With regard to the terms used, reference is made to the definitions of Article 4 of the General Data Protection Regulation (GDPR).
The person responsible for data processing within the meaning of Art. 13 I DSGVO is:
Care-for Rare Foundation
Direktion der Kinderklinik
Dr. von Haunersches Kinderspital
Telefon: +49 89-4400-57700
Telefax: +49 89-4400-57702
Prof. Dr. Dr. med. Christoph Klein
Prof. Dr. jur. Andreas Staudacher
Visitors and users of our online offer are affected by the data processing carried out by us.
Types of data processed
In the case of merely calling up our online offer, i.e. without registering or providing any other information, only the data transmitted to our server by the browser of the respective user (so-called “server log files”) are collected. The following data is affected by this:
– Date and time at the time of access
– Amount of data sent in bytes
– Source/reference from which you reached the page
– IP Adress used (if applicable: in anonymized form)
– Usage data (e.g. so-called cookies, web pages visited, interest in content, access times)
Meta/communication data (e.g. software information, IP/MAC addresses, operating system used and browser).
If the respective user also submits a registration or other information, the following data will also be processed
– Inventory data (e.g. personal master data, names or addresses)
– Contact data (e.g. e-mail addresses, telephone numbers)
– Content data (e.g. text input, photo and video material)
Purpose of processing
The processing of the data takes place
– for the provision of the online offer including its functions and contents
– to respond to contact requests and communication with users
– to ensure security measures
– for range measurement and
– for marketing purposes
“Personal data” is, according to Art. 4 No. 1 GDPR, “any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
“Processing” is, according to Art. 4 No. 2 GDPR, “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
According to Art. 4 No. 4 GDPR, “profiling” means “any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.
“Pseudonymization” is, according to Art. 4 No. 5 GDPR, “the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data are not attributed to an identified or identifiable natural person”.
A “filing system” is, according to Art. 4 No. 6 GDPR, “any structured collection of personal data accessible according to specified criteria, whether such collection is maintained on a centralized, decentralized, or functional or geographical basis.”
“Controller” is, according to Art. 4 No. 7 GDPR, “the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the controller or may determine the specific criteria for its designation may be provided for by Union law or Member State law”.
“Processor” is, according to Art. 4 No. 8, “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
“Recipient” is, according to Art. 4 No. 9 GDPR, “a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients; the processing of such data by the said authorities shall be carried out in accordance with the applicable data protection rules, in accordance with the purposes of the processing.”
“IP address” means a combination of numbers assigned to a device by an Internet Service Provider in order to grant the device access to the Internet.
– Art. 6 (1) lit. a and Art. 7 DSGVO is the legal basis for the processing of data covered by consent.
– Art. 6 (1) lit. b DSGVO is the legal basis for the processing of data for the fulfillment of our owed services, for the implementation of pre-contractual measures as well as answering inquiries.
– Art. 6 para. 1 lit. c DSGVO is the legal basis for processing to fulfill our legal obligations.
– Art. 6 (1) lit. d DSGVO is the legal basis for processing of personal data that is necessary due to vital interests of the data subject or another natural person.
– Art. 6 (1) (e) DSGVO is the legal basis for processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to the extent necessary for that purpose.
– Art. 6 (1) lit. f DSGVO is the legal basis for processing to protect our legitimate interests.
– Art. 6 (4) DSGVO concerns the processing of data for purposes other than those for which they were collected. Such processing is only possible under the conditions stated here.
– Art. 9 (2) DSGVO sets out specific requirements for the processing of special categories of data (corresponding to Art. 9 (1) DSGVO).
In order to ensure a level of protection commensurate with the risk, we ensure in accordance with
– the legal requirements, taking into account the state of the art,
– the implementation costs, the nature, scope, circumstances and purposes of the processing, as well as
– the varying likelihood and severity of the risk to the rights and freedoms of natural persons
– for appropriate technical and organizational measures.
These measures shall include, in particular, ensuring the confidentiality, integrity and availability of data through
– controlling physical access to the data,
– control of access to the data,
– controlling the input and transfer of data, ensuring their availability, and separating them.
In addition, we have established procedures that guarantee the exercise of data subjects’ rights, deletion of data, and response to data compromise.
Cooperation with processors, jointly responsible parties as well as third parties
For certain services, it is necessary in the course of our processing of the data to disclose it to other persons (usually companies), i.e. to transmit data to them or otherwise grant them access to the data. These companies are, on the one hand, processors or jointly responsible parties, and on the other hand, third parties such as payment service providers. Such disclosure is only made on the basis of a legal permission or obligation, consent by the user or on the basis of our legitimate interests, which exist, for example, in the use of agents or web hosts. Such a legitimate interest also exists in particular in the processing of data for administrative purposes.
In the event that we make data available to other companies in our group of companies (through disclosure, transmission or granting of access in any other form), this is done in particular for administrative purposes. This constitutes a legitimate interest within the meaning of Art. 6 Para. 1 lit. f DSGVO. In addition, making data accessible may also be based on a legal requirement.
Transfers of the data to third countries
A disclosure, transfer or other making available of the data to a person (this also includes a company) in a third country (i.e. outside the EU, EEA or the Swiss Confederation) takes place if the legal requirements are met. This is particularly the case when processing is carried out to fulfill our contractual or pre-contractual obligations. Otherwise, the processing must be based on your consent, a legal obligation or our legitimate interests. In addition, we are obligated to ensure the required minimum standards in this constellation as well. This includes, for example, that the respective third country has been officially granted a level of data protection equivalent to that of the EU or that officially recognized special contractual obligations are observed.
Rights of the data subjects
– You have the right, upon a corresponding request, to receive information as to whether data concerning you is being processed. In addition, you have the right to receive further information and a copy of the data in accordance with the law.
– You have the right to have the data concerning you completed and to have incorrect data concerning you corrected.
– You have a right to the immediate deletion of the data concerning you in accordance with the legal requirements. Alternatively, you have the right to restrict the processing of the data within the scope of the legal requirements. (see also right of objection)
– In accordance with the legal requirements, you have a right to be provided with the data relating to you that you have made available to us and may also request that it be transferred to other data controllers.
– You have the right to file a complaint with the competent supervisory authority.
Right of revocation
You can revoke your consent at any time with effect for the future.Right to object:
You have the right to object to future processing of data concerning you in accordance with the law. In particular, the objection may also be directed against processing for direct marketing purposes.
Right of objection
You have the right to object to the future processing of data relating to you in accordance with the statutory provisions. In particular, the objection may also be directed against processing for direct marketing purposes.
We offer the use of temporary and permanent cookies. If you do not agree with this use, we ask you to disable the corresponding option in the system settings of your browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
Cookies are small files that are stored on your computer. These files contain different information. Primarily, cookies are used to store information about a user of an online offer. In particular, for example, login data, the contents of a shopping cart, as well as called articles in an online store or also generally called websites are stored.
First of all, a distinction must be made between temporary and permanent cookies. Temporary cookies are also called “session cookies” or “transient cookies”. These are cookies that are deleted after you leave the online offer. This usually happens when the browser is closed.
Permanent cookies (or “persistent cookies”) are files that remain stored even after the browser is closed. Thus, the above-mentioned information can persist beyond the respective browser session.
This is particularly relevant for cookies that contain information about users’ interests. This data is often used for range measurement or marketing purposes.
Furthermore, a distinction must also be made between so-called “third-party cookies”, which are offered by providers other than the responsible party that operates the online offering, and so-called “first-party cookies”, which are present in all other cases.
In addition, the storage of cookies can also be prevented by deactivating them in the browser settings. However, this option may not allow the use of all functions of this online offer.
Deletion of data
In accordance with the legal requirements, we delete the data we have collected or restrict its processing.
We delete the data stored by us as soon as the purpose on which the storage is based has ceased to exist and there are no legal storage obligations to the contrary and no deviating regulations have been made in this data protection declaration.
If the data is not deleted due to its necessity for other, legally permissible purposes (e.g. storage for reasons of commercial or tax law), its processing will be restricted. In this case, the data is processed exclusively for this purpose and is otherwise blocked.
As part of the administration of your donations to our foundation, the following data is processed: Salutation, first name, last name, address and in some cases email address, as well as information that we need to process the donation (e.g. bank data for a SEPA direct debit) The personal data is stored on an in-house server and is password protected. Donors are affected by the data processing. Personal data is collected and stored for the purpose of administering the donation and issuing donation receipts. The legal basis for data processing is Art. 6 Para. 1 lit. b DSGVO. The data will not be transferred to third countries. The data is stored for 10 years in accordance with § 147 AO. For donor support, the data is processed in accordance with Art. 6 Para. 1 lit. f DSGVO in order to express our appreciation to existing donors and, in this context, to invite them to our events or to inform them about the specific projects supported. This communication has no advertising character. Contact data in this regard will be deleted after 5 years.
Our donation form is provided by “Twingle”. We have chosen this provider to always ensure the highest data security for your data. The transfer of your data entered in the donation form to twingle takes place in order to be able to process your donation in accordance with Art. 6 Para. 1 lit. b DSGVO. The data is processed by twingle exclusively in ISO27001-certified data centers in Germany and transmitted to us via a secure connection. The payment data is also transferred directly to the respective payment service provider using this encrypted connection. Information on this can be found at: https://www.twingle.de/datenschutz/.
Administration, financial accounting, office organization, contact management
Within the performance of administrative tasks as well as the organization of our operations, financial accounting and compliance with legal obligations, such as archiving, we process data.
These data are the same data that we process to provide our contractual services. This processing is carried out pursuant to Art. 6 para. 1 lit. c. DSGVO, Art. 6 para. 1 lit. f. DSGVO.
Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities.
In this context, we disclose or transfer data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.
Furthermore, based on our business interests, we store information on suppliers, event organizers and other business partners, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.
Provision of our statutory and business services
The processing of the data of our members, supporters, interested parties, customers or other persons for the purpose of offering or fulfilling contractual services is carried out in accordance with Art. 6 para. 1 lit. b. DSGVO. The same applies in the case of activity within the framework of an existing business relationship or the receipt of services and benefits.
Otherwise, the data of data subjects will be processed in accordance with Art. 6 para. 1 lit. f. DSGVO processed on the basis of our legitimate interests. This is particularly the case when it comes to administrative tasks or public relations.
Decisive for the type, scope and purpose of the processed data as well as the necessity of their processing is the underlying contractual relationship.
In principle, the data include
– Inventory and master data of persons (e.g., name, address, etc.),
– contact data (e.g., e-mail address, telephone, etc.),
– contractual data (e.g., services used, content and information provided, names of contact persons) and
– payment data (e.g., bank details, payment history, etc.), if we offer services or products that require payment.
We delete data that is no longer required to fulfill our statutory and business purposes.
The respective tasks and contractual relationships are decisive here.
We retain data of business relevance for as long as is necessary for comprehensive business processing. Any warranty or liability obligations are also relevant here. We review the necessity of retaining the data every three years. Otherwise, the statutory retention obligations apply.
Data protection information in the application process
We process applicant data only for the purpose of and within the application procedure within the framework of the legal requirements. Applicant data is processed to fulfill our contractual or pre-contractual obligations within the application procedure pursuant to Art. 6 para. 1 lit. b. DSGVO Art. 6 para. 1 lit. f. DSGVO, insofar as the data processing becomes necessary for us, e.g. within the scope of legal procedures, whereby § 26 BDSG must additionally be observed here.
The application procedure is only opened by the applicant notifying us of all necessary applicant data. If we offer an online form, these are expressly identified. Otherwise, they result from our job descriptions, whereby personal details, postal and contact addresses as well as the documents belonging to the application, such as cover letter, curriculum vitae and certificates are recorded. Applicants may also voluntarily provide us with additional information.
If special categories of personal data are voluntarily disclosed within the application process pursuant to Art. 9 (1) DSGVO, their processing will additionally be carried out pursuant to Art. 9 (2) lit. a DSGVO. This concerns in particular health data or information on ethnic origin.
Insofar as special categories of personal data within the meaning of Art. 9 (1) DSGVO are requested from applicants as part of the application process, their processing is additionally carried out in accordance with Art. 9 (2) (b) DSGVO. This is particularly the case for health data, insofar as this is necessary for the exercise of the profession.
If available, applicants can submit their applications to us using an online form on our website. This transmission is encrypted in accordance with the state of the art.
Applicants can also send us their applications by e-mail. However, it should be noted that e-mails are generally not encrypted and that applicants themselves are responsible for encryption. For this reason, we recommend using an online form or sending the application by mail, which is probably the most secure method in terms of data protection.
The data provided by applicants within their application may be further processed by us for the purposes of the employment relationship in the event of a successful application. If, on the other hand, the application for a job offer was not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.
Subject to a justified revocation by the applicant, the data will be deleted after a period of six months so that we can answer any follow-up questions about the application and fulfill our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax law requirements.
As part of the application process, we offer applicants the opportunity to be included in our “talent pool” for a period of two years on the basis of consent pursuant to Art. 6 Para. 1 lit. a. and Art. 7 DSGVO.
The application documents in the talent pool are processed exclusively in the context of future job advertisements and employee searches. The documents will be destroyed at the latest after expiry of the deadline.
Applicants are informed that their consent to inclusion in the talent pool is voluntary, has no influence on the current application process and that they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 DSGVO.
In the context of contacting us, which is possible via contact form, e-mail, telephone, fax or social media, the user’s details are processed for the purpose of handling and processing the contact request. The legal basis with regard to contractual/pre-contractual relations results from Art. 6 para. 1 lit. b. DSGVO. With regard to other inquiries, Art. 6 para. 1 lit. f. DSGVO is relevant. The information provided by users is generally stored in a customer relationship management system (“CRM system”) or comparable inquiry organization.
We delete the data obtained with regard to the request if it is no longer necessary. The review of the necessity takes place every two years. Otherwise, the statutory archiving obligations apply.
By ordering our newsletter, you simultaneously declare your consent to its receipt and the explained procedures.
Content of the newsletter: We send newsletters in the form of e-mails and other electronic notifications with promotional information only with the prior consent of the recipient or a legal permission.
If the contents of the newsletter are specifically described in the course of registration, they are decisive for the user’s consent. Otherwise, our newsletters contain information about our services and us.
Double opt-in and logging: Registration for our newsletter is carried out in a so-called double opt-in process.
This means that a message is sent to the e-mail address you provide, requesting confirmation of the registration by clicking on a specific link. This confirmation is necessary to ensure that users can only register with e-mail addresses that they can access themselves and do not misuse third-party e-mail addresses.
In order to be able to prove the registration process in accordance with the legal requirements, every registration for the newsletter is logged. For this purpose, the time of registration and confirmation as well as the IP address of the user are recorded.
In addition, changes to your data stored with the dispatch service provider are recorded.
Registration data: To register for our newsletter, it is sufficient to provide your e-mail address. In order to be able to address you personally in the newsletter, we ask you to additionally provide a name.
Legal basis: The legal permissibility of sending newsletters results from the above-mentioned consent by the respective recipient in accordance with Art. 6 para. 1 lit. a, Art. 7 DSGVO in conjunction with. § Section 7 (2) No. 3 UWG or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art. 6 (1) lt. f. DSGVO in conjunction with. § Section 7 (3) UWG.
The logging of the registration process is based on the exercise of our legitimate interests pursuant to Art. 6 para. 1 lit. f DSGVO.
These interests consist in the establishment and maintenance of a user-friendly and secure newsletter system for business purposes, which further enables us to prove consent.
Cancellation/revocation: You have the right to cancel our newsletter service at any time. By doing so, you revoke your consents at the same time. You will find a link to unsubscribe from our newsletter at the end of each newsletter. In order to be able to prove a given but later revoked consent, we are entitled to store the unsubscribed email addresses for up to three years after the revocation based on our legitimate interests. This data is processed exclusively for the purpose of a possible defense against claims. Provided that you confirm to us the former existence of consent, you have the option to submit an individual deletion request at any time.
Hosting and e-mail dispatch
We rely on external hosting services to operate our online services. This concerns:
– Infrastructure and platform services,
– computing capacity, storage space and database services,
– e-mail dispatch services as well as
– security services and technical maintenance services.
In the context of the exercise of our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 para. 1 lit. f DSGVO in conjunction with. Art. 28 DSGVO (conclusion of order processing contract), the following data in particular will be processed by us or our hosting provider:
– Inventory and contact data,
– content data and contract data as well as
– usage, meta and communication data.
This data processing concerns our customers as well as interested parties and visitors to our online offer.
Collection of access data and log files
On the basis of the exercise of our legitimate interests pursuant to Art. 6 para. 1 lit. f. DSGVO, we or also our hosting provider collect data about each access to the server on which this service is located (so-called server log files). This data includes
– name of the accessed website and, if applicable, specific files,
– date and time of the retrieval,
– amount of data transferred,
– notification of successful retrieval,
– browser type and version, the user’s operating system,
– referrer URL (the previously visited page),
– IP address and
– the requesting provider.
Log file information is stored for security reasons for up to seven days and then deleted. This serves in particular to clarify acts of abuse or fraud. If data is suitable as evidence for the clarification of a matter, it is excluded from deletion until the final clarification of the respective incident.
Integration of third-party services and content
Within the scope of our online offer, we use content or service offers of third parties on the basis of the exercise of our legitimate interests, which in this case primarily consist of the interest in the analysis, optimization and economic operation of our online offer pursuant to Art. 6 para. 1 lit. f. DSGVO, we use content or services offered by third-party providers in order to integrate their content and services. This concerns, for example, the integration of videos or fonts.
For an integration of content and services of the third-party providers, they must know the IP address of the user, otherwise no transmission to their browser can take place. The IP address is therefore essential for the display of this content and integration of services.
We endeavor to integrate only such content and services whose respective providers use the IP address exclusively for the provision of the content and services. Third-party providers may also use so-called pixel tags for statistical or marketing purposes. A pixel tag, also referred to as a “web beacon”, is an invisible pixel-sized graphic. They can be used to determine visitor traffic on the individual websites of an online offering. The pseudonymized information can also be stored on the user’s device in the form of so-called cookies. These contain, in particular, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer. In addition, this information may also be linked to such information from other sources. This is particularly the case if the users are logged in to the respective platforms on different devices as members of these platforms.
When participating in the contest, various personal data are collected. This is the data that is provided as part of the registration process.
The data is processed in order to organize your participation in the contest and to provide you with information about the contest before, during and after the contest, which should enable you to participate in the best possible way and allow us to plan and ensure a smooth implementation. Without this data, you will not be able to participate in the Contest. The data processing is carried out at the request of the interested participants and is required pursuant to Art. 6 para. 1 lit. b DSGVO for the aforementioned purposes for the fulfillment of the contract for contest participation and the pre-contractual measures. The data will be deleted after the end of the competition.
Within the scope of events in connection with competitions, audio, photo and video recordings are also made for the purpose of internal and external documentation as well as press and public relations work. A mention by name will be made in this context. We will also use the recordings made for external presentation on our website and, if applicable, on our social media profiles (Facebook, Instagram, Twitter) as well as in offline publications. For this purpose, we first edit the recordings (e.g. by selecting the image crop) and post the edited recordings online. The respective websites are freely accessible on the Internet and thus worldwide. We point out that the subpages including any photo and video recordings can be found via search engines. The providers of the social media platforms may process and use data posted on the platforms for their own purposes. This data processing is beyond our direct control. The legal basis for the data processing associated with the creation of the recordings is your consent pursuant to Art. 6 (1) lit. a DSGVO. You can revoke your consent at any time with effect for the future. This does not apply to printed products that have already been produced.