Last update: May 2018
Privacy Notice according to GDPR
I. Name and address of the responsible entity
In terms of the General Data Protection Regulation and other national data protection acts of the member states as well as other data protection laws the responsible entity is:
Alumni des Heidelberger Life-Science Lab e. V.
Im Neuenheimer Feld 581
II. General remarks on the data processed
1. Scope of the processing of personal data
Generally we are only processing personal data of our users if it is necessary for providing a fully functional web page, content and services. The regular processing of personal data of our users is only done after approval by the user. This is not the case however, when there are effective reasons why the consent can't be given beforehand and when it is allowed to process the data due to legal regulations.
2. Legal basis for the processing of personal data
When we ask the affected person for approval for the processing of personal data, Art. 6 para. 1 lit. a General Data Protection Regulation (GDPR) (EU) serves as the legal basis.
When it is necessary to process personal data to fulfill a contract where the contracting party is the affected person, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This is also true for data processing needed to carry out pre-contractual measures.
As long as the processing of personal data serves a legal obligation we are subject to, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In case vital interests of the affected person or any other natural person require the use of the personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing the data is needed for preserving a legitimate interest of us or a third party and outweigh the interests, fundamental rights and freedoms of the affected person, Art. 6 para. 1 lit. f GDPR serves as the legal basis.
3. Data deletion and storage time
The personal data of an affected person is deleted or locked as soon as the purpose of storing them has ceased. Data can be stored beyond this if it is envisaged by the European or national legislator in EU regulations, laws or other regulations the responsible entity is subject to. Locking or deletion is also done if a period allotted by said regulations is expiring unless there is a necessity to keep the data for the conclusion or realization of a contract.
III. Providing the web page and creation of log files
1. Description and extent of the collected data
For each view of our web page the system is automatically collecting anonymous data and information of the inquiring computer system.
The following data is recorded in this process:
- Information on the web browser type and version
- The operating system of the user
- The IP address of the user
- Date and time of the request
- The URL of the web page the user requested
The data is stored in log files on our system this data in not related to other personal data of the user.
2. Legal basis for the data processing
Legal basis for the temporary storage of this data and log files is Art. 6 para. 1 lit. f GDPR.
3. Purpose of the data processing
Temporary storage of the IP address by the system is needed to deliver the web page to the computer of the user. For this reason the IP address needs to stored for the duration of the session.
Storing the data in the log file ensures reliability of the web page. Also the data is used for optimizing the performance of the website and security of our IT systems. Marketing-oriented data analysis is not performed in this context.
These reasons legitimate our interest in the data processing according to Art. 6 para. 1 lit. f GDPR.
4. Duration of the data storage
The data is deletes as soon as the purpose of recording them has ceased to exist. In case of the data recorded to provide the web page this is the case when the respective session is closed.
In case of the data stored in the log files this is the case after a maximum storage time of five weeks and two months. A longer storage time is possible. In this case however the IP addresses of the users need to be deleted or pseudonymized so that they can't be mapped to the inquiring client computer.
5. Means of objection and disposal
Recording the data for providing of the web page and the data storage in log files is mandatory for the operation of a web server. Consequently the user has no means of objection.
1. Description and extent of the collected data
Our website is using cookies. Cookies are text files that are stored in the browser, more specifically by the web browser on the computer system of the user. When a user requests a web page, a cookie can be stored in the operating system of the user. This cookie contains a characteristic sequence of characters that allows for a unique identification of the browser in later request of the same website.
We are using cookies to increase the usability of our web page. Some elements of our website require that the browser can be re-identified after switching to another sub-page. For this purpose, login information is collected and transferred in cookies.
2. Legal basis for the data processing
Legal basis for the processing of personal data by using cookies is Art. 6 para. 1 lit. f GDPR.
3. Purpose of the data processing
We require cookies for the following features:
- Manage page content
- Session ID for the GIT repository
- Remembering the language selection in the GIT repository
The user data exalted from the use of technically required cookies is not used to create user profiles.
These reasons legitimate our interest in the processing of personal data according to Art. 6 para. 1 lit. f GDPR.
4. Duration of the data storage, means of objection and disposal
Cookies are stored on the computer of the user and are transferred to the web page by him. Because of this you as the user have full control over the use of the cookies. By changing a setting in the preferences of your web browser you can deactivate or restrict the transfer of cookies. Cookies that have already been stored can be deletes any time. This can also be automatized. If cookies are deactivated for our website potentially not all features of this website can be used to full extent.
V. Rights of the affected person
In case data of your person is processed, you are a data subject in the sense of the GDPR and you have the following rights over the responsible entity:
1. Right of access
You can obtain confirmation from the responsible person whether or not personal data concerning you is processed by us.
If this is the case, you can demand the following information from the responsible entity:
- the purposes for which the data is processed;
- the categories of personal data that is processed;
- the recipients respectively the categories of recipients the data was or will be disclosed to;
- the planned storage duration of the personal data concerning you or, if no precise statements can be made, criteria for the establishment of the storage duration;
- the existence of a right to correction or deletion of the personal data concerning you, the right of limiting the processing by the responsible entity or an objection against this processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- all available information about the origin of the data if the personal data was not ascertained from the affected person;
- the existence of an automated decision in individual cases including profiling according to Art. 22 para. 1 and 4 GDPR and – at least in these cases – expressive information about the logic involved and the consequences of the processing for the affected person.
You have the right to demand information if the personal data concerning you is transferred to a third country or international organization. In this context you can demand to be informed about suitable guaranties according to Art. 46 GDPR related to the transfer.
2. Right of correction
You have the right of correction and/or completion over the responsible entity if the processed personal data concerning you is incorrect or incomplete. The responsible entity has to perform the correction immediately.
3. Right of limiting the processing
Under the following circumstances you can demand limiting the processing of personal data concerning you:
- if you deny the correctness of the personal data concerning you for a duration, that allows the responsible entity to check the personal data for correctness;
- if the processing is illegitimate and you deny the deletion of the personal data and demand to limit the use of the personal data instead;
- the responsible entity doesn't require the data for processing anymore, but you need them for the enforcement, exercise or defence of legal rights, or
- if you objected against the processing according to Art. 21 para. 1 GDPR and it has not yet been established if the legitimate interests of the responsible entity outweigh your interests.
When the processing of personal data concerning you was limited, the data can only be processed – with the exception of unaltered storage – with your consent or for the purpose of enforcement, exercise or defence of legal rights or for the protection of the rights of another natural person or corporate entity or because of important public interest of the European Union or one of its member states.
If the limitation of processing is constrained under the premises mentioned above, you are informed by the responsible entity before the limitation is lifted.
4. Right of deletion
a) Obligation to deletion
You can demand from the responsible entity that the personal data concerning you is deleted immediately and the responsible entity is obligated immediately do so, if one of the following reasons applies:
- The personal data concerning you is no longer required for the purposes they were recorded for.
- You are revoking your consent on which the processing was based on in accordance to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal ground for the processing.
- You did raise objection against the processing according to Art. 21 para. 1 GDPR and there are no compelling legitimate grounds for the processing or you raised objection against the processing according to Art. 21 para. 2 GDPR.
- The personal data concerning you was illegitimately processed.
- The deletion of the personal data concerning you is required to fulfil a legal obligation according to EU regulations or the law of the member states the responsible entity is subject to.
- The personal data concerning you was recorded in regard to the offer of information society services according to Art. 8 para. 1 GDPR.
b) Information of a third party
When the responsible entity has made the personal data concerning you public and if he is obligated to delete them according to Art. 17 para. 1 GDPR, it shall take measures to inform other entities responsible for processing the personal data about the demand to delete all references to, copies and replications of this data set. This measure is chosen appropriately under the consideration of the available technology and cost of implementation, including measures of technical nature.
The right of deletion does not exist, as long as the processing is necessary
- due to exercise of the right of free speech and information;
- for the fulfilling of a legal obligation that requires processing of the data according to EU regulations or of the member states which the responsible entity is subject of or for the exercise of a task in the public interest or in fulfilling a public duty that was assigned to the responsible entity;
- because of public interest in the scope of public health according to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
- for archival purposes in the public interest, scientific or historic research or for statistical reasons according to Art. 89 para. 1 GDPR, as long as the obligations mentioned in section a) will presumably render the goals of the data processing impossible or seriously compromises them, or
- for the enforcement, exercise or defence of legal rights.
5. Right of instruction
If you have asserted the right of correction, deletion or limitation of the data processing on the responsible entity, it is obligated to instruct all recipients to which the data was disclosed to about this correction, deletion or limitation of processing unless this is impossible or requires a disproportionate effort.
You have the right to be informed by the responsible entity about these recipients.
6. Right of data transferability
You have the right to get the personal data concerning you that you provided the responsible entity with in a structured well-established and machine-readable form. In addition you the right to transfer this personal data to another responsible entity without obstruction by the responsible entity if
- the processing is based on a consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. 1 GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR and
- the processing is performed by means of automated procedures.
In exercising this right you furthermore have the right to obtain that the personal data is directly transferred from one responsible entity to another one, as far as this is technically possible. Liberties and rights of other persons can't be violated in this process.
The right data transferability is not applicable to the processing of personal data that is done in the scope of a task that is of public interest or in fulfilling a public duty that was assigned to the responsible entity.
7. Right of objection
You have the right to raise objections against the processing of personal data concerning you that is based on Art. 6 para. 1 lit. e or f GDPR at any time; this is also true for profiling based on the same grounds.
The responsible entity is not processing the personal data anymore unless it can present compelling legitimate grounds for the processing that overweight your interests, rights and liberties or the processing serves the enforcement, exercise or defence of legal rights.
If the personal data concerning you are processed to facilitate direct advertising, you have the right to raise objections against the processing of personal data for the purpose of direct advertising at any time; this also applies to the profiling, as long as it is connected to such direct advertising.
When you are raising objections against processing for the means of direct advertising, the personal data concerning you will no longer be processed for this purpose.
In this context of using the offer of information society services you have the option of raising your objections by means of automated procedures under the use of technical specifications; despite the regulation 2002/58/EG.
8. Right of revoking the data privacy consent
You have the right to revoke your data privacy consent at any time. By revoking the consent the legitimacy of the data processing from the consent to the revocation is untouched.
9. Automated decision in individual cases including profiling
You have the right to not be subjected to an automated decision – including profiling – that has legal consequences for you or otherwise compromises you significantly to a similar extent. This is not true if the decision
- is required for the conclusion or realization of a contract between you and the responsible entity,
- is allowed according to EU regulation or the law of the member states to which the responsible entity is a subject and these legal regulations contain appropriate measures to protect your rights and liberties as well as your legitimate interests or
- is made with your explicit consent.
Nevertheless these decisions must not be based on special categories of personal data according to Art. 9 para. 1 GDPR as long as Art. 9 para. 2 lit. a or g GDPR is not applicable and appropriate measures for the protection of the rights and liberties as well as your legitimate interests have been made.
Concerning the cases mentioned in 1. and 3. the responsible entity is taking appropriate measures to protect the rights and liberties as well as your legitimate interests, which includes at least the right to obtain intervention by a person from the responsible entity, the right of presenting your own views and the right to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Regardless of other administrative or legal remedies you have the right to lodge a complaint with a supervisory authority, in particular in the member country of your whereabouts, your workplace or the place of the alleged violation, if you are under the impression that the processing of the personal data concerning you is in violation of the GDPR.
The supervisory authority where the complaint was lodged is informing the applicant about the status and results of the complaint including the option of a legal remedy according to Art. 78 GDPR.