I. Data protection information according to Art. 13 and 21 GDPR for kidneyinfection.org, Hantavirus Registry – HantaReg, Leptospirosis Registry – LeptoScope, Clinic II for Internal Medicine, University Hospital of Cologne
“Controller” in terms of the General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz – German Federal Data Protection Act (BDSG) and other data protection regulations is:
Study-Center, Clinic II for Internal Medicine
Kerpener Straße 62, 50931 Köln
for the website kidneyinfection.org and the registries
Website: www.kidneyinfection.org and registry platform HantaReg and LeptoScope, referred to hereinafter as “controller” or “we”.
The responsible data protection officer is:
Dr. med. Felix Köhler
Joseph-Stelzmann-Str. 26, 50931 Köln
Please be aware that links on our website may redirect you to other Internet pages that are not operated by us but by third parties. We either clearly mark such links or you can recognise them by the change of the address line of your browser. We are not responsible for compliance with the applicable data protection regulations and secure handling of your personal data by third parties operating such other Internet pages.
2.1. According to the GDPR
Cookies are text files which a website places on your terminal or which are read out there. They contain letters and combinations of numbers to enable, for instance when a connection is again established with the website that places the cookies, the recognition of the user and his settings, to enable you to stay logged in to a customer account or to conduct statistical analyses of a certain user behaviour.
3. General information about data processing
We only process personal data to the extent this is permitted by law. Disclosure or transfer to third parties takes place only in the cases described below (see sec. 4 below). The personal data is deleted or protected by technical and organisational measures (e.g. pseudonymisation, encryption) as soon as the data processing purpose ceases to exist. This is also the case as soon as a prescribed storage period expires unless continued storage of the personal data is necessary for the purpose of conclusion or performance of a contract. Unless we are obliged by law to ensure extended storage or disclose or transfer personal data to third parties (including but not limited to criminal prosecution authorities), the decision which personal data is collected by us, how long it is stored and to which extent you may be required to disclose your data depends on which functions and features of the website you use from time to time.
4. Data processing in connection with the use of the website
Using the website and its functions and features, as a rule, requires the processing of certain personal data.
4.1. Use of the website for information purposes
When you access our websites and use them for mere information purposes, e.g. without using additional functions or features such as contact forms or social media plugins, we automatically collect personal data. We thereby collect the following information: name and URL of the retrieved file, date and time of the retrieval, transferred data volume, notification of a successful retrieval, browser type and browser version, operating system, referrer URL and the IP address. This information is transferred by your browser unless you have configured it such that the information transfer is prevented. The personal data is processed for purposes of functionality and optimisation of the website and to ensure the security of our information technology systems. This is at the same time our legitimate interest, which renders the processing permissible according to Art. 6 subs. 1 f) GDPR. The personal data is stored during a period of 4 weeks. We do not combine the personal data with other data sources. The data is only disclosed or transferred to third parties if and to the extent this is necessary for operating our website. For such purpose, the personal data is transferred to Strato AG, Berlin, Germany, and the RRZK of the University of Cologne, Germany. It is not intended to transfer personal data to a third country or an international organisation.
4.2. Email contact and personal data entered into HantaReg and LeptoScope
When you write us an email, we will process the personal data you have provided thereby. This information is transmitted by the email client and stored in our information technology systems. The processing of this personal data is necessary to answer your request. In addition, your IP address as well as the date and time of your request will be stored if you write us an email. Data processing serves to answer your request. If you send us your affiliation to set up your account at clinicalsurveys.net for documentation into the registries HantaReg and LeptoScope, your personal data stated there will also be stored by us. These processing activities are lawful because answering your request is a legitimate interest in terms of Art. 6 subs. 1 f) GDPR. The processing of your personal data in relation to the application procedure is justified in accordance with Art. 88 subs. 1 GDPR in conjunction with § 26 BDSG. In case you send us an email, your personal data is stored as long as this is required for answering your request. Thereafter, the personal data is deleted routinely every 3 months. When you enter clinical cases into the registries HantaReg and LeptoScope, your personal data related to the clinical subject that you entered will be stored on servers of the GDPR-compliant platform clinicalsurveys.net in Cologne, Germany. Personal data entered into HantaReg or LeptoScope can only be seen by the site administration of clinicalsurveys.net and the researchers of HantaReg and LeptoScope. We do not combine this personal data with other data sources. The data is not disclosed or transferred to third parties. It is not intended to transfer the data to a third country or an international organisation. You are not obliged to provide this personal data; however, if you do not provide this data, you cannot send an email or enter patient subjects into HantaReg or LeptoScope.
5. Rights of data subjects
You as the person concerned (hereinafter “data subject”) are entitled to a right to information according to Art. 15 GDPR, a right to rectification according to Art. 16 GDPR, a right to erasure according to Art. 17 GDPR, a right to restriction of processing according to Art. 18 GDPR as well as a right to data portability according to Art. 20 GDPR. The right to information as well as the right to erasure are subject to the restrictions under §§ 34, 35 BDSG (German Federal Data Protection Act). In addition, you are entitled to lodge a complaint with a supervisory authority (Art. 77 GDPR in combination with § 19 BDSG).
6. Automated case-by-case decisions including profiling
There will be no automated case-by-case decisions including profiling.
7. Controller’s duty to inform
We will inform all recipients to whom your personal data was disclosed of any rectification or erasure of your personal data or any restriction of processing according to Art. 16, Art. 17 subs. 1 and Art. 18 GDPR unless it is impossible or requires unreasonable effort to inform them. We will also inform you about the identity of the recipients at your request.
8. Right to oppose
You are entitled for reasons arising from your specific situation to oppose at any time the processing of your personal data which is carried out according to Art. 6 subs. 1 e) or f) GDPR. Where personal data is processed for the purpose of direct marketing, you are entitled at any time to oppose the processing of your personal data for such direct marketing purposes.
9. Right to withdraw your consent to personal data processing
You are entitled under Art. 7 subs. 3 sentence 4 GDPR at any time to withdraw your consent. However, the withdrawal will leave the lawfulness of the processing that has taken place with your consent before the withdrawal unimpaired. Thus, the withdrawal only takes effect for the processing intended for the time after the withdrawal. The withdrawal can be made informally, by posted letter or email. If you oppose the processing, we will no longer process your personal data unless this is permitted by another (legal) basis. If you oppose the processing and there is no other legal basis which permits continued processing, we are obliged under Art. 17 subs. 2 b) GDPR to erase your personal data without undue delay (“unverzüglich”) upon your request. The withdrawal can be made informally and is to be addressed to:
Study-Center, Clinic II for Internal Medicine
Kerpener Straße 62, 50931 Köln