jameda and data protection – What belongs in the privacy policy
Concise guide to jameda: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy when embedding the widget or online appointment booking.
If a website operator embeds jameda on a medical practice or business website, it typically processes web server log data, device data, browser information, coarse location data and – in the case of online appointment booking – user content (booking form data and possibly health data) for the purposes of displaying ratings and arranging appointments. Depending on the form of integration, the legal bases range from third-party content consent through pre-contractual processing to explicit consent for processing sensitive data under Art. 9(2)(a) GDPR. This page explains which data processing operations jameda triggers according to the provider's public statements and which mandatory information the privacy policy of the embedding website must contain.
A. Purpose and functionality of jameda
jameda is a German online directory for physicians, dentists and other healthcare professionals, combining a rating portal with an online appointment booking system. The service is operated by jameda GmbH, Munich, a 100% subsidiary of the DocPlanner Group. Patients use jameda to find practitioners, read reviews and book appointments; practices maintain their profile and can use the tool for patient acquisition and appointment scheduling.
For website operators – typically medical practices, dental practices, therapy practices and medical care centres (MVZ) – three integration features that are embedded directly into the website are relevant:
- jameda rating seal/widget: A JavaScript-loaded component that displays the current rating and star count from the jameda profile on the practice website.
- Online appointment booking iframe ("Book appointment online"): A booking dialog embedded into the website in which the visitor enters the desired appointment, the reason for treatment and contact details. The entries are transmitted to the jameda infrastructure and synchronized with the practice calendar.
- Direct link to the jameda profile: A simple hyperlink (button "Rate on jameda" or similar). Without an active click no data is transferred to jameda; the following description therefore focuses on the first two integration types.
Functions that jameda offers beyond the website integration (e.g. the public jameda portal, profile administration in the practice area praxis.jameda.de, video consultation, app) are not the subject of this tool page.
B. Mandatory information in the privacy policy when using jameda
For tool-related processing, the GDPR requires the privacy policy of the embedding website to include – in addition to general information – the purposes of processing and the legal bases (both Art. 13(1)(c) GDPR) and – where reliance is placed on Art. 6(1)(f) GDPR – the specific legitimate interests pursued (Art. 13(1)(d) GDPR).
Further mandatory items include the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on any third-country transfers (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data is not collected directly from the data subject – the categories of personal data processed (Art. 14(1)(d) GDPR). These points are broken down for jameda below.
In practice it has become customary to include each tool – including jameda – with its own dedicated text block in the privacy policy. This is not required and produces lengthy, unwieldy documents that repeat themselves and tend to undermine the transparency requirement of Art. 12(1) GDPR. A topic-oriented approach is more appropriate: it describes processing operations across themes (third-party content, appointment booking, ratings) and lists the specific service providers used – including jameda – in the recipients annex of the privacy policy.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of jameda
According to the publicly available information, the contractual partner for German website operators that embed jameda is:
- Company: jameda GmbH
- Address: Balanstraße 71a, 81541 Munich, Germany
- Country of registration: Germany (EU)
- Commercial register: Local Court Munich, HRB 168659
- Group: since 2022 a 100% subsidiary of the DocPlanner Group (parent company based in Warsaw, Poland)
- Data protection contact: datenschutz@jameda.de
- Provider's privacy policy: https://www.jameda.de/datenschutz/
As the provider is established within the EU, a third-country transfer within the meaning of Art. 44 et seq. GDPR is not apparent for the direct embedding of the jameda components on the website. Processing by group-affiliated companies of the DocPlanner Group (Poland, EU) is possible; whether and to what extent sub-processors outside the EU are used must be examined by the website operator on a case-by-case basis. DPF certification (EU-US Data Privacy Framework) is not relevant in the absence of a US connection.
D. Data processing at jameda – step by step
E. Data collected by jameda
When the jameda widget and the online appointment booking iframe are used, the following specific data are collected according to the provider's publicly available information: IP address, date and time of the request, URL of the embedding page, referrer, browser type and version, operating system, device type, screen size, and – with the appointment iframe – the data entered in the booking form (name, contact details, desired appointment, reason for treatment and possibly further patient information). jameda may also set cookies.
The data can be classified into the following standardized data categories:
- Web server log data: Data that the jameda server receives with each request, in particular IP address, date/time/time zone, URL of the requested content, referrer, information about browser, operating system and device, and supplementary technical metadata such as response status code and amount of data transferred.
- Device data: Information about the end device, e.g. device type, operating system, screen resolution, orientation, touch support.
- Browser information: Browser name and version and any installed extensions.
- Coarse location data: Coarse location at city or municipality level derived from the IP address.
- User content: Content entered by the user in the appointment booking form, e.g. name, date of birth, contact details, selected appointment, reason for treatment, notes.
- Conversion events: User interactions defined as relevant by the website operator, in particular appointment booking and contact request.
Sensitive data under Art. 9 GDPR in online appointment booking: If website visitors enter their name into a booking form linked to a practice context (e.g. dermatologist, psychotherapy, oncology) or specify a reason for treatment in a free-text field, health data within the meaning of Art. 9(1) GDPR is generated. Processing such data is generally prohibited unless one of the exemptions in Art. 9(2) GDPR applies. In the practice context, explicit consent under Art. 9(2)(a) GDPR is regularly considered; in certain configurations Art. 9(2)(h) GDPR (health care) may also be relevant. Website operators should design the booking dialog so that consent for processing sensitive data is obtained explicitly, on an informed basis, and is logged.
F. Purposes when using jameda
The website operator typically uses jameda to display ratings from the jameda profile prominently on its own website, to build trust and to offer website visitors a low-threshold online appointment booking. The data collected through the widget and iframe directly serves the display of current ratings and the execution and documentation of the booking.
These purposes can be classified into the following standardized purpose categories:
- Function provision: Provision of the functionality of the website components, in particular display of the rating widget and provision of the online appointment booking dialog.
- Contract performance: Preparation and performance of the treatment contract between practice and patient, in particular appointment booking, appointment reminders and possible cancellation.
- Security and abuse prevention: Detection and defense against abusive use, bot and spam protection in the booking form.
- Communication: Communication with the patient as part of the appointment booking (booking confirmation, reminder).
- General product improvement: Reach analysis of the operator's own website based on the use of the jameda components, optimization of patient acquisition.
G. Legal bases for using jameda
With regard to website embedding, jameda primarily falls into the tool categories third-party content (rating widget) and appointment booking (online appointment booking iframe). The classification can vary depending on the specific integration and must be examined by the website operator on a case-by-case basis.
The following legal bases typically come into consideration:
- Rating widget (third-party content): Since the widget triggers a direct connection to jameda servers when the page is loaded, transferring web server log data to a third party and regularly setting cookies, consent of the website visitor pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (third-party content consent via the consent banner) regularly comes into consideration. Some sources alternatively discuss a legitimate interest in efficiency (Art. 6(1)(f) GDPR); this is contested – consent is the more practical route.
- Online appointment booking iframe: For the entries required for the booking (master data, requested appointment), pre-contractual or contractual processing under Art. 6(1)(b) GDPR comes into consideration. To the extent that the embedding of the iframe itself (technical reloading, cookies) is consent-relevant, consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG additionally applies.
- Processing of health data: To the extent that health data is collected in the booking form (reason for treatment, practice context), explicit consent under Art. 9(2)(a) GDPR is regularly required. In the treatment context, Art. 9(2)(h) GDPR (preventive health care, medical diagnosis, care) may also apply.
- Display of ratings (purely presentational, without tracking): With a data-minimal local embedding that makes no requests to third-party servers, a legitimate interest in efficiency (Art. 6(1)(f) GDPR) may apply.
The classification of the legal basis depends on the specific integration on the respective website (widget with/without cookies, iframe with/without prior click, consent banner configuration) and must be examined by the website operator on a case-by-case basis. The presentation is based on the publicly available information of the provider and generally accessible sources and does not replace a case-by-case review.
H. Specifics and notes on jameda
- DPA (data processing agreement): According to the publicly available information, jameda GmbH does not offer a data processing agreement within the meaning of Art. 28 GDPR for the rating widget. The provider's role is described in the literature as that of an independent controller for its own data processing (delivery of the widget, reach measurement). For online appointment booking, the role must also be examined by the website operator on a case-by-case basis; processor status (Art. 28 GDPR) for managing the practice calendar as well as independent controller status for platform use come into consideration. A DPA must be requested directly from jameda GmbH (datenschutz@jameda.de).
- Joint controller: A joint-controller arrangement (Art. 26 GDPR) is, according to the publicly available information, not expressly agreed for the rating widget. Depending on the design of the online appointment booking – in particular where purposes and means are jointly determined between practice and jameda – joint controllership may come into consideration; this must be examined by the website operator on a case-by-case basis.
- Third-country transfer: Since the provider is established in Munich (Germany, EU) and the parent DocPlanner in Warsaw (Poland, EU), no third-country transfers within the meaning of Art. 44 et seq. GDPR are apparent according to the publicly available information. A list of sub-processors (e.g. for hosting, e-mail dispatch, telephony) should be requested from the provider.
- Cookies: According to the publicly available information, jameda may set cookies in the website visitor's browser. Website operators should control the embedding of the widget via a consent management system so that the widget is only loaded after consent has been granted.
- Patient data / professional law: When using online appointment booking, in addition to the GDPR, medical confidentiality (§ 203 StGB), professional law (e.g. § 9 MBO-Ä) and the requirements of the respective State Medical Association must be observed. The integration should be designed so that only data required for the appointment is collected (data minimization, Art. 5(1)(c) GDPR).
- Settings for the website operator: Booking form fields, mandatory entries and reasons for treatment can be configured in the practice area praxis.jameda.de. A restrained configuration of mandatory fields is recommended to avoid unnecessary collection of health data.
- BGH case law: In February 2022, the German Federal Court of Justice ruled that jameda's business model as such – i.e. the portal-side data processing vis-à-vis physicians – can be based on legitimate interests (judgment of 15 February 2022, ref. VI ZR 692/20). This decision concerns the relationship doctor/jameda and is not readily transferable to the question of whether the embedding of the widget on the practice website is permissible without the website visitor's consent – there the general principles for third-party content and § 25 TDDDG apply.
I. FAQ on jameda and data protection
J. Conclusion on jameda and call to action
For practice websites, jameda is an established tool for displaying ratings and online appointment booking, but it brings several layers of data protection considerations: third-party content (widget) with cookie and tracking components, pre-contractual processing (booking) and – particularly sensitive – the possible processing of health data under Art. 9 GDPR. Website operators must therefore reflect both the technical data flow to the provider and the substantive sensitivity of booking data cleanly in the privacy policy.
It is rarely useful to include each tool – including jameda – with its own text block in the privacy policy. Such collections of text blocks become long, unwieldy, hard to maintain and tend to contradict the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach is more appropriate: it explains processing operations across themes (third-party content, appointment booking, ratings, tracking) and refers to individual tools such as jameda only in the recipients annex. This is precisely the methodology used by the matterius privacy policy generator.
This article is intended as general information on jameda and does not replace legal advice in individual cases. The presentation is based on the publicly available information of the provider and on generally accessible sources. As of: 7 May 2026.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been recognised by Handelsblatt every year from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com