
myon.clinic - Data privacy policy for video consultation

Privacy Policy for the Use of Video Consultations

Status March 2026

If you have successfully registered on the platform of myon clinic GmbH ("We"), you can also participate in video consultations with your doctor via your myoncare account, provided that he or she offers this service via the myoncare platform. All you need to do is arrange a video consultation with your doctor. After your doctor has successfully set up an appointment, you will automatically receive an e-mail with an appointment confirmation with a dial-in link to the e-mail address specified in your myoncare account.

We have developed the myon.clinic video consultation in such a way that it complies with the data protection principle of "Privacy by Design", i.e. when you use the video consultation, only the personal data that is necessary for the use of the video consultation is processed. In particular, we do not use any "tracking technologies" that evaluate your user behavior during video consultations, and we do not create user profiles or the like.

The processing of special categories of personal data (in particular health data) — insofar as the video consultation forms part of medical treatment — is based on Art. 9(2)(h) GDPR (health care) in conjunction with Art. 6(1)(b) GDPR. In such cases, consent is generally not required. Explicit consent may be necessary only for optional additional functions or processing outside a treatment relationship.

In the following privacy policy, you will find out why and how your personal data is processed for the implementation of the video consultation. In particular, you will find a description of the personal data that we collect and process, as well as the purpose and basis on which we process the personal data and the rights to which you are entitled as a data subject.

In addition, we would like to point out that health data may also be processed by external device manufacturers (e.g. measuring devices for recording vital signs) or laboratory service providers (e.g. blood analyses) within the framework of the platform, provided that you actively use such services through your treating physician. In this case, additional data protection information applies (see section "Processing by equipment manufacturers and laboratory service providers").

Please read the Privacy Policy carefully and do not hesitate to contact us if you have any questions about the processing of your personal data.

I. CONTACT DATA MYON clinic GmbH

Controller for medical treatment

The respective treating healthcare provider (e.g. physician, clinic or medical center) is the controller within the meaning of Art. 4(7) GDPR for the medical treatment carried out during the video consultation.

Responsibility of myon.clinic GmbH

myon.clinic GmbH acts as controller for the provision and operation of the technical platform and for related organizational and security-related data processing, unless such processing is carried out on behalf of a healthcare provider.

Where myon.clinic processes personal data on behalf of a healthcare provider, it acts as a processor pursuant to Art. 28 GDPR under appropriate contractual arrangements.

myon clinic GmbH, Balanstraße 71a, 81541 Munich, Phone: +49 89 444 51156, E-Mail: info@myon.clinic

II. Contact details of the Data Protection Officer

You can contact our Data Protection Officer at the following contact information:

Dr. Sebastian Kraska

E-Mail: privacy@myon.clinic

III. Description of data processing when conducting the video consultation

1.1 Data Processing Prior to the Video Consultation

Before a video consultation takes place, you and your treating physician agree on an appointment. Once the physician has scheduled the appointment via the myoncare platform, you will receive a confirmation containing the necessary access details for participation, typically via email.

For this purpose, the contact information stored in the platform (e.g., email address) will be used.

The processing of this data is carried out solely for the organization and conduct of the video consultation.

Legal basis:
Processing is lawful pursuant to Art. 6(1)(b) GDPR as it is necessary for the performance of the treatment contract with your physician or for pre-contractual measures.

1.2 Data Processing During the Video Consultation

To conduct the video consultation, certain data must be transmitted between the participating parties as a technical prerequisite. myon.clinic GmbH provides the necessary technical infrastructure.

To protect medical confidentiality and professional secrecy, communication is transmitted using end-to-end encryption. Data is encrypted on your device and decrypted only on the physician’s device (and vice versa).

Accordingly, only the participants in the consultation can access the content in plain text. As platform provider, we generally do not have access to the communication content.

The following data is processed in particular:

  • Audio and video data (real-time transmission of camera and microphone recordings)
  • Patient’s name and participant ID
  • Date, time, and duration of the consultation (timestamps)
  • Title or purpose of the consultation
  • Technical connection data and metadata (e.g., IP address, device and operating system information, network data)

If the consultation forms part of medical treatment, health data will be exchanged directly between you and your physician for treatment purposes.

For reasons of data minimization and system security, file transfer (e.g., documents or images) via the video connection is currently not provided.

Temporary connection data required for technical operation (e.g., video stream and session data) is deleted by the technical service provider after the session ends, unless legal or contractual retention obligations apply.

This does not affect medical documentation retained by the treating physician or billing data.

Legal basis:

Processing during the consultation is lawful pursuant to Art. 6(1)(b) GDPR as it is necessary for the performance of the medical treatment contract.

Where health data is processed, such processing is carried out by your healthcare provider as controller on the basis of Art. 9(2)(h) GDPR in conjunction with Section 22(1) No. 1 lit. b BDSG, as the processing is necessary for the purposes of healthcare and treatment carried out by medical staff subject to the obligation of professional secrecy.

Separate consent is generally not required for treatment purposes.

Where additional optional features beyond treatment are used or processing occurs outside a treatment relationship, separate consent under Art. 6(1)(a) and Art. 9(2)(a) GDPR may be required. Consent may be withdrawn at any time with effect for the future.

1.3 Data Processing After the Consultation (Billing and Documentation)

Following the consultation, personal data may be processed for billing and documentation purposes, including:

  • Names of patient and physician
  • Date, time, and duration of the consultation
  • Title or reason for the consultation

Depending on the individual case, additional data may be required, including:

  • Health insurance or payer information
  • Referring physician or primary care physician
  • Diagnoses and indications
  • Treatment details and treatment period
  • Other data required for reimbursement

This processing does not occur via the video connection itself but via the myoncare platform or the physician’s systems.

Further information can be found in the general myon.clinic privacy policy.

Legal basis:

  • Art. 6(1)(b) GDPR (performance of contract)
  • Art. 6(1)(c) GDPR (legal obligations)
  • Art. 9(2)(h) GDPR (healthcare purposes)

Physicians are legally required to transmit billing data and retain medical documentation under applicable regulations.

Processing by Medical Device Manufacturers and Laboratories

If medical devices or laboratory diagnostics are used via the myoncare platform, partner companies may process personal data, including health data.

Typical data processed includes:

  • Vital parameters (e.g., heart rate, blood pressure, temperature)
  • Laboratory results
  • Measurement timestamps
  • Device information

Processing is carried out for medical evaluation, documentation, and monitoring of treatment progress by the treating physician.

Where these services are part of medical treatment, processing is based on Art. 9(2)(h) GDPR in conjunction with Art. 6(1)(b) GDPR and applicable professional regulations.

Separate consent is generally not required in such cases.

Where optional services beyond treatment are involved or processing is performed by external providers in their own capacity, separate consent may be required.

Use of external devices or laboratory services is voluntary and not required for participation in the video consultation.

Additional privacy notices from respective providers may be supplied during the medical information or consent process.

IV. Right to withdraw your consent

You have the right to withdraw any consent you have given for the processing of personal data — in particular special categories of personal data such as health data — at any time with effect for the future.

The withdrawal does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.

To the extent that processing is based on other legal grounds — in particular for the performance of a medical treatment, to fulfill legal obligations, or to protect legitimate interests — such processing remains unaffected by the withdrawal.

V. Recipients of the data

Personal data and health data collected during the video consultation are disclosed only to the extent necessary for the provision of medical treatment, technical operation, or where required by law.

Recipients may include in particular:

  • The treating healthcare provider (e.g. physician, clinic, medical center) responsible for the consultation
  • myon.clinic GmbH as operator of the platform, insofar as required for organization, support and service provision
  • ONCARE GmbH as technical platform provider (myoncare app/portal/PWA), processing data as a processor pursuant to Art. 28 GDPR depending on the specific context
  • Technical service providers (e.g. hosting or video service providers) acting solely on behalf of and under instructions
  • Billing entities or payers, where required for reimbursement
  • Public authorities or courts, where disclosure is legally required

Data are disclosed only to the extent necessary and subject to appropriate technical and organizational safeguards.

VI. Storage period

Video stream: The video and audio stream of the consultation is not stored and ends immediately once the session is terminated. Recording takes place only if you have explicitly consented in advance.

Log and connection data: These are stored only as long as necessary for the stated purposes and are deleted after six months at the latest, unless longer statutory retention obligations apply.

Billing and medical documentation data: Billing data (e.g., payer information, invoices, billing codes) as well as medically relevant content of the video consultation (e.g., anamnesis, findings, therapy recommendations) are stored in accordance with statutory retention requirements. In Germany, the retention period is at least 10 years (§ 630f BGB, § 147 AO, § 257 HGB). For services falling under the U.S. healthcare system, HIPAA requires a minimum retention period of 6 years (45 CFR § 164.530(j)).

VII. PLACE OF DATA PROCESSING

Processing generally takes place within the EU/EEA. In certain cases, however, access from third countries or storage in the United States may occur, particularly where services are provided by U.S. service providers. In such cases, appropriate safeguards pursuant to Art. 44 et seq. GDPR are implemented (e.g., Standard Contractual Clauses or the EU-US Data Privacy Framework).

For users who receive services through a U.S. healthcare provider (e.g., physician, clinic, or healthcare institution in the United States), personal data (including health data) is hosted on servers in the U.S. in order to comply with the legal requirements of the U.S. healthcare system (HIPAA). If, however, a person residing in the United States accesses the services of European healthcare providers via the myon.clinic/oncare platform, the personal data will be hosted within the EU/EEA.

Remote access to U.S.-hosted data from Europe may occur:
– by authorized employees of Oncare GmbH solely for the purpose of providing second-level support in case of technical issues,
– and by authorized employees of myon.clinic GmbH solely for the purpose of providing first-level support in case of application-related issues.

Use of Google Firebase (via subcontractor Oncare GmbH)
For certain technical functions of the platform (e.g., synchronization, stability, notifications), Oncare GmbH, as the technical operator, uses the service Google Firebase (Google Ireland Limited). Data processing generally takes place within the European Union (EU) or the European Economic Area (EEA). Access from the United States by Google LLC (the parent company) cannot be fully excluded, for example in the context of support or maintenance services. Re-identification of individual persons by Google is not intended according to the current technical design and is largely prevented by appropriate technical and organizational measures. Should access from the United States occur, it is based exclusively on the Standard Contractual Clauses (SCCs) adopted by the European Commission, which are part of the Google Data Processing Terms.

VIII. AUTOMATED DECISIONS IN INDIVIDUAL CASES

We do not use purely automated processing to make decisions.

IX. Rights of data subjects

We would like to inform you about your rights as a data subject. These rights include, in particular:

  • Right of access (Art. 15 GDPR):  You have the right to request information about whether and how your personal data is being processed, including information about the purposes of processing, recipients, storage period and your rights to rectification, erasure and objection. You also have the right to receive a copy of any personal data we hold about you;
  • Right to rectification (Art. 16 EU GDPR): You can request that we update or correct inaccurate personal data or complete incomplete personal data;
  • Right to erasure / right to be forgotten (Art. 17 GDPR): You can demand that we delete your personal data collected and processed by us without undue delay. Please note, however, that we can only delete your personal data after the expiry of the statutory retention periods.
  • Right to restriction of data processing (Art. 18 GDPR): You can ask us to "restrict" the use of your data if the accuracy of the data is contested, the processing is unlawful, the data is needed for legal claims, or an objection to the processing is being examined, so that we can only continue to use your data with restrictions;
  • Right to data portability (Art. 20 GDPR): In general, you can request that we provide you with personal data that you have provided to us and that is processed by machine based on your consent or the performance of a contract with you, in a machine-readable form, so that it can be "ported" to a substitute service provider;
  • Right to object to data processing (Art. 21 GDPR): You have the right to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6 (1) (e), (f) GDPR. In this case, the controller will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to establish, exercise or defend legal claims.
  • Right to lodge a complaint (Art. 77 GDPR): In addition, you have the option of complaining to a competent data protection authority about our data processing.

X. SUPPLEMENT FOR US USERS – HIPAA COMPLIANCE

Where services are provided within the United States healthcare system and Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act (HIPAA) is processed, the applicable HIPAA provisions also apply.

The role of myon.clinic under HIPAA depends on the specific use case and the contractual arrangements with the involved healthcare providers:

  • In most cases, the respective U.S. healthcare provider (e.g., physician, clinic, healthcare organization) remains the responsible entity (“Covered Entity”) under HIPAA.
  • Where contractually agreed, myon.clinic may act as a technical service provider or as a “Business Associate” under HIPAA.
  • myon.clinic does not act as an independent Covered Entity unless expressly agreed otherwise.

Processing of PHI by myon.clinic is carried out solely for the purpose of providing the agreed services and in accordance with any applicable Business Associate Agreement (BAA).

PHI is not used by myon.clinic for its own independent purposes unless required by law or expressly agreed.

Where services are provided through a U.S. subsidiary or partner entity (e.g., myoncare Inc.), their respective privacy and HIPAA provisions may additionally apply.
