Disclaimer/Data Privacy

Data Protection Information

This document explains which items of personal data we process, for what purpose, on what basis and for how long.

Overview / Contents

You will find the following information in our Data Protection Information:

A. Our contact data and general matters relating to our data processing
A.1 Name and contact data of the controller
A.2 Contact data of the data protection officer
A.3 General information about legal basis for the processing of personal data
A.4 General information about Data deletion and duration of archiving
A.5 General information about the sources of personal data
A.6 Recipients and categories of recipients of the personal data
A.7 Newsletter circulation for members
A.8 Contacting by email, fax and phone call

B. The scope of the processing of personal data via our web-site
B.1 Provision of the web-site and creation of log files
B.2 Members’ log-in to the web-site
B.3 Contact form and email contact
B.4 Use of cookies
B.5 Use of the analysis tool “Matomo” (previously PIWIK) in the members’ area
B.6 Use of Google G Suite for data processing
B.7 Use of Google reCAPTCHA
B.8 Use of videos via the Platform Vimeo
B.9 Encryption of the web-site and communication
B.10 Transmission of personal data to a third country (countries outside Germany but in the EU)

C. Your rights as the data subject
C.1 The right to be informed
C.2 The right to rectification
C.3 The right to erasure
C.4 The right to restrict processing
C.5 The right to information
C.6 The right to data portability
C.7 The right to object to processing because of a legitimate interest and direct mail
C.8 The right to revoke consent
C.9 Automatic decision-making including profiling
C.10 Voluntary provision of data
C.11 The right to complain to a supervisory authority


A. Our contact data and general matters relating to our data processing

A.1 Name and contact data of the controller
The controller within the meaning of data protection legislation for the collection and use of personal data is

DOG Deutsche Ophthalmologische Gesellschaft e.V.

Offices:
Platenstrasse 1
80336 Munich
Phone: + 49 89 – 5505 7680
Fax: + 49 89 – 5505 76811

General Manager:
Dr Philip Gass

Statutory registered office of the DOG in Heidelberg
Deutsche Ophthalmologische Gesellschaft e.V.
Klingenteich Strasse 2
D-69117 Heidelberg

Association registration number Heidelberg District Court, VR 33105
Value Added Tax registration number: DE143294894
E-Mail: geschaeftsfuehrer@dog.org
Website: https://www.dog.org

You can find further information about our Association in the imprint of our web-site http://www.dog.org/?page_id=1266.

A.2 Contact data of the controller’s Data Protection Officer

Our Data Protection Officer is Thomas Heimhalt, DATENSCHUTZ perfect GbR, Wilhelm-Kolb-Straße 1a, D-76187 Karlsruhe, Phone +49 (0)721 / 966 388 3, Fax +49 (0)721 / 966 388 4, E-Mail info@datenschutz-perfect.de

A.3 General information about legal basis for the processing of personal data

In general, the following applies when we process personal data:

  • In so far as we obtain your consent for processing procedures of personal data, Article 6, Paragraph 1, Letter a) of the EU General Data Protection Regulation (GDPR) acts as the legal basis for the processing of personal data.
  • In the case of the processing of personal data which is needed for the performance of a contract with you, Article 6, Paragraph 1, Letter b) of the GDPR acts as the legal basis. This also applies if the processing is necessary for the performance of pre-contractual measures, e.g. for orders, quotations or contractual negotiations.
  • In so far as the processing of personal data is necessary for the performance of a legal obligation to which we are bound, Article 6, Paragraph 1, Letter c) of the GDPR acts as the legal basis.
  • In the event that your vital interests or those of another natural person render the processing of personal data necessary, Article 6, Paragraph 1, Letter d) of the GDPR acts as the legal basis.
  • If it is necessary to process your personal data for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us, this is done on the basis of Article 6, Paragraph 1, Letter e) of the GDPR.
  • If the processing is necessary for the protection of a legitimate interest of us or of a third party and your interests, fundamental rights and freedoms do not override this interest, Article 6, Paragraph 1, Letter f) of the GDPR acts as the legal basis.

A.4 General information about Data deletion and duration of archiving

Generally we delete or block the personal data as soon as the purpose of the archiving no longer applies. Data can also be archived if this was stipulated by the European or national legislative body in EU regulations, laws or other provisions to which we, as the controller, are subject. Data is also blocked or deleted if a retention period required by the above-mentioned regulations etc. expires unless it is necessary that the data continues to be archived for the conclusion or performance of a contract.

In specific terms this means:
If we are processing the personal data on the basis of consent for data processing (Article 6, Paragraph 1, Letter a) of the General Data Protection Regulation (GDPR)), the processing is ended when you revoke your consent unless a further legal basis for processing the data exists. This is e.g. the case if, at the time of the revocation, we are still entitled to process your data for the purpose of the performance of a contract (on this point see also below).

If we are processing the data by reason of our legitimate interests (Article 6, Paragraph 1, Letter f) of the GDPR) as part of a previous assessment, we will save this data until the legitimate interest no longer exists, the assessment comes to a different conclusion, or you have lodged a valid objection pursuant to Article 21 of the GDPR (on this point see the highlighted “Note on a particular right to object” under C.).

If we are processing the data for the purpose of the performance of a contract we will save the data until the contract has been finally performed and brought to a conclusion and no further claims can be asserted under the contract, in other words until the matter becomes time-barred. The general period of prescription according to § 195 of the German Civil Code is three (3) years. However, certain claims, for example claims for compensation, only become time-barred after 30 years (cf. § 197 German Civil Code). If there is a legitimate reason for assuming that this is relevant in a particular case, we will save the personal data during this period of time. The above-mentioned periods of prescription commence at the end of the year (therefore on December 31) in which the claim arose and the obligee becomes aware, or without gross negligence should have become aware, of the circumstances giving rise to the claim and of the identity of the liable party.

We wish to point out that we are also subject to statutory retention obligations for reasons associated with commercial law, taxation and book-keeping. These oblige us to archive certain data, which can include personal data, as evidence of our orderly business activity or book-keeping for a period which can range from six (6) to ten (10) years. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods also commence at the end of the year in question, and therefore December 31.

A.5 General information about the sources of personal data

The personal data we process originates primarily from the data subject himself or herself, for example by these persons:

  • as users of our web-site via their browser and terminal (e.g. a PC, smartphone, tablet or notebook) transmitting information such as their IP address to us or our web-server,
  • as interested parties requesting information material or a quotation,
  • as members of our Association informing us about their contact data or other items,
  • as participants of an event concluding a contract with us,
  • as representatives of the press asking for press releases, a statement or similar,
  • as suppliers delivering goods to us which we have ordered or business partners performing services or similar for us.

As a rare exception, the personal data we process may also come from third parties, for example if a person is acting on behalf of another person.

A.6 Recipients and categories of recipients of the personal data

Your personal data is only passed or transmitted to third parties if this is absolutely essential for the relevant purpose and is permissible. We explain to whom and why we pass data in connection with the data processing described below; at the end of Section B of this Data Protection Information we also provide further information on data transmitted to EU countries outside Germany.

Categories of recipients can basically be:

  • service providers,
  • suppliers, business partners,
  • tax advisers.

Depending on the category of the data involved we process personal data for the following purposes on the legal basis specified in the General Data Protection Regulation (GDPR):

User data: We do not collect and process data about users of our web-site in personal form. We cannot attribute this data to a particular person. The IP address is only processed in an anonymised form. On the other hand, in so far as personal data is involved in exceptional cases, we process this data for the protection of our legitimate interests on the basis of Article 6, Paragraph 1, Letter f) of the GDPR. Our legitimate interests in this sense are our interest in the security and integrity of our web-site and the data on our web-servers (particularly the detection of disturbances and malfunctions as well as the tracking of unauthorised access) plus marketing interests and interests in statistical surveys for the improvement of our web-site, our services and what we have to offer. After giving the matter our due consideration we came to the conclusion that the processing of data to protect the above legitimate interests is necessary and overrides your fundamental rights and freedoms requiring the protection of personal data.

Data of interested parties/data of representatives of the press: In so far as we process the data of parties interested in our services or of the representatives of the press, this is only done if they enter this data in an input field and send it to us or enter this data in an email for the purpose of a query which is then sent to us. These entries are voluntary. We then only process this data in order to deal with their enquiry. This data which is voluntarily sent to us for the purpose of the supply of information about our services is processed as pre-contractual processing in accordance with Article 6, Paragraph 1, Letter b) of the GDPR and/or on the basis of the consent you grant by sending it, in accordance with Article 6, Paragraph 1, Letter a) of the GDPR.

Members’ data: We process our members’ data for the purposes of the management of the Association, support for members and the fulfilment of objectives as set out in the statutes of our Association in accordance with Article 6, Paragraph 1, Letter b) of the GDPR (this also applies to processing procedures which are necessary before the member is admitted to the Association, for example as part of an enquiry about new membership or processing an application for membership) and/or on the basis of a legitimate interest of the Association pursuant to Article 6, Paragraph 1, Letter f) of the GDPR if the Association has a legitimate interest in a particular item of data processing which overrides the fundamental rights and freedoms of the member.

Suppliers’ and business partners’ data: We process the data of our suppliers and business partners for the purpose of the performance of a contract as set out in Article 6, Paragraph 1, Letter b) of the GDPR and/or on the basis of consent which is granted pursuant to Article 6, Paragraph 1, Letter a) of the GDPR. This also applies to processing procedures which are necessary for pre-contractual activities (for example as part of the preparation and negotiation of offers).

A.7 Newsletter circulation for members

An Association Newsletter is sent free of charge to our members. The Newsletter contains information about the Association and its activities and events as well as pointers, tips and similar.

On joining the Association the member has the opportunity to consent explicitly to the transmission of the Newsletter. However, the member is not obliged to give his/her consent.

Subscribing to the Newsletter uses what is called a “double opt-in process”. This means that after subscribing, the member receives an email which asks for confirmation of the subscription. This confirmation is necessary to ensure that we have recorded the correct email address.

The purposes of data processing: The purpose of collecting and processing the member’s email address is to send the Newsletter. We use the email address for the purpose of providing information about news, events and topics related to the Association.

The legal basis for the data processing: The legal basis for processing the data after the user subscribes to the Newsletter is the grant of consent by the member in accordance with Article 6, Paragraph 1, Letter a) of the GDPR.

Duration of the archiving: The user’s email address is archived as long as the subscription to the newsletter is active, that is to say that the member has not cancelled the subscription or the membership has been terminated.

The right to object and the right to erasure: The subscription to the Newsletter can be cancelled in any form, at any time and free of charge. There is a link for this purpose in every Newsletter.

A.8 Contacting by email, fax and phone call

If you wish you can contact us in several ways. You will find our email address, phone number and fax number for this purpose on our website. If you send us an email, call us or send a fax we will also inevitably process your personal data as the personal data transmitted with the email, fax or your phone will be saved by us or our systems. As a minimum we save or our system saves the personal data transmitted to us by email, fax or your phone call.

The data is not passed to third parties in this context. The data is only used for the distribution of the Newsletter.

The purposes of data processing: The processing of the personal data when contacting us by email, fax or phone is so that we can deal with your request and the approach you made to us. It is essential that we have your email address, fax or phone number so that we can respond. This also constitutes the legitimate interest in processing the data.

The legal basis for data processing: If we have received your consent, the legal basis for the processing of the data is Article 6, Paragraph 1, Letter a) of the GDPR.
If the purpose of the contact or your request is the conclusion of a contract, the legal basis for the processing is Article 6, Paragraph 1, Letter b) of the GDPR (execution of pre-contractual measures).

Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected.

For the personal data which was sent by email, this is the case if the relevant exchange with you is at an end and we have then waited for a period of up to 3 months to establish whether we must refer again to your request and the details of the exchange. The conversation is at an end if it can be gathered from the circumstances that the matter in question has been definitely settled.

Fax data is stored separately from printed data in the fax machine’s memory. After the fax has been printed out the memory space which was used is released so that the next fax can be received and saved there. After being printed out, parts of the fax can remain temporarily in the fax machine’s memory until it is overwritten by the next fax to be received. This normally leads to the automatic deletion of the data after about 1 – 2 weeks. If the fax is a computer fax we receive the fax as an email and the information we have provided on emails applies accordingly.

In the case of an incoming or outgoing phone call your phone number or your name / company name which you have registered with your telephone provider as well as the date and time of the call are stored in what is called a “ring memory” in our phone system. This memory overwrites the oldest data with the new data. In normal circumstances this means that the data is automatically deleted in the phone system after about 3-4 months.

It may happen that due to commercial or fiscal law the exchange is subject to a retention obligation which then comes into play (cf. the information above in the section “Data deletion and retention period”).

The right to object and the right to erasure: You may at any time revoke consent given for the processing of the personal data and object to further data processing because of a legitimate interest (cf. the advice on a particular right to object under C of this Data Protection Information). In such a case the conversation cannot be continued.
You can revoke the consent and object to further data processing without any need for a specific form (e.g. you can use email).
In this case all personal data which was saved in the course of the contact with you is deleted.


B. The scope of the processing of personal data via our web-site

As a matter of principle we only collect and use the personal data of users during the use of our web-site in so far as this is necessary for the provision of a functioning web-site, its content and our services. Normally the personal data of our users is collected and used only after the user has granted his/her consent. The exception is such cases in which it is not factually possible to obtain consent in advance and/or the processing is permitted by the provisions of law.

B.1 Provision of the web-site and creation of log files

Every time the web-site is accessed our system automatically collects data and information for technical reasons. This is saved in the server’s log files. This information is:

  • the date and time of access,
  • the URL of the web-site from which access was made (the referrer),
  • the web-sites which were accessed by the user’s system via our web-site,
  • the user’s screen resolution,
  • the file(s) accessed and a report of the success of the access,
  • the amount of data sent,
  • the user’s Internet service-provider,
  • the browser, browser type and version, the browser engine and engine version,
  • the operating system, operating system version and type, and
  • the user’s anonymised IP address and Internet service-provider.

This data is processed separately from other data. This data is not processed in combination with the user’s other personal data. We cannot attribute this data to a particular person.

The purposes of data processing: The temporary processing of the data by the system is necessary so that it is possible to send the contents of our web-site to the user’s computer. The user’s IP address must be saved for the duration of the session to achieve this.
Data is saved in log files to ensure the functionality of the web-site. The data also enables us to optimise our offering and the web-site, and to protect the security of our computer system. The data is not evaluated for marketing purposes in this connection.

The legal basis for the data processing: The data and the log files are temporarily saved on the legal basis of Article 6, Paragraph 1, Letter f) of the GDPR. Our overriding legitimate interest in this data processing is to be found in the purposes stated above.

Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected. In the case of data capture for the provision of the web-site, the data is deleted when the session is terminated. The data saved in the log files is deleted after no more than seven days. It is not possible to save the data for longer. In this case the users’ IP addresses are deleted or distorted so that it is no longer possible to attribute them to the client accessing the web-site.

The right to object and the right to erasure: The capture of data is essential for the provision of the web-site, and the saving of data in log files is necessary for the operation of the web-site. As a consequence the user has no right to object to this practice. However, the user may terminate the use of the web-site at any time and therefore prevent the continued collection of the data specified above.

B.2 Members’ log-in to the web-site

In our web-site we offer members the facility of logging into a protected members’ area by entering personal access data. By entering his/her name and membership number a new member can have information sent to him/her which enables the new member to enter the members’ area. During the course of this procedure, consent to the processing of this data for the purpose of checking the entitlement to enter the members’ area and for the management of the members’ area is obtained.

The data which is entered in this way is sent to us or our members’ data-base for checking and is processed for this purpose. If the information agrees with the member’s data we hold in our records, the member receives unique access data by email sent to the member’s email address in our records.

So that the member can log on, the access data is then entered into an input mask which is then sent to us to verify the access data and approve access to the members’ area. The data is not passed to third parties.

The members’ area is operated as a separate sub-domain (mydog.dog.org).
The member’s email address and password have to be entered to log onto the members’ area.

All the above data transmissions are, of course, encrypted.

The purposes of data processing: The purpose of registration is for the provision of certain content and services on our web-site which is intended exclusively for members of the Association.

The legal basis for data processing: The legal basis for processing the data is the grant of consent by the member in accordance with Article 6, Paragraph 1, Letter a) of the GDPR.

Duration of the archiving: The data is saved until the member revokes his/her consent or ceases to be a member.

The right to object and the right to erasure: You can terminate your registration for the members’ area at any time by revoking your consent. You can do this by informing us accordingly. You can also have the data we hold about you amended at any time.

B.3 Contact form and email contact

Our web-site contains a contact form which can be used for contacting us by electronic means. If you take advantage of this facility the data you enter in the mask is sent to us and saved.

This data consists of:

• form of address, family name, given name, email (mandatory fields),
• street, post code, town/city, country, phone number, fax number, subject heading, message (optional inputs).

The following data is also saved when the message is sent:

• the user’s IP address,
• the date and time of the transmission.

In order to process the data your consent is obtained as part of the transmission process and your attention is drawn at the same time to our legitimate interest in processing the data. At this time you are informed once again about the processing of data and referred to this Data Protection Statement.

Alternatively you can contact us via the email address we provide. In this case the personal data transmitted with the email is saved.

In this case the data is not passed to third parties. The data is only used for the distribution of the Newsletter.

Please never send any form of personal data by email because the transmission is not encrypted.

The purposes of data processing: The only purpose for processing the personal data in the input mask is to be able to contact you and deal with your suggestion. Contacting you also constitutes the legitimate interest in processing the data.
The purpose of processing the other personal data during the transmission procedure is to prevent misuse of the contact form and to ensure that our information system remains secure.

The legal basis for data processing: If consent has been granted, the legal basis for processing the data is Article 6, Paragraph 1, Letter a) of the GDPR and also our legitimate interest in the data processing as set out in Article 6, Paragraph 1, Letter f) of the GDPR.
If the purpose of the contact or your request is the conclusion of a contract (for example membership), the additional legal basis for the processing is Article 6, Paragraph 1, Letter b) of the GDPR (execution of pre-contractual measures).

Duration of the archiving: The data is deleted as soon as it is no longer needed to achieve the purpose for which it was collected.
For the personal data in the input mask of the contact form and the personal data sent by email, this is the case if the conversation in question with you is at an end. The conversation is at an end if it can be gathered from the circumstances that the matter in question has been definitely settled.
The additional data also collected during the transmission process is deleted after a period not exceeding seven days.

The right to object and the right to erasure: You may at any time revoke consent given for the processing of the personal data and object to further data processing because of a legitimate interest (cf. the above advice on a particular right to object). In such a case the conversation cannot be continued.
You can revoke the consent and object to further data processing without any need for a specific form (e.g. you can use email).
In this case all personal data which was saved in the course of the contact with you is deleted.

B.4 Use of cookies

When accessing individual web pages we use so-called cookies. Cookies are small text files which are installed on the terminal (PC, smartphone or tablet etc.). If a user accesses a web page a cookie may be saved in the user’s operating system. This cookie includes a characteristic sequence of characters which enables the browser to be unmistakably identified if the page is accessed again.

It can also happen that cookies are used by third party service-providers. If this is the case, we inform you about this point separately in this Data Protection Information in the part dealing with the relevant third party service-provider tools (for example, analysis tools, plug-ins, or similar).

We use cookies to make our web-site more user-friendly. Some parts of our web-site require that the browser accessing our site can also be identified after switching to a different page. The following data is saved in the cookies and transmitted at this time:

• the language settings,
• in the members’ area: the user’s session is saved so that it is possible to allocate the data to the relevant user.

The purposes of data processing: The purpose of using cookies needed for technical reasons is to simplify the use of the web-site for users. Some of the functions of our web-site cannot be provided without the use of cookies. For these it is necessary that the browser is re-identified after switching to a different page.

We need cookies for the following application:
• the transfer of language settings

The user data collected by the cookies needed for technical purposes is not used for creating user profiles.

The legal basis for the data processing: The legal basis for the processing of personal data by means of cookies is Article 6, Paragraph 1, Letter f) of the GDPR, and is therefore a legitimate interest on our part. Our legitimate interest is to be found in the purposes stated above.

Duration of the archiving: Some of the cookies we use are deleted again at the end of the browser session, in other words when you close your browser (these are called “session cookies”). Other cookies remain on your terminal and enable us to recognise your browser on your next visit (“permanent cookies”).

The right to object and right of erasure: Cookies are saved on your computer and transmitted from there to our site. You therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies which have already been saved can be deleted at any time. This can also be done automatically. We understand a “Do not track” setting of your browser of this nature to be an objection to the further collection and use of your personal data. Note: If cookies for our web-site are deactivated, it is possible that all functions of the web-site can no longer be used to their full extent.

B.5 Use of the analysis tool “Matomo” (previously PIWIK) in the members’ area

In the members’ area of this web-site Matomo (Piwik), an open-source web analysis tool of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (https://matomo.org), is used to collect and save data for marketing and optimisation purposes. User profiles with a pseudonym can be compiled from this data. Cookies can be used for this purpose. Cookies are small text files which are saved in the cache of the Internet browser of the visitor to the site. The cookies enable the Internet browsers to be identified on a further visit. The data collected by Matomo (Piwik) is not used to identify the visitor to this web-site and is also not merged with personal data about the owner of the pseudonym without consent by the data subject given separately.

The purposes of data processing: Analysis tools and analysis cookies are used for the purpose of improving the quality of our web-site and its contents. In this way we learn how the web-site is used and can therefore continuously optimise our offering.

The legal basis for the data processing: The legal basis for the processing of personal data by means of cookies is Article 6, Paragraph 1, Letter f) of the GDPR, and is therefore a legitimate interest on our part. Our legitimate interest is to be found in the purposes stated above.

Duration of the archiving: The cookies are saved on the user’s computer from where they are transmitted to our site. The IP is anonymised immediately after processing and before it is saved. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies which have already been saved can be deleted at any time. This can also be done automatically. We understand a “Do not track” setting of your browser of this nature to be an objection to the further collection and use of your personal data. Note: If cookies for our web-site are deactivated, it is possible that all functions of the web-site can no longer be used to their full extent.

The right to object and the right to erasure: You can prevent the installation of cookies by making a corresponding setting in your browser software. If you do this we must point out that in this case you will not be able to use all functions of this web-site to their full extent. You can also prevent the capture of the data created by the cookie relating to your use of the web-site (including your IP address) and the processing of this data by us by using the opt-out option.

B.6 Use of Google G Suite for data processing

We use the cloud-based Office solution “G Suite” of Google, Inc., USA to process personal data.
Google, Inc. (Google) has acceded to the EU-US Privacy Shield and therefore warrants that it will maintain a level of data protection which complies with European data protection legislation. Google offers users of G Suite data protection measures which guarantee appropriate security for personal data (cf. https://cloud.google.com/security/security-design/?hl=de).

A Data Processing Supplement (Zusatz zur Datenverarbeitung) is offered for G Suite and Cloud Identity, as well as Standard Contractual Clauses (Standardvertragsklauseln) (available in English as a download), which are required by the EU for this purpose in order to meet the adequacy and security requirements of the General Data Protection Regulation (GDPR). We have concluded these agreements with Google.

The purposes of data processing: The purpose of this use is the processing of the data of members, participants, speakers and course leaders in a cloud-based Office solution to achieve an effective and collaborative processing of the data, and therefore to facilitate the rapid execution of the relevant processes involving the data subjects.

The legal basis for the data processing: The legal basis for processing the personal data is our legitimate interest for the data processing pursuant to Article 6, Paragraph 1, Letter f) of the GDPR.
Our legitimate interest is that an effective opportunity for processing the personal data of the above-mentioned data subjects is necessary and is sometimes not available locally in a form able to match the particular requirements of the organisational structure and the events taking place in different locations (particularly basic courses, awards presentation and certification).
Google Inc. has joined the “EU-U.S. Privacy Shield” so that data transmission to the USA is permitted.

Duration of the archiving: We save the data collected on the basis of our legitimate interest until the legitimate interest no longer exists, the assessment of the individual interests comes to a different conclusion, or you have lodged a valid objection pursuant to Article 21 of the GDPR (cf. the special note in Section C in this Data Protection Information).
Our legitimate interest in this respect extends beyond the end of a course because we, as the organiser, are under an obligation towards the Medical Association to archive data relating to the certification of the course. Under the requirements of the Bavarian State Medical Association we are under an obligation for documentation purposes to archive lists of participants in which the name and the attendance of the participants are recorded for a period of six months after the end of the course (e.g. in case of any random checks by the Medical Association).
In this connection we wish to point out that we are only able to issue certificates relating to course attendance within these 6 months as we are no longer able to confirm attendance after the data has been deleted.
We wish to point out that we are also subject to statutory retention obligations for reasons associated with taxation and book-keeping. These oblige us to archive certain data as evidence for our book-keeping which can include personal data for a period which can range from six (6) to ten (10) years. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods commence at the end of the year in question, and therefore December 31.

The right to object and the right to erasure: Under Article 21 of the GDPR you have the right to lodge an objection to the processing of your personal data in the future provided that there are grounds for such an objection arising from your personal situation or if the data is processed for the purpose of direct marketing (cf. the special note in Section C of this Data Protection Information).

B.7 Use of Google reCAPTCHA

For protection during the transmission of forms (e.g. contact forms, registration for the internal members’ area) we use the services of reCAPTCHA of Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA in selected cases.

This service includes sending your IP address and, if appropriate, additional information needed by Google for the reCAPTCHA service. The data protection provisions of Google, which are different from our own, apply to this data.

By the use of Google reCAPTCHA information about your use of this web-site (including your IP address) can be sent to a Google server in the USA and saved there. Google may pass the information obtained by reCAPTCHA to third parties in so far as this is required by law or in so far as third parties process this data on behalf of Google. In no case will Google combine your IP address with other Google data. Nevertheless, it would be technically feasible that, based on the data it has received, Google could identify at least individual users. It would be possible that personal data and personality profiles of users of Google’s web-site could be processed for other purposes over which we neither have nor can have any influence.

The purposes of data processing: Google reCAPTCHA is also used for the purpose of excluding what are called bots which are small malware programs which compromise the security and integrity of our web-site and web servers. We wish to ensure the functionality of the web-site. The data also serves to underpin the security of our IT systems.

The legal basis for the data processing: The legal basis for the processing of personal data by means of reCAPTCHA is Article 6, Paragraph 1, Letter f) of the GDPR, and is therefore a legitimate interest on our part. Our legitimate interest is to be found in the purposes stated above. Google Inc. has joined the “EU-US Privacy Shield” so that data transmission to the USA is permitted.

The right to object and the right to erasure: You have the possibility of not using the services of Google reCAPTCHA by not clicking on the service’s button. You can then contact us by other means, for example by email or phone.
You can also deactivate JavaScript and thus prevent the transfer of data to Google. In order to prevent the execution of JavaScript code totally, you can also install a JavaScript blocker, for example the browser plugin NoScript (e.g. www.noscript.net or www.ghostery.com).

Note: If JavaScript is deactivated, you cannot use the reCAPTCHA service, and you are also unable to use our contact and web forms which use reCAPTCHA.

You will find Google’s data protection policy at https://policies.google.com/privacy?hl=de

B.8 Use of videos via the Platform Vimeo

On our website we use, among other things, plug-ins from the provider Vimeo for the integration of videos. Vimeo is operated by Vimeo, Inc. which has its headquarters at 555 West 18th Street, New York, New York 10011. If you access pages of our web-site which are provided with a plug-in of this nature, a connection is made to the Vimeo servers. This connection transfers information on which of our pages you have visited. If you are logged in at this time to Vimeo as a member, Vimeo assigns this information to your personal user account. If you use the plug-in, for example by clicking on the Start button of a video, this information is also assigned to your user account.

Using an iFrame in which the video is accessed, Vimeo also accesses the Google Analytics tracker. This is Vimeo’s own tracking operation to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tool which Google offers for some Internet browsers. You can also prevent the capture by Google of the data created by Google Analytics relating to your use of the web-site (including your IP address), and the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de

You can find further information on data processing and data protection by Vimeo at https://vimeo.com/privacy. Vimeo’s cookie policy can be found here: https://vimeo.com/cookie_policy

The purposes of data processing: Vimeo’s videos are incorporated so we can offer multi-media content on the website to users and thus upgrade and enhance the user experience of the website. As this makes our website more attractive, the use of Vimeo also serves our marketing and promotional purposes.

The legal basis for the data processing: The legal basis for the processing of personal data is Article 6, Paragraph 1, Letter f) of the GDPR, and is therefore a legitimate interest on our part. In this respect our legitimate interest consists of the purposes mentioned above.

Duration of the archiving: Vimeo itself saves your data if you are logged into Vimeo as a member for so long as you have a Vimeo account (cf. Vimeo’s Data Protection Statement: https://vimeo.com/privacy). If you are not logged into Vimeo we assume that your personal data is not saved by accessing a video. Unfortunately Vimeo itself does not provide any information on this point. However, Vimeo does state that its services comply with European data protection legislation. Thus at all events, Vimeo deletes the data in this case as soon as the purpose for which the data is collected no longer exists.
We ourselves do not save your data in connection with the use of Vimeo videos on our website.

The right to object and the right to erasure: If you have a Vimeo user account and do not want Vimeo to collect data about you via this website and link it with your membership data saved by Vimeo, you must log off from Twitter before visiting our website. You can also delete the corresponding Vimeo cookies via your browser.
If you do not want Vimeo to process any of your data, do not click on Vimeo cookies on our website.

B.9 Encryption of the web-site and communication

All the protected areas and forms on the web-site and therefore the data transmissions using these forms are encrypted to the SSL standard.

B.10 Transmission of personal data to a third country (countries outside Germany but in the EU)
We intend to send personal data to the United States of America. There is an adequacy decision of the EU Commission which states that personal data may be sent to the USA if the recipient has joined the EU-US Privacy Shield. Therefore personal data is only sent to recipients in the USA which demonstrate that they have joined the EU-US Privacy Shield.

The specific intention relates to a transmission of data to the following company:

• Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) as provider of the services reCAPTCHA and the office solutions Google GSuite,
• Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA as provider of the video streaming services Vimeo

The companies mentioned have joined the EU-US Privacy Shield and have submitted to a regulatory framework comparable to the EU data protection standard. The transmission of data to these companies is therefore unquestionably permitted. In addition, in the case of data processing, appropriate data processing contracts were concluded with these companies to protect the data and our rights to issue instructions.


C. Rights of data subjects

If your personal data is processed you are a “data subject” and you are entitled to the following rights in respect of us as the controller.

C.1 The right to be informed

You have the right to receive a confirmation from us free of charge whether we are processing personal data relating to you. In this case you have the right to information about this personal data and other information which you can see in Article 14 of the GDPR. You can contact us for this purpose by post or email.

C.2 The right to rectification

You have the right to require that we immediately correct inaccurate personal data relating to you. You also have the right, for the purposes set out above, to require additions to incomplete personal data, including by means of a supplementary declaration. You can contact us for this purpose by post or email.

C.3 The right to erasure

You have the right to require the immediate deletion of personal data relating to you if one of the conditions of Article 17 of the GDPR is met. You can contact us for this purpose by post or email.

C.4 The right to restrict processing

You have the right to require the restriction of processing if one of the conditions of Article 18 of the GDPR is met. You can contact us for this purpose by post or email.

C.5 The right to information

If you have asserted the right to the correction, deletion or restriction of the processing to the controller, the latter is obliged to inform all recipients to which the personal data relating to you was disclosed about the correction or deletion of the data or about the restriction of the processing unless this proves to be impossible or is associated with disproportionate effort.
You have the right to be informed by the Controller about these recipients.

C.6 The right to data portability

You have the right to receive the personal data you sent to us relating to you in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from us if the conditions of Article 20 of the GDPR are met. You can contact us for this purpose by post or email.

C.7 The right to object to processing because of a legitimate interest and direct mail

In so far as we process personal data by way of exception on the basis of Article 6, Paragraph 1, Letter f) of the GDPR (therefore for reasons of a legitimate interest), you have the right, for reasons arising from your particular situation, to object at any time to our processing of the personal data relating to you. We will cease processing your data if we can demonstrate no compelling reasons worthy of protection for the further processing which override your interests, rights and freedoms or if we are processing your data for the purposes of direct advertising (cf. Article 21 of the GDPR). You can contact us for this purpose by post or email.

A technical process which you use, for example an unambiguous statement sent by technical means by your browser (a “do not track” message), is also deemed to be an objection within this meaning.

If personal data is processed for the purpose of direct marketing, you have the right at any time to lodge an objection to the processing of personal data relating to yourself for the purposes of this type of advertising. This also applies to profiling to the extent that it is in connection with this type of direct advertising.

C.8 The right to revoke consent

You have the right at any time to revoke an agreement you have given for the collection and use of personal data with effect for the future. You can contact us for this purpose by post or email. The lawfulness of the processing undertaken by reason of the consent you gave up to the time of its revocation is not affected.

C.9 Automatic decision-making including profiling

You have the right not to be subject to a decision based exclusively on automated processing (including profiling) which has a legal effect on you or which is significantly to your detriment in a similar manner unless the decision is necessary for the conclusion of an agreement between you and us, is admissible by reasons of provisions of law of the European Union or member states to which we are subject and these provisions of law contain reasonable measures to protect your rights, freedoms and legitimate interests, or the decision is taken with your express consent.
We do not take automated decisions of this nature.

C.10 Voluntary provision of data

If the provision of the personal data is stipulated by law or a contract, we will always point this out when the data is collected. The data we collect is sometimes necessary for the conclusion of a contract, to be specific, if we are unable to meet our contractual obligation to you or cannot adequately meet them in any other way. You are under no obligation to provide personal data. However, the failure to provide such information can mean that we are unable to perform or offer the service, action, measure or similar you require, or that it is impossible to conclude a contract with you.

C.11 The right to complain to a supervisory authority

Notwithstanding other rights, if you are of the opinion that the processing of personal data relating to you infringes data protection law, you have the right at all times to complain to a supervisory authority for data protection, particularly in the member state where you reside, where you work or the place of the alleged infringement.

Data Protection Information version: 06.03.2020