Privacy Policy

1. Data Controller

Dipl.-Psych. Dr. Lena Grieger
Licensed Psychotherapist
Am Hof 28
53113 Bonn
Germany

Phone: +49 178 316 3068
Email: grieger@psychotherapy-bonn.de


The protection of your personal data is very important to me. I process your personal data confidentially and in accordance with statutory data protection regulations (GDPR and German Federal Data Protection Act).

1a. Data Protection Officer

This practice does not have a data protection officer, as fewer than 10 persons are employed who are regularly engaged in the processing of personal data (Art. 37 GDPR).


2. General Information on Data Processing

2.1 Scope of Personal Data Processing

I generally process personal data of my users only to the extent necessary to provide a functional website as well as my content and services. The processing of personal data regularly takes place only after the user's consent. An exception applies in cases where prior consent is not possible for factual reasons and the processing of data is permitted by law.

2.2 Legal Basis for Processing Personal Data

  • Art. 6 para. 1 lit. a GDPR: Consent of the data subject
  • Art. 6 para. 1 lit. b GDPR: Processing for the performance of a contract or pre-contractual measures
  • Art. 6 para. 1 lit. f GDPR: Processing to protect legitimate interests
  • Art. 9 para. 2 lit. h GDPR in conjunction with § 22 German Federal Data Protection Act: Processing of health data for healthcare or treatment purposes


3. Hosting and Technical Infrastructure

3.1 IONOS Web Hosting

This website is hosted by IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). IONOS automatically collects server log files (browser type, operating system, referrer URL, anonymized IP address, time of access). Data is deleted after 8 weeks and processed exclusively in data centers in Germany.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in a technically error-free website). A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with IONOS.

Further information: https://www.ionos.de/terms-gtc/terms-privacy

3.2 Email Communication

Emails are also processed via IONOS. Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation) or Art. 6 para. 1 lit. f GDPR (legitimate interest).

Important notice on email security: Email communication may involve security risks. Please do not send confidential treatment information via unencrypted email.


4. Appointment Booking and Invoicing (Tymia)

For online appointment booking and invoicing, I use the practice software Tymia GmbH (Franklinstraße 11, 10587 Berlin, Germany). Privacy policy: https://www.tymia.de/datenschutz

Data processed:

  • Personal data (name, email, phone)
  • Appointment bookings
  • Invoicing data (services, amounts)
  • In case of treatment: diagnoses, documentation

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment), Art. 9 para. 2 lit. h GDPR in conjunction with § 22 German Federal Data Protection Act (health data).

Data security: All data is stored on Deutsche Telekom servers in Germany, end-to-end encrypted, and regularly tested by external security audits. A DPA pursuant to Art. 28 GDPR has been concluded with Tymia. No data is shared with third parties.

Storage duration: Treatment documentation and invoices: 10 years (§ 630f German Civil Code).


5. Contact Form and Inquiries

When using the contact form or sending email inquiries, your information (name, contact details, message) will be stored to process your inquiry. The data will not be shared with third parties.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation) or Art. 6 para. 1 lit. a GDPR (consent).

You may withdraw your consent at any time – verbally, in writing, or by email. The withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Deletion: Contact inquiries will be deleted after complete processing, at the latest after 3 months, unless retention obligations exist.


6. SSL Encryption

This website uses SSL/TLS encryption to protect the transmission of confidential content. You can recognize the encrypted connection by "https://" and the lock symbol in your browser address bar.


7. Cookies and Tracking

This website does not use non-essential cookies. Only technically necessary cookies required for operation are used.

No web analytics tools: I do not use tracking or analytics tools such as Google Analytics, Mouseflow, or similar services. Your data is not transmitted to third-party providers for analysis purposes.

No newsletter: This website does not offer a newsletter.

No user registration: There is no option to register a user account on this website.


8. Your Rights as a Data Subject

You have the following rights:

8.1 Right to Withdraw Consent (Art. 7 para. 3 GDPR)

You may withdraw your consent at any time with effect for the future.

8.2 Right of Access (Art. 15 GDPR)

You may request information about your processed data, in particular about:

  • The purposes of processing
  • The categories of personal data
  • The recipients or categories of recipients
  • The planned storage duration
  • The existence of a right to rectification, erasure, restriction, or objection
  • The existence of a right to lodge a complaint
  • The origin of the data, if not collected from you

8.3 Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate or completion of incomplete personal data.

8.4 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data if:

  • The data is no longer necessary for the purposes for which it was collected
  • You have withdrawn your consent
  • You have objected to the processing
  • The data was processed unlawfully
  • There is a legal obligation to delete

The right to erasure does not exist insofar as legal retention obligations exist (e.g., 10 years for treatment documentation pursuant to § 630f German Civil Code).

8.5 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing if:

  • You contest the accuracy of the data
  • The processing is unlawful, but you object to deletion
  • I no longer need the data, but you need it to assert legal claims
  • You have objected and it is not yet clear whether my legitimate grounds override yours

8.6 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format or to request transmission to another controller.

8.7 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation.


9. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

The competent supervisory authority for me is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de


10. Data Protection in Psychotherapeutic Treatment

Important: This privacy policy applies only to the use of this website. For the processing of personal data in the context of psychotherapeutic treatment, separate regulations apply, about which you will be informed separately in writing at the beginning of treatment.

As a psychotherapist, I am bound by professional confidentiality under § 203 German Criminal Code (StGB). All information you entrust to me in the context of treatment is treated strictly confidentially.


11. No Warning Without Prior Contact

In the event of claims of any kind arising from copyright, competition law, trademark law, and data protection matters, I request prior contact in order to avoid unnecessary legal disputes, warnings, and costs. A cost notice for a legal warning without prior contact would be rejected due to failure to observe the obligation to minimize damages.


12. Severability Clause

If parts or individual formulations of this privacy policy do not, no longer, or do not fully comply with applicable law, the remaining parts of the document shall remain unaffected in their content and validity.



Last updated: May 2026