for the patient on the Azure Cloud under a clearly identifiable identification number ("UUID") as a pseudonym. This ensures that only the authorized patient can log into the app and see and edit the information/data relevant to them.

The entire data processing in the Azure Cloud takes place on the basis of the UUID pseudonym and does not allow any conclusions to be drawn about the person. For even more security, all data except for the UUID is also effectively encrypted according to the current secure standard. Access is only given to the patient themself via the patient app and the care provider after the data has been transmitted to the medical facility.

Your answers will be saved in a separate folder on your chosen private device until you have successfully transferred them to your care provider.

If no transfer takes place, the data will be deleted after 14 days at the latest, as far as this is technically possible via the app (depending on the authorizations on the device). Therefore, please make sure that you are careful in your choice of device. In an Internet café, not only can unauthorized people look over your shoulder, but you usually also have no control over whether your entries are spied on in the background or whether they can actually be deleted afterwards.

Your data is encrypted depending on the type of information and stored in separate databases on Azure based on your UUID. As soon as they have been completely and successfully transferred to your care provider (usually daily, depending on the configuration of your care provider’s system), they are automatically deleted by Azure.

Further processing of the data (review and completion in consultation with the doctor) takes place exclusively within your care provider’s system. To do this, it is saved in the patient's medical history. In addition, the data is archived as a PDF.

Logs and evaluations take place automatically in the background in the patient app, in the care provider’s system, and on Azure. This information is required by care providers and producers to ensure proper operation, to improve user-friendliness, to optimize the system, to defend against attacks and for verification purposes. A direct personal reference is not of concern. Even if, for example, the IP address of the connection used is contained in such log files by default, no possible inference about the data subject can be made. Azure only receives pseudonymized encrypted data.

Use of the app is free and voluntary.

c) Legal basis from the application producer's standpoint

We collect, save and use personal data only to the extent permitted. As the application producer, we follow the data protection principle of data minimization and avoid the processing of personal data as much as possible. Therefore, Thieme Compliance GmbH is not a processor in the traditional sense.

  • Fulfillment of the contract/contract-like relationship of trust (art. 6, para. 1, letter B of the GDPR)
    e.g. for the authentication of authorized users, for the provision of assigned information and for license management (only care providers). As the developer, we do not receive or process any patient data because we do not need it. If the care provider sends us such data without being asked, we will delete it in compliance with data protection regulations and the care provider will be advised not to do this.
  • Data processing on behalf (art. 28 of the GDPR)
    In individual cases, an in-depth error analysis by an external development team may be necessary, which may also affect patient data if necessary. Such an analysis is carried out exclusively on the basis of data processing on behalf of the care provider and with special protective measures for data transmission and processing. For details see chapter 4e.
  • Pursuit of the legitimate interests of our company (art. 6, para. 1, letter F of the GDPR)
    e.g. to ensure the proper functioning of the applications and functions on different end devices, for the security of personal data within the application as well as on the transmission path and to optimize the usability, provided that the serious interests of the data subjects do not outweigh them.

3. Data recipients

Subsequent recipients can receive or process data by using the app. Remember that you have an influence on this yourself and should conscientiously take responsibility for any especially sensitive data.

a) The care provider as the responsible party (doctor’s office, clinic, other medical facility)

Your care provider will receive the data required for the contractually agreed treatment directly from you via the patient app. The data is encrypted and transmitted to the care provider via the Azure cloud interface and only decrypted in their system for further processing.

b) The data subject (patient)

As a patient, you will receive an email with the link to download and use the patient app. An access code is also sent via SMS. Both components are required for 2-factor authentication, without which the app cannot be used.

c) The owner or party in possession of the device chosen by the patient

If possible, please be sure to use your own device, on which you can control and, above all, restrict access to and delete your data. Otherwise you may allow unwanted third parties (household members, Internet café operators, etc.) to access your medical history.

d) Thieme Compliance GmbH (app developer, provider of the films in the app)

Only care providers can make use of our support in the event of technical problems. The patient app is not supported.

e) Other partners for contract fulfillment (outsourcing, order processing)

Either the care provider’s email server or a German email provider is used to send the link to the patient app.

The token is sent by SMS from the carefully selected German service provider SMS77 to the mobile number provided by the patient.

In the event of exceptional technical problems from the care provider, we use our development specialists. In individual cases, the personal or health data processed here may be required in order to isolate the error and work out a solution.

Data is only transferred when necessary, for a limited period of time, and via a data transfer platform in Germany that specializes in highly sensitive data.

There is no processing of personal data outside the European Union (EU) or the European Economic Area (EEA) and such is not planned, unless otherwise expressly described below. At Microsoft Azure, we use servers in the EU; according to Microsoft, this should become standard for all of their servers from autumn 2022. In addition, all data is transferred to Azure only using a pseudonym and is also effectively encrypted. Due to a strict separation of the functionalities, only a subset of the data is available at any time.

We do not pass on your data to unauthorized third parties and of course we do not sell it.

f) Services on your device

Please check the provider information and regularly check the data protection settings on your device. As a rule, the provider of your device or your telecommunications provider offers you the option of a backup in their cloud, if this option is activated on your device. Elements of the operating system or other installed apps usually also collect data about you, your location, apps used, search terms or even usage and communication data in the background. This is especially true for services with artificial intelligence such as voice assistants (Siri, Alexa, etc.).

4. Safeguarding of your rights as a "data subject" within the meaning of data protection law

a) Privacy by design and default

In accordance with the requirements of the GDPR with regard to the products and services that we offer on the European (German) market, we offer a variety of approaches for the corresponding data protection–compliant technology design and data protection–friendly default settings, as far as this – for example with regard to the integration in the care provider’s system – is possible.

The effectiveness and sustainability of the data protection measures we have implemented are ensured by management (as the responsible party), data protection and compliance (standardized procedure for the continuous optimization of our data protection level), as well as by external experienced data protection specialists.

b) Contacting us as the application developer

When you contact us, for example by email or telephone, we save and use your information to process your request and as part of our retention and verification obligations. If your request also concerns the care provider, we are obliged to forward it to the responsible party if there is a specific need for action so that they can fulfill their obligations.

c) Measures from the developer’s side to safeguard your rights as a data subject

  • Right to information/transparency (art. 13, 14 of the GDPR):
    You receive this from our side with this document
  • Right to access (art. 15 of the GDPR):
    We support the care providers with inquiries within the scope of our (limited) capacity
  • Right to rectification (art. 16 of the GDPR):
    It is the responsibility of the care provider, as we have no access to your data
  • Right to erasure (art. 17, para. 1 of the GDPR):
    Implemented on the system side, as far as possible; any further data deletion is the responsibility of the care provider
  • Right to restriction of processing (art. 18 of the GDPR):
    It is the responsibility of the care provider
  • Right to data portability (art. 20 of the GDPR):
    The care provider can export the data you have entered in the common XML format and make it available to you upon request
  • Right to object (art. 21 of the GDPR):
    You can revoke the use of mobile data collection at any time and engage in normal discussion, including the collection of your data, with the care provider

5. Contact for further questions about the app

Your care provider and their data protection officer are responsible for processing your patient data. Thieme Compliance is only responsible for the technical data of the app itself and can only provide you with information on this.

a) Developer and operator of the app

Thieme Compliance GmbH, Am Weichselgarten 30a, 91058 Erlangen
Telephone: +49 9131 93406-40, email: service@thieme-compliance.de

b) The responsible data protection officer

You can find our detailed data protection information and the latest version of this document at www.thieme-compliance.de/datenschutz. Our Data Privacy Officer (DPO) Ms. Blossey will be happy to answer any further data protection concerns you may have regarding the app, most conveniently by email at datenschutz@thieme-compliance.de.

c) The responsible supervisory authority

You can exercise your right to lodge a complaint with any supervisory authority regarding data processing by your care provider (medical facility) that is not in compliance with data protection regulations.

6. Affiliated partner data protection information

Microsoft Azure:

Adesso SE (development & testing):

EclipseSource Group (development & testing):


Here you can find the data protection information of the patient app as a download.
