FindelMedic – Legal

Privacy Policy

Data subjects and data controller

This Data Protection Policy applies to all individuals concerned by the processing activities implemented, including, but not limited to, website visitors, patients, associated physicians, hosted healthcare companies and professionals, as well as suppliers and service providers to communicate information to the association of doctors without legal personality between Dr Philippe Wilmes and Dr Alain Schmit (the “Association Drs Wilmes & Schmit”), managing the medical center operating under the trade name “FindelMedic”, including medical data where applicable. For the purposes of this Policy, these individuals are referred to as “data subjects.”

The following information is provided pursuant to data protection legislation, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”), as well as applicable Luxembourg legislation, including the law of 1 August 2018, as well as the law of 24 July 2014 relating to patients’ rights and obligations . Unless otherwise stated, the terms used in this Policy have the same meaning and scope as those defined in the GDPR.

For the data processing activities listed in this Policy, the data controller is the Association Drs Wilmes & Schmit. This refers to the entity that determines the purposes and means of processing, or more simply, the entity that decides how and why your data are collected and processed.

The data controller can be contacted at the following details:

For any request to exercise your rights under applicable legislation, please use these contact details.

Data collected

We collect the following data:

  • Identification data: nationality, gender, telephone number, email address, last name, first name, identification numbers assigned by organizations, postal address, languages spoken, date and place of birth, social security number, age, family and marital status, dependent children , if these data are provided to us via this website, when making an appointment, or during an interaction with FindelMedic. These data are referenced below under the symbol: [1].
  • Browsing data: IP address, browser type, pages visited, cookies. These data are collected during your use of this website. These data are referred to below by the following abbreviation: [2]. 
  • Health data: Disability rate, medical certificates, information relating to long-term illnesses, data concerning fitness for work, proposals for job adaptation or reassignment made by the occupational physician, contraceptive methods, use of hormonal treatments, genetic diseases, weight, height, medical and surgical history, medical procedures performed and their results, prescribed treatments, only if voluntarily provided in the context of making an appointment or interacting with FindelMedic. These data are referenced below under the symbol: [3].
  • Banking and financial data: bank details, VAT number, bank identity identifiers payment terms and conditions, fee notes. These data are referenced below under the symbol: [4].

Methods of collection

Your data are collected in several ways:

  • Via forms and during your medical history intake (anamnesis) by the physician or healthcare professional (appointment booking, contact forms, questionnaires, etc.).
  • During your browsing of the website (cookies and other similar technologies).
  • Through third-party services (for example, traffic analysis tools such as “Google Analytics”).

Legal bases for processing

The processing of your data is based on:

  • Your consent (newsletter subscription, acceptance of cookies)
    [Article 6(1)(a) GDPR]. This legal basis is referenced below using the following acronym: [A].
  • Performance of a contract (appointment booking) [Article 6(1)(b) GDPR]. This legal basis is referenced below using the following acronym: [B].
  • Our legal and regulatory obligations [Article 6(1)(c) GDPR]. This legal basis is referenced below using the following acronym: [C].
  • Our legitimate interests (service improvement, security, and defense of our rights and interests in judicial or pre-litigation proceedings) [Article 6(1)(f) GDPR]. This legal basis is referenced below using the following acronym: [D].

Data retention periods

Data are retained for periods appropriate to their purpose:

  • 3 years after the data subject’s last appointment. This legal basis is referenced below using the following acronym: [*].
  • Maximum 1 year from the installation of the relevant cookie or similar technology. This legal basis is referenced below using the following acronym: [**].
  • 10 years from the last intervention by a doctor or healthcare professional or interaction (email or phone call) with a member of the data controller’s administrative staff. This legal basis is referenced below using the following acronym: [***].
  • 10 years after issuance of the relevant invoice. This legal basis is referenced below using the following acronym: [****].

Purposes of processing

The collected data are used for:

  • Patient care, management of appointments and medical records, medical examinations and follow-ups, issuing prescriptions, sending correspondence to colleagues, and preparing/transmitting care sheets.
    This concerns the data categories [1], [3].
    This concerns the legal bases [A], [B].
    This concerns the retention period [*].
  • Improvement of the user experience on the website
    This concerns the data categories [2].
    This concerns the legal basis [A].
    This concerns the retention period [**].
  • Security and maintenance of the website
    This concerns the data categories [2].
    This concerns the legal bases [C], [D].
    This concerns the Retention period [**].
  • Compliance with legal and regulatory obligations
    This concerns all of the data categories.
    This concerns the legal basis [C].
    This concerns the retention period [***].
  • Management, monitoring, and payment of invoices
    This concerns the data categories [1], [4].
    This concerns the legal bases [C], [D].
    This concerns the retention period [****].
  • Defense, exercise, or enforcement of our rights and interests in judicial or pre-litigation proceedings
    This concerns all of the data categories.
    This concerns the legal basis [D].
    This concerns the retention period [***].

Data sharing

We do not sell or share your data with unauthorized third parties. However, some data may be shared with:

  • Our technical providers (hosting, website maintenance).
  • The competent authorities, in the event of a legal obligation, where such authorities are entitled to request the relevant data and make an explicit request, or where we are required to proactively disclose it to them (e.g., the CNS), and in the event of litigation. 

Your data are not transferred outside the European Economic Area unless you expressly request it, or the destination country is covered by a European Commission adequacy decision, or appropriate safeguards have been put in place, such as suitable contractual clauses.

User rights

In accordance with applicable law, you have the following rights regarding your personal data:

  • Right of access: obtain a copy of your data and the information listed in Article 15 GDPR.
  • Right of rectification: correct inaccurate data.
  • Right to erasure: request the deletion of your data, under certain conditions, in particular if it is no longer strictly necessary for processing purposes.
  • Right to object: object to processing and be informed of the consequences.
  • Right to restriction: limit the processing of your data and be informed of the consequences.
  • Right to withdraw consent: withdraw your consent to the processing of your data for purposes based on this separate legal basis [A].
  • Right to data portability: receive and transfer your data to another data controller in a structured format.

You also have the right to lodge a complaint with a competent supervisory authority, in the event of disagreement regarding how the data controller processes your data. In Luxembourg, the authority usually responsible is the National Commission for Data Protection (CNPD), which can be contacted at the following address:

CNPD

Complaints Department

15, Boulevard du Jazz

L-4370 Belvaux
Or directly online via the link below:

https://cnpd.public.lu/fr/particuliers/faire-valoir/formulaire-plainte.html

Exercising your rights

For any request, you may contact us at: privacy@findelmedic.lu.

Please note that we may sometimes refuse or limit the exercise of one or more of the rights listed above, in particular where such exercise is restricted by law, subject to strict conditions that are not met, or where the rights of third parties prevail.

Changes to the policy

This policy may be updated at any time. In the event of significant changes, we will inform you via the website or by email.

FM-PP_V3.0, valid since April 1, 2026.