As of: August 28, 2019
Data protection officer
The person responsible for the collection, processing, and use of your personal data within the meaning of Article 4(7) of the GDPR and other national data protection laws of the Member States and other data protection legislation shall be:
EIT Health Germany GmbH
Dr. med. Katharina Ladewig
Sandhofer Str. 116
68305 Mannheim
Authorized persons: Katharina Ladewig
Overview of processing
The table below summarises the types of data processed and the purposes for which they are processed, and refers to the data subjects concerned, under the headings: types of data processed, categories of data subjects, purposes of processing.
Applicable legal bases
Below, we set out the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data.
Please note that, in addition to the rules of the GDPR, national data protection rules may apply in your or our country of residence.
National data protection regulations in Germany: In addition to the data protection provisions of the General Data Protection Regulation, national rules on data protection apply in Germany. This includes, in particular, the Law on the Protection against the Abuse of Personal Data in the Processing of Data (Federal Data Protection Law – BDSG-new).
In particular, the BDSG-new contains special rules on the right of access, the right of erasure, the right of appeal, the processing of specific categories of personal data, the processing for other purposes, and the transmission and automated decision-making in individual cases, including profiling. It also regulates the processing of data for the purposes of the employment relationship (Paragraph 26 of the BDSG-new), in particular, the creation, performance or termination of employment and the consent of employees. In addition, national laws on data protection can be applied in the individual federal states.
We shall take appropriate technical and organisational measures, in accordance with the legal requirements and taking into account the state of the art, the cost of implementation, the nature, scope, circumstances and purposes of processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
Measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, availability of and separation of the data. We have also put procedures in place to ensure the exercise of the rights of data subjects, the erasure of data and the response to threats to data. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principles of data protection by design and by data protection-friendly default settings.
Shortening the IP address: Where we are able to do so, or where storing the full IP address is not necessary, we shorten your IP address; this takes place within Member States of the European Union or other States party to the Agreement on the European Economic Area. In IP address shortening, also known as IP masking, the last octet, i.e. the last two numbers of an IP address, is deleted (in this context the IP address is a unique identifier that the online access provider assigns to an internet connection). Shortening the IP address is intended to prevent, or make considerably more difficult, the identification of a person on the basis of their IP address.
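The masking step described above, as an added example that is not part of this declaration and not code from EIT Health's systems: it removes the last octet of an IPv4 address (the rule the text states) before the address is written to storage, and applies the same step to the client field of a few constructed web-server log lines. The IPv6 branch (keeping only the first 48 bits) is an assumption; the text only describes the IPv4 case. Only the Python standard library is used.

```python
import ipaddress
from typing import List

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = (
    '198.51.100.23 - - [28/Aug/2019:10:15:01 +0200] "GET /index.html HTTP/1.1" 200 5123\n'
    '198.51.100.77 - - [28/Aug/2019:10:15:04 +0200] "GET /news HTTP/1.1" 200 8811\n'
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [28/Aug/2019:10:16:40 +0200] '
    '"GET /index.html HTTP/1.1" 200 5123\n'
)


def mask_ip(addr: str) -> str:
    """Drop the host part of an address before it is stored.

    IPv4: keep the first three octets and set the last one to 0 (as the page states).
    IPv6: keep the first 48 bits (assumed convention; the page only covers IPv4).
    Raises ValueError if the input is not an IP address.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def mask_log_line(line: str) -> str:
    """Mask the client address, which is the first field of a combined-format log line."""
    client, sep, rest = line.partition(" ")
    try:
        return mask_ip(client) + sep + rest
    except ValueError:
        return line  # first field is not an address: leave the line unchanged


def mask_log(text: str) -> List[str]:
    """Mask every non-empty line of a log file's contents."""
    return [mask_log_line(line) for line in text.splitlines() if line.strip()]


def distinct_clients(lines: List[str]) -> int:
    """Count how many different client identifiers a set of log lines still contains."""
    return len({line.partition(" ")[0] for line in lines})


if __name__ == "__main__":
    masked = mask_log(SAMPLE_LOG)
    print("\n".join(masked))
    # Two visitors from the same /24 become indistinguishable after masking.
    print("distinct clients before:", distinct_clients(SAMPLE_LOG.splitlines()),
          "after:", distinct_clients(masked))
```

Masking has to happen before the address reaches disk or an analytics pipeline; masking a copy while the full address is retained elsewhere does not reduce the identifiability the paragraph is concerned with.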
SSL encryption (https): We use SSL encryption to protect the data you transmit via our online services. You can recognise an encrypted connection by the prefix “https://” in the address line of your browser.
Transmission and disclosure of personal data
As part of our processing of personal data, the data is transferred to or disclosed to other entities, undertakings, legally independent organisational units or persons. Recipients of this data may include payment institutions in connection with payment transactions, service providers entrusted with IT tasks or service and content providers included in a website. In the event that we outsource certain parts of data processing (“order processing”), we contractually oblige contractors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of the data subject.
Data Transfer within the Organization: We may transfer personal data to other entities within our organization or grant them access to it. Where such disclosure is made for administrative purposes, the transfer of data shall be based on our legitimate commercial and business interests or shall take place where it is necessary to fulfil our obligations under the contract or where consent or legal authorisation is obtained from the data subject.
Data transfer to a third country: In principle, transfers of your personal data which we have received in the context of our business relationship to countries outside the EU or the EEA will only take place if you have given us consent to do so or if this is a condition necessary for the performance of a contract. If personal data is transferred to a third country or an international organisation, you have the right to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
“Cookies” are small files stored on users’ devices. Cookies can be used to store different information. Such information may include language settings on a web page, login status, a cart, or the location where a video was viewed.
Cookies are usually used when the interests of a user or his behaviour (e.g. viewing specific content, using functions, etc.) are stored on individual websites in a user profile. Such profiles are used to provide users with information, such as content that is appropriate to their potential interests. This is also referred to as “tracking”, i.e. tracking of the potential interests of users. The term cookies also includes other technologies that perform the same functions as cookies (e.g. if user information is stored using pseudonym online identifiers, also known as “user IDs”).
Our website uses the following types of cookies, the scope and functionality of which are explained below:
Transient cookies are automatically deleted when you close the browser. This especially includes session cookies. These store a so-called session ID with which various requests from your browser can be assigned to the common session. This allows your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.
Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie in question. You can delete the cookies in the security settings of your browser at any time.
Withdrawal and objection (opt-out): Whether the processing is carried out on the basis of consent or of legal authorisation, you have the option at any time of withdrawing consent granted in accordance with Article 7 para. 3 GDPR or of objecting to the processing of your data by cookie technologies under Article 21 GDPR (collectively referred to as “opt-out”).
You may declare your opposition by using your browser settings, such as disabling cookies (which can also limit the functionality of our online services).
When contacting us (e.g. via contact form, e-mail, telephone or social media), the information provided by the requesting persons is processed, if you agree to do so, or if necessary to respond to the contact requests and any measures requested.
Responses to contact requests in the context of contractual or pre-contractual relations shall be given either for the fulfilment of our contractual obligations or for the purpose of answering (pre)contractual requests and also on the basis of the legitimate interests in answering the questions.
Provision of online services and web hosting
In order to provide our online services securely and efficiently, we use one or more web hosting providers from whose servers (or servers they manage) the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage and database services, as well as security services and technical maintenance.
The data processed in the context of the provision of the hosting services may include any information related to the users of our online service arising from use and communication. These include:
E-mail delivery and hosting: The web hosting services we have used also include the sending, reception and storage of e-mails. For these purposes, the addresses of the recipients and senders are processed, as are other information concerning e-mail (e.g. the providers involved) and the content of each e-mail.
The above data may also be processed for the purpose of detecting spam. Please note that e-mails are not encrypted end to end on the Internet. Typically, e-mails are encrypted in transit, but they are not encrypted on the servers from which they are sent and received (unless an end-to-end encryption method is used). We therefore cannot take responsibility for the transmission path of e-mails between the sender and reception on our server.
We send newsletters, emails and other electronic notifications (hereinafter referred to as “newsletters”) only with the express consent of recipients or with statutory permission. If registration for the newsletter involves a specific description of its content, then this description is the basis on which users agree to receive newsletters. In addition, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally enough to enter your e-mail address. However, we may ask you to provide a name to address you with in the newsletter, or other information if it is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is in principle carried out in a double opt-in procedure. This means that upon registration, you will receive an e-mail requesting confirmation of the subscription. The confirmation is required to ensure that no one can subscribe using another person’s e-mail address. A record of subscriptions to the newsletter is kept in order to document the subscription process in accordance with legal requirements. The record contains the time of subscription and confirmation as well as the IP address concerned. Any changes to your data registered with the newsletter distribution platform will also be recorded.
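The two steps of the procedure above, as an added example that is not part of this declaration or of the newsletter platform described: the confirmation link carries an HMAC-signed token, so only someone who can read mail at the given address can complete the subscription, and the confirmation step produces the record the text describes (time of subscription and confirmation, and the IP addresses involved). The signing key, the 48-hour validity window and the sample addresses are constructed for the example; the page states none of them.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed key for the example; a real deployment loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
# Assumed validity window for the confirmation link; the page gives no figure.
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class SubscriptionRecord:
    """What is kept to document the subscription process (see the paragraph above)."""
    email: str
    requested_at: int
    requested_ip: str
    confirmed_at: int
    confirmed_ip: str


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, ip: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Step 1: build the token placed in the link of the confirmation e-mail.

    The payload carries the request time and IP the record needs later; the HMAC
    means nobody who did not receive the e-mail can produce a valid token.
    """
    payload = json.dumps(
        {"email": email, "ip": ip, "ts": now, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def confirm_subscription(token: str, confirm_ip: str, now: int,
                         key: bytes = SIGNING_KEY) -> Optional[SubscriptionRecord]:
    """Step 2: run when the confirmation link is opened.

    Returns the record to store, or None when the token is malformed, forged,
    tampered with or older than the validity window.
    """
    try:
        encoded, signature = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so a forged signature cannot be refined byte by byte.
    if not hmac.compare_digest(_sign(payload, key), signature):
        return None
    try:
        data = json.loads(payload.decode())
        email, ip, issued = data["email"], data["ip"], int(data["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    if now < issued or now - issued > TOKEN_TTL_SECONDS:
        return None  # stale link: the subscriber must register again
    return SubscriptionRecord(email, issued, ip, now, confirm_ip)


if __name__ == "__main__":
    t0 = 1_567_000_000  # constructed request time
    token = issue_confirmation_token("alice@example.org", "198.51.100.23", t0)
    print("confirmed:", confirm_subscription(token, "198.51.100.24", t0 + 600))
    print("expired:", confirm_subscription(token, "198.51.100.24", t0 + TOKEN_TTL_SECONDS + 1))
```

The pending request is not stored server-side at all: everything the confirmation needs is inside the signed token, which keeps unconfirmed addresses out of the subscriber database. Only the record returned by the second step is retained, which is the part the paragraph says must be kept.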
Deletion and limitation of processing: On the basis of our legitimate interests, we may store unsubscribed e-mail addresses for up to three years before deleting them, in order to be able to demonstrate that consent was previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for deletion can be made at any time, provided that the prior existence of consent is confirmed at the same time.
Logging of the registration procedure is based on our legitimate interests for the purpose of demonstrating that it was properly conducted. If we engage a service provider to send e-mails, we do so on the basis of our legitimate interests in an efficient and secure delivery system.
Notes on legal bases: The newsletter is sent on the basis of the recipient’s consent or, if consent is not required, on the basis of our legitimate interests in direct marketing, provided and to the extent that this is permitted by law, e.g. in the case of existing customer advertising. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests to demonstrate that it has been conducted in accordance with the law.
Information about us and our partners, our services, campaigns and offers in the field of activity of EIT Health.
Success measurement: The newsletters contain a so-called “web-beacon”, i.e. a pixel-sized file, which is retrieved from our server or, if we use a dispatch service provider, from its server when the newsletter is opened. During the download, technical information such as your browser and operating system, as well as your IP address and the time of the download, are collected.
This information is used for the technical improvement of our newsletter on the basis of the technical data or of the target groups and their reading behaviour, based on their retrieval locations (which can be determined with the help of the IP address) or access times. This analysis also includes determining whether newsletters are opened, when they are opened and which links are clicked. Although this information technically allows individual newsletter recipients to be tracked, neither we nor the dispatch service provider, if one is involved, are interested in observing the behaviour of individual users. The analysis is used to recognise patterns in the reading behaviour of our users and to adapt content accordingly, or to send different content according to the interests of our users.
The evaluation of the newsletter and the performance measurement are carried out, subject to the express consent of the user, on the basis of our legitimate interests for the purposes of providing a user-friendly and secure newsletter system which serves both our business interests and the expectations of the user.
A separate revocation of performance measurement is unfortunately not possible. To do this, the entire newsletter subscription must be cancelled.
Presence in social networks
We maintain online presences within social networks in order to communicate with the users active there or to provide information about us there.
User data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the resulting interests of users. The usage profiles can in turn be used, for example, to display advertisements that presumably correspond to the interests of the users both within and outside of the platforms. For these purposes, cookies are usually stored on the computers of the users in which the user behaviour and the interests of the users are stored (see also above under “Cookies”). Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).
For a detailed description of the respective forms of processing and the possibilities for objection (opt-out), we refer to the data protection declarations and information of the operators of the respective networks.
We would like to point out that requests for information and the assertion of user rights are also directed most effectively to the providers. Only the providers have access to the user data and can directly take appropriate measures as well as provide information. If you still need further assistance, you can contact us.
Services and service providers used:
Plug-ins and embedded functions and content
Our online services include functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may, for example, be graphics, videos or social media buttons as well as contributions (hereinafter uniformly referred to as “Content”).
The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to the user’s browser without it. The IP address is therefore required for the presentation of this content or these functions. We strive to use only content whose provider uses the IP address solely for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring websites, visiting times and other information about the use of our online services, and may be linked to such information from other sources.
Services and service providers used:
When using the social media plug-ins, we use the so-called two-click solution.
In other words, when you visit our site, initially no personal data is passed on to the providers of the plug-ins. You can recognise the provider of the plug-in by the marking on the box, either its initial letter or its logo. We offer you the possibility to communicate directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it does the plug-in provider receive the information that you have accessed the corresponding page of our online service. In addition, data such as the dynamic IP address, browser type and browser version are transmitted. By activating the plug-in, your personal data is transferred to the respective plug-in provider and stored there (in the case of US providers, in the USA). Since the plug-in provider collects data mainly via cookies, we recommend that you delete all cookies using your browser’s security settings before clicking on the greyed-out box.
We have no influence on the data collected and data processing, nor are we aware of the full extent of data collection, the purposes of processing, the storage periods. We also have no information on the deletion of the data collected by the plug-in provider.
The plug-in provider stores the data collected about you as user profiles and uses these for the purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation is also made for users who are not logged in, to display customised advertising and to inform other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles. You must contact the respective plug-in provider to exercise this right. Through plug-ins, we provide you with the possibility to interact with social networks and other users, so that we can improve our service and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 para. 1 clause 1 f) GDPR.
The data transfer takes place regardless of whether you have an account with the plug-in provider or are logged in there. If you are logged in with the plug-in provider, your data collected with us will be directly assigned to your existing account with the plug-in provider. When activating the button and link, for example, the plug-in provider also stores this information in your user account and communicates this to your contacts publicly. We recommend that you log out regularly after using a social network, especially before activating the button, as this way you can avoid being assigned to your profile with the plug-in provider.
For more information on the purpose and extent of the data collection and its processing by the plug-in provider, please refer to the privacy statements of these providers provided below. There you will also find further information about your rights and setting options to protect your privacy.
We have included YouTube/Vimeo/Alugha videos in our online service, which are available at http://www.youTube.com/ or https://vimeo.com/de/ or https://alugha.com/ and can be played directly from our website. These are all integrated in the “extended data protection mode”, i.e. no data about you as a user is transmitted to YouTube/Vimeo/Alugha if you do not play the videos. Only when you play the videos is the following data transmitted. We have no influence on this data transfer.
When you visit the website, YouTube/Vimeo/Alugha receive the information that you have accessed the corresponding subpage of our website. In addition, the access data mentioned above is transmitted. This occurs regardless of whether you are logged in to a user account provided by YouTube/Vimeo/Alugha or whether no user account exists. If you are logged in to Google, your information is directly associated with your account. If you do not want your profile to be assigned to YouTube/Vimeo/Alugha, you must log out before activating the button. YouTube/Vimeo/Alugha store your data as user profiles and use them for the purposes of advertising, market research and/or the need-based design of their websites. Such evaluation also takes place (even for users who are not logged in) for the purposes of providing customised advertising and informing other social network users about activities on our website. You have the right to object to the creation of these user profiles; you must contact YouTube to exercise this right.
Further information on the purpose and scope of data collection and processing by YouTube/Vimeo/Alugha can be found in their privacy statements. There you will also find further information about your rights and setting options to protect your privacy.
Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity, and to provide other services regarding website activity and internet usage for the website operator.
The IP address provided by your browser as part of Google Analytics will not be combined with other data from Google.
This website uses Google Analytics with the extension “_anonymizeIp()”. As a result, IP addresses are further processed in truncated form, so that reference to individuals can be ruled out. If the data collected about you is personally identifiable, it will be blocked immediately and the personal data deleted as soon as possible.
We use Google Analytics to analyse and regularly improve the function of our website. We can improve our service and make it more interesting for you as a user. Google has agreed to comply with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework, with regard to any personal data which are transferred to the USA. The legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 lit. f. GDPR.
Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions, overview of data protection, as well as the data protection declaration.
This website also uses Google Analytics for an analysis of visitor flows across all devices, that is carried out via a user ID (Google Universal Analytics). You can disable the cross-device analysis of your use in your customer account under “My Data”, “Personal Information”.
Deletion of Data
The data processed by us will be deleted in accordance with the statutory provisions as soon as the consent permitting its processing is revoked or other permissions lapse (e.g. if the purpose of processing this data has ceased to apply or the data is not necessary for that purpose).
If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
Further information on the deletion of personal data can also be found in the individual data protection notices of this data protection declaration.
Data subject’s rights
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 GDPR: