Patient Data Privacy Notice pursuant to Art. 13, 14 GDPR in connection with the recording and storage of medical consultations

For the purposes of efficient documentation of medical consultations, we employ the software "meda". This is software that records the medical consultation between you and the treating physician and subsequently creates an AI-assisted summary. Below we inform you about the processing of your personal data that takes place in connection with "meda".

1. Who is responsible for processing my data and whom can I contact?

The responsible entity is the medical practice of the treating physician. In this regard, reference is made to the general data protection declaration of the medical practice.

Additionally, you can also contact our data processor "meda" at the following contact details:

meda AI GmbH
Distlhofweg 18, 81369 Munich
support@mymeda.ai
Phone: +49 162 2171920

2. Which of my data is processed and how?

Using "meda", we record – only with your consent (see Section 6) – the spoken word during the medical consultation between you and the treating physician or the signed consent at registration in the practice, in order to create an AI-assisted summary of the medical consultation for the purpose of medical documentation of the treatment.

The recording begins from the time the treating physician indicates that the conversation is being recorded, in any case only after you have given your consent. The recording ends with the indication that the recording is terminated.

The recorded conversation is summarized during the recording and displayed to the treating physician in digital form on their device. In this regard, "meda" employs artificial intelligence in the form of so-called Large Language Models (see Section 3 for details).

An AI-assisted, automated diagnosis or suggestion for a diagnosis based on the recording explicitly does not take place. After the medical consultation, but no later than 30 days, the recording of the spoken word is deleted. Thereafter, only the summary of the medical consultation remains stored.

We therefore process – in summary – all personal data mentioned during the medical consultation with you, and thus potentially in particular:

• Personal master data (e.g.: first name, surname, birth name, address, gender, age, date of birth, place of birth, marital status, nationality);

• Administrative data (e.g.: email address, type of insurance (privately or statutorily insured), health insurance/health insurance company, health insurance number, family doctor/pre- and post-treating physicians);

• Treatment data (e.g., data from your medical history, diagnosis, treatment and rehabilitation measures);

• Other health-related data (e.g., pre-existing conditions, allergies, previous treatments and procedures);

• Your voice

Furthermore, we use the data – also only with your consent (see Section 6) – from the recording to improve the AI models used in the "meda" software and thus the software as a whole. Before we use the data for this purpose, it is pseudonymized. An explanation of which processing processes take place can be found below under Section 4.

Moreover, we process your signature (either scanned, digital, or in original form) for the purpose of proving your consent, if applicable.

3. Which processing steps are supported by artificial intelligence?

While the medical consultation is being recorded, artificial intelligence processes the spoken word in real-time. The AI employed belongs to the category of "Large Language Models" (LLM), which are capable of understanding spoken or written language and immediately summarizing it. An AI-assisted evaluation of the spoken word in the sense of a potential diagnosis does not take place.

4. Which processing steps occur when the data is used for the purpose of improving the AI?

First, the data is pseudonymized by our data processor "meda" and converted into machine-readable datasets that are fed into the AI system. The AI system analyzes this data, recognizes patterns, and learns to better understand medical terminology, context, and relationships in order to create even more precise summaries of medical consultations in the future. This training occurs iteratively, meaning the AI models used in the software are continuously improved through repeated learning on new and updated data. When necessary, human expert review supports the fine-tuning of the AI models. The entire data processing cycle is protected by technical and organizational measures. The data is used exclusively for the purpose of the described improvement of the AI. No transfer from "meda" to third parties or re-identification of the data takes place.

5. For which purposes and on what legal basis is my data processed?

We process your data for the purposes of documenting the medical consultation.

As legal basis for the processing, we rely on:

• Regarding the recording of the medical consultation and the AI-assisted summary of this recording on Art. 9 Para. 2 lit. a) GDPR (consent);

• Regarding the subsequent storage of the summary on Art. 9 Para. 2 lit. h), Para. 3, Para. 4 GDPR in conjunction with §§ 630a ff, 630f BGB (German Civil Code).

You can revoke the consent you have given at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.

We process your digital signature for the purpose of proving the given consent. In this regard, we rely on Art. 7, 5 Para. 2 GDPR.

6. Am I obligated to consent to the recording of the conversation and the use of my data for improving AI models?

No. The recording of the medical consultation, the summary of the spoken word, as well as the use of the recorded data for the purpose of improving the AI models used in "meda" is voluntary. You can revoke the consent you have given at any time – even during treatment – without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation. You will not suffer any disadvantages as a result, particularly with regard to medical treatment.

7. How long is my data stored?

The recorded spoken word is deleted – regardless of a revocation of consent – immediately after the creation of the written summary of the medical consultation. In this respect, only the written summary of the medical consultation remains after the end of the medical consultation. We generally retain this for a period of 10 years (see § 630f Para. 3 BGB). In individual cases, particularly if the data is needed for the exercise or defense of legal claims, we retain the data for up to 30 years (see § 199 Para. 3 No. 2 BGB).

8. To whom is my data transferred? Is my data also processed outside the EU/EEA?

Your data only reaches internal departments that need it for their respective task fulfillment (particularly for purposes of documenting the medical consultation and subsequently for purposes of medical treatment).

External entities receive your data only insofar as this is legally required, you have consented to it, or this is necessary for the fulfillment of our contractual obligations. External recipient here is particularly the provider of the "meda" software as data processor. Insofar as we transfer your data to "meda" for the purpose of improving the AI models used in "meda", "meda" acts as an independent, responsible entity within the meaning of data protection law.

Your personal data is fundamentally not transferred to recipients who have their seat in countries outside the European Union (EU) and the European Economic Area (EEA), whose laws may not guarantee an adequate level of data protection comparable to the EU/EEA. Insofar as in exceptional cases a transfer of your personal data to so-called third countries takes place, we will comply with the corresponding requirements of the GDPR according to Art. 44 ff.

9. What rights do I have and how can I exercise them?

You have the right:

• To request information about the personal data processed about you as well as a copy of this data (right to information according to Art. 15 GDPR);

• To demand the correction of incorrect data and, taking into account the purposes of processing, the completion of incomplete data (right to rectification according to Art. 16 GDPR);

• To demand the deletion of your data if legitimate reasons exist (right to erasure according to Art. 17 GDPR);

• To demand the restriction of processing of your data, provided the legal requirements are met (right to restriction of processing according to Art. 18 GDPR);

• If the legal requirements are met, to receive the data you have provided in a structured, common, and machine-readable format and to transfer this data to another controller or, insofar as this is technically feasible, to have it transferred by us (right to data portability according to Art. 20 GDPR); as well as

• Not to be subject to a decision based solely on automated processing, provided the legal requirements for this are not met (Art. 22 GDPR).

You also have the right to object to processing of your data that is carried out to protect our legitimate interests or those of third parties, for reasons arising from your particular situation, in accordance with legal provisions (right to object according to Art. 21 Para. 1 GDPR).

Insofar as the processing of your data is based on consent, you have the right to revoke your consent at any time without affecting the lawfulness of the processing of your data carried out on the basis of the consent until the revocation.

Please contact us at the contact details listed in Section 1 to exercise your rights and to revoke any consent declaration. Furthermore, regardless of other legal remedies, you have the right at any time to file a complaint with a supervisory authority:

The Bavarian data protection authority, the State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach
+49 (0) 981 180093-0

Status: September 2025