This data protection policy explains the form, extent, and purpose of the use of personalised data (from here on „data“) within our online presence and its connected websites, features and content, as well as external online presences, i.e. social media profiles (from here on „online content“).  Regarding the used terminology, i.e. „use“ and „person responsible“ please refer to the definitions in art.4 of the General Data Protection Regulation (GDPR).

Person Responsible

Eberhard Karls Universität Tübingen/University of Tübingen
Faculty of Medicine
Department of Anatomy
Institute of Clinical Anatomy and Cell Analysis
Prof. Dr Bernhard Hirt
Elfriede-Aulhorn-Straße 8
72076 Tübingen
Germany

Phone: +49 (0) 7071 29-72185
Fax: +49 (0)7071 29-5097
E-Mail: info@klinische-anatomie.de

Categories of Used Data:

– Inventory data (e.g., name, address).
– Contact data (e.g., email, phone number).
– Content data (e.g., text input, photos, videos).
– Usage data (e.g., websites visited, interest in content, access times).
– Meta/communication data (e.g., device information, IP-address).

Categories of Persons Concerned

Visitors and users of online content (from here on „user“).

Purpose of Use

– Provision of online service, its features and content
– Responding to contact requests and communication with users.
– Security measures.
– Range measurements/marketing

Used Terminology

„Personalised data“ are all information referring to an identified or identifiable natural person (from here on „person concerned“); identifiable describes a natural person, who can be directly or indirectly identified by a determining factor, e.g. a name, an identification number, location data, online-identification (e.g. cookie) or  by one or more determining characteristics, that point towards the physical, physiological, economic, cultural or social identity of this natural person.

„Use“ describes every and any executed action and series of actions connected to personal data, either automated or not. The term is used extensively and refers to any use of data.

„Pseudonymisation“ is the use of personalised data so it is impossible to connect the personalised data to a specific person, unless additional information is given. These additional data need to be stored separately and technical and organisational measures have to be implemented so the personalised data cannot be assigned to a identified or identifiable person.   

„Profiling“ Any kind of automated processing of personalised data, used to assess personal characteristics pointing towards a natural person, in particular to analyse or predicts characteristics of this natural person that refer to work performance, economic standing, health, personal preferences, interests, reliability, current location or changes thereof..

The „person responsible“ describes a natural person or a legal person, body, entity or other, which is decides about purposes and measures of the use of personalised data either on their own or jointly with others.

„Data processor“ describes a natural person or a legal person, body, entity or other, which processes personalised data by order of the person responsible.

Essential Legal Basis

Based on Art. 13 GDPR we inform you about the legal basis of our data processing. If the legal basis of the data protection policy is not explicitly given, the following is applicable: The legal basis to obtain consent is art. 6 par. 1 lit a and art. 7 GDPR; the legal basis for the compliance of our services and to proceed with stipulatory actions as well as responding to requests is art. 6 par.1 lit b GDPR; the legal basis for the compliance with our legal obligations is art. 6 par. 1 lit c GDPR; the legal basis for the protection of our rightful interests is art.6 par. 1 lit f GDPR. If existential interests of a person concerned or of another natural person are required to process personalised data, art. 6 par. 1 lit d GDPR is the legal basis.

Security Measures

Based on art 32 GDPR we take appropriate technical and organisational measures to ensure a state of art level of protection adequate for the respective possible risk. Other determining factors for the level of protection are the cost of implementation, the kind, extent, circumstances and purpose of data processing as well as probability of occurrence and severity of the risk for the rights and liberty of natural persons.

Part of those measures are, in particular, ensuring confidentiality, integrity, and availability of data by limiting the physical and other access to said data, input, transfer, guaranteeing availability as well as delinking of said data. Furthermore, we have implemented measures to ensure data subject rights can be exercised, data deleted, and a reaction to a data risk guaranteed. We also pay attention to the protection of personalised data during the development and selection of hardware, software, and processes, based on the principle of data protection regarding the design of technology and privacy friendly default setting (art 25 GDPR).

Collaboration with Data Processors and Third Parties

The disclosure, transfer or other kind of access to and of data to other parties and companies within our processing of data (third parties and data processors) only happens on the basis of legal permission (e.g. if the transfer of data to a third party, e.g. payment service providers, is required as fulfilment of a contract in accordance with art. 6 par. 1 lit. b GDPR), you previously gave your permission, on basis of a legal obligation or on the basis of our lawful rights (e.g. if commissioned, webhosts etc.). 

If we commission a third party to process data within a so-called data processing agreement, this is based on art. 28 GDPR.

Transmission to Third Countries

Processing of data in a third country (i.e. outside of the European Union (EU) or of the European Economic Area (EEA)) or processing within the utilisation of third-party services, disclosure, or transmission of data to third parties does only take place, if it is required for fulfilment of our contractual obligations, you gave permission, on basis of a legal obligation or on the basis of our lawful rights. Pending legal or contractual permissions, we will only process data in a third country under particular conditions that are in accordance with art. 44 ff. GDPR. I.e. the processing of data is based on specific guarantees, as in an official, in accordance with the EU, recognized data protection level (e.g. the US “Privacy Shield”) or on officially recognised specific contractual obligations (so called „standard contractual clauses“).

Rights of Persons Concerned

You have the right to demand confirmation if data are being processed and information about these data and further information and copies of that data, in accordance with art. 15 GDPR.

In accordance with art 16 GDPR you have the right to demand completion of data concerning your person and the right to demand correction of incorrect data concerning your person. 

In accordance with art 17 GDPR you have the right to demand instant deletion of data, or alternatively, in accordance with art. 18 GDPR, to demand to limit the processing of these data.

You have the right to demand the release and transmission of data you have previously submitted to you or other persons responsible in accordance with art 20 GDPR. 

You also have the right to file a complaint with the data protection authority, in accordance with art. 77 GDPR.

Cancellation Right

You have the right to cancel any permissions given, in accordance with art 7 par. 3 GDPR; the revocation of permissions will only come into effect prospectively. 

Right of Objection

In accordance with art. 21 GDPR, you may object the future processing of data concerning your person at any time. The objection may be filed in particular to the processing for marketing purposes.

Cookies and Right of Objection Regarding Direct Marketing

The term „cookies“ refers to small files that will be stored on the user’s computer. Within a cookie several information can be stored. A cookie is primarily used to store information about a user (or about the device on which the cookie is stored) during and after his visit to online content. Temporary cookies, or “Session-cookies“, or „transient cookies“ are cookies which will be deleted once a user has left the online content and closed his browser. The content of an online-shop ‘s check-our cart or login state can be stored in such a cookie. „Permanent“ or „persistent“ cookies are cookies, which remain stored after the closing of the browser. This is how a login state can be stored, until a user revisits the site after several days. It is also possible to store in these cookies interests of users that can be used for reach measurement or marketing purposes. A “Third Party Cookie” is a cookie offered by a provider other than the person responsible for providing the online content (if there are only cookies set by the person responsible these are called “First Party-Cookies”).

We may implement temporary and permanent cookies and inform about this in our data protection policy.

If a user disagrees with the storing of cookies on his computer, he is asked to deactivate this in the settings of the system browser.  Stored cookies can be deleted in the system settings of the browser. Blocking cookies may lead to a limitation of functions of this online content. 

A general objection against the use of marketing cookies can be filed with several bodies, in particular in cases regarding tracking:

USA: http://www.aboutads.info/choices/ or EU: http://www.youronlinechoices.com/ 

Furthermore, a blocking of cookies is possible by changing the browser settings. Please be aware that not all features of this online content may be available afterwards.

Deletion of Data

Data processed by us will be deleted or their processing will be limited in accordance with art. 17 and 18 GDPR. Unless explicitly exempt in this data protection policy, data stored with us will be deleted, but for any operation of law or once they have served their purpose.  If data cannot be deleted due to operation of law or other, their processing will be limited, i.e. data will be blocked and not used for any other purposes. This is particularly valid for data that have to be stored for customary or fiscal reasons.

According to German law, storage has to be guaranteed for 10 years, according to §§ 147 par. 1 AO, 257 par. 1 and 4, par. 4 HGB (commercial code) (books, recordings, status reports, accounting records, commercial codes, documents relevant for taxation etc.), and 6 years, according to § 257 par. 1 No 2 and 3, par. 4 HGB (business letters).

According to Austrian law, storage has to be guaranteed for 7 years, according to § 132 par. 1 BAO („Austrian Federal Tax Code“) (accounts, receipts/invoices, bank accounts, business papers, cash method of accounting reports etc.), for 22 years in connection with realties, and for 10 years for papers connected to electronic services, telecommunication-, radio-, and television services for non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) was used.

Performance of our Statutory and Commercial Services

We process data of our users, supporters, interested parties, customers or other persons in accordance with art. 6 par. 1 lit. B GDPR, if we offer them statutory services or act within existing commercial relations (e.g. regarding members), or if we ourselves are recipients of services or benefits. In accordance with art. 6 par. 1 lit. f, we will also process the data of persons concerned based on our rightful interests, e.g. for administrative tasks and public relations.
The hereby processed data, the form, the extent, and the purpose as well as the necessity of the data being processed are based on the underlying contractual relationship. These essentially include inventory and reference data of users (e.g. name, address etc.), contact information (e.g. email-address, phone etc.), contract data (e.g. utilised services, imparted content and information, names of contact persons), and if we offer payed content or products, payment data (e.g. bank account, payment history etc.).

We delete data no longer needed to fulfil our statutory and commercial services. This is determined by the respective tasks and contractual relationships. In the case of commercial services, we will store data as long as is needed to fulfil the service, including the possible duration of warranties and liabilities. The necessity of the storage of data is reviewed every three years, also the statutory retention requirements apply.elten die gesetzlichen Aufbewahrungspflichten.

Contact

To contact us (e.g. vial contact form, email, phone, and social media), the user information needed to handle the contact request are used, in accordance with art. 6 par. 1 lit b (within statutory r4elationships), art 6 par 1 lit f (other requests) GDPR. The information given by the user can be stored in a customer relationship management system („CRM-System) or a comparable form of request management system.

We delete requests, if they are no longer needed. The necessity is reviewed every two years, also statutory retention requirements apply.

Hosting and Email Delivery

The hosting-services used by us have the purpose to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, email delivery, security services as well as technical maintenance used for the purpose of running this online offer.

We, and our hosting provider, hereby process inventory, contact, content, contract, user, meta- and communication data of customers, interested parties, and visitors of this online content based on our rightful interests to provide efficient and secure online content, in accordance with art 6 par. 1 lit f GDPR in conjunction with art.28 GDPR (data processing agreement).

Elicitation of Access Data and Logfiles

We, and our hosting provider, within our rightful interests, elicit data about any kind of access to the server, on which this service is run (so-called server-logfiles), in accordance with art.6 par. 1 lit. f GDPR. These access data include the name of the accessed website, file, date, and time of the access, traffic, reports about the success of access, browser information and version, the user’s operating system, referrer-URL (website visited previously), IP address, and the provider sending the inquiry.   

For security reasons (e.g. to avoid misuse and fraud), logfile information will be stored for a maximum duration of 7 days and deleted thereafter. Data that need to be stored for the purpose of providing evidence are exempt from automatic deletion until the issue is solved.

Online Presence in Social Media

We maintain online presences on social media networks and platforms to communicate with customers, interested parties and users that are registered there and to inform about our services.

We explicitly inform that data of users can be processed outside of the European Union when using social media. This may lead to risks for the users, since e.g. the enforcements of user rights may be impeded. With regards to providers in the US, who are certified by the Privacy-Shield – they are legally committed to the data protection rules of the EU.

As a rule, data of users will be used for the purposes of marketing research and advertising.  Usage profiles of users may therefore be created based on usage behaviour and consequent interests. In turn, usage profiles may e.g. be used to show advertisements on and off the platforms that correspond to possible interests of the users.  For that purpose, cookies will normally be stored on a user’s computer to save the user’s usage behaviour and interests. Additionally, data may be stored independent of the devices used by the user (in particular, if users are registered members of a specific platform and logged into their respective accounts).  

The processing of personalised data is based on our rightful interests in effectively informing of and communicating with the users, in accordance with art. 6 par 1 lit f GDPR. If the users are asked to confirm their consent into the processing of data by the respective providers (by ticking a control box or button), it is in accordance with art. 6 par. 1 lit a, art. 7 GDPR. Please see the linked information of each provider for detailed information about the processed data and options to object (Opt-Out).

Also if you need further information or need to claim your user rights, please contact the respective providers. Only the providers have access to the user data and are able to react accordingly and give information.

– Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland) – Data protection policy: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads und http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

– Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Data protection policy:  https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

– Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Data protection policy / Opt-Out: http://instagram.com/about/legal/privacy/.

– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Data protection policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.

– LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland) – Data protection policy https://www.linkedin.com/legal/privacy-policy , Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.

– Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland) – Data protection policy / Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.

– Soundcloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Deutschland) – Data protection policy / Opt-Out: https://soundcloud.com/pages/privacy.

Integration of Third-Party Services and Content

As part of our online content and on the basis of our rightful interests (i.e. interests in analysing, optimising and economical operating of our online content, in accordance with art. 6 par. 1 lit f GDPR), we integrate content and services of third parties to include e.g. videos or fonts (from here on: “content”).

This always includes that the third parties offering the content will gain knowledge about the user’s IP address. Without the IP address they are unable to send content to the respective browser. We try to only use content whose respective providers use the IP address only to deliver the content. Third parties may also use so-called Pixel-Tags (invisible images, also known as „Web-Beacons“) for statistic or marketing purposes. By using „Pixel-Tags“ information like website traffic can be analysed. The pseudonymous information can further be stored in cookies on the devices of users and may include technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our online content. They may also be linked with this information from other sources.  

Youtube

We integrate videos of the platform “YouTube” of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.