As of: August 28, 2019
The person responsible for the collection, processing, and use of your personal data within the meaning of Article 4(7) of the GDPR and other national data protection laws of the Member States and other data protection legislation shall be:
Health Innovation Hub & Holding GmbH
Frau Dr. Katharina Ladewig
Authorized persons: Dr. Katharina Ladewig
Overview of processing
The table below summarises the types of data processed and the purposes for which they are processed and refers to the data subjects.
Types of data processed
- Inventory data (names, addresses, etc.).
- Content data (e.g. text input, photographs, videos).
- Contact data (e.g., email address, phone numbers).
- Meta/communication data (e.g. device information, IP addresses).
- Usage data (e.g., websites visited, interest in content, access times).
Categories of data subjects
- Communication partner
- Users (website visitors, users of online services).
Purposes of processing
- Providing online services and user-friendliness.
- Office and organisation procedures.
- Behavioural and interest-based marketing.
- Contact requests and communication.
- Profiling (creating profiles for users).
- Range measurement (access statistics, recognition of recurring visitors).
- Security measures.
- Tracking (interest/behavioural profiling, cookies).
- Contractual services.
- Managing and responding to requests.
Applicable legal bases
Below, we provide the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data.
Please note that, in addition to the rules of the GDPR, the national data protection rules may apply in your or our country of residence.
- Consent (Art. 6 para. 1 p. 1 lit. a. GDPR) – The data subject has given his or her consent to the processing of personal data concerning him or her for one or more specific purposes.
- Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
- Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR) – Processing is necessary to safeguard the legitimate interests of the controller or of a third party, unless these are outweighed by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
National data protection regulations in Germany: In addition to the data protection provisions of the General Data Protection Regulation, national rules on data protection apply in Germany. This includes, in particular, the Law on the Protection against the Abuse of Personal Data in the Processing of Data (Federal Data Protection Law – BDSG-new).
In particular, the BDSG-new contains special rules on the right of access, the right of erasure, the right of appeal, the processing of specific categories of personal data, the processing for other purposes, and the transmission and automated decision-making in individual cases, including profiling. It also regulates the processing of data for the purposes of the employment relationship (Paragraph 26 of the BDSG-new), in particular, the creation, performance or termination of employment and the consent of employees. In addition, national laws on data protection can be applied in the individual federal states.
In accordance with the legal requirements, and taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, safeguarding of availability and separation relating to them. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the deletion of data and responses to threats to the data. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.
IP address truncation: Where it is possible for us, or where storing the IP address is not necessary, we truncate your IP address or have it truncated within Member States of the European Union or in other states party to the Agreement on the European Economic Area. When the IP address is truncated, also referred to as “IP masking”, the last octet, i.e. the last two numbers of an IP address, is deleted (in this context, the IP address is an identifier individually assigned to an Internet connection by the online access provider). Truncating the IP address is intended to prevent, or make significantly more difficult, the identification of a person by means of their IP address.
SSL encryption (https): To protect your data transmitted via our online services, we use SSL encryption. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission and disclosure of personal data
As part of our processing of personal data, the data is transferred to or disclosed to other entities, undertakings, legally independent organisational units or persons. Recipients of this data may include payment institutions in connection with payment transactions, service providers entrusted with IT tasks or service and content providers included in a website. In the event that we outsource certain parts of data processing (“order processing”), we contractually oblige contractors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of the data subject.
Data Transfer within the Organization: We may transfer personal data to other entities within our organization or grant them access to it. Where such disclosure is made for administrative purposes, the transfer of data shall be based on our legitimate commercial and business interests or shall take place where it is necessary to fulfil our obligations under the contract or where consent or legal authorisation is obtained from the data subject.
Data transfer to a third country: In principle, transfers of your personal data which we have received in the context of our business relationship to countries outside the EU or the EEA will only take place if you have given us consent to do so or if this is a condition necessary for the performance of a contract. If personal data is transferred to a third country or an international organisation, you have the right to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
When contacting us (e.g. via contact form, e-mail, telephone or social media), the information provided by the requesting persons is processed, if you agree to do so, or if necessary to respond to the contact requests and any measures requested.
Responses to contact requests in the context of contractual or pre-contractual relations shall be given either for the fulfilment of our contractual obligations or for the purpose of answering (pre)contractual requests and also on the basis of the legitimate interests in answering the questions.
- Processed data types: inventory data (names, addresses, etc.), contact details (e-mail, phone numbers), content data (text entries, photographs, videos).
- Individuals concerned:
- Processing purposes: contact requests and communication.
- Legal bases: contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Article 6 para. 1 p. 1 lit. f. GDPR).
Provision of online services and web hosting
In order to provide our online services safely and efficiently, we use one or more web hosting providers from whose servers (or servers they manage) the online services can be accessed. For these purposes, we can use infrastructure and platform services, computing capacity, storage and database services, as well as guarantees and technical maintenance.
The data processed in the context of the provision of the hosting services may include any information related to the users of our online service arising from use and communication. These include:
- name and URL of file(s) you retrieve/access
- Date and time of the access
- The amount of data transferred
- Message about successful retrieval (HTTP response code)
- Browser type and browser version
- Operating system
- Referrer URL (i.e. the previously visited page)
- Websites accessed by the user’s system via our website
- The user’s Internet service provider
- IP address and the requesting provider
E-mail delivery and hosting: The web hosting services we have used also include the sending, reception and storage of e-mails. For these purposes, the addresses of the recipients and senders are processed, as are other information concerning e-mail (e.g. the providers involved) and the content of each e-mail.
The above data may also be processed for the purpose of detecting SPAM. Please note that e-mails are not encrypted on the Internet. Typically, while e-mails are encrypted in transit, they are not encrypted on the servers from which they are sent and received (unless the end-to-end encryption method is used). We cannot therefore take responsibility for the transmission of e-mails between the sender and the receipt on our server.
- Processed data types: content data (text input, photographs, videos), usage data (web pages visited, content interest, access times), meta/communication data (device information, IP addresses).
- Individuals concerned: users (site visitors, users of online services).
- Legal basis: legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR in conjunction with Art. 28 GDPR).
Presence in social networks
We maintain online presences within social networks in order to communicate with the users active there or to provide information about us there.
User data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the resulting interests of users. The usage profiles can in turn be used, for example, to display advertisements that presumably correspond to the interests of the users both within and outside of the platforms. For these purposes, cookies are usually stored on the computers of the users in which the user behaviour and the interests of the users are stored (see also above under “Cookies”). Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).
For a detailed description of the respective forms of processing and the possibilities for objection (opt-out), we refer to the data protection declarations and information of the operators of the respective networks.
We would like to point out that requests for information and the assertion of user rights are also directed most effectively to the providers. Only the providers have access to the user data and can directly take appropriate measures as well as provide information. If you still need further assistance, you can contact us.
- Processed data types: inventory data (names, addresses, etc.), contact data (e-mail, telephone numbers), content data (text input, photographs, videos), usage data (visited websites, interest in content, access times), meta/communication data (device information, IP addresses).
- Individuals concerned: users (site visitors, users of online services).
- Purposes of processing: contact enquiries and communication, tracking (interest / behaviour related profiling, cookies), remarketing, range measurement (access statistics, recognition of returning visitors).
- Legal basis: legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
Services and service providers used:
- Facebook: Social Network; Service Provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Privacy Statement: https://www.facebook.com/about/privacy; Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Opt-Out: Advertisement Settings: https://www.facebook.com/settings?tab=ads; Additional Privacy Notice: Agreement on the Shared Processing of Personal Information on Facebook Pages: https://www.facebook.com/legal/terms/page_controller_addendum; Privacy Notice for Facebook Pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.
Plug-ins and embedded functions and content
Our online services include functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may, for example, be graphics, videos or social media buttons as well as contributions (hereinafter uniformly referred to as “Content”).
The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to the user’s browser without the IP address. The IP address is therefore required for the presentation of this content or these functions. We strive to only use content whose respective provider uses the IP address solely for the delivery of content. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring websites, visiting times and other information about the use of our online services, and may also be linked to such information from other sources.
- Processed data types: usage data (visited websites, interest in content, access times), meta/communication data (device information, IP addresses), contact data (e-mail, telephone numbers), content data (text input, photographs, videos), inventory data (names, addresses, etc.).
- Persons concerned: Users (website visitors, users of online services), communication partners.
- Purposes of processing: provision of our online services and user-friendliness, contractual services and support, contact enquiries and communication, direct marketing (by e-mail or post), tracking (interest / behaviour profiling, cookies), interest based and behaviour based marketing, profiling (creation of user profiles), security measures, administration and response to enquiries.
- Legal basis: legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR), consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b. GDPR).
Services and service providers used:
When using the social media plug-ins, we use the so-called two-click solution.
In other words, when you visit our site, initially no personal data is passed on to the providers of the plug-ins. You can recognize the provider of the plug-in by the marking on the box above its initial letter or the logo. We offer you the possibility to communicate directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it, the plug-in provider receives the information that you have accessed the corresponding website of our online service. In addition, data such as the dynamic IP address, browser type and browser version are transmitted. By activating the plug-in, your personal data is transferred to the respective plug-in provider and stored there (in the case of US providers in the USA). Since the plug-in provider collects data mainly via cookies, we recommend that you delete all cookies using your browser’s security settings before clicking on the greyed-out box.
We have no influence on the data collected and data processing, nor are we aware of the full extent of data collection, the purposes of processing, the storage periods. We also have no information on the deletion of the data collected by the plug-in provider.
The plug-in provider stores the data collected about you as user profiles and uses these for the purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation is also made for users who are not logged in, to display customised advertising and to inform other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles. You must contact the respective plug-in provider to exercise this right. Through plug-ins, we provide you with the possibility to interact with social networks and other users, so that we can improve our service and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 para. 1 clause 1 f) GDPR.
The data transfer takes place regardless of whether you have an account with the plug-in provider or are logged in there. If you are logged in with the plug-in provider, your data collected with us will be directly assigned to your existing account with the plug-in provider. When activating the button and link, for example, the plug-in provider also stores this information in your user account and communicates this to your contacts publicly. We recommend that you log out regularly after using a social network, especially before activating the button, as this way you can avoid being assigned to your profile with the plug-in provider.
For more information on the purpose and extent of the data collection and its processing by the plug-in provider, please refer to the privacy statements of these providers provided below. There you will also find further information about your rights and setting options to protect your privacy.
We have included YouTube/Vimeo/Alugha videos in our online service, which are available at http://www.youTube.com/ or https://vimeo.com/de/ or https://alugha.com/ and can be played directly from our website. These are all integrated in the “extended data protection mode”, i.e. no data about you as a user will be transmitted to YouTube/Vimeo/Alugha if you do not play the videos. Only when you play the videos will the following data be transmitted. We have no influence on this data transfer.
By visiting the website, YouTube/Vimeo/Alugha receive the information that you have accessed the corresponding subpage of our website. In addition, the access data mentioned above will be transmitted. This occurs regardless of whether YouTube/Vimeo/Alugha provides a user account that you are logged in to, or whether no user account exists. If you are logged into Google, your information will be directly associated with your account. If you do not want your profile to be assigned to YouTube/Vimeo/Alugha, you must log out before activating the button. YouTube/Vimeo/Alugha store your data as user profiles and use them for the purposes of advertising, market research and/or the need-based design of their websites. Such evaluation also takes place (even for users who are not logged in) for the purposes of providing customised advertising and to inform other social network users about activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
Further information on the purpose and scope of data collection and processing by YouTube/Vimeo/Alugha can be found in their privacy statements. There you will also find further information about your rights and setting options to protect your privacy.
Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity, and to provide other services regarding website activity and internet usage for the website operator.
The IP address provided by your browser as part of Google Analytics will not be combined with other data from Google.
This website uses Google Analytics with the extension “_anonymizeIp()”. As a result, IP addresses are further processed in truncated form, so that reference to individuals can be ruled out. If the data collected about you is personally identifiable, it will be blocked immediately and the personal data deleted as soon as possible.
We use Google Analytics to analyse and regularly improve the function of our website. We can improve our service and make it more interesting for you as a user. Google has agreed to comply with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework, with regard to any personal data which are transferred to the USA. The legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 lit. f. GDPR.
Third party information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions, overview of data protection, as well as the data protection declaration.
This website also uses Google Analytics for an analysis of visitor flows across all devices, that is carried out via a user ID (Google Universal Analytics). You can disable the cross-device analysis of your use in your customer account under “My Data”, “Personal Information”.
Data subject’s rights
The data processed by us will be deleted in accordance with the statutory provisions as soon as the consent given for processing is revoked or other permissions lapse (e.g. if the purpose of processing this data has lapsed or it is not necessary for the purpose).
If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
Further information on the deletion of personal data can also be found in the individual data protection notices of this data protection declaration.
Rights of data subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 GDPR:
- You have the right, for reasons arising from your specific situation, to object at any time to the processing of personal data concerning you which is carried out in accordance with Art. 6 para. 1 lit. e or f GDPR (Art. 21 GDPR), including profiling based on those provisions. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling insofar as it is associated with such direct marketing.
- Right of revocation for consent: You have the right to revoke consent given at any time.
- Right of access: You have the right to obtain confirmation as to whether the data in question will be processed and to request access to this data and further information and a copy of the data in accordance with the provisions of the law (Art. 15 GDPR).
- Right of rectification: You have the right, in accordance with the provisions of the law, to request the completion of data concerning you or the rectification of inaccurate data concerning you (Art. 16 GDPR).
- Right to deletion and limitation of processing: You have the right, in accordance with the statutory provisions, to demand that data concerning you be deleted immediately or, alternatively, to demand a limitation of data processing in accordance with the statutory provisions (Art. 17 GDPR).
- Right to data transfer: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to demand that it be transferred to another responsible party (Art. 20 para. 1 GDPR).
- Complaint to the supervisory authority: You also have the right, in accordance with the statutory provisions, to complain to a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place where the alleged infringement was committed, if you are of the opinion that the processing of your personal data violates the GDPR (Art. 77 GDPR). This also includes the data protection supervisory authority responsible for the person responsible: The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
PO BOX 10 29 32, 70025 Stuttgart
Königstraße 10a, 70173 Stuttgart, 0711/61 55 41 – 0, email@example.com.