Data Privacy

I. Concerning my psychotherapy practice

This declaration describes how I process your personal data. The declaration is aimed at my existing, former and potential future patients.

1. Purposes of data processing

I will process your personal data on the basis of legal requirements for the following purposes: (i) to fulfill the treatment contract, (ii) for psychotherapeutic training and supervision, (iii) for accounting, (iv) for payment processing, and (v) to fulfill legal obligations due to legal regulations or official orders to which I am subject as the person responsible, if these do not contradict my absolute statutory obligation of confidentiality. I collect the following personal data from you at the start of treatment: first name, family name, title, social insurance number, date of birth, gender, address, email address, telephone number. The provision of your data is fundamentally voluntary. However, if you do not provide your personal data, I will not be able to do my job or treat you adequately. For the purpose of fulfilling the treatment contract, I also use the Latido patient database and the email provider ProtonMail, with each of which I have concluded a processor agreement. ProtonMail is a Swiss company and processes the data in Switzerland, which, according to the decision of the European Commission, is a safe third country. Among other things, you have the option of paying your bill by ATM or credit card. For these cases I use a SumUp terminal. SumUp is itself responsible for data processing under data protection law and is PCI-DSS certified. You can find their data protection declaration here (

2. Legal basis for processing
I process your personal data on the basis of Article 9 Paragraph 2 lit. h GDPR (health and social area) and because this is necessary in order to fulfill the treatment or training contract concluded with you (Art. 6 Paragraph 1 lit. b GDPR). In addition, I process your personal data on the legal basis of the protection of vital interests (Art. 6 Para. 1 lit. d GDPR).

3. Transmission of your personal data
I will only transfer your personal data to the following recipients if this is required by law, if it is necessary for accounting purposes or in emergencies: (i) administrative authorities, courts and corporations under public law, (ii) tax advisors and legal representatives working for me, (iii) legal representatives, (iv) other recipients designated by patients (e.g. authorities, courts, insurance companies), (v) my supervisors. These recipients are based in Austria or in the EEA.

4. Storage period
I generally save your personal data until the contract and my obligations under the Psychotherapy Act have been fulfilled, which is ten years after the end of the psychotherapeutic services. In addition, I store your personal data until the end of any legal disputes in which this data is required as evidence. If you have sent me an e-mail as an interested party and there is no treatment contract, I will delete this e-mail after three months.

5. Your rights in relation to personal data
According to the Psychotherapy Act, the person being treated or their legal representative is to be given all information about the documentation as well as inspection of the documentation on request, with special attention to the therapeutic relationship, or to enable the production of copies for reimbursement of costs, provided this does not endanger the relationship of trust with the person being treated. As part of this, you are entitled, among other things, (i) to request information to check whether and which personal data I process about you, (ii) to request the correction, addition, or deletion of your personal data, insofar as these are incorrect or are not processed in a legally compliant manner, (iii) to require me to restrict the processing of your personal data insofar as this does not conflict with higher legal interests, (iv) under certain circumstances to object to the processing of your personal data, (v) to know the identity of third parties to whom your personal data will be transmitted, and (vi) to lodge a complaint with the data protection authority. Data that is processed on the basis of a legal obligation (e.g. contracts with members of the health professions) is not subject to the right to data portability.

II. Concerning my website

This declaration is aimed at the visitors and users of my website.

The protection of your personal data is very important to me. I therefore process your data exclusively on the basis of the statutory provisions (GDPR, TKG 2003). In this data protection information I inform you about the most important aspects of data processing within the framework of my website.

When you visit my website, your IP address and the beginning and end of the session are recorded for the duration of this session. This is due to technical reasons and thus represents a legitimate interest within the meaning of Art 6 Paragraph 1 lit f GDPR. Unless otherwise regulated in the following, I will not process this data further.

My website uses so-called cookies. These are small text files that are stored on your device with the help of the browser. They do no harm. I use cookies to make my offer more user-friendly. Some cookies remain stored on your device until you delete them. They enable me to recognize your browser the next time you visit. If you do not want this, you can set up your browser so that it informs you about the setting of cookies and you only allow this in individual cases. Deactivating cookies may restrict the functionality of my website.

For my website I use the Wix website builder from the Israeli company Ltd., 40 Hanamal Tel Aviv St., Tel Aviv 6350671, Israel. (You can find the privacy policy of here: Ltd. is headquartered in Israel. Israel is recognized by the European Commission as a country that offers adequate protection for personal data of EU citizens. Ltd. uses cookies, which enable an analysis of the use of the website by your users. The information generated in this way is transferred to the servers of Ltd. and stored there. You can prevent this by setting up your browser so that no cookies are stored. The data processing takes place on the basis of the legal provisions of Section 96 Paragraph 3 TKG as well as Art 6 Paragraph 1 lit a (consent) and / or f (legitimate interest) of the GDPR. My concern within the meaning of the GDPR (legitimate interest) is the improvement of my offer and my website.

You have the right to information, correction, deletion, restriction, data portability, revocation and objection with regard to your stored data. If you believe that the processing of your data violates data protection law or that your data protection claims have been violated in any other way, you can complain to me at or to the data protection authority.

III. My contact details

If you have any questions about this declaration or would like to make requests, please contact:

Peter Graff, MA, PhD
Psychotherapist in Training under Supervision
Ybbsstraße 22/9-10, 1020 Vienna
+43 1 399 9960