Data Protection

 

Name and address

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States of the European Union as well as other data protection regulations is: 

  • German Cancer Research Center - Foundation under public law
  • Im Neuenheimer Feld 280
  • 69120 Heidelberg
  • Germany
  • Telephone: +49 (0)6221 420
  • Email: kontakt@dkfz.de
  • Website: www.dkfz.de

 

Name and address of the Data Protection Officer

  • Data Protection Officer 
  • German Cancer Research Center - Foundation under public law
  • Im Neuenheimer Feld 280 
  • 69120 Heidelberg 
  • Telephone: +49 (0)6221 420 
  • Email: datenschutz@dkfz.de

 

General information on data processing

1. Extent of processing of personal data

We only process the personal data of our users when it is necessary so that we can offer content and services to our users. We primarily utilise consent as the legal basis for processing of personal data. In certain circumstances however, clearly indicated below, alternate legal bases will be used. 

GHGA involves a number of institutions across Germany who work closely together. It is necessary to share certain personal data with these institutions in order to operate our services. These institutions are considered to be joint-controllers of the data. A list of institutions that may receive your data is included below. Legally, GHGA is usually represented by DKFZ.

2. Legal basis for the processing of personal data

When we receive consent from you for the processing of your personal data, Article 6 (1) lit. a) GDPR serves as the legal basis. 

If you agree to a contract with DKFZ, it will be necessary to process your personal data in order for GHGA to fulfil that contract, for example if you wish to deposit Research Data with GHGA. The legal basis for that processing is Article 6 (1) lit. b) GDPR.

If DKFZ is required to process your personal data due to a legal obligation to which we are subject, the legal basis will be Article 6 (1) lit. c) GDPR.

When the processing of your personal data is required for the purposes of legitimate interests pursued by DKFZ or an institution which is part of GHGA, the legal basis is Article 6 (1) lit. f) GDPR. 

3. Erasure of data and retention duration

Your personal data will be deleted when it is no longer required for its intended purpose. This may vary depending on the reason why it has been collected. GHGA operates a Data Deletion Concept to ensure that personal data are not stored beyond any legal retention periods. 

The duration of storage for each data type is described below. You may have the legal right to request the deletion of your data prior to the planned retention period; please see the ‘Your rights’ section.

 

Provision of the GHGA Website 

1. Description and scope of data processing

Each time the GHGA website is accessed, our system automatically records data and information about the device used to access the site. This is stored as data and log files.
The following data are collected: 

  • (1) Information on the type and version of the browser being used.
  • (2) The visitor’s operating system.
  • (3) The visitor’s internet service provider.
  • (4) The visitor’s IP address.
  • (5) Time and date of retrieval.
  • (6) Websites from which the visitor’s system accesses our website (for example, if our website was accessed via a link from another website).

2. Legal basis for data processing 

The legal basis for the temporary storage of data and log files is Article 6 (1) lit. f) GDPR. 

3. Purpose of data processing

It is necessary for us to temporarily store IP addresses on our system so that we can ensure the delivery of our website to visitors’ devices. For this purpose, your IP address must be stored whilst you are visiting our website. 

Primarily the data collected are stored in log files which are used to ensure the functionality of our website. In addition, the data may also be used to support the security of our system. We do not use your data collected when you are using our website for marketing purposes.

As we have a legitimate interest to operate our website for you, we use Article 6 (1) lit. f) GDPR as the legal basis for processing.

4. Duration of storage

The data will be deleted when they are no longer necessary for the intended purpose for which they have been collected. The data that are collected for the provision of the website are deleted as soon as the session is completed.

The data stored in log files are usually deleted no later than seven days after the end of the session. In exceptional circumstances, the data may be stored for a longer time, for example for system security purposes. In such cases, your IP addresses are deleted or modified so that you cannot be identified.

5. Options for objection and removal

These data must be collected to ensure the functioning of our website and they must be stored in log files in order to make our website available to you. Consequently, we cannot offer you the right to object to processing in this case.

 

Usage of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are small data files that are placed on a website visitor’s device by their browser. Cookies are typically used to store information that is needed to support the functionality of the website. 

We use cookies to ensure our site is user-friendly. Some elements of our website call for the browser to be identified even after switching pages.

2. Legal basis for data processing 

The legal basis for the processing of your personal data with the use of cookies is Article 6 (1) lit. f) GDPR.

3. Purpose of data processing

We use cookies for three distinct purposes. 

(1) Required Cookies

Required cookies support the functionality of the GHGA website. They are created by the TYPO3 system that the website uses.

(2) Website Analytics

Statistical cookies are used for the purpose of improving the quality of our website and its contents. These cookies enable us to learn how the GHGA website is used so that we can continually improve our service. For example, we may wish to understand how long it takes for visitors to find the information they require so that we can optimise the structure of the GHGA website.

The statistical cookies can recognise which internet browser you are using and a profile about the ways in which you use our website. However, your IP address is anonymised immediately by shortening it so that we only know from which region you are accessing our website. We can therefore understand how you use the GHGA website, but we have no way to link that information back to you.

In order to collect this information we are using third-party cookies provided by Matomo. The information collected by the analysis cookies is transferred to a server operated by GHGA. 

(3) YouTube

Content hosted by video platforms will be disabled automatically on the GHGA website. To see content from external sources, you need to enable the YouTube cookies in the Cookie Settings. 

Detailed information on the YouTube plugin used and the data transferred to YouTube can be found below in section “Plugins and tools”.

As we have a legitimate interest to operate our website for you, we use Article 6 (1) lit. f) GDPR as the legal basis for processing.

4. Duration of storage, options for objection and removal

The cookies produced are stored on your device and transmitted to our website. Therefore, you have full control of where the cookies are stored. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Previously stored cookies can be deleted from your device at any time. It may also be possible to do so automatically. 

You can update your preferences for the GHGA website by clicking on Cookie Settings. From there you can accept or reject the use of cookies by their purpose. Rejecting cookies may limit the functionality of the GHGA website.

 

Newsletter

1. Description and scope of data processing

In order to subscribe to the GHGA Newsletter, you will be asked to provide personal data via a submission form. 

The registration for our newsletter takes place via a so-called double opt-in procedure. This means that you will receive an email after registration in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with someone else’s email address. When initially registering for the newsletter, your IP address and the date and time of registration are stored. This helps prevent the misuse of the services or your email address. The data is used exclusively for sending you our newsletter.

We use rapidmail to send the GHGA newsletter.

2. Legal basis for data processing 

The legal basis for the processing of your personal data to subscribe to the newsletter is Article 6 para. 1 lit. a) GDPR.

3. Purpose of data processing

Use of rapidmail:

rapidmail is provided by rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany. The information that you provide via the submission form is stored on their servers in Germany.

We use rapidmail to organise the sending of the GHGA newsletter. In addition, rapidmail enables us to understand whether the newsletter has been opened, and whether any links have been clicked on. To do so, emails sent by rapidmail contain a tracking pixel which connects to their servers when the email is opened and the links in the newsletter are tracking-links. This information enables us to understand how recipients engage with our newsletter, and what content they find to be most interesting and relevant. 

The legal basis for the processing of the personal data used to manage subscriptions to the GHGA newsletter is consent, Article 6 para. 1 lit. a) GDPR. The legal basis for sending the newsletter is described in Section 7 (3) UWG.

4. Duration of storage

You can cancel your subscription to the GHGA newsletter at any time. We include links on how to do so in every newsletter. You can also unsubscribe via the GHGA website. The personal data collected from you for this purpose will be deleted. Data collected from you for other purposes will not be affected if you choose to unsubscribe from the GHGA newsletter.

If you do not wish for your data to be processed by rapidmail, you must unsubscribe from the newsletter. You can access a copy of the GHGA newsletter from our website without subscribing.

 

Contact form and email contact / Helpdesk System

1. Description and scope of data processing

The GHGA website includes contact forms if you wish to contact us. If you decide to contact us using the forms, the data you provide is sent to us and stored within a Helpdesk system operated by Zammad GmbH and managed by DKFZ. Any data processing performed by Zammad GmbH is performed in accordance with a contract between Zammad GmbH and DKFZ.

The following email addresses are also rerouted to the Zammad Helpdesk:

The contact forms request the following information from you: the reason for contacting us, your name, your email address, and your message to us. The time and date of your message are also stored. Your message may also include any other personal data you choose to include.

You will be asked to confirm that you have read and understood this privacy policy before contacting us via the form. 

Zammad helpdesk system

We use the Zammad helpdesk system provided by Zammad GmbH, Marienstraße 11, 10117 Berlin. The use of a helpdesk system ensures that we can respond to enquiries and requests effectively and in an appropriate time.

Zammad only uses the data for the technical processing of the enquiries and requests and does not pass them on to other third parties. In the course of processing enquiries and requests, it may be necessary for us to request further data from you.

When submitting using the contact form, Zammad creates a ticket regarding your enquiry or request and a user profile using the provided first name, surname, and email address, if this does not already exist. All messages that you send to us are automatically assigned to your user profile. You have the option to create an account with Zammad as part of the process to directly view and manage your own enquiries and requests.

2. Legal basis for data processing 

The legal basis for the processing of the data that are sent to the Zammad helpdesk is Article 6 (1) lit. f) GDPR. GHGA has a legitimate interest to process this data to ensure the functionality and security of our data infrastructure for users in the event of problems, malfunctions, and failures. The processing is also in the interest of our users, as they are supported as users in case of technical questions and problems. 

If you enter into a contract with DKFZ, then the legal basis for the processing of your communications with us is Article 6 (1) lit. b) GDPR.

3. Purpose of data processing

The personal data you submit to us via a contact form is used to create a helpdesk ticket through which we can communicate with you and provide support to you. The other data processed during the transmission of the contact form are used to prevent misuse of the contact form and to ensure the security of our helpdesk system.

4. Duration of storage

While we aim to resolve your problems quickly, the tickets and the information that they contain provided by you will be stored for a longer period, in case you have any follow-up questions. 

Tickets which are processed under Article 6 (1) lit. f) will be deleted no later than 5 years after the issue to which they relate has been resolved. Doing so will only delete the information in that particular ticket, and so if you have opened multiple tickets, we may still continue to store personal data about you.

Tickets which are processed under Article 6 (1) lit. b) will be stored until such time that the Research Data and Personal Metadata that they refer to are no longer archived by GHGA. Due to the sensitive nature of the Research Data and Personal Metadata, it is necessary to retain a record of all instructions we have received that relate to their processing.

5. Options for objection and removal

You have the right to request the erasure of data we hold about you under certain conditions. You may also object to our processing of data about you. Please see the section ‘Your rights’ for more information. 

 

Life Science Login

1. Description and scope of data processing

Life Science Login (LS Login) is an authentication service from EOSC-Life. It enables researchers to use their home institutional credentials to access services. At GHGA, LS Login is used to access the GHGA Data Portal when a user wishes to request access to data or download data they have been approved to access. In the future, it will also be necessary for users who wish to submit data to GHGA to log in to the GHGA Data Portal. Data regarding persons approved to act is stored in the de.NBI Cloud hosted by the DKFZ. This is a secure cloud infrastructure with strict access controls in place.

2. Legal basis for data processing

The legal basis for the processing of data for LS Login is Article 6 (1) lit. f) GDPR. GHGA has a legitimate interest to process this data to ensure the functionality and security of our data infrastructure for users. 

3. Purpose of data processing

These data are processed in order to identify you when you request access to the GHGA Data Portal. This enables us to ensure that Research Data and Personal Metadata are only accessed by approved researchers. It is also necessary for us to ascertain that instructions relating to the processing of Research Data and Personal Metadata are issued by authorised persons.

4. Duration of storage

Due to the sensitive nature of the Research Data and Personal Metadata, it is necessary to store information about who has accessed it, or instructed GHGA Central to act, whilst it is stored within the GHGA Data Infrastructure. Data related to persons who accessed Research Data and Personal Metadata, or instructed GHGA Central, shall be deleted 6 years after the Research Data and Personal Metadata has been removed from the GHGA Data Infrastructure.

5. Options for objection and removal

It is necessary to process your information through LS Login in order to identify and authorise you on our systems. This is essential when you wish to access Research Data and Personal Metadata or to enable you to instruct us to process Research Data and Personal Metadata. Consequently, we cannot offer you the right to object to processing in this case.

 

Plugins and tools

YouTube

YouTube is an Internet video portal that allows video publishers to post video clips free of charge and for other users to view, rate, and comment about the videos, also free of charge. It is operated by Google. In the European Economic Area (EEA) and Switzerland, YouTube services are offered by Google Ireland Limited, registered and operated under Irish law (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland.

The GHGA website uses plugins as a service from YouTube so that we can embed videos on our website. When you visit one of our pages that contains an embedded YouTube video, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you are visiting. The videos have been embedded using a privacy-enhanced mode, which means that any videos you view via our website will not be used to personalise your YouTube experience, nor will they impact adverts that you see (for more information, see support.google.com/youtube/answer/171780).

We use YouTube as a platform to share presentations, talks, and other such events which may be of interest to the users of GHGA. This represents a legitimate interest within the meaning of Article 6 para. 1 lit. f GDPR for GHGA. For more information on the handling of user data, please refer to YouTube's privacy policy at: www.google.de/intl/de/policies/privacy.

Social media platforms

GHGA has a presence on social media platforms such as LinkedIn and Twitter. Anyone who registers with social media platforms and uses their functions to interact with GHGA there (such as by commenting, communicating, liking or sharing posts) leaves data behind in the process. It is possible that this data is stored, evaluated, and processed by the social media platform, for example to analyse user behaviour.

GHGA has no influence upon the data protection policies of these social media platforms. For more information about the data they process and your rights, please see their respective privacy policies:

You can access the content GHGA posts on social media platforms directly from our website without registering for the platforms. You may find that some functionality is missing without registration.

In order to make the GHGA website more attractive and user-friendly, we integrate content directly from selected social media platforms (YouTube and Twitter) into certain pages. We use cookies to do so. You can deactivate these cookies by going to Cookie Settings on our website. The content that relies on the deactivated cookies will not be displayed.  

Podigee Podcast-Hosting

GHGA hosts a regular podcast, Der Code Des Lebens, about genome research.

To do so, we use the Podigee podcast hosting service from the provider Podigee GmbH, Schlesische Straße 20, 10997 Berlin, Germany. The podcasts are downloaded or streamed from Podigee. Podigee processes your IP address and device information to enable the downloading or playback of podcasts and to collect statistical data to determine, for example, the total number of downloads. Your IP address is only required whilst Podigee is running. Statistical information is stored in an anonymised form by Podigee.

Further information about the processing and your options to object can be found in Podigee's data protection declaration: https://www.podigee.com/en/about/privacy.

The use of Podigee is based on a legitimate interest for GHGA to ensure a secure and efficient provision of our podcast and for us to be able to analyse and optimise its impact. The legal basis for processing this data is that GHGA has a legitimate interest within the meaning of Article 6 para. 1 lit. f GDPR.

Shinyapps.io

Our Legacy Consent Toolkit app is hosted at shinyapps.io which is provided by RStudio, 250 Northern Ave, Boston, MA 02210, USA. The app generates a log of the R console messages that would normally be seen if running the app code within RStudio.

The log does not contain any personal information about you such as your IP address or location; it is only generated to support bug-fixing. The log is automatically deleted after 1 week.

 

Transfer of personal data to third parties

The following institutions are involved in GHGA and are joint-controllers of the data described in this policy:

  • Deutsches Krebsforschungszentrum (DKFZ), Im Neuenheimer Feld 280, 69120 Heidelberg
  • Eberhard Karls Universität Tübingen (EKUT), Geschwister-Scholl-Platz, 72074 Tübingen
  • Technische Universität München (TUM), Arcisstraße 21, 80333 München
  • Technische Universität Dresden (TUD), 01062 Dresden
  • Universität zu Köln (UzK), Albertus-Magnus-Platz, 50923 Köln
  • Universitätsklinikum Schleswig-Holstein (UKSH), Arnold-Heller-Str. 3, 24105 Kiel
  • Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft (MDC), Robert-Rössle-Straße 10, 13125 Berlin

 

Your rights

As soon as your personal data are processed, you assume the role of the data subject pursuant to the GDPR and are therefore granted the following rights vis-à-vis the data controllers listed above. Please contact the Data Protection Officer listed under ‘Name and address’ or datenschutz@dkfz.de if you wish to exercise any of your rights. Your rights are as follows:

1. Right to revoke consent to data processing (Art. 7 para. 3 GDPR)

You have the right to revoke your consent to data processing at any time. The revocation of consent does not affect the legality of the data processing already carried out on the basis of that consent.

2. Right of access (Article 15 GDPR)

You have the right to obtain from the controllers confirmation as to whether or not personal data concerning you are being processed by us.
If this is the case, you may request access to the following information from the controller:

  • (1) The purposes of the processing of personal data;
  • (2) The categories of personal data concerned;
  • (3) The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • (4) The envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;
  • (5) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
  • (6) The right to lodge a complaint with a supervisory authority;
  • (7) Where the personal data are not collected from the data subject, any available information as to their source;
  • (8) The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You are also entitled to the right to request information on whether your personal data are transferred to a third country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

Please note that the first request for access to the data from you is provided by the controllers without charge, but that a reasonable charge for the work required to provide access may be required for subsequent requests.

3. Right to rectification (Article 16 GDPR)

You have a right to rectification and/or completion if the processed personal data concerning you is incorrect or incomplete. The controllers must make the correction without undue delay.

4. Right to erasure (Article 17 GDPR)

a) Duty to delete
You may request that the controllers delete personal data concerning you without undue delay, and the controller is required to do so without undue delay, if one of the following reasons applies:

  • (1) The personal data concerning you are no longer required for the purposes for which they were collected or processed.
  • (2) You revoke your consent to data processing based on Article 6 (1) lit. a) or Article 9 (2) lit. a) GDPR and there is no other legal basis for the data processing.
  • (3) You object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR.
  • (4) The personal data concerning you have been processed unlawfully.
  • (5) The erasure of personal data concerning you is required to fulfil a legal obligation based on laws of the European Union or of a Member State to which the controller is subject.
  • (6) The personal data concerning you have been collected in relation to information society services offered pursuant to Article 8 (1) GDPR.

b) Information transferred to third parties
If the controllers make the personal data concerning you available to other parties and are obliged to erase the data pursuant to Article 17 (1) GDPR, they must take appropriate measures, taking into account the available technology and the cost of their implementation and technical nature, to inform the other parties who process the personal data that you as the data subject have requested the erasure of all links to these personal data or copies or replication of such personal data.

c) Exceptions
The right to erasure does not apply insofar as the processing is required:

  • (1) to exercise the right to freedom of expression and information;
  • (2) to fulfil a legal obligation that requires processing according to the laws of the European Union or its Member States to which the controller is subject, or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • (3) based on considerations of the public interest in the field of public health pursuant to Article 9 (2) lit. h) and i) as well as Article 9 (3) GDPR;
  • (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR insofar as the right listed under a) is expected to render impossible or seriously impair the achievement of the objectives of this processing; or
  • (5) for the assertion, exercise or defence of legal claims.

5. Right to restriction of processing (Article 18 GDPR)

You may request the restriction of processing of personal data concerning you under the following conditions: 

  • (1) You have contested the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data;
  • (2) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • (3) The controller no longer needs the personal data for the purposes of the processing, but you require them to assert, exercise or defend legal claims; or
  • (4) You have objected to processing pursuant to Article 21 (1) GDPR pending the verification of whether the legitimate grounds of the controller override yours.

Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

Where the restriction of processing is carried out pursuant to the aforementioned conditions, you will be informed by the controllers before the restriction of processing is lifted.

6. Right to be informed (Article 19 GDPR)

If you have asserted your right to rectification, erasure or restriction pertaining to the data processing vis-à-vis the controllers, they are obliged to inform all recipients to whom the personal data have been disclosed of this rectification or erasure of the data or the restriction of the processing, unless this proves to be impossible or involves a disproportionate effort.

You are entitled to the right to be informed by the controller about these recipients.

7. Right to data portability (Article 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controllers, in a structured, commonly used, and machine-readable format. Moreover, you also have the right to transmit those data to another controller without hindrance from the controllers to which the personal data have been provided insofar as:

(1) the processing is based on consent granted pursuant to Article 6 (1) lit. a) GDPR or Article 9 (2) lit. a) GDPR or on a contract pursuant to Article 6 (1) lit. b) GDPR, and
(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, wherever technically feasible. This may not adversely affect the rights and freedoms of others.

8. Right to object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) lit. e) or f), including profiling based on those provisions. 

The controllers shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the assertion, exercise or defence of legal claims.

Wherever personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you may no longer be processed for such purposes.

Within the context of the use of information society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

9. Automated decision-making, including profiling (Article 22 GDPR)

You have the right not to be subject to a decision that is based solely on an automated processing of data, including profiling, and that may have a legal effect on you or any similarly significant restrictive effect. 

Please note that no automated decision-making is carried out by the controllers when using your data.

10. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

You also have the right to lodge a complaint with a supervisory authority, if you believe that the processing of your personal data by GHGA is in violation of the GDPR. You can do so in the Member State where you reside or work or where the alleged violation takes place. 

The supervisory authority to which the complaint is submitted will inform you of the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.