Privacy Policy
Last updated on: 11 May 2025
This privacy policy (the “Privacy Policy”) outlines the policy of the general medical group practice MG Echternach, hereafter referred to as “MGE,” concerning personal data and cookies that MGE collects from you or that you provide to it.
The purpose of the Privacy Policy is to inform you, in accordance with the applicable personal data protection regulations (the “Applicable Regulations”), in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “GDPR”), as well as the Luxembourg national law of August 1, 2018, organizing the National Commission for Data Protection and the general data protection regime, about the conditions under which MGE collects your personal data, the reasons for collecting such data, how it is used, and your respective rights as a data subject.
This Privacy Policy applies to all information provided by you or collected by MGE during your interaction(s) with us. As a medical practice, MGE processes particularly sensitive personal data and, as data controller, places the highest importance on protecting your personal data and respecting your privacy.
MGE asks that you read the entire Privacy Policy carefully to understand how your personal data is processed and to be fully aware of your rights.
The Privacy Policy applies in its entirety throughout your relationship with MGE, whether through the website https://mgechternach.lu/ (the “Site”), at the medical center (5, Place du Marché L-6460 Echternach), or by any other means.
Since MGE reserves the right to modify all or part of this Privacy Policy at any time, in accordance with Article 10 below, you are encouraged to consult it regularly.
ARTICLE 1. DATA CONTROLLER
The data controller is the entity that determines the purposes and means of processing your personal data, i.e., the purpose and the method of processing. The individuals responsible for processing your personal data under the GDPR are:
- Dr. Philippe Hoffmann, General Practitioner
- Dr. Daniel Lampach, General Practitioner
- Dr. Anne-Catherine Vervoort, General Practitioner
The general practitioners are partners who use a shared digital patient file. The patients’ personal data is processed using a shared medical software system that is accessible only to doctors within this group practice (MGE). This group also employs the MGE secretarial staff.
ARTICLE 2. TYPES OF PERSONAL DATA PROCESSING
2.1) Medical Consultation
a) Type and Purpose of Data Processing
The MGE staff who provide care to you as a Patient during a consultation collect data regarding your identity and health. “Patient” refers to any individual seeking or receiving healthcare services from one of the MGE physicians. Consultations may take place in person at MGE or via information and communication technologies (e.g., phone, smartphone, computer).
These details are compiled into your medical file (the “Patient File”), in a durable and usable format (e.g., paper or digital), in accordance with the Applicable Regulations and the law of July 24, 2014, concerning the rights and obligations of patients (the “2014 Law”). The Patient File, maintained in compliance with medical confidentiality (Art. 458 of the Penal Code and the Medical Code of Ethics), is regularly updated by your treating physician.
The Patient File, which faithfully records the Patient’s state of health and its development, may include the following personal data:
Patient identification data:
- First name(s) and last name
- Luxembourg personal identification number (“matricule”), or foreign ID number or European Health Insurance Card number (for billing and reimbursement)
- Date of birth
- Nationality
- Sex
- Postal address
- Email address
- Phone number
If applicable, details of the trusted person or legal representative: name, sex, contact information
Patient’s family situation (e.g., marital status, number of children)
Patient’s professional situation (e.g., occupation, work conditions)
Medical and care-related data:
- Reason, date, start and end time of the consultation
- Weight, height, vital signs (blood pressure, heart rate, respiratory rate, temperature, oxygen saturation)
- Family/personal history (medical, surgical, obstetric)
- Ongoing treatments
- Individual risk factors (e.g., allergies, intolerances)
- Relevant data from prior consultations and hospitalizations (e.g., lab tests, imaging, or recent medical reports)
- History of the current health issue
- Lifestyle habits, if collected with patient consent and relevant to diagnosis/care
- Identified problems and planned treatment/care
- Reports of diagnostic and therapeutic interventions during the consultation
- Medical opinions of the treating doctor
- Diagnostic, therapeutic, and monitoring prescriptions, dated and validated by the doctor
- Advance directives or end-of-life arrangements, if applicable
- Any other health-related data deemed relevant by the doctor
Purpose:
The processing of this personal data is intended to uniquely identify you and to create your Patient File to facilitate your medical care.
b) Legal Basis
The data processing is based on Article 6(1)(b) of the GDPR, as part of the execution of the care agreement between you (the Patient) and the treating physician, who is bound by medical confidentiality under the Luxembourg Medical Code of Ethics and Article 458 of the Penal Code.
Moreover, maintaining a patient file is a legal obligation under the 2014 Law and the Medical Code of Ethics. Therefore, data processing is also justified under Article 6(1)(c) of the GDPR.
c) Data Retention Period
Under the 2014 Law, MGE is legally required to retain your Patient File for a minimum of ten (10) years. The retention period may be extended if the nature of the illness warrants it. The retention period starts from the more recent of your last consultation at MGE and your last contact (e.g., the date of the last prescription issued). After this period, the data will be deleted or archived in anonymized form.
2.2) Online Prescription Renewal
a) Type and Purpose of Data Processing
To submit an online prescription renewal request to MGE, you must meet the conditions outlined in Article 8 of the General Terms of Use (“GTU”), available here, and provide the following personal data:
- Title (Mr., Mrs., Other)
- First name(s)
- Last name
- Phone number
- Email address
- Social security number ("matricule")
- Reason for the request
- Preferred delivery method for the prescription (by mail, pick-up at MGE reception, or mailbox)
- Treating physician
- Medication(s) to be prescribed
As per Article 8 of the GTU, you must already have had a consultation with an MGE physician in order to request a prescription renewal online. Therefore, your Patient File already exists, and MGE already holds the identifying and medical data you previously submitted.
The purpose of processing the personal data mentioned in this article is to manage your online prescription renewal request. This includes verifying your identity, updating your Patient File, and issuing the prescription in accordance with Article 8 of the GTU.
Your phone number and email address allow:
- Your treating physician to contact you, particularly if further information is needed.
- MGE administrative staff to inform you when the prescription will be ready for pick-up.
If you selected home delivery and your address has changed since your last consultation, you must enter your new address in the “Medication” field of the online request form. If you forget, please contact MGE by email (XXX) or phone (+352 26 72 19 75) promptly so your address can be updated.
b) Legal Basis
Processing of the above-mentioned personal data is based on your declaration of consent, in accordance with Article 6(1)(a) of the GDPR.
When submitting your online prescription renewal request, a link to the GTU and this Privacy Policy is provided for you to give informed consent. By submitting the request, you consent to MGE processing your personal data in accordance with this Privacy Policy.
c) Data Retention
All personal data processed in connection with an online prescription renewal is included in your Patient File. Under the 2014 Law, MGE is legally required to retain your Patient File for at least ten (10) years. This period may be extended if the nature of your illness requires it. The period starts from the more recent of your last consultation and your last contact with MGE (e.g., the date your last prescription was issued).
After this period, the data will be deleted or archived in anonymized form.
2.3) Contacting MGE via Phone or Email
a) Type and Purpose of Data Processing
For questions, specific requests, or complaints, you can contact MGE by phone (+352 26 72 19 75). Appointments can only be made by phone, not via email or the website. Medical questions will not be handled via email.
To respond to your inquiries and manage your requests and complaints, we may process the following personal data (not exhaustive):
- First name(s)
- Last name(s)
- Phone number
- Email address
b) Legal Basis
Data processing for contact purposes is carried out under Article 6(1)(f) of the GDPR, based on our legitimate interest in handling your inquiries and complaints appropriately.
If your question, request, or complaint relates to a consultation with an MGE physician (past or future), data processing is necessary for the performance of the care contract between you and your treating physician (Article 6(1)(b) GDPR).
If your inquiry relates to the exercise of your rights under Article 5 of this Privacy Policy, we must process your data to comply with legal obligations (Article 6(1)(c) GDPR).
c) Data Retention
Personal data received in this context will be retained only as long as necessary to handle your inquiry, request, or complaint.
If the personal data is related to a consultation, it will be included in your Patient File and retained according to section 2.1 of this Privacy Policy.
ARTICLE 3. TRANSFER OF YOUR DATA
Within MGE, only physicians, medical trainees, and secretarial staff process your personal data.
Your treating physician primarily accesses your Patient File. However, because MGE operates as a group practice, your file may also be accessed by other MGE physicians when substituting. In specific cases allowed by the Luxembourg Medical Code of Ethics, your treating physician may share parts of your file with a colleague to request a second opinion.
Medical trainees access your data only under the supervision of an MGE physician.
Secretarial staff, under medical supervision and in accordance with professional secrecy rules, access only the information needed to perform their tasks—primarily appointment and administrative management, and only minimal medical information as required.
Third-Party Processors (Subcontractors):
Personal data (excluding medical data) may be shared with third parties acting as data processors under Article 28 of the GDPR. These include:
- IT and technical service providers
- Postal delivery provider (e.g., Post Luxembourg, if a prescription is mailed to your home)
MGE requires all service providers to comply with applicable data protection laws and to maintain confidentiality and privacy.
In cases where a service provider needs access to personal data for system maintenance (e.g., medical software), this will be done in compliance with medical confidentiality rules. Physical and logical safeguards (such as encryption) are used to prevent unauthorized access.
Other Data Controllers:
MGE may transfer personal data to other independent data controllers for medical prescription execution purposes. This includes:
- Pharmacists (e.g., to fulfill prescriptions)
- Staff at retirement homes or care facilities (e.g., when sharing prescriptions or instructions for residents)
MGE will only transfer your personal data to third parties when:
- You have given explicit consent (Article 6(1)(a) GDPR),
- It is necessary to assert, exercise, or defend legal claims (Article 6(1)(f) GDPR),
- It is required by law (Article 6(1)(c) GDPR),
- Or it is necessary for contract performance (Article 6(1)(b) GDPR).
In Certain Legal Exceptions, MGE May Disclose Data Without Consent, such as:
- Reporting crimes against patients or urgent danger to others
- Mandatory reporting of crimes against minors (Art. 140, Penal Code)
- Testimony or defense in court
- Death registration (Art. 77 et seq., Civil Code)
- Reporting infectious diseases (Art. 17, Law of April 29, 1983)
- Responding to requests from the Social Security Medical Review Board (Art. 421, Social Security Code)
- Reporting at-risk children to youth protection authorities (Art. 7, Amended Law of August 10, 1992)
International Transfers:
MGE does not transfer your personal data outside the European Union (EU) or European Economic Area (EEA), unless:
- It is necessary to share data with healthcare professionals outside the EU/EEA for your care,
- A judicial or administrative authority requires it,
- A legal or regulatory provision requires it,
- Or you have provided prior consent.
In such cases, appropriate safeguards will be implemented to protect your data and confidentiality.
ARTICLE 4. COOKIES
Cookies are text files containing small amounts of information that are automatically created by your browser when you visit a website and downloaded to your device (computer, mobile phone, tablet, etc.) via a web server. The information is stored in the cookie and is linked to the specific device used. However, this does not mean your identity is known to the website owner when you access or use the site.
There are two types of cookies: session cookies and persistent cookies.
- Persistent cookies remain in one of your browser's subfolders until you manually delete them or your browser deletes them based on the duration specified in the cookie file.
- Session cookies are temporary files automatically deleted when you close your browser. When you visit the site again, you’ll need to reselect your preferences (such as language). A new cookie will be generated and will track your navigation until you leave the site and close your browser.
MGE only uses session cookies, which are strictly necessary for the proper functioning of the site and are intended to ensure optimal user experience. These cookies are temporary and are deleted when you leave the site and close your browser.
The processing of your data through these strictly necessary cookies is based on legitimate interest (Article 6(1)(f) of the GDPR).
Each time you navigate the site, cookies may collect information. By using the site, you agree to the placement of cookies on your device as described in this privacy policy. Most browsers automatically accept cookies, but you can block them by configuring your browser not to store cookies or to alert you before one is created. Note that deleting or blocking cookies may affect your user experience and some site features may not function properly or be fully accessible.
ARTICLE 5. RIGHTS OF DATA SUBJECTS
Under the GDPR, you have several rights regarding your personal data. You may exercise these rights at any time by contacting MGE by phone (+352 26 72 19 75) or by mail at Médecine Générale Echternach, 5 Place du Marché, L-6460 Echternach, stating the reason for your request and the right you wish to exercise.
To protect your privacy, MGE may request a copy of your ID if your identity is in doubt. This ID will only be stored as long as necessary to verify your identity.
You can also contact the secretariat for further questions on data protection.
Your rights include:
- Right of Access (Article 15 GDPR):
You may request information about the personal data MGE processes about you, including a copy of the data. If your request is unfounded or abusive, MGE may charge a fee. Refer to section 5.1 for specific rules regarding access to your Patient File.
- Right to Rectification (Article 16 GDPR):
You can request the correction of inaccurate or incomplete personal data. MGE reminds you to ensure the accuracy and currency of the information you provide and to notify any changes. If you provide inaccurate or incomplete information, you are solely responsible for any resulting damage.
You should only submit your own personal data. If you submit someone else's data, you must:
- Either have their prior consent and inform them of this privacy policy, or
- Be acting as their legal representative.
- Right to Erasure ("Right to be Forgotten", Article 17 GDPR):
You may request deletion of your data if:
- It’s no longer needed for its original purpose,
- You’ve withdrawn consent and there’s no other legal basis,
- You’ve validly objected,
- The processing is unlawful, or
- It must be erased to comply with a legal obligation.
However, this right doesn’t apply when processing is necessary for freedom of expression, legal obligations, legal claims, public interest archiving/statistics, or scientific/historical research.
- Right to Restriction of Processing (Article 18 GDPR):
You may request limited processing if:
- You dispute the data’s accuracy,
- The processing is unlawful and you prefer restriction over deletion,
- MGE no longer needs the data but you require it for legal claims, or
- You’ve objected under Article 21 and a review is pending.
- Right to Data Portability (Article 20 GDPR):
If the processing is based on consent or contract and is automated, you may request to receive your data in a structured, commonly used, machine-readable format, and have it transferred to another healthcare provider—where technically feasible.
- Right to Object (Article 21 GDPR):
You may object, for reasons related to your particular situation, to the processing of your data based on MGE’s legitimate interest. MGE will stop processing unless it can demonstrate compelling legitimate grounds (see section 5.2).
- Right to Withdraw Consent (Article 7(3) GDPR):
If processing is based on consent, you may withdraw it at any time. MGE may not continue processing based on that consent in the future.
- Right to Lodge a Complaint (Article 77 GDPR):
You may lodge a complaint with a supervisory authority in your place of residence, work, or the place where a violation occurred. In Luxembourg, the authority is:
Commission nationale pour la protection des données (CNPD)
1, Avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette
Phone: (+352) 26 10 60 -1
5.1 Right of Access to the Patient File
Your Patient File includes all records and evaluations concerning your health and its development during consultations.
You—or your legal representative—have the right to access your file under the 2014 Law and may request a full or partial copy. You may also authorize a third party to access your file. If the third party is not a health professional, they must have a signed and dated authorization from you.
Requests must be addressed to MGE’s secretariat and should include:
- Your personal contact details
- The specific data requested
- The name(s) of your treating physician(s)
- The relevant time period(s)
- Justification for the request
Barring medical emergencies, MGE has 30 working days to respond. You may pick up the documents at the MGE secretariat. Reproduction costs are at your expense.
Exceptions:
Certain parts of your file may be withheld, such as:
- Personal notes: For the physician’s personal use (e.g., impressions, thoughts) not directly related to care.
- Therapeutic exception: Your physician may withhold access if disclosure could seriously harm your health. These notes may still be reviewed by another doctor. Once the risk is gone, access may be granted.
MGE reserves the right to deny access if legal conditions are not met—without justification or compensation.
5.2 Right to Object
If your personal data is processed based on MGE’s legitimate interest (Article 6(1)(f) GDPR), you may object based on your particular situation.
If valid, MGE will cease processing unless it can prove compelling legitimate grounds.
To exercise your right to object or withdraw consent, contact MGE by phone (+352 26 72 19 75) or by mail (Médecine Générale Echternach, 5 Place du Marché, L-6460 Echternach), stating your reason.
Note: Exercising your right to object may make it impossible for MGE to provide certain services. However, this right cannot override MGE’s legal obligations.
ARTICLE 6. SECURITY MEASURES AND DATA SECURITY
As part of their duties, the medical team and the MGE secretariat have access to your data. They are bound by medical or professional confidentiality and must comply with applicable data protection regulations.
MGE is committed to protecting and securing your personal data to ensure its confidentiality and to prevent destruction, loss, alteration, or disclosure through physical, technical, organizational, and procedural safeguards, which are regularly improved and updated based on technological developments.
MGE specifically uses the commonly accepted SSL (Secure Sockets Layer) method with the highest level of encryption supported by your browser—typically SSL 256-bit encryption. If your browser does not support that, SSL 128-bit encryption is used. You can recognize whether a specific page on the site is encrypted by the closed padlock or key symbol displayed in your browser’s status bar.
ARTICLE 7. DATA RETENTION PERIOD
Your data is initially retained in accordance with current legislation and only for as long as necessary to fulfill the purposes for which it was collected. These retention periods are detailed in Article 2 of the Privacy Policy.
After this initial phase, your data is archived securely with restricted access, meaning it is no longer accessible in MGE’s main database system, and retained until the legal statute of limitations expires—the maximum general limitation period being thirty (30) years.
Once the legal retention and limitation periods have passed, your personal data will be permanently deleted or anonymized.
ARTICLE 8. LINKS TO OTHER WEBSITES
The MGE website may contain third-party services and hyperlinks to other websites not operated by MGE. These may be helpful to you or necessary for the proper functioning of the site and/or MGE’s activities.
However, MGE is not responsible for the compliance of these third parties with applicable data protection laws and cannot be held liable for any violations committed by them.
MGE encourages you to consult the privacy policies of those third-party sites to understand how they handle your personal data.
ARTICLE 9. PERSONAL DATA POLICY REGARDING MINORS
Any non-emancipated individual under the age of 18 (a “Minor”) must obtain prior consent from their legal guardian before transmitting any personal data to MGE.
Therefore, MGE does not knowingly collect personal data from Minors and has no intention to do so without legal guardian authorization. When making an appointment for a Minor, it is mandatory to indicate the full name of the responsible adult.
MGE asks legal guardians to help enforce this Privacy Policy by ensuring that Minors do not use the website and do not submit personal data without prior consent.
If information about a Minor has been collected without guardian authorization, the legal guardian may contact MGE to request correction, modification, or deletion of the data. Similarly, if MGE learns that such data has been collected without proper consent, and unless prevented by legal, regulatory, or medical confidentiality obligations, it may directly inform the legal guardian and allow them to object to the collection, use, or storage of that data.
ARTICLE 10. CHANGES TO THE PRIVACY POLICY
MGE may update this privacy policy at any time, without notifying you through any means other than by changing the update date shown at the top of the page.
You acknowledge and accept that it is your responsibility to review this policy regularly and stay informed of any changes.
The most current version of the Privacy Policy can always be viewed and printed from the bottom of the website under the “Privacy Policy” tab.