eTermin and Data Protection – What Belongs in the Privacy Policy

Concise guide to eTermin: data processed, purposes, GDPR legal bases and what website operators should consider regarding eTermin in their privacy policy.

When a website operator deploys eTermin, they typically process booking-form data (e.g. name, email, phone number, requested time slot) as well as web-server log data for the purpose of online appointment scheduling. Depending on the integration, the relevant legal basis may be third-party-content consent, pre-contractual / contractual necessity or legitimate interests. This page explains, based on publicly accessible provider information, what data eTermin processes, what a website operator uses it for and what should be addressed in the privacy policy of the website operator's own site.

The presentation is based on publicly researchable provider sources (privacy notice, terms, DPA references, help center); it does not replace a case-by-case assessment.

A. Purpose and Functionality of eTermin

eTermin is a web-based online appointment booking system used in particular by medical practices, public authorities, car repair shops, hairdressers and beauty studios, as well as in consulting and service businesses. End users select free time slots via a booking interface, fill in a form and book an appointment; the website operator manages staff, services, availabilities, confirmation and reminder messages, and optionally online payment in the eTermin back-office.

For website operators, eTermin offers several integration variants: an embedded iframe (booking widget directly on the operator's site), a booking button/link to an eTermin-hosted booking page, a pop-up booking as well as API integrations. This page focuses on the typical integration function – the embedding of the booking widget or booking button into a German-language website. Functions that take place exclusively in eTermin's internal back-office (e.g. staff and resource planning) are not covered in depth.

B. Mandatory Information on eTermin in the Privacy Policy

The GDPR requires the privacy policy – in addition to general information on the website operator, data subject rights and supervisory authorities – to provide the following specific mandatory information in relation to the use of tools such as eTermin:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests, the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether data is transferred to an unsafe third country and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
  • where data is not collected directly from the data subject, additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

These mandatory items are broken down for eTermin below. It is not necessary to list eTermin in the privacy policy with a separate, named text block – even though this practice has become widespread. The "text-block-per-tool" approach has established itself as bad practice: it produces long, repetitive sections that are hard to maintain and barely readable, and is in tension with Art. 12(1) GDPR. A more appropriate approach is topic-oriented, describing processing operations across tools (server operation, third-party content, appointment booking, newsletter …) and listing the specific service providers used – such as eTermin – in an annex of recipients.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of eTermin

According to publicly accessible provider information, the contracting party for German website operators using the eTermin software is:

  • eTermin Limited (eTermin Ltd.), Stylianou Lena 8, 8201 Paphos Geroskipou, Cyprus (seat within EU/EEA).
  • Affiliated with eTermin GmbH, Mättivor 3, 6430 Schwyz, Switzerland (Switzerland: third country covered by an EU adequacy decision under Decision 2000/518/EC).

According to the help center and the data protection notice, the provider acts as a processor within the meaning of Art. 28 GDPR for the website operator when supplying the booking software; a DPA can be concluded with eTermin. The final allocation of roles is to be assessed by the website operator on a case-by-case basis.

  • Privacy notice: https://www.etermin.net/online-terminbuchung-datenschutz
  • Imprint: https://www.etermin.net/impressum
  • Help center on data protection: https://support.etermin.net/hc/de

D. Data Processing by eTermin – Step by Step

Collection: When a page with an embedded eTermin widget is opened or a booking button is clicked, the user's browser establishes a connection to eTermin's servers. Web-server log data is generated. As soon as the user completes the booking form, the form entries (e.g. name, email, phone, chosen time slot, request) are additionally captured.
Storage: According to publicly accessible provider information, the data is stored in a data center in Frankfurt am Main (Germany). Storage duration depends on the configuration and retention requirements of the website operator (e.g. booking and appointment history).
Use: eTermin provides the booking and management functionality, sends confirmation and reminder emails or SMS and enables the website operator to manage appointments. Further analysis (e.g. reporting) is performed within the configuration chosen by the website operator.
Disclosure: According to its own statements, eTermin uses sub-processors, including Zendesk Inc. (USA) for support; this involves a third-country transfer based on standard contractual clauses. Further sub-processors and their countries of seat should be checked in the provider's DPA or sub-processor list.
Deletion: The website operator can delete bookings, customer data and appointments in the eTermin back-office or configure deletion routines. On termination of the contract with eTermin, return and deletion are governed by the DPA.

E. Data Collected by eTermin

When eTermin is used, the following data is typically processed depending on the function used and the booking-form configuration: IP address and standard web-server log data on widget load, device and browser information, and the content entered by the user in the booking form (e.g. first and last name, email address, phone number, address, requested service, requested time slot, comments). Confirmation or reminder links generate additional web-server log data; if conversion measurement is enabled (e.g. "booking completed"), the corresponding events are recorded.

These data points fall into the following standardized data-class categories:

  • Web-server log data: data the web server receives with each request from the user's device, e.g. IP address, date/time, URL of the requested resource, referrer, browser, operating system and device information, and technical metadata.
  • Device data: information about the device used, e.g. device type, operating system, screen resolution, touch support.
  • Browser information: browser name and version and, where applicable, installed extensions.
  • User content: content entered by the user in the booking form, e.g. name, salutation, email, phone, request, comments and other mandatory or optional fields.
  • Conversion events: user interactions defined as relevant by the website operator – here in particular the completed appointment booking as well as follow-up events such as booking confirmation or cancellation.

F. Purposes when Using eTermin

The website operator uses eTermin primarily to provide visitors with an efficient, time-saving way of booking appointments, manage incoming bookings in a structured manner, avoid double bookings and automate reminder messages. The booking data also serves both the provision of the booking function and the initiation and performance of the underlying contractual or treatment relationship (e.g. consultation, medical treatment, workshop appointment).

These purposes fall into the following standardized categories:

  • Functionality provision: provision of online booking with eTermin on the website, including display of available slots, creation of the booking, dispatch of confirmation and reminder messages, and error detection/correction.
  • Contract performance: preparation and execution of the underlying contractual or treatment relationship, including bookings and delivery of the booked service.
  • Security and abuse prevention: detection and prevention of abusive bookings, bot and spam protection and protection of the booking infrastructure.
  • Communication: communication with the user in connection with the appointment, e.g. confirmations, reminders and cancellations.
  • Compliance with retention obligations: where the booking forms part of a contract subject to statutory retention requirements.
  • Enforcement of legal claims: assertion, exercise or defence of legal claims, e.g. evidence of a booking having taken place.

According to the tool taxonomy, eTermin falls primarily into the third-party content / appointment booking category: when the booking widget or button is used, requests are sent directly to eTermin servers, transmitting personal data to a third-party provider.

The following legal bases typically come into consideration, depending on the specific integration:

  • Art. 6(1)(a) GDPR (third-party-content consent) – if the widget is loaded only after active consent in the cookie/consent banner.
  • Art. 6(1)(b) GDPR (pre-contractual / contractual necessity) – where the booking serves the initiation or performance of a contract between user and website operator (e.g. consultation, treatment, service appointment).
  • Art. 6(1)(f) GDPR (legitimate interests) – with the interests in efficiency (automated, end-to-end booking), security and abuse prevention (e.g. bot/spam mitigation) and enforcement of rights (proof of the booking).
  • Where the booking process uses cookies or similar non-essential technologies, Section 25(1) TDDDG (consent) must additionally be observed.

Which legal basis applies depends on the specific integration (e.g. with/without a consent gate), the function (booking widget vs. mere link) and the underlying contractual relationship; this must be assessed by the website operator on a case-by-case basis.

H. Particular Aspects and Notes on eTermin

  • DPA / Processing on behalf: According to the publicly accessible provider information, eTermin acts as a processor when providing the booking software; a DPA pursuant to Art. 28 GDPR can be concluded with the provider. Website operators should sign the DPA and document it in their record of processing activities. The DPA is accessible via the eTermin help center or sales team.
  • Sub-processors: eTermin names Zendesk Inc. (USA) as a sub-processor for support services, among others. The provider's documentation is authoritative for the current, complete sub-processor list.
  • Third-country transfer: According to the provider, booking data is stored in a data center in Frankfurt am Main. The Zendesk sub-processor results in a transfer to the USA; standard contractual clauses (Art. 46 GDPR) are stated as a safeguard. A potential DPF certification of sub-processors should be checked individually.
  • Group structure Switzerland: eTermin GmbH, an affiliate of eTermin Ltd., is based in Switzerland. Switzerland is recognized as a safe third country under an EU adequacy decision; transfers to a Swiss group company are generally permissible on this basis but should be reviewed case by case.
  • Settings for the website operator: The operator should (i) limit the booking form to data strictly necessary (Art. 5(1)(c) GDPR – data minimization), (ii) clearly distinguish mandatory and optional fields, (iii) configure retention and deletion rules in the back-office, (iv) when embedding as an iframe, place a consent gate in front where the integration should only occur after consent and (v) for sensitive booking contexts (e.g. medical specialism revealed in the form) assess Art. 9 GDPR separately.
  • End-user opt-out: End users may refrain from booking or contact the website operator directly; a booking without data entry is by design not possible.

The classifications presented here are based on provider statements and publicly researchable sources (status: 2026-05-07). They do not constitute a case-by-case legal review of the specific use of eTermin, which remains the responsibility of the website operator.

I. FAQ on eTermin and Data Protection

J. Conclusion on eTermin and Recommendation

eTermin is an online appointment booking system widely used in the DACH region, typically embedded by website operators as a booking iframe or booking button on their own site. The data processed mainly includes web-server log data, device data, browser information, the user content from the booking form and conversion events around the booking. The contracting party for German website operators is, according to publicly accessible information, eTermin Limited based in Cyprus; booking data is stored in a data center in Frankfurt am Main, with selected sub-processors located in third countries (e.g. Zendesk in the USA).

For website operators, it is usually of little benefit to add a separate text block for every individual tool – including eTermin – to the privacy policy. This makes the policy long, cluttered and hard to maintain and is in tension with the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach is more appropriate: tools are explained generically by topic (server operation, third-party content, appointment booking, newsletter, sales …); eTermin then appears merely in the "Recipients" annex as a specific service provider, with corporate seat, role and third-country note. This is precisely the methodology pursued by the matterius generator.

This article serves as general information on eTermin and does not replace legal advice in the individual case. Status: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
