GDPR-Compliant Privacy Statement of INSTAND e.V.

A.      GDPR-Compliant Privacy Statement

I.          Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

 

INSTAND
Society for Promoting Quality Assurance in Medical Laboratories e.V.
Ubierstr. 20
40223 Düsseldorf

Tel.: +49 211 159213 0

E-mail: instand@instand-ev.de

Website: www.instand-ev.de

II.        Contact details of the data protection officer

The data protection officer of the data controller can be reached at:

Phone: 0049 211 15921376

E-mail: datenschutz@instand-ev.de

III.     General information on data processing

1.        Scope of the processing of personal data

We only collect and use the personal data of our users insofar as this is necessary to provide a functional website as well as our content and services. The personal data of our users is only collected and used with the consent of the user. An exception is made in such cases where prior consent cannot be obtained for real reasons and the processing of this data is permitted by law.

2.        Legal basis for the processing of personal data

Art. 6(1)(a) of the EU's General Data Protection Regulation (GDPR) shall serve as the legal basis insofar as we have obtained the consent of the data subject to process personal data.

Art. 6(1)(b) of the GDPR shall serve as the legal basis in the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6(1)(c) of the GDPR shall serves as the legal basis.

In the event that the vital interests of the data subject, or another natural person, require the processing of personal data, Article 6(1)(d) of the GDPR shall serve as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) of the GDPR shall serve as the legal basis for processing.

3.        Erasure of data and length of data storage

The personal data of the data subject shall be erased or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislators in Union regulations, laws or other provisions to which the data controller is subject. The data shall also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV.     Provision of the website and creation of log files

1.        Description and scope of the data processing

Every time our website is visited, our system automatically collects data and information about the computer system of the computer making the request.

 

The following data is collected:

·       Information about the type and version of the browser being used

·       The user’s operating system

·       The user’s internet service provider

·       The referrer URL (the previously visited site)

·       The host name of the accessing memory (IP address)

·       Date and time of access

·       Websites called up by the user's system via our website

The data are also stored in the log files of our system. This data is not stored together with the user’s other personal data.

2.        The legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) of the GDPR.

3.        The purpose of the data processing

It is necessary for the system to temporarily store the IP address in order to deliver the website to the user's computer. This means the user’s IP address must be stored for the duration of the session.

 

The data is stored in log files to ensure the functionality of the website. Furthermore, the data enables us to optimize our website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

 

For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) of the GDPR.

4.        Length of storage

The data shall be erased as soon as they are no longer necessary for achieving the purpose for which they were collected. If the data are collected for the purpose of providing access to the website, this is defined as being the time at which the respective session has ended.

 

If the data are stored in log files, this is deemed to be no later than seven days. Further storage is possible. In this case, the user’s IP addresses is deleted or pseudonymized so that it can no longer be assigned to the client called.

 

5.        Possibility of objection and removal

The collection of data for the provision of the website and the storage of data in log files are absolutely necessary for the operation of the website. Consequently, there is no possibility to object on the part of the user.

V.       Use of cookies

a) Description and scope of the data processing

Cookies are text files that are stored on the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all of our website’s functions.

We use a PHP session cookie to make our website more user-friendly. TYOP3 automatically uses a cookie on the form pages, which contains a hash value and serves to protect against CSRF.

 

We also use technically unnecessary cookies on our website, which enable the user's surfing behavior to be analyzed. You can find the necessary information on this under point IX.

b) The legal basis for data processing

The legal basis for the processing of personal data with respect to the use of cookies is Art. 6(1)(f) of the GDPR.

 

c) The purpose of the data processing

The purpose of using technically necessary cookies is to make it easier for users to use websites. Some functions of our website cannot be accessed without the use of cookies. This requires that the browser be recognized even after moving to another webpage.

The user data collected by technically necessary cookies are not used to create user profiles.

Analysis cookies are used to improve the quality of our website and its content. By analyzing cookies, we learn how the website is used and can thus continuously optimize our offer.

For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) of the GDPR.

e) Length of storage, possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If the cookies are deactivated for our website, it may no longer be possible to fully use all of the website's functions.

VI.     Newsletter

1.           Description and scope of the data processing

 

We do not send out a newsletter for which a registration of the user on our website would be necessary. Therefore, further explanation on the legal basis and the purpose of data processing, the duration of storage and the possibilities of objection and removal are unnecessary.

VII.   Participation in external quality assessment schemes ("EQA schemes")

1.        Description and scope of the data processing

The guideline of the German Federal Medical Association on quality assurance in medical laboratory testing – German: Richtlinie der Bundesärztekammer zur Qualitätssicherung laboratoriumsmedizinischer Untersuchungen, "Rili-BÄK" - prescribes internal and external quality controls for testing carried out within the framework of laboratory medicine. The latter of the two is conducted by participating in EQA schemes offered and organized by Instand e. V.

For the purposes of initiating, concluding and performing the contract for participation in an EQA scheme (including the issuance of certificates or certificates of participation), we process personal data of the EQA schemes participants, including prospective participants.

The data processed for the purposes of participating in EQA scheme is collected at the time of registration for participation. Registration takes place paper-based or via our website.

The provision of personal data is necessary for the conclusion and performance of the contract for participation in an EQA scheme. Failure to provide the data results in the impossibility of participating in an EQA scheme.

2.        The legal basis for the data processing  

 

a.       Where the participant is a natural person, the processing of his or her personal data is based on the performance of the contract to which the participant is party or on the steps taken at the participant's request prior to entering into a contract, Art. 6 (1)(b) GDPR. In this case, the following categories of data are processed: contact data (title, first and last name, company, business email address, address, phone number and fax number); financial data (bank details, credit institute, billing address) as well as all other data necessary for the performance of the EQA scheme (delivery address, billing address, certificate address; hash value of the Instand account's password, test results, EQA schemes orders, time of entry of results and orders, language, order number, number of desired certificates, information about the legitimation to participate in the EQA schemes). Where the participant is a legal person, we process the following categories of data: contact data of the respective contact person (title, first and last name, business email address, address, phone number, job title). The legal basis for the data processing in this case are the legitimate interests of Instand e.V. and the participant in the performance of the EQA scheme, Art. 6 (1)(f) GDPR.

 

b.       In addition, we process the analysis results sent in by the participant for the purpose of carrying out scientific evaluations in an anonymized way. This includes the transfer of the (anonymized) analysis results to the manufacturer of the test system used by the participant to carry out the measurements for quality assurance purposes. The legal basis for the anonymization of the measured values are the legitimate interests of Instand e.V. and the manufacturer in improving and promoting both their business and science, Art. 6(1)(f) GDPR.

3.        The purpose of the data processing

The processing of personal data in connection with the EQA schemes serves the purpose of initiating, concluding and performing the contract for participation in the EQA scheme. This includes the issuance of certificates and certificates of participation.

The anonymization of participant data for the purpose of carrying out scientific analyses in accordance with Section VII.2.b above serves the purposes of protecting the participants data as well as complying with data protection principles (inter alias, the data minimization principle).

4.        Storage period

The data are deleted as soon as they are no longer necessary for the purpose for which they were collected. Contractual and legal obligations are taken into account. Personal data are stored for a period of up to 10 years where the data has commercial law relevance (Sec. 257 of the German Commercial Code). Personal data with tax law relevance are stored for a period of up to 10 years (Sec. 147 of the German Tax Code). For other types of personal data, the standard storage period is 10 years from deactivation of the participant's account.

5.        International data transfers

The place of processing is the Federal Republic of Germany. In the context of and for the purpose of carrying out the EQA schemes international data transfers, i.e., transfers of personal data to countries outside of the European Economic Area, take place. In particular, personal data is transferred to the following countries:

·       Switzerland

For Switzerland an adequacy decision by the European Commission exists (2000/518/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (notified under document number C(2000) 2304)).

6.       Recipients of personal data

The samples are sent to the participants via transport companies. In this context, personal data of the participants (first and last name, company, delivery address) are disclosed to the transport companies.

In addition, we engage the following service providers for the purposes of carrying out EQA schemes:

·       External EQA schemes supervisors (The list of external EQAS supervisors is available at https://www.instand-ev.de/en/eqas/eqa-experts/ );

·       Scanning of protocol forms: Saga Hard- und Software GmbH, Monschauer Straße 7, 40549 Düsseldorf, Germany;

·       Preliminary evaluation of the analysis results: Wormek Information Science and Technology in Medicine, Hofstattstrasse 48, 86919 Utting, Germany;

·       Sample shipment and evaluation of samples: ECAT, Foundation P.O. Box 107, 2250 AC, Voorschoten, the Netherlands;

·       Sample shipment:  Günter Keul GmbH, Von-Langen-Weg 10, 48565 Steinfurt, Germany;

·       Sample shipment: Maditec e.K., Dr. Hans-Dieter Kleine, Schlehdornweg 8, 18209 Bad Doberan, Germany;

·       Sample shipment: in.vent DIAGNOSTICA GmbH, Neuendorfstraße 24b, 16761 Hennigsdorf, Germany;

·       Logistics:

·       TNT Express GmbH – Zentrale, Haberstraße 2, 53842 Troisdorf, Germany;

·       United Parcel Service, Deutschland S.à r.l. & Co. OHG, Görlitzer Straße 1, 41460 Neuss, Germany;

·       Deutsche Post AG, Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany

·       IT service provider:

·       Netzfactor GmbH, Springorumallee 10, 44795 Bochum, Germany;

·       MGGM Software GmbH, Elseyer Str. 79, 58119 Hagen, Germany

VIII.     Contact form and e-mail contact

1.             Description and scope of the data processing

A contact form on our website can be used to electronically contact us. If a user takes advantage of this option, the following data entered in the input field will be transmitted to us and stored.

·       Name

·       E-mail address, phone number

·       Participant number

·       Other information entered into the free text field provided for this purpose.

Your consent is obtained for processing the data as part of the submission process and reference is made to this data protection policy.

 

Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted by the e-mail will be stored.

 

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

 

2.        The legal basis for the data processing

The legal basis for the processing of the data is Art. 6(1)(a) of the GDPR if consent has been given by the user.

 

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6(1)(f) of the GDPR.  

 

If the aim of the e-mail contact or the transmission of the contact form is the conclusion of a contract, then Art. 6(1)(b) of the GDPR forms the additional legal basis for processing.

 

3.        The purpose of the data processing

We only process the personal data entered into the input field to establish contact. In the event we are contacted by e-mail, this also constitutes a necessary legitimate interest for processing the data. The other personal data processed during the data submission process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

4.        Length of storage

The data are erased as soon as they are no longer necessary for achieving the purpose for which they were collected. With respect to the personal data entered into the input field of the contact form and the data sent by e-mail, this is the case once the conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively resolved.

 

The personal data additionally collected during the form submission process shall be erased after a period of no later than seven days.

5.        Possibility of objection and removal

The user can revoke consent to the processing of personal data at any time. If the user contacts us via the contact form or e-mail, an objection to the storage of personal data can be made at any time. In such case, the conversation cannot be continued.

 

All personal data stored in the course of contacting us will be deleted in this case.

IX.     Matomo web analysis (formerly PIWIK)

1.        Scope of the processing of personal data

On our website we use the open source software tool Matomo (formerly PIWIK) to analyze the surfing behavior of our users. The software places a cookie on the user's computer (see above for information on cookies). When individual pages of our website are accessed, the following data is stored:

(1)   Two bytes of the IP address of the user’s system that is calling up

(2)   The website that is visited

(3)   The website from which the user accesses the visited website (referrer)

(4)   The subpages that are called up by the visited website

(5)   Time spent on the website

(6)   How often the website is visited

The software runs exclusively on the servers of our website. The personal data of users is only stored there. The data shall not be passed on to third parties.

 

The software is set up so that the entire IP address is not stored. Instead 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). This makes it impossible to attribute the abbreviated IP address to the computer that is calling up.

 

2.        The legal basis for the processing of personal data

The legal basis for processing the personal data of the user is Art. 6(1)(f) of the GDPR.

3.        Purpose of the data processing

The processing of users' personal data enables us to analyze the surfing behavior of our users. We are in a position to compile information about the use of the individual components of our website by evaluating the data we obtain. This helps us to continuously improve our website and its user-friendliness. For these purposes, it is also in our legitimate interest to process the data in accordance with Art. 6(1)(f) of the GDPR. By anonymizing the IP address, users' interest in protecting their personal data is sufficiently taken into consideration.

4.        Length of storage

Automatic erasure is currently not activated due to the masking of the IP address.

5.        Possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all of our website’s functions.

More information of the privacy settings of the Matomo Software can be found at the following link: https://matomo.org/docs/privacy/.

X.        Rights of the data subject

If your personal data are processed, you are the data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller:

1.        Right of access

You have the right to ask the data controller to confirm whether we process the personal data concerning you.

If such processing is being conducted, you can request the following information from the data controller:

(1)         the purposes for which the personal data are being processed;

(2)         the categories of personal data being processed;

(3)         the recipients or categories of recipients to whom the personal data concerning you have been or are being disclosed;

(4)         the envisaged period for which the personal data concerning you will be stored, or, if specific information is not possible, criteria used to determine the storage period;

(5)         the existence of a right to rectify or erase personal data concerning you, a right to restrict processing by the data controller or a right to object to such processing;

(6)         the right to lodge a complaint with a supervisory authority;

(7)         any available information on the origin of the data if the personal data are not collected from the data subject;

(8)         the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) of the GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR in connection with the transfer.

2.        Right to rectification  

You have a right to request that the data controller rectify and/or complete the personal data concerning that is being processed if these data are incorrect or incomplete. The data controller shall make the correction without delay.

3.        Right to restriction of processing

Under the following conditions, you may request that the processing of personal data concerning you be restricted:

(1)      if you contest the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of the personal data;

(2)      the processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;

(3)      the data controller no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or

(4)      if you object to the processing pursuant to Art. 21(1) of the GDPR pending verification of whether the legitimate grounds of the data controller override yours.

If the processing of your personal data has been restricted, such data, with the exception of storage, may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

If the processing restriction has been limited in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.

4.        Right to erasure

a)        Right to be forgotten

You may request that the data controller delete your personal data without delay, and the data controller shall be obliged to erase this data without delay if one of the following reasons applies:

(1) Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

(2)   You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, and there is no other legal ground for the processing.

(3)   You object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) of the GDPR.

(4)   Your personal data have been processed unlawfully.

(5)   The erasure of your personal data is necessary to fulfil a legal obligation in Union or Member State law to which the data controller is subject.

(6)   Your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.

b)        Information to third parties

Where the data controller has made your personal data public and, in accordance with Art. 17(1) of the GDPR, the data controller, taking account of available technology and cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers who are processing the personal data that you, as the data subject, have requested the erasure by such data controllers of any links to, or copy or replication of, those personal data.

c)         Exceptions

The right to erasure shall not apply insofar as the processing is necessary

(1)         for exercising the right of freedom of expression and information;

(2)         for compliance with a legal obligation that requires processing by Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;

(3)         for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;

(4)         for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) of the GDPR, insofar as the right referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing; or

(5)         for the assertion, exercise or defense of legal claims.

5.        Right to information

If you have exercised your right to have the data controller erase or restrict the processing of your data, the data controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to every recipient to whom your personal data have been disclosed, unless this proves impossible or involves a disproportionate degree of effort.

You have the right to be informed of such recipients by the data controller.

6.        Right to data portability

You have the right to receive, in a structured, conventional and machine-readable format, the personal data concerning you that you have provided to the data controller. Furthermore, you have the right to pass this data on to another data controller without being obstructed by the data controller to whom your personal data was given, provided that

(1)      processing is based on consent pursuant to Art. 6(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR, or on a contract pursuant to Art. 6(1)(b) of the GDPR and

(2)      the processing is carried out by automated means.

In exercising this right you shall have the right to have the personal data concerning you transmitted directly from one controller to another, provided this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to portability shall not apply to processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.        Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1) (e) or (f) of the GDPR, including profiling based on those provisions. 

The data controller shall no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8.        Right to revoke consent pertaining to data protection

You have the right to revoke your consent pertaining to data protection at any time. By revoking this consent, the legality of the processing carried out on the basis of this consent until it was revoked shall not be affected.

9.        Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

(1)         is necessary for entering into, or performance of, a contract between you and the data controller;

(2)         is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms, as well as your legitimate interests; or

(3)         is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9(1) of the GDPR unless Art. 9 (2) (a) or (g) applies and suitable measures are in place to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms, as well as your legitimate interests, not least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.

10.    Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you are of the opinion that the processing of the personal data concerning you violates the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.