Data protection declaration
The protection of your personal data on AGAH.eu
This data protection declaration explains the extent and purpose of the processing of personal data (hereinafter "data") within our online offering and the websites, functions and content connected with it, as well as external online presences, e.g. our social media profiles (hereinafter referred to together as "online offering").
In respect of the terms used, such as "processing" or "controller", we refer to the definitions in the General Data Protection Regulation (GDPR), Art. 4.
AGAH e. V.
Authorised representative directors:
Dr. rer. nat. Andreas Kovar (President), Prof. Dr. med. Georg Wensing (Past President), Dr. med. Sybille Baumann (President Elect),
Dr. med. Christine Klipping (Treasurer), Dr. med. Jens Rengelshausen (Secretary)
Amtsgericht Hamburg (Local Court), Caffamacherreihe 20, 20355 Hamburg
Data protection declaration
Type of processed data
- Personal data (e.g. names, addresses).
- Contact details (e.g. email, telephone numbers).
- Content data (e.g. text input, photographs, videos).
- Usage data (e.g. websites visited, interest in contents, access times).
- Meta/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offering (we hereinafter refer also refer to data subjects as "users").
Purpose of the processing
- Provision of online offering, its functions and content
- Answering contact queries and communication with users
- Security measures
- Reach measurement/Marketing
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data. The term is far-reaching and includes practically any use of data.
"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal basis
According to the provisions of GDPR Art. 13, we inform you of the legal basis for our data processing. The following applies if the legal basis is not stated in the data protection declaration: The legal basis for collecting consent is GDPR Art. 6(1) lit. a and Art. 7, the legal basis for processing in order to fulfil our work and services and to realise contractual measures and to answer queries is GDPR Art. 6(1) lit. b, the legal basis for processing in order to fulfil our legal obligations is GDPR Art. 6(1) lit. c, and the legal basis for processing in order to safeguard our justified interests is GDPR Art. 6(1) lit. f. In the event that vital interests of the data subject or another natural person makes processing of personal data necessary, GDPR Art. 6(1) 1 lit. d shall apply as the legal basis.
In accordance with Art. 32 DSGVO, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The measures include, in particular, securing confidentiality, integrity and availability of data through control of the physical access to the data, as well as the relevant access, input, forwarding, security of availability and its separation. Furthermore, we have established processes that guarantee the rights of the data subject, deletion of data and reaction to threats to the data. Further, we already take the protection of personal data into account in the development and selection of hardware, software and processes corresponding to the principle of data protection by structuring the technology and with default settings that are data protection friendly (GDPR Art. 25).
Cooperation with processors and third parties
Insofar as we disclose data to other persons and companies (processors or third parties) within the framework of our processing, transmit it to them or otherwise grant them access to the data, this shall only be on the basis of a statutory permission (e.g. if transmission of the data to third parties, such as to service providers, is necessary for fulfilling the contract according to GDPR Art. 6(1) lit. b, you have consented, a legal obligation requires this or based on our justified interests (e.g. when using representatives, web hosters, etc.)).
Insofar as we engage third parties to process data on the basis of a so-called "processing contract", this shall be based on GDPR Art. 28.
Transmissions to third countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EWR)) or this is done as part of the use of third-party services or disclosure or transmission of data to third parties, this shall take place only if this is for the fulfilment of our (pre)contractual duties, on the basis of your consent, on the basis of a legal obligation or based on our justified interests. Subject to statutory or contractual permissions, we process or get third parties to process data in a third country only in the case of the specific requirements according to GDPR Art. 44 et seq. That is, the processing is performed, for example, on the basis of specific guarantees, such as the officially recognised finding of a data protection level corresponding to that of the EU (e.g. for the USA the "Privacy Shield") or in compliance with officially recognised specific contractual obligations (known as "standard contractual clauses").
Rights of the data subjects
You have the right to demand confirmation as to whether relevant data are processed and to information about these data and to other information and to copies of the data corresponding to GDPR Art. 15.
In accordance with GDPR Art. 16 you have the right to demand completion of the data relevant to you or to correct the incorrect data relevant to you.
You have the right according to GDPR Art. 17 to demand that relevant data be deleted immediately or, alternatively, according to GDPR Art. 18 to demand the restriction of the data processing.
You have the right to demand that the data relevant to you, which you have provided to us, be provided to you according to GDPR Art. 20 and to demand its transmission to other controllers.
You also have the right according to GDPR Art. 77 to lodge a complaint with the respective regulatory authority.
Right of cancellation
You have the right to cancel consent granted according to GDPR Art. 7(3) with effect for the future.
Right of refusal
At any time you can refuse the future processing of the data relevant to you according to GDPR Art. 21. The refusal can be made, in particular, with regard to the processing for direct advertising purposes.
Cookies and right of refusal for direct advertising
"Cookies" are small files, which are saved on users' computers. Different information can be saved in the cookies. A cookie primarily serves to save information about a user (or about the device, on which the cookie is saved) during or also after the user’s visit to an online offering. Temporary cookies, or "session cookies" or "transient cookies" are cookies that are deleted after a user leaves an online offering and closes the browser. The content of a shopping basket in an online shop or a login status, for example, can be saved in these cookies. Cookies are "permanent" or "persistent" if they also remain saved after the browser has been closed. For example, the login status can be saved if the user returns after several days. This type of cookie can also save the users' interests, which are used for reach measurement or marketing purposes. "Third-party cookies" are cookies that are offered by providers other than the controller operating the online offering (if only the controller's cookies are exist, these are called "first-party cookies").
We can use temporary and permanent cookies and explain this in our data protection declaration.
If the users do not want cookies to be saved on their computer, they are asked to disable the corresponding option in their browser's system settings. Saved cookies can be deleted in the browser's system settings. Excluding cookies can lead to function restrictions of this online offering.
The data processed by us are deleted or their processing restricted according to the provisions of GDPR Art. 17 and 18. Unless expressly stated in this data protection declaration, data saved by us are deleted as soon as they are no longer required for their purpose and the deletion is not prevented by statutory duties of retention. If the data are not deleted because they are needed for other and statutorily permitted purposes, their processing is restricted. That is, the data are locked and not processed for other purposes. This applies, for example, to data that have to be retained because of commercial code or tax law requirements.
According to statutory requirements in Germany, the retention period in particular is 10 years according to the German Tax Code (AO) Section 147(1), the German Commercial Code (HGB) Section 257(1) Nos. 1 and 4 and (4) (books, records, management reports, receipts, account books, documents relevant for taxation, etc.) and 6 years according to HGB Section 257(1) Nos. 2 and 3 and (4) (commercial letters).
According to statutory requirements in Austria, the retention period in particular is 7 years according to the Austrian Federal Tax Code (BAO) Section 132(1) (account documents, receipts/invoices, bank accounts, receipts, business papers, statements of income and expenditure, etc.), 22 years in conjunction with real estate and 10 years for documents connected with electronically provided services, telecommunication, radio and television services, which are provided to non-companies in EU member states and for which the Mini One Stop Shop (MOSS) is used.
Providing our constitutional and business services
We process the data of our members, supporters, potential customers, customers or other persons corresponding to GDPR Art. 6(1) lit. b, insofar as we offer them contractual services or work for them within the frame of an existing commercial relationship, e.g. to members, or if we ourselves are recipients of services and payments. Moreover, we process the data of data subjects according to GDPR Art. 6(1) lit. f on the basis of our justified interests, e.g. if this involves administrative tasks or publicity work.
The data processed here, the type, extent and purpose, along with the necessity of the processing are determined according to the underlying contractual relationship. These generally include existing and master data of the persons (e.g. name, address, etc.), as well as contact details (e.g. email address, telephone, etc.), the contractual data (e.g. services used, content and information provided, names of contact persons) and, insofar as we offer services or products for payment, payment details (e.g., bank details, payment history, etc.).
We delete data that are no longer needed for providing our constitutional and business purposes. This is determined corresponding to the respective tasks and contractual relationships. In the case of commercial processing, we retain the data as long as they may be relevant for the business processing, as well as in respect of any guarantee or liability duties. The necessity to retain data is reviewed every three years; moreover the statutory duties of retention apply.
Hosting and email sending
The hosting services used by us serve to provide the following services: infrastructure and platform services, computing capacity, memory and database services, email sending, security services and technical maintenance services, which we use to operate this online offering.
We or our hosting provider processes personal data, contact data, content data, contractual data, usage data, meta and communication data from customers, potential customers and visitors to this online offering on the basis of our justified interests in an efficient and secure provision of this online offering according to GDPR Art. 6(1) lit. f in conjunction with GDPR Art. 28 (conclusion of processor contract).
Collecting access data and logfiles
We or our hosting provider collects data about every access to the server on which this service is saved (known as server logfiles) on the basis of our justified interest as defined in GDPR Art. 6(10 lit. f. The access data include the name of the website accessed, file, data and time of access, data quantity transmitted, message about successful call up, browser type plus version, the user's operating system, referrer URL (site previously visited), IP address and requesting provider.
For security reasons (e.g. to investigate misuse or fraudulent actions) logfile information is saved for a maximum of 7 days and then deleted. Data, the further retention of which is necessary as evidence, are excluded from deletion until the conclusive clarification of the respective incident.