This document contains information about which items of personal data we process, the purpose, the basis on which we process them and for how long.
Overview / Contents
You will find the following information in our privacy notice
A. Our contact data and general matters relating to our data processing
A.1 Name and contact data of the controller
A.2 Contact data of the privacy officer
A.3 General information about legal basis for the processing of personal data
A.4 General information about Data deletion and duration of archiving
A.5 General information about the sources of personal data
A.6 Recipients and categories of recipients of the personal data
A.7 Newsletter circulation for members
A.8 Contacting by email, fax and phone call
B. The scope of the processing of personal data via our website
B.1 Provision of the website and creation of log files
B.2 Members’ log in to the website
B.3 Contact form and email contact
B.4 Use of cookies by us and by third party provider
B.5 Use of Google Workspace for data processing
B.6 Use of videos via the Platform Vimeo
B.7 Use of Borland Cookie-Consent-Tools
B.8 Encryption of the website and communication
B.9 Transmission of personal data to a third country (countries outside Germany but in the EEA)
C. Your rights as the data subject
C.1 The right to be informed
C.2 The right to rectification
C.3 The right to erasure
C.4 The right to restrict processing
C.5 The right to information
C.6 The right to data portability
C.7 The right to object to processing because of a legitimate interest and direct mail
C.8 The right to revoke consent
C.9 Automatic decision-making including profiling
C.10 Voluntary provision of data
C.11 The right to complain to a supervisory authority
A. Our contact data and general matters relating to our data processing
A.1 Name and contact data of the controller
The controller for the collection and use of personal data within the meaning of the privacy laws is
DOG Deutsche Ophthalmologische Gesellschaft e.V.
Offices:
Platenstrasse 1
80336 Munich
Phone: + 49 89 – 5505 7680
Fax: + 49 89 – 5505 76811
General Manager:
Dr Philip Gass
Statutory registered office of the DOG in Heidelberg
Deutsche Ophthalmologische Gesellschaft e.V.
Klingenteich Strasse 2
D-69117 Heidelberg
Association registration number Heidelberg District Court, VR 33105
Value Added Tax registration number: DE143294894
E-mail: geschaeftsfuehrer@dog.org
Website: www.dog.org
You can find further information in the imprint of our website: http://www.dog.org/?page_id=1266
A.2 Contact data of the controller’s Privacy Officer
Our privacy officer is Timo Schutt, MeinDatenschutzPartner.de GbR, E-mail: dsb@meindatenschutzpartner.de
A.3 General information about legal basis for the processing of personal data
In general, the following applies when we process personal data:
- In so far as we obtain your consent for the processing of personal data, Art. 6 para. 1 lit. a) of the EU General Data Protection Regulation (hereinafter: GDPR) acts as the legal basis for the processing of personal data.
- In the case of the processing of personal data which is needed for the performance of a contract with you, Art. 6 para. 1 lit. b) of the GDPR acts as the legal basis. This also applies if the processing is necessary for the performance of pre-contractual measures, e.g. for orders, quotations or contractual negotiations.
- In so far as the processing of personal data is necessary for the performance of a legal obligation to which we are bound, Art. 6 para. 1 lit. c) of the GDPR acts as the legal basis.
- In the event that the vital interests of yours or another natural person render the processing of personal data necessary, Art. 6 para. 1 lit. d) of the GDPR acts as the legal basis.
- If it is necessary to process your personal data for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us, this is done on the basis of Art. 6 para. 1 lit. e) of the GDPR.
- If the processing is necessary for the protection of a legitimate interest of us or of a third party and your interests, fundamental rights and freedoms do not override this interest, Art. 6 para. 1 lit. f) of the GDPR acts as the legal basis.
A.4 General information about Data deletion and duration of archiving
Generally we delete or block the personal data as soon as the purpose of the archiving no longer applies. Data can also be archived if this was stipulated by the European or national legislative body in EU regulations, laws or other provisions to which we, as the controller, are subject. Data is also blocked or deleted if a retention period required by the above-mentioned regulations etc. expires unless it is necessary that the data continues to be archived for the conclusion or performance of a contract for another legal reason.
In specific terms this means:
If we are processing the personal data on the basis of consent for data processing (Art. 6 para. 1 lit. a) of the GDPR), the processing is ended when you revoke your consent unless a further legal basis for processing the data exists. This is the case for example if, at the time of the revocation, we are still entitled to process your data for the purpose of the performance of a contract (on this point see also below).
If we are processing the data by reason of our legitimate interests (Art. 6 para. 1 lit. f) of the GDPR) as part of a previous assessment, we will save this data until the legitimate interest no longer exists, the assessment comes to a different conclusion, or you have lodged a valid objection pursuant to Art. 21 of the GDPR (on this point see the highlighted „Note on a particular right to object“ under C.).
If we are processing the data for the purpose of the performance of a contract we will save the data until the contract has been finally performed and brought to a conclusion and no further claims can be asserted under the contract, in other words until the matter becomes time-barred. The general period of prescription according to Section 195 of the German Civil Code is three (3) years. However, certain claims, for example claims for compensation, only become time-barred after 30 years (cf. Section 197 of the German Civil Code). If there is a legitimate reason for assuming that this is relevant in a particular case, we will save the personal data during this period of time. The above-mentioned periods of prescription commence at the end of the year (therefore on December 31) in which the claim arose and the obligee became aware, or should have become aware without gross negligence, of the circumstances giving rise to the claim and of the identity of the liable party.
We wish to point out that we are also subject to statutory retention obligations for reasons associated with commercial law, taxation and book-keeping. These oblige us to archive certain data, which can include personal data, as evidence of our orderly business activity or book-keeping for a period which can range from six (6) to ten (10) years. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods also commence at the end of the year in question, and therefore on December 31.
A.5 General information about the sources of personal data
The personal data we process originates primarily from the data subject himself or herself, for example by these persons
- as users of our website via their browser and terminal (e.g. a PC, smartphone, tablet or notebook) transmitting information such as their IP address to us or our web server,
- as interested parties requesting information material or quotation,
- as members of our Association informing us about their contact data or other items,
- as participants of an event concluding a contract with us,
- as representatives of the press asking for press releases, a statement or similar,
- as suppliers delivering goods to us which we have ordered or business partners performing services or similar for us.
As a rare exception, the personal data we process may also come from third parties, for example if a person is acting on behalf of another person.
A.6 Recipients and categories of recipients of the personal data
Your personal data is only passed or transmitted to third parties if this is absolutely essential for the relevant purpose and is permissible. We explain to whom and why we pass data in connection with the data processing described below; at the end of Section B of this Privacy Notice we also provide further information on data transmitted to EU countries outside Germany.
Categories of recipients can basically be:
- service providers,
- suppliers, business partners,
- tax advisers.
Depending on the category of the data involved we process personal data for the following purposes on the legal basis specified in the General Data Protection Regulation (GDPR):
User data: In principle, we collect and process data from users of our website on a non-personal basis. We cannot attribute this data to a particular person. The IP address is only processed in an anonymised form. In so far as personal data is nevertheless involved in exceptional cases, we process this data for the protection of our legitimate interests on the basis of Art. 6 para. 1 lit. f) of the GDPR. Our legitimate interests in this sense are our interest in the security and integrity of our website and the data on our web-servers (particularly the detection of disturbances and malfunctions as well as the tracking of unauthorised access) plus marketing interests and interests in statistical surveys for the improvement of our website, our services and what we have to offer. After giving the matter our due consideration we came to the conclusion in these cases that the processing of data to protect the above legitimate interests is necessary and overrides your fundamental rights and freedoms requiring the protection of personal data.
Data of interested parties/data of representatives of the press: In so far as we process the data of parties interested in our services or of the representatives of the press, this is only done if they enter this data in an input field and send it to us or enter this data in an email for the purpose of a query which is then sent to us. These entries are voluntary. We then only process this data in order to deal with their enquiry. The processing of this data voluntarily transmitted to us for the purpose of providing information about our services is carried out as a pre-contractual transaction pursuant to Art. 6 para. 1 lit. b) of the GDPR and/or on the basis of the consent given by them through transmission pursuant to Art. 6 para. 1 lit. a) of the GDPR.
Members’ data: We process our members’ data for the purposes of the management of the Association, support for members and the fulfilment of objectives as set out in the statutes of our Association in accordance with Art. 6 para. 1 lit. b) of the GDPR (this also applies to processing procedures which are necessary before the member is admitted to the Association, for example as part of an enquiry about new membership or processing an application for membership) and/or on the basis of a legitimate interest of the Association pursuant to Art. 6 para. 1 lit. f) of the GDPR if the Association has a legitimate interest in a particular item of data processing which overrides the fundamental rights and freedoms of the member.
Suppliers’ and business partners’ data: We process the data of our suppliers and business partners for the purpose of the performance of a contract as set out in Art. 6 para. 1 lit. b) of the GDPR or on the basis of consent which is granted pursuant to Art. 6 para. 1 lit. a) of the GDPR. This also applies to processing procedures which are necessary for pre-contractual activities (for example as part of the preparation and negotiation of offers).
A.7 Newsletter circulation for members
An Association Newsletter is sent free of charge to our members. The Newsletter contains information about the Association and its activities and events as well as pointers, tips and similar.
On joining the Association the member has the opportunity to consent explicitly to the transmission of the Newsletter. However, the member is not obliged to give his/her consent.
Subscribing to the Newsletter uses what is called a „double opt-in process“. This means that after subscribing, the member receives an email which asks for confirmation of the subscription. This confirmation is necessary to ensure that we have recorded the correct email address.
The purposes of data processing: The purpose of collecting and processing the member’s email address is to send the Newsletter. We use the email address for the purpose of informing about news, events and topics related to the Association.
The legal basis for the data processing: The legal basis for processing the data after the user subscribes to the Newsletter is the grant of consent by the member in accordance with Art. 6 para. 1 lit. a) of the GDPR.
Duration of the archiving: The user’s email address is archived as long as the subscription to the newsletter is active, that is to say until the member cancels the subscription or the membership is terminated.
The right to object and the right to erasure: The subscription to the newsletter can be cancelled at any time without formal notice to us in any form and free of charge. There is also a link for this purpose in every Newsletter.
A.8 Contacting by email, fax and phone call
If you wish you can contact us in several ways. You will find our email address, phone number and fax number for this purpose on our website. If you send us an email, call us or send a fax we will also inevitably process your personal data as the personal data transmitted with the email, fax or your phone will be saved by us or our systems. As a minimum we save or our system saves the personal data transmitted to us by email, fax or your phone call.
The data is not passed to third parties in this context. The data is only used for the distribution of the Newsletter.
We use Outlook for e-mail communication as part of the Microsoft 365 software package from Microsoft Inc, USA. We use Outlook to process and answer incoming e-mails quickly and clearly via this standard solution. We have concluded an order processing contract (Data Processing Addendum, DPA) with Microsoft. In it, Microsoft undertakes to take measures that meet the requirements of the GDPR for data security and privacy. You can view the content of this agreement here: https://www.microsoft.com/licensing/docs/view/Professional-Services-Data-Protection-Addendum-DPA
This data processing may take place on the basis of your consent (Art. 6 para. 1 sentence 1 lit. a) of the GDPR), on the basis of a contract concluded or to be concluded between you and us (Art. 6 para. 1 sentence 1 lit. b) of the GDPR) or on the basis of an overriding legitimate interest in data processing on our part (Art. 6 para. 1 sentence 1 lit. f) of the GDPR).
E-mail communication with you may be routed through Microsoft servers. In doing so, Microsoft promises that all personal data processed via Microsoft 365 products for EU-based enterprise customers will be processed exclusively within the EU. This commitment applies to all central cloud services from Microsoft, thus also to Microsoft 365 (cf. the statement from Microsoft: https://news.microsoft.com/de-de/unsere-antwort-an-europa-microsoft-ermoeglicht-speicherung-und-verarbeitung-von-daten-ausschliesslich-in-der-eu/). This means that, in principle, there is no data transfer outside the EEA („third country transfer“). Should a third country transfer nevertheless take place, we have agreed the EU standard contractual clauses with Microsoft. In it, Microsoft undertakes to take and comply with measures that enable a privacy level that is almost equivalent to that in the EU. The agreement of the EU standard contractual clauses constitutes appropriate safeguards to carry out a third country transfer (Art. 46 para. 1 in conjunction with para. 2 lit. c) of the GDPR). Frequently asked questions about Microsoft and privacy are answered here: https://www.microsoft.com/de-de/trust-center/privacy/gdpr-faqs?market=de
The purposes of data processing: The processing of the personal data when contacting us by email, fax or phone is so that we can deal with your request and the approach you made to us. It is essential that we have your email address, fax or phone number so that we can respond.
The legal basis for data processing: The legal basis for processing the data is either your consent pursuant to Art. 6 para. 1 lit. a) of the GDPR, which you have given by actively contacting us, or our overriding legitimate interest in processing the data, which we have in order to be able to respond to your active contact and to process your request (Art. 6 para. 1 lit. f) of the GDPR).
If the purpose of the contact or your request is the conclusion of a contract, the legal basis for the processing is Art. 6 para. 1 lit. b) of the GDPR (execution of pre-contractual measures).
Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected.
For the personal data which was sent by email, this is the case if the relevant exchange with you is at an end and we have then waited for a period of up to 3 months to establish whether we must refer again to your request and the details of the exchange. The conversation is at an end if it can be gathered from the circumstances that the matter in question has been definitely settled.
Fax data is stored separately from printed data in the fax machine’s memory. After the fax has been printed out the memory space which was used is released so that the next fax can be received and saved there. After being printed out, parts of the fax can remain temporarily in the fax machine’s memory until it is overwritten by the next fax to be received. This normally leads to the automatic deletion of the data after about 1 – 2 weeks. If the fax is a computer fax we receive the fax as an email and the information we have provided on emails applies accordingly.
In the case of an incoming or outgoing phone call your phone number or your name / company name which you have registered with your telephone provider as well as the date and time of the call are stored in what is called a „ring memory” in our phone system. This memory overwrites the oldest data with the new data. In normal circumstances this means that the data is automatically deleted in the phone system after about 3-4 months.
It may happen that due to commercial or fiscal law the exchange is subject to a retention obligation which then comes into play (cf. the information above in the section „Data deletion and retention period”).
The right to object and the right to erasure: You may at any time revoke consent given for the processing of the personal data and object to further data processing because of a legitimate interest (cf. the advice on a particular right to object under C of this Privacy Notice). In such a case, the conversation cannot be continued as we will delete your data immediately.
You can revoke the consent and object to further data processing without any need for a specific form (e.g. you can use email).
In this case all personal data which was saved in the course of the contact with you is deleted.
B. The scope of the processing of personal data via our website
In principle, we only collect and use the personal data of users during the use of our website in so far as this is necessary for the provision of a functioning website, its content and our services. Normally the personal data of our users is collected and used only after the user has granted his/her consent. The exception is such cases in which it is not factually possible to obtain consent in advance and/or the processing is permitted by the provisions of law.
The host provider hosting the website on its server is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. IONOS uses the „WebAnalytics“ service as standard, which collects data exclusively for statistical evaluation and for the technical optimisation of the website. The data is determined either by a pixel or by a log file. To protect personal data, WebAnalytics does not use cookies.
The IP of the visitor is transmitted during the transmission of a page request, anonymised directly after transmission and processed without personal reference. The IP is only used to indicate the country of access to the website as part of IONOS’ own analysis. IONOS does not store any personal data of website visitors so that no conclusions can be drawn about individual visitors. You can find more information here: https://www.ionos.de/hilfe/datenschutz/datenverarbeitung-von-webseitenbesuchern-ihres-11-ionos-produktes/webanalytics/
We have concluded an order processing contract with the host provider.
B.1 Provision of the website and creation of log files
Every time the website is accessed our system automatically collects data and information for technical reasons. These are processed in real time during the visit to our website and stored in the log files of the web server. This information is:
- the date and time of access,
- the URL of the website from which access was made (the referrer),
- the websites which were accessed by the user’s system via our website,
- the user’s screen resolution,
- the file(s) accessed and a report of the success of the access,
- the amount of data sent,
- the user’s Internet service-provider,
- the browser, browser type and version, the browser engine and engine version,
- the operating system, operating system version and type, and
- the (anonymised) IP address and Internet service-provider of the user.
This data is processed separately from other data. This data is not processed in combination with the user’s other personal data. We cannot attribute this data to a particular person.
The purposes of data processing: The temporary processing of the data by the system is necessary so that it is possible to send the contents of our website to the user’s computer. The user’s IP address must be saved for the duration of the session to achieve this.
Data is saved in log files to ensure the functionality of the website. The data also serves to underpin the security of our IT systems. The data is not evaluated for marketing purposes.
The legal basis for the data processing: The data and the log files are temporarily saved on the legal basis of Art. 6 para. 1 lit. f) of the GDPR. Our overriding legitimate interest in this data processing is to be found in the purposes stated above.
Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected. In the case of data capture for the provision of the website, the data is deleted when the session is terminated. The data saved in the log files is deleted after no more than seven days. It is not possible to save the data for longer. In this case, however, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible and a personal reference is therefore excluded.
The right to object and the right to erasure: The capture of data is essential for the provision of the website, and the saving of data in log files is necessary for the operation of the website. As a consequence the user has no right to object to this practice. However, the user may terminate the use of the website at any time and therefore prevent the continued collection of the data specified above.
B.2 Members’ log in to the website
On our website we offer members the facility of logging into a protected members’ area by entering personal access data. By entering his/her name and membership number a new member can have information sent to him/her which enables the new member to enter the members’ area. During the course of this procedure, consent to the processing of this data for the purpose of checking the entitlement to enter the members’ area and for the management of the members’ area is obtained.
The data which is entered in this way is sent to us or our members’ data-base for checking and is processed for this purpose. If the information agrees with the member’s data we hold in our records, the member receives unique access data by email sent to the member’s email address in our records.
So that the member can log on, the access data is then entered into an input mask which is then sent to us to verify the access data and approve access to the members’ area. The data is not passed to third parties.
The members’ area is operated as a separate sub-domain (mydog.dog.org).
The member’s email address and password have to be entered to log onto the members’ area.
All the above data transmissions are, of course, encrypted.
The purposes of data processing: The purpose of registration is for the provision of certain content and services on our website which is intended exclusively for members of the Association.
The legal basis for data processing: The legal basis for processing the data is the grant of consent by the member in accordance with Art. 6 para. 1 lit. a) of the GDPR.
Duration of the archiving: The data is saved until the member revokes his/her consent or ceases to be a member.
The right to object and the right to erasure: You can terminate your registration for the members’ area at any time by revoking your consent. You can do this by informing us accordingly. You can also have the data we hold about you amended at any time.
B.3 Contact forms and email contact
At least one contact form is available on our website, which can be used for electronic contact. If you take advantage of this facility the data you enter in the mask is sent to us and saved.
This is generally done via the Contact Form 7 plugin, which transmits the data you enter to us by e-mail. In this respect, the information above in section A.8 regarding e-mail communication with us applies accordingly. Especially in the case of registrations for events, the data transmitted in this way will then only be stored by us for the registration process, in order to obtain a list of all participants, on a sub-domain of our web server for a maximum period of 14 days and then deleted. There is no data processing by the provider of the plugin.
These data are usually:
- form of address, family name, given name, email (mandatory fields),
- street, post code, town/city, country, phone number, fax number, subject heading, message (optional inputs).
Otherwise, you can also easily see from the data fields displayed which data we ask for as mandatory or optional fields.
The following data is also saved when the message is sent:
- the user’s IP address,
- the date and time of the transmission.
In order to process the data your consent is obtained as part of the transmission process and your attention is drawn at the same time to our legitimate interest in processing the data. At this time you are informed once again about the processing of data and referred to this Privacy Statement.
Alternatively you can contact us via the email address we provide. In this case the personal data transmitted with the email is saved.
In this case the data is not passed to third parties. The data is only used for the distribution of the Newsletter.
We ask you to refrain from sending information that has a certain sensitivity by unencrypted e-mail.
The purposes of data processing: The only purpose for processing the personal data in the input mask is to be able to contact you and deal with your suggestion. Contacting you also constitutes the legitimate interest in processing the data.
The purpose of processing the other personal data during the transmission procedure is to prevent misuse of the contact form and to ensure that our information system remains secure.
The legal basis for data processing: If consent has been granted, the legal basis for processing the data is Art. 6 para. 1 lit. a) of the GDPR and also our legitimate interest in the data processing as set out in Art. 6 para. 1 lit. f) of the GDPR.
If the purpose of the contact or your request is the conclusion of a contract (for example membership), the additional legal basis for the processing is Art. 6 para. 1 lit. b) of the GDPR (execution of pre-contractual measures).
Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected.
For the personal data in the input mask of the contact form or the personal data sent by email, this is the case if the conversation in question with you is at an end. The conversation is at an end if it can be gathered from the circumstances that the matter in question has been definitely settled.
The additional data also collected during the transmission process is deleted after a period not exceeding seven days.
The right to object and the right to erasure: You may at any time revoke consent given for the processing of the personal data with effect for the future and object to further data processing because of a legitimate interest (cf. the advice on a particular right to object under C of this Privacy Notice). In such a case the conversation cannot be continued.
You can revoke the consent and object to further data processing without any need for a specific form (e.g. you can use email).
In this case all personal data which was saved in the course of the contact with you is deleted.
B.4 Use of cookies by us and by third party provider
When using our website, so-called cookies may be used. Cookies are small text files which are installed on the terminal (PC, smartphone, tablet etc.). If you access a website a cookie can be saved in your browser. This cookie includes a characteristic sequence of characters which enables the browser to be unmistakably identified if the page is accessed again. Cookies are used to make our website usable at all (essential cookies) or to make it more user-friendly (non-essential cookies).
It can also happen that cookies are used by third party service-providers. These cookies could also make it possible to analyse the way in which the user surfs the Internet. If this is the case we will inform you separately and directly about this in the information about third party provider tools (such as analysis tools, plugins or similar) of this or specific privacy notices.
When you access our website, you will be informed about the use of cookies that are not strictly necessary and your consent to the processing of personal data used in this context will be obtained.
The purposes of data processing: The purpose of the use of strictly necessary cookies is to enable the use of desired or expressly requested functions of the website for the users. Some of the functions cannot be provided without the use of cookies. For these it is necessary that the browser is re-identified after switching to a different page. The user data collected through strictly necessary cookies are not used to create user profiles.
The use of cookies that are not strictly necessary is generally for the purpose of improving the quality of our website and its content. By analysis cookies we learn, for example, how the website is used and can therefore continuously optimise our offering.
The legal basis for the data processing: In the case of non-essential cookies, the following applies: The legal basis for the storage of absolutely necessary cookies in your terminal device and access to them is Art. 25 para. 2 No. 2 of the TTDPA (Telecommunications and Telemedia Data Protection Act). The legal basis for the further processing of personal data by means of information stored in the cookie is Art.6 para.1 lit. f) of the GDPR, and is therefore a legitimate interest on our part. Our legitimate interest is to be found in the purposes stated above. In the case of non-essential cookies, the following applies: The legal basis for the storage of non-essential cookies in your terminal device and access to them is your consent in accordance with Art. 25 para. 1 of the TTDPA. The legal basis for the further processing of personal data using cookies that are not absolutely necessary is the consent given at the same time in accordance with Art. 6 para. 1 lit.a) of the GDPR.
Duration of the archiving: Some of the cookies we use are deleted again at the end of the browser session, in other words when you close your browser (these are called „session cookies“). Other cookies remain on your terminal and enable us or third party providers to recognise your browser on your next visit (”permanent or statistic cookies”). If we have stored the cookies based on your consent, we will stop further data processing with your revocation. In all other respects we save the data collected on the basis of an overriding legitimate interest, until the legitimate interest no longer exists, the assessment comes to a different conclusion, or you have lodged a valid objection pursuant to Art. 21 of the GDPR (on this point see the highlighted „Note on a particular right to object“ in Section C). Whether or not the legitimate interest still exists is checked regularly.
The right to object and the right to erasure: The cookies are saved on your computer, from where they are transmitted to our site. You therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies which have already been saved can be deleted at any time.
Note: If cookies for our website are deactivated, it is possible that all functions of the website can no longer be used to their full extent.
If you do not give your consent or revoke the consent you have given, you can also prevent the use of cookies that are not absolutely necessary.
B.5 Use of Google Workspace for data processing
We use the cloud-based software and office solution „Google Workspace“ from Google, Inc., USA, to process personal data of members, participants, speakers, course instructors and service providers or business partners.
Note: The USA is assessed by the European Court of Justice in principle as a country with an insufficient privacy level according to EU standards. There is a particular risk that your data may be processed by US authorities, for control and for monitoring purposes, possibly also without any legal remedy.
We have concluded an order processing agreement (Data Processing Amendment, DPA) with Google, Inc. (hereinafter referred to as „Google”), which you can view here: https://workspace.google.com/terms/dpa_terms.html. In this DPA, the current EU Standard Contractual Clauses (SCC) are agreed between us and Google. In addition, the DPA contains the agreement of additional data security measures, such as the encryption of data during transmission to and from the Google Cloud. (cf. Google’s security measures, which you can view here: https://cloud.google.com/security/security-design/?hl=de). Depending on the connection established, Google applies, for example, standard protection measures for the data that is transmitted. For example, Google secures communication between users and the Google Front End (GFE) using TLS. Accordingly, the data processing is to be considered sufficiently secure and permissible according to the criteria of the GDPR and the requirements of the European Court of Justice (ECJ).
The purposes of data processing: The purpose of this use is the processing of the data of members, participants, speakers and course leaders and service providers or business partners, to achieve an effective and collaborative processing of the data, and therefore to facilitate the rapid execution of the relevant processes involving the data subjects. The purpose of using a cloud solution is also to allow employees to access the data from their home and mobile offices and thus be able to carry out their work.
The legal basis for the data processing: The legal basis for the processing of personal data of members, participants, instructors and course leaders is the respective contractual agreement with the data subject and thus Art. 6 para. 1 lit. b) of the GDPR.
Duration of the archiving: We store the data until the purpose of their collection and processing ceases to exist, for example until the underlying contractual relationship or membership relationship ends, whereby we keep the data in any case until claims arising from this contractual relationship become time-barred, which is usually three years from the end of the year in which the contract ends.
In the case of course participants and instructors/course leaders, we continue to process the data beyond the end of a course to the extent that we, as organisers, are obliged to retain data as part of the certification of the course towards the Medical Association. Under the requirements of the Bavarian State Medical Association we are under an obligation for documentation purposes to archive lists of participants in which the name and the attendance of the participants are recorded for a period of six months after the end of the course (e.g. in case of any random checks by the Medical Association). In this connection we wish to point out that we are only able to issue certificates relating to course attendance within these 6 months as we are no longer able to confirm attendance after the data has been deleted.
We wish to point out that we are also subject to statutory retention obligations for reasons associated with taxation and book-keeping. These oblige us to archive certain data as evidence for our book-keeping which can include personal data for a period which can range from six (6) to ten (10) years. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods commence at the end of the year in question, and therefore December 31.
The right to object and the right to erasure: Since the data processing here is mandatory due to the contractual agreements so that we can fulfil our contractual obligations, there is unfortunately no possibility here for the data subjects to object or avoid/eliminate the data processing operations.
B.6 Use of videos via the Platform Vimeo
On our website we use, among other things, plug-ins from the provider Vimeo for the integration of videos. Vimeo is operated by Vimeo, Inc. which has its headquarters at 555 West 18th Street, New York, New York 10011.
Note: The USA is assessed by the European Court of Justice in principle as a country with an insufficient privacy level according to EU standards. There is a particular risk that your data may be processed by US authorities, for control and for monitoring purposes, possibly also without any legal remedy.
If you access pages of our website which are provided with the plug-in, a connection is made to the Vimeo servers. This connection transfers information on which of our pages you have visited. If you are logged in at this time to Vimeo as a member, Vimeo assigns this information to your personal user account. If you use the plug-in, for example by clicking on the Start button of a video, this information is also assigned to your user account.
Using an iFrame in which the video is accessed, Vimeo also accesses the Google Analytics tracker. This is Vimeo’s own tracking operation to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tool which Google offers for some Internet browsers. You can also prevent the capture of the data created by Google Analytics relating to their use of the website (including your IP address) by Google and the data being processed by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de
You can find further information on data processing and privacy by Vimeo at https://vimeo.com/privacy. Vimeo’s cookie policy can be found here: https://vimeo.com/cookie_policy
The purposes of data processing: Vimeo’s videos are incorporated so we can offer multi-media content on the website to users and thus upgrade and enhance the user experience of the website. As this makes our website more attractive, the use of Vimeo also serves our marketing and promotional purposes.
The legal basis for the data processing: The legal basis for the storage of cookies that are not absolutely necessary in your terminal device and access to them is your consent in accordance with Art. 25 para. 1 of the TTDPA. The legal basis for the further processing of personal data using technically unnecessary cookies is Art. 6 para. 1 lit. a) of the GDPR, i.e. your consent granted in accordance with GDPR, which we request from you at the beginning of the website use or before playing a Vimeo video and establishing a connection to Vimeo servers.
Duration of the archiving: Vimeo itself saves your data if you are logged into Vimeo as a member for so long as you have a Vimeo account (cf. Vimeo’s Privacy Statement: https://vimeo.com/privacy). If you are not logged into Vimeo we assume that your personal data is not saved by accessing a video. Unfortunately Vimeo itself does not provide any information on this point. However, Vimeo does state that its services comply with European privacy act. Thus at all events, Vimeo deletes the data in this case as soon as the purpose for which the data is collected no longer exists.
We ourselves do not save your data in connection with the use of Vimeo videos on our website.
The right to object and the right to erasure: If you have a Vimeo user account and do not want Vimeo to collect data about you via this website and link it with your membership data saved by Vimeo, you must log off from Twitter before visiting our website. You can also delete the corresponding Vimeo cookies via your browser.
You can also avoid data processing by refusing your consent or revoking it with effect for the future.
B.7 Use of Borland Cookie-Consent-Tools
Our website uses Consent technology of Borlabs Cookie. The provider of this tool is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg (hereinafter Borlabs).
When you enter our website, a Borlabs cookie is stored in your browser, which stores the consents you have given or the revocation of these consents. This data is not shared with the Borlabs cookie provider.
Details on the data processing of Borlabs Cookie can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/.
The purposes of data processing: We use the tool to obtain your consent to the storage of certain cookies in your browser or to the use of certain technologies and to document this in a manner compliant with privacy.
The legal basis for the data processing: The use of the consent technology of Borlabs cookie is done in order to obtain the legally required consents for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c) of the GDPR.
Duration of the archiving: The data collected will be stored until you request us to delete it or delete the Borlabs cookie yourself, or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected.
The right to object and the right to erasure: You can delete the cookie set by the tool yourself at any time. However, our website will then not „remember“ that you have already given or refused consent and will ask you again.
B.8 Encryption of the website and communication
All the protected areas and forms on the website and therefore the data transmissions using these forms are encrypted to the SSL standard.
B.9 Transmission of personal data to a third country (countries outside Germany but in the EEA)
Personal data may be processed outside the EEA (European Economic Area). In particular, personal data may be transferred to the United States of America (USA) or other third countries by various third-party providers (see details above).
The USA in particular is assessed by the European Court of Justice as a country with an insufficient privacy level according to EU standards. There is a particular risk that your data may be processed by US authorities, for control and for monitoring purposes, possibly also without any legal remedy.
You can find out exactly which providers might transfer data to third parties, in particular to the USA, in Part B of this privacy statement under the respective tools.
All companies for which a third country transfer comes into consideration have provided sufficient guarantees for the transfer of data within the meaning of the GDPR and the European Court of Justice (ECJ) by binding agreement with us on the EU Standard Contractual Clauses (SCC, cf. Art. 46 para. 2 lit. c) of the GDPR) and by agreeing on additional data security measures and have subjected themselves to a level of regulation comparable in principle to the EU privacy level. The transfer of data to these companies is therefore permissible in principle (cf. Art. 44 et seqq. GDPR).
In addition, in the case of data processing, appropriate data processing contracts were concluded with these companies to protect the data and our rights to issue instructions.
C. Rights of data subjects
If your personal data is processed you are a „data subject“ and you are entitled to the following rights in respect of us as the controller.
C.1 The right to be informed
You have the right to receive a confirmation from us free of charge whether we are processing personal data relating to you. In this case you have the right to information about this personal data and other information which you can see in Art. 14 of the GDPR. You can contact us for this purpose by post or email.
C.2 The right to rectification
You have the right to require that we immediately correct inaccurate personal data relating to you. You also have the right – for the purposes set out above – to require additions to incomplete personal data – including by means of a supplementary declaration. You can contact us for this purpose by post or email.
C.3 The right to erasure
You have the right to require the immediate deletion of personal data relating to you if one of the conditions of Art. 17 of the GDPR is met. You can contact us for this purpose by post or email.
C.4 The right to restrict processing
You have the right to require the restriction of processing if one of the conditions of Art. 18 of the GDPR is met. You can contact us for this purpose by post or email.
C.5 The right to information
If you have asserted the right to the correction, deletion or restriction of the processing to the controller, the latter is obliged to inform all recipients to which the personal data relating to you was disclosed about the correction or deletion of the data or about the restriction of the processing unless this proves to be impossible or is associated with disproportionate effort.
You have the right to be informed by the Controller about these recipients.
C.6 The right to data portability
You have the right to receive the personal data you sent to us relating to you in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from us if the conditions of Art. 20 of the GDPR are met. You can contact us for this purpose by post or email.
C.7 The right to object to processing because of a legitimate interest and direct mail
In so far as we process personal data on the basis of Art. 6 para. 1 lit. f) of the GDPR (therefore for reason of a legitimate interest), you have the right, for reasons arising from your particular situation, to object at any time to our processing of the personal data relating to you. We will cease processing your data if we can demonstrate no compelling reasons worthy of protection for the further processing which override your interests, rights and freedoms or if we are processing your data for the purposes of direct advertising (cf. Art. 21 of the GDPR). You can contact us for this purpose by post or email.
If personal data are processed for the purpose of direct marketing, you have the right at any time to lodge an objection to the processing of personal data relating to yourself for the purposes of this type of advertising; this also applies to profiling insofar as it is associated with such direct marketing.
C.8 The right to revoke consent
You have the right at any time to revoke an agreement you have given for the collection and use of personal data with effect for the future. You can contact us for this purpose by post or email. The lawfulness of the processing undertaken by reason of the consent you gave up to the time of its revocation is not affected.
C.9 Automatic decision-making including profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – which has a legal effect on you or which is significantly to your detriment in a similar manner unless the decision is necessary for the conclusion of an agreement between you and us, is admissible by reasons of provisions of law of the European Union or member states to which we are subject and these provisions of law contain reasonable measures to protect your rights, freedoms and legitimate interests, or the decision is taken with your express consent.
We do not take automated decisions of this nature.
C.10 Voluntary provision of data
If the provision of the personal data is stipulated by law or a contract, we will always point this out when the data is collected. The data we collect is sometimes necessary for the conclusion of a contract, to be specific, if we are unable to meet our contractual obligation to you or cannot adequately meet them in any other way. You are under no obligation to provide personal data. However, the failure to provide such information can mean that we are unable to perform or offer the service, action, measure or similar you require, or that it is impossible to conclude a contract with you.
C.11 The right to complain to a supervisory authority
Notwithstanding other rights, if you believe that the processing of personal data relating to you infringes on privacy rights, you have the right at all times to complain to a supervisory authority for privacy, particularly in the member state where you reside, where you work or the place of the alleged infringement.
Privacy Notice version: 30.01.2023