Privacy Statement of INSTAND e.V. in Accordance with the Requirements of the GDPR

GDPR-Compliant Privacy Statement of INSTAND e.V.

A.      GDPR-Compliant Privacy Statement

I.          Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:

 

INSTAND
Society for Promoting Quality Assurance in Medical Laboratories e.V.
Ubierstr. 20
40223 Düsseldorf

Tel.: +49 211 159213 0

E-mail: instand@instand-ev.de

Website: www.instand-ev.de

II.        Contact details of the data protection officer

The data protection officer of the data controller can be reached at:

Phone: 0049 5139 9720215

E-mail: datenschutz@instand-ev.de

III.     General information on data processing

1.        Scope of the processing of personal data

We only collect and use the personal data of our users insofar as this is necessary to provide a functional website as well as our content and services. The personal data of our users is only collected and used with the consent of the user. An exception is made in cases where prior consent cannot be obtained for practical reasons and the processing of this data is permitted by law.

2.        Legal basis for the processing of personal data

Art. 6(1)(a) of the EU's General Data Protection Regulation (GDPR) shall serve as the legal basis insofar as we have obtained the consent of the data subject to process personal data.

Art. 6(1)(b) of the GDPR shall serve as the legal basis in the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6(1)(c) of the GDPR shall serve as the legal basis.

In the event that the vital interests of the data subject, or another natural person, require the processing of personal data, Article 6(1)(d) of the GDPR shall serve as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) of the GDPR shall serve as the legal basis for processing.

3.        Erasure of data and length of data storage

The personal data of the data subject shall be erased or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislators in Union regulations, laws or other provisions to which the data controller is subject. The data shall also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV.     Provision of the website and creation of log files

1.        Description and scope of the data processing

Every time our website is visited, our system automatically collects data and information about the computer system of the computer making the request.

 

The following data is collected:

·       Information about the type and version of the browser being used

·       The user’s operating system

·       The user’s internet service provider

·       The referrer URL (the previously visited site)

·       The host name of the accessing computer (IP address)

·       Date and time of access

·       Websites called up by the user's system via our website

The data are also stored in the log files of our system. This data is not stored together with the user’s other personal data.

2.        The legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) of the GDPR.

3.        The purpose of the data processing

It is necessary for the system to temporarily store the IP address in order to deliver the website to the user's computer. This means the user’s IP address must be stored for the duration of the session.

 

The data is stored in log files to ensure the functionality of the website. Furthermore, the data enables us to optimize our website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

 

For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) of the GDPR.

4.        Length of storage

The data shall be erased as soon as they are no longer necessary for achieving the purpose for which they were collected. If the data are collected for the purpose of providing access to the website, this is defined as being the time at which the respective session has ended.

 

If the data are stored in log files, this is deemed to be no later than seven days. Further storage is possible. In this case, the users' IP addresses are deleted or pseudonymized so that they can no longer be assigned to the requesting client.

 

5.        Possibility of objection and removal

The collection of data for the provision of the website and the storage of data in log files are absolutely necessary for the operation of the website. Consequently, there is no possibility to object on the part of the user.

V.       Use of cookies

a) Description and scope of the data processing

Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all of our website’s functions.

We use a PHP session cookie to make our website more user-friendly. TYPO3 automatically uses a cookie on the form pages, which contains a hash value and serves to protect against CSRF.

 

We also use technically unnecessary cookies on our website, which enable the user's surfing behavior to be analyzed. You can find the necessary information on this under point IX.

b) The legal basis for data processing

The legal basis for the processing of personal data with respect to the use of cookies is Art. 6(1)(f) of the GDPR.

 

c) The purpose of the data processing

The purpose of using technically necessary cookies is to make it easier for users to use websites. Some functions of our website cannot be accessed without the use of cookies. This requires that the browser be recognized even after moving to another webpage.

The user data collected by technically necessary cookies are not used to create user profiles.

Analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus continuously optimize our offer.

For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6(1)(f) of the GDPR.

e) Length of storage, possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If the cookies are deactivated for our website, it may no longer be possible to fully use all of the website's functions.

VI.     Newsletter

1.           Description and scope of the data processing

 

We do not send out a newsletter for which a registration of the user on our website would be necessary. Therefore, further explanation on the legal basis and the purpose of data processing, the duration of storage and the possibilities of objection and removal are unnecessary.

VII.   Registration

1.        Description and scope of the data processing

On our website we offer EQA participants the opportunity to register for these purposes by providing the necessary personal data. The data is entered into an input field and transmitted to us and stored. The data is not passed on to third parties. The following data is collected during the registration process:

·       Form of address

·       Title

·       First and last name

·       Address

·       Country

·       Health insurance number

·       Language

·       Order number

·       Number of requested certificates

·       Various legal declarations clarifying the entitlement to participate in the EQAs

·       Other important addresses of the person who has registered

The following data is stored at the time of registration:

 

·       Date and time of registration

·       Form of address, name, e-mail address

·       Storage of a lab’s complete address details (delivery, invoice)

·       Telecommunication data

 

The user's consent to the processing of this data is obtained during the course of the registration process.

2.        The legal basis for the data processing  

If the user has given consent, the legal basis for the processing of data is Art. 6(1)(a) of the GDPR. Furthermore, the registration serves to fulfill the contract to which the user is a party as well as to execute pre-contractual measures. Therefore Art. 6(1)(b) of the GDPR serves as an additional legal basis for the processing of the data.

3.        The purpose of the data processing

The guideline of the German Medical Association on quality assurance in medical laboratory testing (Rili-BÄK) prescribes internal and external quality controls for testing carried out within the framework of laboratory medicine. The latter is demonstrated by participating in EQA tests offered and organized by INSTAND e.V.

 

User registration is therefore to be regarded as a pre-contractual measure and as a prerequisite for the subsequent fulfilment of the contract concluded with the user.   

4.        Length of storage

 

The data are deleted as soon as they are no longer necessary for achieving the purpose for which they were collected. Contractual and legal obligations are taken into account.

5.        Possibility of objection and removal

As a user you have the possibility to cancel the registration at any time. You can have the data stored about you altered at any time.

 

If the data is required to fulfil a contract or to implement pre-contractual measures, premature erasure of the data is only possible insofar as contractual or statutory obligations do not prevent an erasure. In such cases, deactivation of the collected data is possible, which rules out further processing.

VIII.     Contact form and e-mail contact

1.             Description and scope of the data processing

A contact form on our website can be used to electronically contact us. If a user takes advantage of this option, the following data entered in the input field will be transmitted to us and stored.

·       Name

·       E-mail address, phone number

·       Participant number

·       Other information entered into the free text field provided for this purpose.

Your consent is obtained for processing the data as part of the submission process and reference is made to this data protection policy.

 

Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted by the e-mail will be stored.

 

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

 

2.        The legal basis for the data processing

The legal basis for the processing of the data is Art. 6(1)(a) of the GDPR if consent has been given by the user.

 

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6(1)(f) of the GDPR.  

 

If the aim of the e-mail contact or the transmission of the contact form is the conclusion of a contract, then Art. 6(1)(b) of the GDPR forms the additional legal basis for processing.

 

3.        The purpose of the data processing

We only process the personal data entered into the input field to establish contact. In the event we are contacted by e-mail, this also constitutes a necessary legitimate interest for processing the data. The other personal data processed during the data submission process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

4.        Length of storage

The data are erased as soon as they are no longer necessary for achieving the purpose for which they were collected. With respect to the personal data entered into the input field of the contact form and the data sent by e-mail, this is the case once the conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively resolved.

 

The personal data additionally collected during the form submission process shall be erased after a period of no later than seven days.

5.        Possibility of objection and removal

The user can revoke consent to the processing of personal data at any time. If the user contacts us via the contact form or e-mail, an objection to the storage of personal data can be made at any time. In such a case, the conversation cannot be continued.

 

All personal data stored in the course of contacting us will be deleted in this case.

IX.     Matomo web analysis (formerly PIWIK)

1.        Scope of the processing of personal data

On our website we use the open source software tool Matomo (formerly PIWIK) to analyze the surfing behavior of our users. The software places a cookie on the user's computer (see above for information on cookies). When individual pages of our website are accessed, the following data is stored:

(1)   Two bytes of the IP address of the user’s requesting system

(2)   The website that is visited

(3)   The website from which the user accesses the visited website (referrer)

(4)   The subpages that are called up by the visited website

(5)   Time spent on the website

(6)   How often the website is visited

The software runs exclusively on the servers of our website. The personal data of users is only stored there. The data shall not be passed on to third parties.

 

The software is set up so that the entire IP address is not stored. Instead, 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). This makes it impossible to attribute the abbreviated IP address to the requesting computer.

 

2.        The legal basis for the processing of personal data

The legal basis for processing the personal data of the user is Art. 6(1)(f) of the GDPR.

3.        Purpose of the data processing

The processing of users' personal data enables us to analyze the surfing behavior of our users. We are in a position to compile information about the use of the individual components of our website by evaluating the data we obtain. This helps us to continuously improve our website and its user-friendliness. For these purposes, it is also in our legitimate interest to process the data in accordance with Art. 6(1)(f) of the GDPR. By anonymizing the IP address, users' interest in protecting their personal data is sufficiently taken into consideration.

4.        Length of storage

Automatic erasure is currently not activated due to the masking of the IP address.

5.        Possibility of objection and removal

Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to fully use all of our website’s functions.

More information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/.

X.        Rights of the data subject

If your personal data are processed, you are the data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller:

1.        Right of access

You have the right to ask the data controller to confirm whether we process the personal data concerning you.

If such processing is being conducted, you can request the following information from the data controller:

(1)         the purposes for which the personal data are being processed;

(2)         the categories of personal data being processed;

(3)         the recipients or categories of recipients to whom the personal data concerning you have been or are being disclosed;

(4)         the envisaged period for which the personal data concerning you will be stored, or, if specific information is not possible, criteria used to determine the storage period;

(5)         the existence of a right to rectify or erase personal data concerning you, a right to restrict processing by the data controller or a right to object to such processing;

(6)         the right to lodge a complaint with a supervisory authority;

(7)         any available information on the origin of the data if the personal data are not collected from the data subject;

(8)         the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) of the GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR in connection with the transfer.

2.        Right to rectification  

You have a right to request that the data controller rectify and/or complete the personal data concerning you that are being processed if these data are incorrect or incomplete. The data controller shall make the correction without delay.

3.        Right to restriction of processing

Under the following conditions, you may request that the processing of personal data concerning you be restricted:

(1)      if you contest the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of the personal data;

(2)      the processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;

(3)      the data controller no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or

(4)      if you object to the processing pursuant to Art. 21(1) of the GDPR pending verification of whether the legitimate grounds of the data controller override yours.

If the processing of your personal data has been restricted, such data, with the exception of storage, may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.

4.        Right to erasure

a)        Right to be forgotten

You may request that the data controller delete your personal data without delay, and the data controller shall be obliged to erase this data without delay if one of the following reasons applies:

(1) Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

(2)   You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, and there is no other legal ground for the processing.

(3)   You object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) of the GDPR.

(4)   Your personal data have been processed unlawfully.

(5)   The erasure of your personal data is necessary to fulfil a legal obligation in Union or Member State law to which the data controller is subject.

(6)   Your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.

b)        Information to third parties

Where the data controller has made your personal data public and is obliged to erase them in accordance with Art. 17(1) of the GDPR, the data controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers who are processing the personal data that you, as the data subject, have requested the erasure by such data controllers of any links to, or copy or replication of, those personal data.

c)         Exceptions

The right to erasure shall not apply insofar as the processing is necessary

(1)         for exercising the right of freedom of expression and information;

(2)         for compliance with a legal obligation that requires processing by Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;

(3)         for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;

(4)         for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) of the GDPR, insofar as the right referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing; or

(5)         for the assertion, exercise or defense of legal claims.

5.        Right to information

If you have exercised your right to have the data controller erase or restrict the processing of your data, the data controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to every recipient to whom your personal data have been disclosed, unless this proves impossible or involves a disproportionate degree of effort.

You have the right to be informed of such recipients by the data controller.

6.        Right to data portability

You have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you that you have provided to the data controller. Furthermore, you have the right to pass this data on to another data controller without being obstructed by the data controller to whom your personal data was given, provided that

(1)      processing is based on consent pursuant to Art. 6(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR, or on a contract pursuant to Art. 6(1)(b) of the GDPR and

(2)      the processing is carried out by automated means.

In exercising this right you shall have the right to have the personal data concerning you transmitted directly from one controller to another, provided this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to portability shall not apply to processing personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.        Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) of the GDPR, including profiling based on those provisions.

The data controller shall no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8.        Right to revoke consent pertaining to data protection

You have the right to revoke your consent pertaining to data protection at any time. By revoking this consent, the legality of the processing carried out on the basis of this consent until it was revoked shall not be affected.

9.        Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

(1)         is necessary for entering into, or performance of, a contract between you and the data controller;

(2)         is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms, as well as your legitimate interests; or

(3)         is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9(1) of the GDPR unless Art. 9(2)(a) or (g) applies and suitable measures are in place to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms, as well as your legitimate interests, not least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.

10.    Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you are of the opinion that the processing of the personal data concerning you violates the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.