
Doctolib and Data Protection – What Belongs in the Privacy Policy

Concise guide to Doctolib: data processed, purposes, legal bases (GDPR), and what website operators need to include in their privacy policy when embedding the Doctolib booking widget.

When a website operator – typically a medical or therapy practice – embeds Doctolib on its website, loading the embedded content regularly involves processing web server log data, device data, browser information, coarse location data and – during the booking flow – user-supplied content from the booking form and conversion events for the purpose of online appointment scheduling on the basis of pre-contractual measures, consent and legitimate interests. This article explains which data processing typically accompanies a Doctolib integration, which role the provider takes on, and which mandatory information belongs in the privacy policy of the practice website.

The following description is based on publicly available information from the provider Doctolib and on generally accessible sources. It does not replace a case-by-case review of the specific integration by the website operator. Status: 7 May 2026.

A. Purpose and Functioning of Doctolib

Doctolib is a French-German online platform for appointment scheduling with doctors, dentists, psychotherapists and other healthcare professionals. Patients can view available slots, book, reschedule and cancel online; practices manage calendars, patient communication and, in part, video consultations through the Doctolib practice management interface.

On a practice website, Doctolib is typically integrated in two ways:

  1. Link to the Doctolib profile: A button or link points to the practice profile on doctolib.de or doctolib.fr. The user leaves the practice website at that point; further data processing takes place on the Doctolib domains.
  2. Embedded booking widget (iframe): Doctolib provides embed code that integrates an <iframe> with the booking calendar directly into the practice website. Loading and booking technically take place inside the Doctolib iframe; the surrounding practice website remains visible.

This entry page focuses on the integration function "Doctolib on the practice website" – i.e. linking and iframe embedding. The use of Doctolib as a pure practice back office (calendar, patient record, video consultation in the closed Doctolib portal) is not the subject of this page.

B. Mandatory Information in the Privacy Policy When Using Doctolib

In addition to the general information (controller, data subject rights, supervisory authority), the GDPR requires the privacy policy to state, with respect to tools such as Doctolib in particular:

  • the purposes of processing (Art. 13(1)(c) GDPR),
  • the legal bases for processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether and on what basis data is transferred to third countries (Art. 13(1)(f) GDPR),
  • the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
  • where data is not collected directly from the data subject, additionally the categories of personal data (Art. 14(1)(d) GDPR).

The following sections break these mandatory items down for Doctolib.

It is not necessary to list every individual tool such as Doctolib in the privacy policy with its own, named text block – even though this practice has become widespread. Such "tool-by-tool" texts are often formulaic, repeat themselves and bloat the privacy policy, which tends to run counter to the requirement of precise, transparent and intelligible information under Art. 12(1) GDPR. A more appropriate approach is topic-oriented: processing is described across the board by topic blocks (e.g. server operation, third-party content, online appointment booking) and concrete service providers such as Doctolib are listed in an annex of recipients.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Doctolib

For practices based in Germany, the contractual partner is, according to publicly available information, generally Doctolib GmbH, headquartered in Berlin:

  • Doctolib GmbH, Mehringdamm 51, 10961 Berlin, Germany
  • Parent company: Doctolib SAS, Levallois-Perret, France
  • According to provider information, processing takes place on servers within the EU (Amazon Web Services, Frankfurt am Main region).

Which group entity is the contractual partner in the specific practice contract and which processing operations are performed by which corporate entity should be verified by the website operator in the practice contract and the DPA with Doctolib. Since Doctolib SAS is based in France and Doctolib GmbH in Germany, processing is primarily carried out within the EU; a classic third-country transfer is generally not to be expected here – but sub-processors should be reviewed.

D. Data Processing in Doctolib – Step by Step

Collection: When a practice website with an embedded Doctolib widget is loaded, the user's browser establishes a connection to Doctolib's servers. Technical connection data is collected (IP address, user agent, referrer, timestamp). If the user enters booking data in the widget (name, date of birth, where applicable health insurance, reason for the appointment), this data is transmitted directly to Doctolib.
Storage: According to provider information, data is stored in certified data centres within the EU (in particular AWS, Frankfurt region). Doctolib refers to certifications under ISO/IEC 27001 and ISO/IEC 27701, as well as the French HDS (Hébergeur de Données de Santé) certification for the storage of health data.
Use: Doctolib provides the booking widget, allocates appointments to the practice calendar, sends confirmation and reminder emails or SMS to patients and provides the practice with statistics on appointment utilisation.
Disclosure: Booking data is made available to the practice via the Doctolib practice account. According to provider information, Doctolib uses sub-processors – notably AWS for hosting and providers for email, SMS and telecommunications dispatch. An up-to-date sub-processor list should be retrieved via the Doctolib practice account or from the DPA.
Deletion: Storage periods are governed by the contractual arrangements between practice and Doctolib and by statutory retention obligations (in particular treatment documentation under § 630f German Civil Code). Patients can review their data through their Doctolib account and request deletion.

E. Data Collected by Doctolib

When the Doctolib widget is embedded or the Doctolib profile of the practice is opened, according to publicly available information the following data is typically processed: IP address, date and time of the request, requested URL, referrer, browser and operating-system information, device and screen details, coarse location and – upon booking – the patient's input in the booking form (last name, first name, date of birth, contact email or mobile number, insurance status, reason for treatment) and the conversion event "appointment booked".

This data can be classified into the following standardised data-type categories:

  • Web server log data – IP address, date/time, URL of the requested content, referrer, browser, operating system and device identifiers, and technical metadata of the connection when the Doctolib widget is loaded.
  • Device data – device type, operating system, screen resolution and size, touch support.
  • Browser information – browser name, browser version, possibly installed extensions.
  • Coarse location data – location at city or regional level derived from the IP address.
  • User content – entries in the booking form such as name, date of birth, insurance, reason for the appointment and any free-text fields filled in by the patient.
  • Conversion events – booking, confirmation, cancellation or rescheduling of an appointment.

When booking through Doctolib, health data within the meaning of Art. 9(1) GDPR may arise – for example when the reason for treatment, the medical specialty or symptoms are entered. Even the combination of "appointment with a particular specialist" and identity data can permit inferences about a person's health. The processing therefore additionally has to be measured against Art. 9 GDPR – with explicit consent (Art. 9(2)(a) GDPR) and the basis for healthcare and management of health systems (Art. 9(2)(h) GDPR in conjunction with § 22 BDSG) coming into consideration in particular.

F. Purposes of Using Doctolib

The practice as the website operator typically uses Doctolib in order to enable patients to book appointments online 24/7, to relieve the telephone line, to send automatic appointment reminders and to make the utilisation of the consultation hours more plannable.

The purposes that the website operator typically pursues with Doctolib can be classified into the following standardised purpose categories:

  • Function provision – making the booking widget available, displaying free slots, transferring appointment data to the practice calendar, sending confirmations and reminders.
  • Contract performance – initiation and performance of the treatment relationship between patient and practice (appointment scheduling, identification, preparation of the consultation).
  • Security and abuse prevention – protecting the booking function from misuse, bot detection, spam prevention.
  • General product improvement – evaluation of booking statistics (e.g. frequently requested time slots) for needs-based scheduling of consultation hours.
  • Communication – contacting the patient regarding appointments, changes and reminders.
  • Retention and compliance obligations – fulfilling professional and social-law documentation obligations.

G. Legal Bases for Using Doctolib

Doctolib falls into the tool category third-party content / appointment booking: the practice embeds an external widget of a service provider that triggers requests directly to Doctolib servers and is used to process booking and pre-contractual data.

Several legal bases typically come into consideration, partly overlapping:

  • Third-party content consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG): Where the widget is embedded as an iframe in the practice website and the mere page load already triggers server requests to Doctolib, prior consent to loading the third-party content is, according to publicly available views, regularly required. Alternative: a placeholder with a click-to-load mechanism ("two-click solution"), so that no request reaches Doctolib before the user actively chooses to load the widget.
  • Pre-contractual measures / contract performance (Art. 6(1)(b) GDPR): As soon as the user fills in the booking form and requests an appointment, processing serves the initiation and performance of the treatment relationship and is based on Art. 6(1)(b) GDPR to that extent.
  • Legitimate interests (Art. 6(1)(f) GDPR): For accompanying processing (security, abuse prevention, efficiency of practice organisation), legitimate interests in efficiency, security, abuse prevention and business management come into consideration.
  • Art. 9 GDPR (health data): Where health data is processed, an additional permissive basis under Art. 9(2) GDPR is required – regularly explicit consent (lit. a) and/or the basis for healthcare provision (lit. h) in conjunction with § 22 BDSG.

The applicable legal basis depends on the specific use case, the embedding technique and the consent architecture of the practice website and is to be examined by the website operator on a case-by-case basis.

H. Particularities and Notes on Doctolib

  • Provider's role: The legal classification of Doctolib vis-à-vis the practice is, according to publicly available information, layered: For the provision of the platform and the practice back office, Doctolib regularly acts as a processor under Art. 28 GDPR with regard to the practice. For its own purposes (the patient's user account on Doctolib, platform-wide functions), Doctolib also acts as an independent controller. Joint controllership (Art. 26 GDPR) cannot be ruled out depending on the specific set-up – for example for platform-side reminder and marketing functions – and is to be examined in the individual case.
  • DPA: Practices conclude a data processing agreement with Doctolib as part of the contractual relationship. The DPA is accessible via the Doctolib practice account; the sub-processor list should be reviewed regularly for changes.
  • Sub-processors: According to publicly available information, Doctolib uses AWS (Amazon Web Services), Frankfurt am Main region, as its hosting provider, as well as service providers for email and SMS dispatch. AWS is covered by a separate DPA path between Doctolib and AWS.
  • Third-country transfer: Since Doctolib GmbH is based in Germany and Doctolib SAS in France and the servers are located in the EU, no classic third-country transfer is generally envisaged according to provider information. For individual sub-processors (e.g. telecommunications providers, support tools), the specific data flow should be verified against the sub-processor list.
  • Certifications: According to publicly available information, Doctolib holds certifications under ISO/IEC 27001 (information security) and ISO/IEC 27701 (privacy management) as well as BSI C5 Type 2; for health data, the French HDS certification (Hébergeur de Données de Santé) is relevant.
  • Widget integration: Anyone embedding the booking widget directly via iframe should consider whether a two-click solution (placeholder with explicit consent before the Doctolib content is loaded) can be used. Mere linking to the Doctolib profile (doctolib.de/...) is less intrusive from a data protection perspective, since the user leaves the practice website at the moment of clicking.
  • Patient rights: Doctolib provides patients with their own account with rights of access, rectification and deletion. The practice nevertheless remains the controller for the data it collects in the treatment context.
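The two-click placeholder mentioned under the legal bases and under widget integration, as an added example that is not part of the original article and not Doctolib's own embed code: until the visitor clicks, no element with a Doctolib src exists on the page, so no request (IP address, referrer, user agent) reaches the provider. The allowed-host list, the storage key, the placeholder URL and the button text are assumptions of this example.

```javascript
// Added example, not Doctolib's own embed code: a "two-click" placeholder.
// On page load nothing is requested from Doctolib; the iframe is created and
// its src assigned only after the visitor clicks the placeholder button.

// Assumption: the practice's booking page sits on a doctolib.de/.fr host.
const ALLOWED_EMBED_HOSTS = ['doctolib.de', 'doctolib.fr'];
// First-party storage key for the remembered choice (name chosen for this example).
const CONSENT_KEY = 'doctolib-embed-consent';

// Validate the configured embed URL before it can ever reach an iframe:
// https only, no embedded credentials, host is an allowed host or a subdomain of one.
function isAllowedEmbedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'https:' || url.username || url.password) return false;
  return ALLOWED_EMBED_HOSTS.some(h => url.hostname === h || url.hostname.endsWith('.' + h));
}

// Attributes for the iframe once consent exists. The referrer policy keeps the
// practice page's path and query string out of the referrer sent to Doctolib.
function buildIframeAttributes(raw) {
  if (!isAllowedEmbedUrl(raw)) return null;
  return {
    src: raw,
    referrerpolicy: 'strict-origin-when-cross-origin',
    loading: 'lazy',
    title: 'Online appointment booking (Doctolib)',
  };
}

// The remembered choice is kept in first-party storage (any localStorage-like object).
function hasStoredConsent(storage) { return storage.getItem(CONSENT_KEY) === 'granted'; }
function storeConsent(storage) { storage.setItem(CONSENT_KEY, 'granted'); }

// Wire the placeholder into `container`, an empty element on the practice page.
// `doc` and `storage` default to the browser globals and are injectable for tests.
function installTwoClickEmbed(container, embedUrl, doc = document, storage = localStorage) {
  const attrs = buildIframeAttributes(embedUrl);
  if (attrs === null) throw new Error('refusing to embed: URL is not on an allowed Doctolib host');
  const loadWidget = () => {
    const frame = doc.createElement('iframe');
    for (const [name, value] of Object.entries(attrs)) frame.setAttribute(name, value);
    container.replaceChildren(frame); // src is assigned here, i.e. only after consent
  };

  if (hasStoredConsent(storage)) { loadWidget(); return; }

  const button = doc.createElement('button');
  button.type = 'button';
  button.textContent = 'Load booking calendar (connects to Doctolib, see privacy policy)';
  button.addEventListener('click', () => { storeConsent(storage); loadWidget(); }, { once: true });
  container.replaceChildren(button);
}
```

Whether the remembered choice may be stored at all, and for how long, is itself a question for the consent architecture of the practice website; the storage step can simply be dropped so that the placeholder is shown on every visit.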

I. FAQ on Doctolib and Data Protection

J. Conclusion and Call-to-Action

Doctolib is a widespread tool for online appointment booking in medical practices and is typically integrated on the practice website by linking or by iframe widget. From a data protection perspective, three aspects are central: embedding the external widget is third-party content processing, the booking itself is a pre-contractual / contract action, and the health data that regularly arise are additionally subject to Art. 9 GDPR. Doctolib's role vis-à-vis the practice is layered – processor for the back office, independent controller for user accounts – and is to be traced in the individual case in the DPA.

For website operators, it is rarely sensible to include each individual tool with its own dedicated text block in the privacy policy. Such blocks repeat themselves, make the policy long and hard to maintain – and that runs counter to the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach is more appropriate: processing is explained across the board by topic blocks (server operation, third-party content, online appointment booking, newsletter, tracking …), and an annex of recipients lists specific service providers such as Doctolib. This is the methodology of the matterius privacy policy generator.


This article is intended as general information about Doctolib and does not replace legal advice in the individual case. Status: 7 May 2026.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
