Data protection notice
I. NAME AND ADDRESS OF THE DATA CONTROLLER
The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the EU member states as well as other data protection regulations is the:
Universitätsklinikum Hamburg-Eppendorf (UKE)
(University Medical Center Hamburg-Eppendorf - UKE)
Tel: +49 (0) 40 7410 - 0
The University Medical Center Hamburg-Eppendorf is a public organization with legal capacity and a member organization of the University of Hamburg. The responsible supervisory authority is the Ministry of Science, Research and Equality (BWFG), Hamburger Straße 37, 22083 Hamburg.
Board of Directors:
Prof. Dr. Burkhard Göke, Medical Director and Chairman of the Executive Board
Prof. Dr. Dr. Dr. Uwe Koch-Gromus, Dean
Joachim Prölß, Director for Patient and Nursing Management
Marya Verdel, Commercial Director
Tax identification number (USt-ID): DE 218618948
II. DATA PROCESSING IN GENERAL
1. Scope of the personal data processing
In principle, we will process personal data of our users only to the extent necessary for us to provide a functional website including our contents and services. We usually process our users’ personal data only following the user’s consent, except in cases where prior user consent cannot be obtained for genuine reasons and where processing the data is permitted by law.
2. Legal basis for the processing of personal data
Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) will apply to cases where we obtain the consent of the data subject prior to processing the personal data.
Art. 6 (1) (b) GDPR constitutes the legal basis for cases where processing of personal data is necessary for the performance of a contract to which the data subject is a party including processing operations required to carry out pre-contractual actions.
Art. 6 (1) (c) GDPR serves as the legal basis for cases where processing of personal data is required so that our company is able to meet a binding legal obligation.
Art. 6 (1) (d) GDPR will apply in the event that personal data processing becomes necessary to protect the vital interests of the data subject or any other natural person.
Art. 6 (1) (f) GDPR serves as the legal basis in the event processing becomes necessary in order to protect the legitimate interests of our company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
3. Data erasure and data retention
The personal data of the data subject will be erased or disabled as soon as the purposes expire for which the data was collected. However, such retention may be subject to European or national legislation such as EU regulations, laws or other regulations to which the controller is bound. Disabling or erasure of data will ensue once the prescribed retention period as per the standards mentioned expires, unless the conclusion of a contract or fulfillment of a contract would require an extended retention of the data.
III. WEBSITE USE AND CREATING LOGFILES
1. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the calling machine. The user’s IP address is collected. The data is also stored in log files on our system. This piece of data is not stored together with other personal data of the User.
2. Legal basis for the processing of data
Art. 6 (1) (f) GDPR applies for the short-term storage of data and log files.
3. Purpose of data processing
The short-term storage of the IP address collected by the system is necessary to allow delivery of the website to the user’s computer. The user's IP address will hereby be retained for the duration of the session.
The data is stored in log files to ensure the website’s functionality. The data is also used to optimize the website and to ensure the security of our information technology systems. The data is not assessed for marketing purposes within this context.
These purposes reflect our legitimate interest in the processing of data pursuant to Art. 6 (1) (f) GDPR.
4. Retention period
The data will be deleted as soon as the purpose expires for which the data was collected. Accordingly, data collected for reasons of website use is deleted once this particular session is closed.
Data stored in log files will be deleted after no more than seven days. Longer retention is possible. In such a case, the user’s IP address will be deleted or masked, so that it can no longer be associated with the calling client.
5. Right to object and erasure options
The collection of data for website use and the storage of the data in log files are indispensable for the operation of the website. Accordingly, the user cannot raise an objection.
1. Description and scope of data processing
- Language preferences
- Login data
Thus, the following data may be communicated:
The following is a list of data collected and may include:
- Search terms entered
- Frequency of page views
- Use of website functions
User data collected in this way are pseudonymised using technical precautionary measures. Therefore, assigning the data to the calling user is no longer possible. This piece of information about the user will not be stored together with other personal data of the user.
2. Legal basis for data processing
Art. 6 (1) (f) GDPR forms the legal basis for processing personal data using cookies.
Art. 6 (1) (a) GDPR forms the legal basis for processing personal data using cookies for analysis purposes after the User has granted consent.
3. Purpose of data processing
The user data collected through these technically necessary cookies are not used to create user profiles.
The use of analysis cookies is intended to improve the quality of our website and its contents. We learn how the website is used through such analysis cookies, and can therefore continuously optimize our offer.
These purposes reflect our legitimate interest in processing personal data in line with Art. 6 (1) (f) GDPR.
4. Duration of retention, objection and erasure options
V. RIGHTS OF THE DATA SUBJECT
1. Right to be informed
You may request a confirmation from the data controller whether personal data concerning you is processed by us.
If processing takes place, you may request from the data controller the following information:
- the reasons why the personal data is processed;
- the categories under which personal data is being processed;
- the recipients or categories of recipients of the personal data, with whom the personal data concerned was shared or will be shared;
- the intended storage duration of your personal data; and in the case that specific data is not available, the criteria for establishing the retention period;
- about the right to rectify or the right to the erasure of personal data concerning you, the right to restrict processing by the controller or the right to object to such processing;
- about the right to appeal to a supervisory body;
- all information available on the origin of the data, if the personal data was not collected from the data subject;
- about automated decision-making including profiling as per Article 22 (1) and (4) GDPR and, at least in these cases, convincing information about the logic involved, and the consequences as well as the desired impact of such processing vis-à-vis the data subject.
You have the right to be informed about whether your personal information is shared with a third country or an international organization. In this context, you can demand information on appropriate safeguards in connection with the transfer pursuant to Art. 46 GDPR.
2. Right to rectification
You have the right to rectification and/or completion against the controller, provided the personal data processed concerning you is incorrect or incomplete. The data controller must make the correction without delay.
3. Right to restriction of processing
You may request to limit the processing of your personal data under the following conditions:
- for a period of time that enables the controller to verify the accuracy of your personal data, if you challenge the accuracy of your personal data;
- if processing is unlawful and you refuse the erasure of the personal data and demand to restrict use of the personal data instead;
- if the controller no longer needs the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims; or
- if you have objected to processing pursuant to Art. 21 (1) GDPR and are still waiting for verification of whether the controller’s legitimate grounds may outweigh yours.
If processing of personal data concerning you is subject to restrictions, this data may, except for retention, only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of other natural or legal persons or for reasons of important public interest of the Union or a Member State.
If processing was restricted by reason of the above-mentioned requirements, the controller will inform you before the restriction is lifted.
4. Right to erasure
a) Obligation to erase
You may request from the controller the erasure of your personal data without delay. The controller is required to delete the data immediately if one of the following is true:
- Personal data concerning you is no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent, which formed the legal basis for processing in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and no other legal basis supports processing.
- You raise objection to the processing in accordance with Art. 21 (1) GDPR and there are no overriding reasons that would justify processing, or you raise objection to the processing in accordance with Art. 21 (2).
- Your personal data was processed unlawfully.
- Erasure of personal data concerning you is required to meet a legal obligation of a Union law or a law of the Member States to which the controller is subject.
- The personal data concerning you was collected in connection with offers of the information society services pursuant to Article 8 (1) of the GDPR.
b) Information to third parties
If the controller has made personal data concerning you public, and the data controller is bound to erase the data as per Art. 17 (1) GDPR, the controller will take the appropriate measures, including technical means, while taking into account available technology and implementation costs and inform the data processors tasked with processing the personal data that you as the data subject have requested the erasure of any links to such personal data or of copies or duplicates of such personal data.
There is no right to erasure if data processing is necessary
- to exercise the right to freedom of expression and information;
- to meet a legal obligation, which requires processing, under Union or Member State law to which the controller is subject or to carry out a task of public interest or because it is associated with the exercise of official authority delegated to the controller;
- for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
- for archiving purposes in the public interest, scientific or historical research or for statistics pursuant to Article 89 (1) GDPR, to the extent referred to under subparagraph (a) in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes of processing;
- to assert, exercise or defend legal claims.
5. Right to be informed
Once you have made use of your right to rectification, erasure or restriction of processing, the controller will be under the obligation to notify all recipients with whom your personal data was shared about the correction or erasure of the data or restriction on processing, unless this proves to be impossible or involves disproportionate efforts.
You have the right to obtain information about these recipients from the controller.
6. Right to data portability
You have the right to obtain the personally identifiable information you provided in a structured, common and machine-readable format from the controller. You are also entitled to transfer this data to any other person without being hindered by the controller to whom the personal data was provided as long as
- processing is based on consent as laid out in Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR and
- processing is handled by automated means.
In exercising this right, you are also entitled to require that your personal data is sent directly from the data controller to another controller, provided this is technically feasible. Freedoms and rights of other persons may not be affected.
The right to data portability will not apply to the processing of personal data necessary for carrying out a task in the public interest or in the exercise of official authority delegated to the controller.
7. Right to object
You have the right to object at any time to the processing of your personal data, which was collected pursuant to Art. 6 (1) (e) or (f) GDPR for reasons that arise from particular situations; this is also true for profiling subject to these provisions.
The controller will cease to process the personal data concerning you, unless the controller is able to establish compelling legitimate grounds for continuing processing that outweigh your interests, rights and freedoms, or unless the processing serves the purpose of asserting, exercising or defending legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for marketing use; this is also true for profiling that is associated with direct marketing.
Your personal data will no longer be processed for these purposes following your objection to processing for direct marketing use. In relation to the use of information society services, you have the option to use automated procedures consistent with technical specifications to exercise your right to object - regardless of Directive 2002/58/EC.
8. Right to withdraw consent related to data privacy
You have the right to revoke your consent regarding data protection laws at any time. Your consent withdrawal will not affect the legality of processing that was carried out based on consent prior to the consent withdrawal.
9. Automated decision on a case-by-case basis, including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This will not apply if the decision
- is necessary for performance of the contract between you and a data controller,
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
- is based on your explicit consent.
However, these decisions must not be based on special categories of personal data laid out in Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and reasonable measures have been taken to protect the rights and freedoms and your legitimate interests.
With regard to the cases referred to in (1) and (3), the controller will implement suitable measures to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express one’s point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Regardless of any other administrative or legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged breach, if you believe that the processing of the personal data concerning you violates the GDPR.
The supervisory authority where the complaint was issued will inform the complainant about the status and the results of the complaint, including the option of a legal remedy pursuant to Article 78 GDPR.