Controller within the meaning of the GDPR
Dr. Christian Pizzera
Specialist in General & Visceral Surgery
Practice Graz: Peter Rosegger Straße 101, 8052 Graz, Austria
Practice Schladming: Martin-Luther-Straße 32, 8970 Schladming, Austria
Phone: +43 670 555 95 35
Email: ordination@pizzera.at
For any questions regarding data protection, you may contact the address above at any time.
Data Collected & Purposes of Processing
Each time this website is accessed, your browser automatically transmits data to our server (Hetzner Online GmbH, Germany). These server log files contain: IP address (anonymised), date and time of access, the URL requested, the volume of data transferred, the HTTP status code, and your browser and operating-system type.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the security and stability of our systems).
If you contact us by email or telephone, the data you transmit (name, email address, telephone number, content of your message) is processed in order to handle your enquiry.
Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) or Art. 6(1)(a) GDPR (consent).
To book an appointment, you are redirected to the platform latido.at. As soon as you access this external site, its own privacy policy applies. Please note that the data protection terms of latido govern any data you enter on latido.at. We recommend reading them before booking.
Legal basis for the redirect: Art. 6(1)(b) GDPR.
Third-Party & Embedded Services
| Service | Purpose | Server location | Legal basis |
|---|---|---|---|
| Hetzner Online GmbH | Web hosting, email hosting | Germany | Art. 6(1)(f) GDPR; DPA under Art. 28 GDPR |
| latido.at (LATIDO GmbH, Vienna) | Online appointment booking (external redirect) | Austria | Art. 6(1)(b) GDPR; controlled independently by latido |
| Fonts (Cormorant Garamond, DM Sans) | Font rendering — served locally on our server via the plugin “OMGF – Host Google Fonts Locally” | Germany (Hetzner) | Art. 6(1)(f) GDPR; no data transfer to Google |
| Imagify (WP Media) | Compression of uploaded images (once at upload only; no processing when the page is viewed) | EU | Art. 6(1)(f) GDPR; DPA |
| Complianz (Complianz B.V., Netherlands) | Cookie consent management; stores your consent choice on your device | EU | Art. 6(1)(c) GDPR (legal obligation) |
| Google Tag Manager (Google Ireland Ltd., Dublin) | Tag-management system used to load measurement and marketing scripts (in particular Google Analytics 4); loads only after your consent | EU / USA (Google LLC) | Art. 6(1)(a) GDPR (consent); transfer to the USA based on the EU-US Data Privacy Framework (Google is DPF-certified) |
| Google Analytics 4 (Google Ireland Ltd., Dublin) | Reach and usage analytics (page views, session duration, device type); sets the cookies _ga and _ga_<container-ID>; IP anonymisation enabled by default in GA4 | EU / USA (Google LLC) | Art. 6(1)(a) GDPR (consent); transfer to the USA based on the EU-US Data Privacy Framework |
DPA = Data Processing Agreement under Art. 28 GDPR.
This website uses the fonts Cormorant Garamond and DM Sans. Both are hosted locally on our server in Germany (via the plugin “OMGF – Host Google Fonts Locally”). When the page loads, no connection to Google servers is made and no IP addresses are transmitted to Google.
The addresses of our practices are embedded as plain text links to Google Maps (search URL), not as an embedded map. Data is transmitted to Google only when you actively click the link — in which case the privacy policy of Google LLC applies.
For reach and usage analytics, this website uses Google Tag Manager with Google Analytics 4. Both are gated by consent via the cookie banner: as long as you have not consented to the “Statistics” category, neither GTM nor GA is loaded, and no data is transmitted to Google until then. Once consent is given, GA4 collects anonymised reach data (page views, session duration, approximate location at city level, device type). The IP address is anonymised by default in GA4.
EU provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Data is transmitted to Google servers, including in the USA (Google LLC). Legal basis: Art. 6(1)(a) GDPR (consent); the transfer to the USA is additionally based on the EU-US Data Privacy Framework, under which Google is certified.
You can withdraw your consent at any time — via the small cookie icon at the bottom-left of every page. Withdrawal takes effect immediately: GTM and GA are stopped and any analytics cookies already set are removed. Further information on data processing by Google: policies.google.com/privacy.
Cookies & Tracking Technologies
This website uses cookies. Cookies are small text files stored on your device. We distinguish between:
| Category | Consent | Examples & status |
|---|---|---|
| Necessary | Not required | WordPress session, security cookies (CSRF), cookie-consent cookie (Complianz) |
| Statistics | Required | Google Analytics 4 via Google Tag Manager — cookies _ga (2 years), _ga_<container-ID> (13 months). Set only after your consent. |
| Marketing | — | Currently not used |
On your first visit to our website, a cookie banner appears through which you can grant or refuse your consent for non-essential cookies. You can withdraw your consent at any time — cookie consent management is handled by the Complianz plugin.
Retention Periods
| Data category | Retention period | Basis |
|---|---|---|
| Server log files | 7 days | System security (legitimate interest) |
| Email enquiries | 3 years after completion | Civil-law limitation period |
| Patient records (practice) | 30 years | § 51 Austrian Medical Act 1998 (statutory obligation) |
| Cookie consents | 1 year | Obligation to provide proof, Art. 7(1) GDPR |
| Google Analytics cookies | _ga: 2 years · _ga_<ID>: 13 months | Reach analytics (consent, Art. 6(1)(a) GDPR) |
After the respective retention periods have expired, your data is routinely deleted, unless there is a statutory obligation to retain it further.
Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Art. 15: Right of access to the data stored about you
- Art. 16: Right to rectification of inaccurate personal data
- Art. 17: Right to erasure of your data, provided no statutory retention obligation applies
- Art. 18: Right to restriction of processing
- Art. 20: Right to data portability in a machine-readable format
- Art. 21: Right to object to processing based on legitimate interests
- Art. 7(3): Right to withdraw consent given, without affecting the lawfulness of processing carried out beforehand
To exercise your rights, please contact: ordination@pizzera.at
Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40–42, 1030 Vienna, Austria
www.dsb.gv.at | dsb@dsb.gv.at
Data Security
This website uses SSL/TLS encryption (HTTPS) for the transmission of all data. In addition, we apply the following technical and organisational measures (TOMs) pursuant to Art. 32 GDPR:
Access restrictions to the content management system, regular software updates and security patches, password protection for the administration area, and regular data backups. The web server is operated by Hetzner Online GmbH in Germany and is subject to German and European data protection standards.
Changes to this Privacy Policy
We reserve the right to amend this privacy policy as necessary, in order to keep it in line with current legal requirements at all times or to reflect changes to our services. The current version is always available on this page. The date of the last update is shown above.
In the event of material changes that affect your rights, we will inform you by appropriate means.