Legal Notice and Privacy Statement
Contents
I. Disclaimer
II. Copyright Information
III. Name and Address of the Responsible Controller
IV. Name and Address of the Data Protection Officer
V. General Information on Data Processing
VI. Provision of Website and Creation of Log Files
VII. Use of Cookies
VIII. Rights of the Data Subject
I. Disclaimer
The information on this website has been carefully researched and implemented. Despite these efforts towards accuracy, the possibility of errors cannot be excluded. Please send any remarks or corrections to the web managing editor:
Christoph Döllinger
NCT Tissue Bank IT Administration
Institute of Pathology
Im Neuenheimer Feld 224
D-69120 Heidelberg
Germany
Phone: +49 6221 56-35837
Email:
This disclaimer is to be regarded as part of the internet publication which you were referred from. If sections or individual terms of this statement are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.
II. Copyright Information
Copyright ©, NCT Tissue Bank at the Heidelberg University Hospital, all rights reserved.
Any and all information published on this website (layout, texts, images, figures and tables, etc.) is protected by copyright. Any use of this information prohibited by copyright laws is subject to prior explicit consent by Heidelberg University Hospital. This applies in particular to the copying, processing, translation, inputting, alteration or reproduction of the information in databases or other electronic media and systems. Photocopies and downloads from web pages for personal, scientific, or non-commercial use are permitted.
III. Name and Address of the Responsible Controller
The responsible controller as defined in the EU General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states as well as other data protection-related provisions is the Heidelberg University Hospital. It is represented by its steering committee:
Vorstand des Universitätsklinikums Heidelbergs
Universitätsklinikum Heidelberg
Im Neuenheimer Feld 672
69120 Heidelberg
Germany
VAT Reg No: DE 143 293 939
IV. Name and Address of the Data Protection Officer
The data protection officer, appointed by the responsible controller, is:
Dr. iur. Regina Mathes
Im Neuenheimer Feld 672
D-69120 Heidelberg
Germany
Phone: +49 6221 56-7036
Email:
V. General Information on Data Processing
1. Scope of processing personal data
We collect and use the personal data of our users insofar as necessary for operating a functional website and delivering our content and services. The personal data of our users is collected and used only after obtaining consent from the user. The only exception to this is where it is actually impossible for us to obtain prior consent and processing of the data is legally allowed.
2. Legal Basis for Processing Personal Data
Whenever we obtain consent from a data subject to process personal data, Art. 6 (1 a) GDPR serves as the legal basis. For processing personal data required to fulfil a contract to which the data subject is a party, Art. 6 (1 b) GDPR serves as the legal basis. This also applies to the processing necessary to accommodate preparations for entering into a contract.
Where processing of personal data is necessary for compliance with a legal regulation to which our organisation is subject, Art. 6 (1 c) GDPR serves as the legal basis.
Where processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, Art. 6 (1 d) GDPR serves as the legal basis.
Where processing is necessary to protect the legitimate interests of Heidelberg University Hospital or of a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1 f) GDPR serves as the legal basis.
3. Deletion of Data and Data Storage Period
The data subject’s personal data will be deleted or locked as soon as the purpose for which it has been collected has been fulfilled. Data may remain on record beyond this period if this is provided for in European Union regulations, laws or other provisions of European or national legislation to which the controller is subject. Data will also be locked or deleted if a storage period specified in the above standards expires, unless conclusion or fulfilment of a contract requires the data to remain on record further.
VI. Provision of Website and Creation of Log Files
1. Description and Scope of Data Processing
Any time our website is accessed, our system automatically records data and information concerning the accessing computer.
The following data is recorded:
- Information on the browser type and version used
- the user's operating system
- the user's IP address
- date and time of access
- websites from which the user's system was directed to our website
- websites which the user's system accesses via our website.
The data is compiled in log files on our system, whereby the IP address is truncated immediately after collection, i.e. an IPv4 address is truncated to the first two bytes, an IPv6 address to the first 32 bits. Personal profiles cannot be generated based on truncated IP addresses. This data is not stored with other personal data of the user.
2. Legal Basis for Data Processing
The legal basis for temporarily recording data and log files is Art. 6 (1 f) GDPR.
3. Purpose of Data Processing
The temporary storage of the IP address on our server is necessary for granting the user’s system access to our website. For this purpose, the user’s IP address must remain stored on our server for the duration of the session. Data storage in log files is required to ensure the functionality of the website. Furthermore, the data enables us to optimise the website and guarantee the security of our IT systems. Data analysis for marketing-related purposes is not performed in this context.
The above purposes also constitute our legitimate interests in data processing under Art. 6 (1 f) GDPR.
4. Data Storage Period
The data is erased as soon as it is no longer required for the purpose for which it was collected. Data collected for website availability is deleted when the respective session has ended. All data stored in log files is deleted within seven days. Data can be stored for longer. In such cases, the user's IP address is truncated so that the querying client cannot be identified.
5. Right to Object and Options for Avoidance
The website cannot be provided without recording the data, and the operation of the site on the internet is impossible without storing the data in log files. There is correspondingly no option for the user to object.
VII. Use of Cookies
1. Description and Scope of Data Processing
Our website uses cookies. Cookies are text files saved in or by the web browser on the user’s computer system. When a user accesses a website, a cookie may be stored in the user’s operating system. This cookie contains a unique character string that allows the website to identify the browser when it accesses the website again.
We use cookies to make our website more user-friendly. Some of our website’s elements need to be able to identify the accessing browser, even after it has left the site. When a user visits our website, he or she is notified that we use cookies for such purposes; the user's permission to process personal data used in this context is obtained. This Data Protection Declaration is also referenced at this time.
2. Legal Basis for Data Processing
The legal basis for processing personal data is Art. 6 (1 f) GDPR.
3. Purpose of Data Processing
Cookies are technically necessary to simplify using websites. Several of our website’s functions will not work without using cookies. These functions require the browser to be recognised again after leaving and returning to our website. User data collected via technically required cookies is not used to create user profiles.
The above purposes also constitute our legitimate interests in data processing under Art. 6 (1 f) GDPR.
4. Data Storage Period, Right to Object, and Options for Avoidance
Cookies are stored on the user's computer and transferred to our site. Consequently, you as the user have complete control over how cookies are used. By changing the settings in your web browser, you can deactivate or restrict the transmission of cookies to external websites. You can also delete all saved cookies on your system at any time. Restrictions on cookie usage can be managed automatically by your browser. If you disable cookies for our website, you may no longer be able to use the site’s full range of functions.
VIII. Rights of the Data Subject
1. Right of Access
You are entitled to request information from the controller on whether we are processing any personal data related to yourself.
If we do, you can further request information from the controller on the following:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients to whom your personal data is or will be disclosed;
(4) the period for which your personal data is intended to remain on record or, if this cannot be specified, the criteria for defining the storage period;
(5) whether you are entitled to demand correction or deletion of your personal data, to demand limitation of processing by the controller, or to object to processing;
(6) whether you are entitled to file a complaint with a supervisory authority;
(7) everything available on the data’s source if the entity you are enquiring with did not obtain it themselves;
(8) whether there was any automated decision-making and profiling as per Art. 22 (1) and (4) GDPR and – at least where such was the case – useful information on the underlying logic and the impact and desired effects of this processing on the data subject.
You are entitled to request information on whether your personal data will be transmitted to a non-EU member state or international organisation. You are entitled in this context to request information on suitable safeguards according to Art. 46 GDPR related to the transmission.
Where data is processed for research or statistical purposes, the right of access can be restricted, if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
2. Right to Rectification
You are entitled to request that the controller corrects and/or completes your personal data if this data is incorrect or incomplete. The controller is obliged to do so without delay.
Where data is processed for research or statistical purposes, the right of rectification can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
3. Right to Restriction of Processing
You can request limits to the processing of your personal data if the following applies:
(1) You contest the correctness of your personal data, for a period that allows the controller to check the data's correctness;
(2) Processing of the data is illegal and you object to deletion of the data in favour of restricting the personal data’s use;
(3) The controller no longer requires the personal data for the purposes of processing, but you need it to assert, exercise, or defend a legal claim; or
(4) You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the controller’s legitimate interests outweigh your own.
If the processing of your personal data has been restricted, such data may be processed - apart from its storage - only with your consent, or for the purpose of asserting, exercising, or defending rights, or protecting the rights of another individual or legal entity, or on grounds of important public interest of the European Union or any Member State.
If processing has been restricted in accordance with the above conditions, you will be notified by the controller before the restriction is lifted.
Where data is processed for research or statistical purposes, the right to limitation of processing can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
4. Right to Erasure
a. Obligation to Delete
You can request that the controller delete your personal data immediately; the controller is then obliged to delete the data immediately, provided one of the following conditions applies:
(1) Your personal data is no longer required to achieve the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent under which processing became legitimate as per Art. 6 (1 a) or Art. 9 (2 a) GDPR, and there is no other legal basis for processing.
(3) You object to processing as per Art. 21 (1) GDPR and your objection is not overridden by legitimate reasons for processing, or you object to processing as per Art. 21 (2) GDPR.
(4) Your personal data has been processed unlawfully.
(5) Deletion of your personal data is necessary for the controller to fulfil a legal obligation imposed by European Union law or the national laws of European Union member states.
(6) Your personal data has been collected in connection with the offer of information society services as per Art. 8 (1) GDPR.
b. Notification of Third Parties
If the controller has published your personal data and has become obliged to delete it as per Art. 17 (1) GDPR, the controller will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof.
c. Exceptions
The right to erasure becomes void if processing is necessary
(1) to exercise the right to free expression and information;
(2) to fulfil a legal obligation requiring the controller to process the data imposed by European Union law or the national laws of a European Union member state, or to complete a duty in the public interest or to perform executive duties appointed to the controller;
(3) in the interests of public health and safety as per Art. 9 (2 h and i) and Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes as per Art. 89 (1) GDPR, provided that the right described in section a) can be reasonably assumed to prevent or seriously impede achievement of the processing purposes;
(5) to assert, exercise, or defend legal claims.
5. Notification Obligation
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is under obligation to notify all recipients to whom your personal data has been disclosed of the corresponding rectification or erasure of data or of the restriction of their processing. The controller is exempted from this obligation where such notification proves impossible or unreasonable.
You have the right to be informed of who these recipients are.
6. Right to Data Portability
You have the right to receive the personal data concerning yourself that you have provided to a controller in a structured, commonly used and machine-readable format. You are also entitled to transmit this data to another controller without the controller to whom you have provided the data hindering you from doing so and if
(1) you have consented to processing as per Art. 6 (1 a) GDPR or Art. 9 (2 a) GDPR or processing is governed by a contract as per Art. 6 (1 b) GDPR and
(2) processing occurs using automated methods.
When exercising this right, you can further request a controller to send your personal data directly to another controller, provided this is technically feasible. This must not adversely affect the liberties and rights of others. The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the controller.
7. Right to Object
You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data where processing is legitimised by Art. 6 (1 e or f) GDPR; this applies in equal measure to profiling legitimised by these provisions.
The controller will cease to process your personal data unless the controller can prove compelling legitimate reasons for processing that override your interests, rights, and liberties, or processing pursues the assertion, exercise, or defence of legal claims. If your personal data is processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling, where it occurs in connection with such direct advertising.
If you object to processing for direct advertising, your personal data will no longer be processed for this purpose.
You may, in connection with the use of information society services – Directive 2002/58/EC notwithstanding – exercise your right to object by means of automated methods that are subject to technical specifications.
You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data collected for scientific or historical research or statistical purposes pursuant to Art. 89 (1) GDPR.
Where data is processed for research or statistical purposes, the right to object can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
8. Right to Withdraw Your Consent Under Data Protection Law
You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect the legitimacy of any processing that has occurred with your consent prior to withdrawal.
9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision
(1) is necessary to allow conclusion or fulfilment of a contract between yourself and the controller,
(2) is legitimate under the legal provisions of the European Union or its member states to which the controller is subject and these legal provisions include appropriate measures safeguarding your rights, liberties, and legitimate personal interests, or
(3) is made with your express consent.
However, such decisions may not be based on personal data of special categories as per Art. 9 (1) GDPR unless Art. 9 (2 a or g) GDPR applies and appropriate measures have been taken to protect your rights, liberties, and legitimate personal interests.
With respect to cases (1) and (3), the controller shall take appropriate precautions to protect your rights, liberties, and legitimate personal interests; such precautions will include at least the right to obtain intervention by a human individual on the controller’s side, to put forward your own opinion, and to contest the decision.
10. Right to Complain to a Supervisory Authority
If you believe that processing of your personal data is in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you, your place of work, or the locale of the alleged infringement are located. This does not affect your recourse to other administrative or judicial remedies. The supervisory authority receiving the complaint will keep the appellant up to date on the status and results of the complaint, including on recourse to judicial remedies as per Art. 78 GDPR.
The responsible supervisory authority is the state officer for data protection and freedom of information:
Staatsbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg
Königstraße 10a
D-70173 Stuttgart
Germany
Phone: +49 711 615541-0
Email: