PRIVACY POLICY OF DKMS gGmbH


1. OVERVIEW

1.1. The protection of your personal data is very important to us. In order to ensure that all data processing procedures on our website and the services offered on our website are transparent and comprehensible for you as a visitor and user (hereinafter referred to as “user”) of our website, we explain in this Privacy Policy the type, scope and purpose of the processing of your personal data on our website.

1.2. When processing your personal data, we strictly observe the data protection requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

1.3. Personal data refers to any information that can be related to you personally and can be used to identify you, e.g., IP address, name, address, e-mail data, user behavior.

1.4. This Privacy Policy is effective as of March 2021. Due to our website’s ongoing development and the services offered on our website or due to changes in legal or regulatory requirements, this Privacy Policy is subject to change. Accordingly, we reserve the right to amend the content of this Privacy Policy at any time. Any changes will be communicated by posting the amended Privacy Policy on our website. Unless otherwise specified, such amendments shall take effect immediately. We, therefore, recommend that you regularly review the Privacy Policy.

1.5. The Data Controller pursuant to Art. 4 (7) GDPR is DKMS gemeinnützige GmbH (see legal notice). Our Data Protection Officer can be reached at datenschutz@dkms.de or at our postal address with “the Data Protection Officer” as the addressee.

2. WHAT PERSONAL DATA DO WE PROCESS?

We collect information from you when you visit our website or use our services on the website. Depending on how you use our website, this may include the following information:

2.1. For informational purposes only: You can visit our website without providing any personal data. When using the website for informational purposes only, i.e., if you do not fill out a contact form or otherwise send us information, we do not collect any personal data, with the exception of the data that your browser automatically transmits to our server to enable your use of our website.

For the technical provision of our website and to ensure our information technology systems’ security, it is necessary for us to process certain automatically transmitted information from you so that your browser can display our website and you can use it. This information is automatically collected every time our website is visited and stored in our server log files. This information refers to the computer system of the requesting computer. The following information is collected here:

  • IP address,
  • date and time of the request,
  • time zone difference to Greenwich Mean Time (GMT),
  • country of access,
  • content of the request (specific page),
  • transmitted data volume,
  • HTTP status code,
  • website where the request originated from,
  • operating system and its interface,
  • language and version of the browser software,
  • cookies on/off,
  • notification whether access/retrieval was successful.

This information refers to the computer system used. We use this data (with the exception of the IP number of your computer) solely for statistical purposes to measure demand for our web content and services. The data is recorded cumulatively for all website users, which means that it is not possible to assign this data to a specific person. This data is not merged with data from other data sources.

2.2. In addition to the purely informational use of our website, we offer various services (e.g., contact forms) that you can use if interested. This generally requires you to supply additional personal data that we need to provide the respective service.

2.2.2. Contacting us by e-mail or contact form: If you contact us by e-mail or one of the contact forms on our website, the data you provide will also be processed (your e-mail address, possibly your name and telephone number) and stored by us in order for us to be able to answer your questions. User data can be stored in a Customer Relationship Management (CRM) system or similar.

2.2.3. Links to third-party websites:

Our website contains links to third-party websites in various places. After clicking on the embedded link, you will be redirected to the respective third-party provider’s website. During the redirect process, user data is transferred to the respective third-party provider. If you send information to or via these third-party sites, we recommend that you read the privacy policies of these sites before providing them with any further information that may be personally identifiable. For information on how your data is processed on third-party websites, please refer to the respective privacy policies of the third-party providers. We are not responsible for how they operate or handle data.

3. FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?

3.1. We only process your personal data to the extent that this is necessary to provide a functional website and our content and services and where we are legally permitted to do so. The corresponding legal bases are listed individually below. Moreover, we are always entitled to process personal data if the data subject has consented (Art. 6 (1) a, Art. 7 GDPR), if we are obliged to fulfill contractual or pre-contractual obligations (Art. 6 (1) b GDPR), if we have to fulfill legal obligations (Art. 6 (1) c GDPR) or if we protect our legitimate interests (Art. 6 (1) f GDPR).

3.2. If you use our website for purely informational purposes, we only collect the data that is technically necessary for us to display our website to you and to ensure its stability and security. The legal basis for processing is our legitimate interest according to Art. 6 (1) (1) f GDPR.

3.3. When you contact us by e-mail or contact form, your personal data will only be used for the purpose of answering your request. The legal basis for processing is our legitimate interest according to Art. 6 (1) (1) f GDPR.

4. HOW DO WE PROCESS YOUR PERSONAL DATA?

When you use our website, your data is transmitted to us in encrypted form to prevent access by unauthorized third parties. We store your data on specially protected servers. Access to personal data is only possible for a few specially authorized DKMS employees, all of whom are familiar with and committed to the relevant data protection regulations.

5. DO WE SHARE PERSONAL DATA WITH THIRD PARTIES?

Only our employees have access to your personal data. In addition, we sometimes share personal data with order processors, in particular service providers, with whom we cooperate. We are entitled to do this if the data subject has consented to this (Art. 6 (1) a, Art. 7 GDPR), if we thereby fulfill contractual or pre-contractual obligations (Art. 6 (1) b GDPR), if we thereby fulfill a legal obligation (Art. 6 (1) c GDPR) or if we safeguard our legitimate interests (Art. 6 (1) f GDPR). The service providers have been carefully selected and commissioned by us, are bound by our instructions and are monitored on a regular basis. We conclude a so-called order processing agreement with order processors in accordance with Art. 28 GDPR, according to which they also undertake to comply with data protection.

We assure you that we do not sell or rent your information to other companies or organizations. Under no circumstances will we use your e-mail address or other data without your consent for other purposes for which you have not given your consent.

6. HOW LONG DO WE STORE YOUR PERSONAL DATA?

6.1. We will only store personal data that you have transmitted or provided until the purpose for doing so has been fulfilled, until you revoke your consent, until you object to the data being processed or until you request the deletion of your data.

6.2. If you use our website for informational purposes only, we store your data on our servers exclusively for the duration of your visit to our website. Once you leave our website, your data will be deleted immediately.

6.3. If you contact us by e-mail or one of the contact forms provided when using our website, we will delete the data collected in this context once it is no longer necessary to store it or restrict its processing if any statutory retention obligations exist. We check necessity on a regular basis.

7. WHAT ARE MY RIGHTS?

7.1. You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will gladly provide you with information about this personal data and the information listed in Art. 15 GDPR.

In addition, you have the following rights vis-à-vis us:

  • right to rectification, Art. 16 GDPR,
  • right to erasure, Art. 17 GDPR,
  • right to restriction of processing, Art. 18 GDPR,
  • right to data portability, Art. 20 GDPR,
  • right to object to processing, Art. 21 GDPR.

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, under the conditions set out in Art. 77 GDPR if you believe that the processing of your personal data infringes data protection law.

7.2. If you have given your consent to the processing of your personal data, you can revoke this consent at any time. If you revoke your consent, this will restrict us from processing your personal data once you have notified us of your revocation. You can also limit the revocation of the processing of your personal data to specific purposes (e.g., newsletter) (restriction of processing).

7.3. To exercise your rights described above, please submit your request to: DKMS gGmbH, Kressbach 1, 72072 Tübingen or by e-mail to datenschutz@dkms.de

8. CONSENT MANAGEMENT / DECLARATION OF CONSENT

On this website, we use the Piwik PRO Analytics Suite (“Piwik PRO”) consent management tool from the company Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany.

Consent management (declaration of consent for tracking user data) is used to actively ask for your permission when you first visit our site to allow us to collect analytical data on your user behavior. Consent management also allows users to actively decide whether external content is displayed on our site. Consent to cookies, Analytics, Tag Manager, social embeds, YouTube can be activated and deactivated at any time in this website’s footer. Click the link "Consent Manager".

Each permission can be activated and deactivated individually. All the following points are dependent on this consent by the user.

9. HOW DO WE USE COOKIES?

9.1. In addition to the data specified above, we use cookies to make our website available to you. Cookies are small text files that are saved on your hard disk, assigned to the browser that you use, and which supply certain information (see below for details) to the party that set the cookie (in this case, to us). Cookies cannot execute any programs or transfer viruses to your computer. They serve to make the website as a whole more user-friendly and more effective.

9.2. We use cookies to make our website available to you with its technical functions (essential cookies). In addition, we use cookies for the purpose of web analysis (non-essential cookies). The legal basis for the use of essential cookies that are necessary for the operation of the website is Art. 6 (1) (1) f GDPR. In the case of non-essential cookies, the legal basis is your consent pursuant to Art. 6 (1) a GDPR.

9.3. You can configure your browser settings according to your preferences and, for example, refuse to accept so-called third-party cookies or all cookies. Moreover, you can prevent or restrict the installation of cookies through your Internet browser’s relevant settings. You can also delete previously stored cookies at any time. However, the steps and measures that are necessary to do so depend on the specific Internet browser that you use. Therefore, if you have any questions, please refer to the help function or documentation for your Internet browser or contact the corresponding manufacturer or support. If no consent is given in the Consent Banner (or revoked via the “Consent Management” link in the footer), only cookies that store this block decision are set.

9.4. This website uses the following types of cookies, the scope and function of which are explained below:

We use the “local storage” and “session storage” of the browser. The web storage stores the data securely in the user’s browser and does not transmit it unencrypted over the Internet.

Local storage: The scope includes all browser windows/tabs and is cleared only by JavaScript or with the browser cache.

Session storage: The scope includes an individual browser window/tab and is automatically cleared when the browser window is closed.

10. DATA PROCESSING OF YOUR USER DATA BY WEB ANALYSIS TOOLS AND ONLINE MARKETING SERVICES

10.1 On this website, we use the Piwik PRO Analytics Suite (“Piwik PRO”) analysis program from the company Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany. This software is used to collect data that enables us to tailor our website’s design to user requirements and statistically evaluate visitors’ flow for marketing and optimization purposes. Pseudonymous usage profiles are also created in this context. Cookies are used for this purpose, which are stored on your computer and which enable a pseudonymous analysis of your use of our website. The IP address is immediately truncated after collection and prior to storage. Piwik PRO Marketing Suite Cloud is hosted on Microsoft Azure in Germany.

Piwik Pro always tracks anonymously. If the user consents to the use of Analytics, the tracking is enriched pseudonymously. This makes it possible, for example, to identify returning users and perform more precise analyses.

The legal basis for this processing is our legitimate interest according to Art. 6 (1) (1) f GDPR. The information collected by the cookies about the use of our website is stored on servers of Piwik PRO or service providers commissioned by them in Europe. The IP address is anonymized immediately after processing and prior to storage. The information generated by Piwik PRO is not used to identify visitors personally and is not merged with other personal data of the user.

You can specify in the consent banner as well as subsequently in the footer via the link “Consent Management” whether you consent to us using PIWIK PRO in the manner described. If you choose not to do so, a PIWIK PRO deactivation cookie will be deposited on your end device (“opt-out” cookie). Please note that your browser must accept cookies in order for this cookie to be deposited. If you delete the deactivation cookie, you may have to opt-out again.

For more information about Piwik PRO’s privacy policy, please visit https://piwik.pro/privacy-policy/.

10.2. Piwik Tag Manager

This website uses Piwik Pro Tag Manager. This service allows website tags to be managed via an interface. Piwik Pro Tag Manager does not set any cookies, only tags, and does not collect any personal data. The service triggers other tags, which in turn may collect data. A tag is only triggered if the user has consented to this beforehand. If the user does not grant specific permissions in Piwik Consent Management, the corresponding tags will not be triggered. Tags that do not process personal data are always loaded. However, Piwik Pro Tag Manager does not access this data. If deactivation has been made at the domain or cookie level, it will apply to all tracking tags implemented with Piwik Pro Tag Manager.

10.3. AddSearch search function

The search box results on our website are provided by the web service of AddSearch Oy, Töölönkatu 4, FI-00100 Helsinki, Finland (“AddSearch”). When you actively use the search box on our website, a data transfer to AddSearch takes place. Only the search terms you enter and your IP address are transmitted.

The transfer of your personal data for these purposes is based on our legitimate interest in providing you with the search function, pursuant to Art. 6 (1) f GDPR. Information is not transmitted until at least three characters have been entered in the search. No data will be sent to AddSearch prior to this. An order data processing agreement exists with AddSearch. For information about AddSearch’s privacy policy, please visit https://www.addsearch.com/privacy/.

10.4. Amazon Web Services: Hosting

For hosting the database and web content on our website, we use the Amazon Web Services (“AWS”) service provided by Amazon Web Services, Inc. Box 81226, Seattle, WA 98108-1226, USA. The data is stored exclusively in a German data center (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018, as well as PCI DSS Level 1. We only have strictly limited access rights and the data is automatically encrypted.

The transmission of your personal data for these purposes is based on our legitimate interest in being able to provide you with the technical infrastructure of our website, in particular web servers, databases and the sending of e-mails, pursuant to Art. 6 (1) f GDPR.

For technical reasons, infrastructure maintenance may be carried out from the USA. To the extent that AWS transfers your personal data to the USA for this purpose, we will take safeguards to adequately protect your personal data. In particular, we conclude contracts with standard contractual clauses. For more information about standard contractual clauses for the transfer of personal data to processors outside the EU or EEA, please visit https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

For more information about AWS and privacy, please visit https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls and https://aws.amazon.com/privacy/.

10.5. Amazon CloudFront

As part of the web hosting with AWS, we continue to use technologies provided by AWS or by the Amazon CloudFront content delivery network (“CDN”). A CDN makes extensive media files available via a regionally distributed server network in order to conserve own server resources. Before the website loads in your web browser, we use Amazon CloudFront to build SSL encryption to the website and to build other security features to protect against harmful influences from the worldwide web.

During this process, your IP address and other data are transmitted to Amazon CloudFront. The legal basis for this is Art. 6 (1) f GDPR.

For more information, please refer to the Amazon CloudFront – Content Delivery Network (CDN) privacy policy: https://aws.amazon.com/privacy/?nc1=f_pr. To prevent the execution of the Amazon CloudFront – Content Delivery Network (CDN) JavaScript code altogether, you can install a JavaScript blocker.

10.6. Gatsby Cloud

Gatsby Cloud creates the DKMS gGmbH website’s front end and is hosted on the Google Cloud server. No private user data is transmitted to Gatsby Cloud. The service serves content from the Kentico Kontent content management system and delivers it to Amazon Web Services. Gatsby Cloud follows standard Google Cloud Service protocols.

11. HOW ARE YOUTUBE VIDEOS INTEGRATED?

11.1. We have integrated YouTube videos into our web content, which can only be played with prior consent via Consent Management. These videos are stored on the DKMS YouTube page and can be played directly from our website.

YouTube is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

11.2. By visiting the website and after consent via Consent Management, YouTube receives information that you have accessed the corresponding subpage of our website. The data mentioned in section 2.1. of this Privacy Policy will also be transmitted. This occurs regardless of whether you have a YouTube user account that you are logged in to or not. If you are logged in to Google, your data is directly assigned to your account. If you do not want data to be assigned to your YouTube profile, you have to log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the customized design of its website. Such analysis is carried out in particular (even for users who are not logged in) to provide targeted advertising and inform other social network users about your activities on our website. You have the right to object to the processing of your personal data, whereby you must direct the objection to YouTube and Google.

11.3. By integrating YouTube, we improve our offer and can make it more interesting for you as a user. The legal basis for the integration is our legitimate interest according to Art. 6 (1) (1) f GDPR.

11.4. For more information on the purpose and scope of data collection and processing by YouTube, please see the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en

Please note that we have no control over how and for how long YouTube and Google retain this data. The privacy policy published by YouTube, which is available at https://policies.google.com/privacy?hl=en&gl=en, provides information about the collection, processing and use of personal data by YouTube and Google.

12. QUESTIONS AND COMMENTS

Do you have questions regarding our Privacy Policy? Please contact our Data Protection Officer at datenschutz@dkms.de.

Information about your right of objection pursuant to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6 (1) f GDPR (data processing based on a balance of interests) or Art. 6 (1) e GDPR (data processing in the public interest). This also applies to profiling based on these provisions within the meaning of Art. 4 (4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In individual cases, we also process your personal data for direct advertising purposes. If you do not wish to receive advertising, you have the right to object at any time; this also applies to profiling insofar as it is associated with such direct advertising. We will observe such objection with effect for the future.

We will no longer process your data for direct advertising purposes if you object to processing for this purpose.

The objection can be made in any form and should be addressed to:


DKMS gGmbH
Kressbach 1
72072 Tübingen
E-mail: datenschutz@dkms.de